I have a query. In TCP.cc, the information is transferred to the child analyzers (i.e. application protocol analyzer) using statement
LOOP_OVER_GIVEN_ and calling NextPacket() function
but in the case of UDP I don't find any mechanism to transfer info to the application layer protocol. Do the UDP-based application protocols get their own information from connection via their respective .pac analyzer? If not, can you please explain in brief.
Is ForwardPacket() function supplying the info to the child analyzer?
Each connection starts with an analyzer tree that looks like (see analyzer::Manager::BuildInitialAnalyzerTree):
UDP: UDP_Analyzer -> PIA_UDP, any analyzers registered for a well-known UDP resp port
TCP: TCP_Analyzer -> PIA_TCP, any analyzers registered for a well-known TCP resp port
The PIA_*, Port Independent Analysis (I think), are responsible for automatically attaching new analyzers if payload content matches provided signatures.
Children of UDP_Analyzer which override Analyzer::DeliverPacket will start receiving packets immediately from Analyzer::ForwardPacket.
Children of TCP_Analyzer which override Analyzer::DeliverPacket will start receiving packets immediately from (1) Analyzer::ForwardPacket if reassembly is not enabled (2) Analyzer::NextPacket if they were explicitly added as children via TCP_Analyzer::AddChildPacketAnalyzer.
It’s more typical for children of TCP_Analyzer to be overriding Analyzer::DeliverStream in order to receive input as reassembled TCP segments. I.e. protocols on top of TCP may choose between packet-wise and stream-wise input, but the latter is more common.
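
A simplified C++ model of the delivery paths described in the answer above, added here as an illustration and not taken from the Bro source. `Recorder`, `Segment()`, the `reassembly` flag and the reduced signatures are assumptions of the model; only the class and method names quoted in the answer come from the thread.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <vector>
// Simplified model of the dispatch described in the answer; not Bro source.
struct Analyzer {
    std::vector<std::shared_ptr<Analyzer>> children;
    virtual ~Analyzer() = default;
    virtual void DeliverPacket(const std::string&) {}  // packet-wise input
    virtual void DeliverStream(const std::string&) {}  // reassembled input
    void NextPacket(const std::string& d) { DeliverPacket(d); }
    void ForwardPacket(const std::string& d) { for (auto& c : children) c->NextPacket(d); }
};
// Hypothetical stand-in for an application analyzer: records what it receives.
struct Recorder : Analyzer {
    std::vector<std::string> packets;
    std::string stream;
    void DeliverPacket(const std::string& d) override { packets.push_back(d); }
    void DeliverStream(const std::string& d) override { stream += d; }
};
struct UDP_Analyzer : Analyzer {  // no reassembly: payload goes straight to children
    void DeliverPacket(const std::string& d) override { ForwardPacket(d); }
};
struct TCP_Analyzer : Analyzer {
    bool reassembly = true;                   // assumed switch for this model
    uint32_t next_seq = 0;                    // next in-order byte expected
    std::map<uint32_t, std::string> pending;  // segments waiting for a gap to fill
    std::vector<std::shared_ptr<Analyzer>> packet_children;
    void AddChildPacketAnalyzer(const std::shared_ptr<Analyzer>& a) { packet_children.push_back(a); }
    // Segment() is a hypothetical entry point taking a relative sequence number.
    void Segment(uint32_t seq, const std::string& d) {
        for (auto& c : packet_children) c->NextPacket(d);  // case (2) in the answer
        if (!reassembly) { ForwardPacket(d); return; }     // case (1) in the answer
        pending[seq] = d;
        for (auto it = pending.find(next_seq); it != pending.end(); it = pending.find(next_seq)) {
            for (auto& c : children) c->DeliverStream(it->second);
            next_seq += static_cast<uint32_t>(it->second.size());
            pending.erase(it);
        }
    }
};
int main() {  // constructed input: two TCP segments arriving out of order
    auto app = std::make_shared<Recorder>();
    TCP_Analyzer tcp;
    tcp.children.push_back(app);
    tcp.Segment(5, "world"); tcp.Segment(0, "hello");
    return app->stream == "helloworld" ? 0 : 1;
}
```

In the model, a child that only overrides DeliverPacket sees nothing from a reassembling TCP_Analyzer unless it was added through AddChildPacketAnalyzer, while every UDP child sees each datagram as it arrives.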