Integrating WiFi Analyzer within Bro

Hi,

In my project, I am integrating a WiFi protocol analyzer with bro to parse and monitor WiFi packets header information.

I am using BinPac to generate a template for the WiFi protocol analyzer in the src/analyzer/protocol directory.

As per my knowledge, WiFi (802.11) is not a TCP type of protocol. So I wish to know what I should use instead of the option "--tcp" while using the command:

python start.py WiFi “WiFi Protocol” …/bro --tcp

Any help will be really appreciated!

Unfortunately, there is no way to implement lower level protocols with
BinPAC quickstart right now. Similarly, we don't have any examples of a
BinPAC lower-level analyzer if you were to do it manually.

If you are able to get it working, I'd certainly be interested in how
you did it, and would look at adding it to binpac_quickstart.

  --Vlad

pratik inamdar <pratikinamdar@gmail.com> writes:

Hi,

Thank you for your reply!

Is the BinPac parser the only way to generate an analyzer for a protocol? What other way can I do it?

Because as far as I know, BinPac also generates 3 files automatically in the base/scripts folder which cannot be done manually. Please let me know another way I could do it without using BinPac.

Please shed some light on this.

Thanks,
Pratik inamdar

Hi Vlad,

Hope you are doing good!

I chose to switch the protocol. So now I am writing an analyzer for 6LoWPAN instead of WiFi.

Quick question:

Will I be able to successfully use BinPac to write an analyzer for 6LoWPAN?

Also, if possible, please guide me with some key points to remember while writing an analyzer for 6LoWPAN.

Your help will be greatly appreciated!

Thanks,
Pratik Inamdar

Hello Pratik,

I think the answer stays the same - if I understand things correctly, you have to implement IEEE 802.15.4, which is a lower level protocol, which currently cannot be implemented with just BinPAC and needs core changes (probably in src/iosource/Packet.cc and others). There are currently no examples for that, besides the existing code.

Johanna

Hi,

Thank you for the prompt response!

My task is to write an analyzer in bro using BinPac for an IoT protocol. I have already written analyzers for application layer protocols namely MQTT and AMQP.

Now I wish to write an analyzer for an IoT protocol which does not fall in the application layer.

The IoT protocol should be able to use the Bro BinPac language. Could you please suggest one?

Thanks,
Pratik Inamdar

Hi,

The answer is the same for all protocols that are underneath TCP/UDP. You will have to change the core for any of them. If you have an IoT protocol that works over UDP/TCP, you should be able to use BinPac alone.

Johanna

So just to verify if I understood it correctly.

You mean to say that all the protocols on or above the Transport Layer ONLY should be able to use Bro BinPac?

Thanks,
Pratik Inamdar

If what I said in my previous email is correct, then why was I able to integrate a RIP (Routing Information Protocol) analyzer with bro? RIP is a network layer protocol which lies below the Transport Layer.

Similarly, 6LoWPAN is another name for IPv6 and is used for low powered devices. If I was able to integrate RIP, do you think I will be able to integrate 6LoWPAN?

Thanks,
Pratik Inamdar

It is as I said - there is a straightforward way to implement everything above TCP/UDP with BinPac. RIP is not below the transport layer - it uses UDP as its transport protocol.

Johanna
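As an added illustration of this point (example code, not from the thread and not Bro's own RIP analyzer): the BinPAC record layout for the RIPv2 message format from RFC 2453, which is all the parser-side definition a UDP-carried protocol needs. The C++ glue, the analyzer/flow declarations and the Bro script files that binpac_quickstart normally generates around such a protocol .pac file are assumed and not shown.

```binpac
# rip-protocol.pac (added example, not Bro's shipped analyzer)
# RIPv2 is carried in UDP datagrams (port 520), so the whole message is
# one UDP payload and can be described with BinPAC records alone.

# One 20-byte route entry (RFC 2453, section 4).
type RIP_Entry = record {
    addr_family: uint16;   # 2 = IP
    route_tag:   uint16;
    ip_addr:     uint32;
    subnet_mask: uint32;
    next_hop:    uint32;
    metric:      uint32;   # 1..15 reachable, 16 = infinity
} &length = 20;

# 4-byte header followed by route entries, consumed until the
# UDP payload is exhausted.
type RIP_PDU(is_orig: bool) = record {
    command: uint8;        # 1 = request, 2 = response
    version: uint8;        # 2 for RIPv2
    zero:    uint16;       # must be zero
    entries: RIP_Entry[] &until($input.length() == 0);
} &byteorder = bigendian;
```

Because RIPv2 arrives as UDP payload, every field above is visible to BinPAC; an 802.15.4 or 6LoWPAN header sits below the transport layer and never reaches a parser like this, which is the core change referred to above.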

I see! So you mean to say that it does not matter which layer the protocol itself lies in. If that protocol uses a port number (TCP/UDP) for transportation of its packets, then and ONLY then can I use BinPac to write an analyzer for it.

Thanks,
Pratik Inamdar