I want to write an analyzer to detect EtherCat traffic, which is encapsulated in layer 2 (like ARP). I wanted to use the BinPAC language to create this analyzer, but I found out that BinPAC only supports protocols that are encapsulated in TCP/UDP. (Correct me if I'm wrong.)
Now I'm thinking about writing that analyzer without BinPAC, but I'm not really sure where to start. Can anyone give me a few hints, or tell me about his/her experience in writing a new protocol analyzer in C++ for Bro?
Yeah, BinPAC isn't a good tool for layer 2 protocols. Generally, Bro's support for layer 2 analysis lags behind the upper layers of the stack; it doesn't have as much abstraction / APIs in place for adding new analyzers.

That said, looking at ARP is actually a good starting point. See analyzer/protocol/arp/ARP.cc; the main work happens there in ARP_Analyzer::NextPacket(). That method is called from NetSessions::NextPacket() (in Sessions.cc) after ARP has been identified in Packet::ProcessLayer2() (iosource/Packet.cc).
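To make the ARP path described in that answer concrete, the following is an added example, not Bro's own code and not written by the answer's author. It mirrors the pattern in miniature: a dispatcher in the role of Packet::ProcessLayer2 / NetSessions::NextPacket identifies the EtherType and hands the payload to a protocol-specific parser, here an EtherCAT one. The namespace `ecat_demo`, the function names `NextPacket` and `ParseEtherCAT`, and the sample frame are all assumptions of this example; the sample bytes are constructed, not captured. The EtherCAT facts used (EtherType 0x88A4, a 2-byte little-endian frame header with an 11-bit length and 4-bit type, a 10-byte datagram header followed by data and a 2-byte working counter, the M bit marking a following datagram) come from the EtherCAT specification (ETG.1000.4), not from this thread.

```cpp
// Added example (not Bro/Zeek code): layer-2 dispatch on EtherType plus an
// EtherCAT frame/datagram parser. Names and sample bytes are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

namespace ecat_demo {

constexpr uint16_t kEtherTypeARP  = 0x0806;
constexpr uint16_t kEtherTypeVLAN = 0x8100;  // 802.1Q tag, skipped before dispatch
constexpr uint16_t kEtherTypeECAT = 0x88A4;  // EtherCAT (ETG.1000.4)

// Ethernet and ARP fields are big-endian; EtherCAT fields are little-endian.
inline uint16_t be16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }
inline uint16_t le16(const uint8_t* p) { return uint16_t((p[1] << 8) | p[0]); }

struct EcatDatagram {
    uint8_t  cmd = 0, idx = 0;
    uint16_t adp = 0, ado = 0;  // position/offset address (a 32-bit logical address for LRD/LWR/LRW)
    uint16_t len = 0;           // payload length, 11 bits
    bool     more = false;      // M bit: another datagram follows
    uint16_t wkc = 0;           // working counter trailing the data
};

struct EcatFrame {
    bool ok = false;
    std::string error;
    uint8_t type = 0;           // frame type; 1 = EtherCAT datagrams
    std::vector<EcatDatagram> datagrams;
};

// Parse the EtherCAT payload: 2-byte frame header, then datagrams of
// 10-byte header + data + 2-byte WKC until the M bit is clear. Every length
// is checked against the capture so a truncated frame yields an error, not a read past the buffer.
EcatFrame ParseEtherCAT(const uint8_t* d, size_t n) {
    EcatFrame f;
    if (n < 2) { f.error = "truncated EtherCAT header"; return f; }
    uint16_t hdr = le16(d);
    uint16_t length = hdr & 0x07FF;        // bits 0..10
    f.type = uint8_t(hdr >> 12);           // bits 12..15
    if (f.type != 1) { f.error = "unsupported EtherCAT frame type"; return f; }
    if (2 + size_t(length) > n) { f.error = "frame length exceeds capture"; return f; }
    size_t off = 2, end = 2 + length;      // bytes past `end` are Ethernet padding
    bool more = true;
    while (more) {
        if (off + 10 > end) { f.error = "truncated datagram header"; return f; }
        EcatDatagram dg;
        dg.cmd = d[off]; dg.idx = d[off + 1];
        dg.adp = le16(d + off + 2); dg.ado = le16(d + off + 4);
        uint16_t lenflags = le16(d + off + 6);   // len (11 bits), reserved, C, M
        dg.len  = lenflags & 0x07FF;
        dg.more = (lenflags & 0x8000) != 0;
        size_t dg_end = off + 10 + dg.len + 2;   // header + data + WKC
        if (dg_end > end) { f.error = "datagram data exceeds frame length"; return f; }
        dg.wkc = le16(d + dg_end - 2);
        f.datagrams.push_back(dg);
        more = dg.more;
        off = dg_end;
    }
    f.ok = true;
    return f;
}

// Dispatcher in the style of Packet::ProcessLayer2 -> NetSessions::NextPacket:
// read the EtherType (skipping one VLAN tag), then call the matching parser.
// Returns a short tag describing what was seen; a real analyzer would raise events.
std::string NextPacket(const uint8_t* d, size_t n) {
    if (n < 14) return "truncated";
    size_t off = 12;
    uint16_t et = be16(d + off); off += 2;
    if (et == kEtherTypeVLAN) {
        if (n < off + 4) return "truncated";
        et = be16(d + off + 2); off += 4;
    }
    switch (et) {
    case kEtherTypeARP:
        if (n - off < 8) return "arp:truncated";
        return "arp:op=" + std::to_string(be16(d + off + 6));  // opcode at ARP offset 6
    case kEtherTypeECAT: {
        EcatFrame f = ParseEtherCAT(d + off, n - off);
        if (!f.ok) return "ethercat:error:" + f.error;
        return "ethercat:datagrams=" + std::to_string(f.datagrams.size());
    }
    default:
        return "other";
    }
}

// Constructed sample (not a real capture): broadcast EtherCAT frame carrying
// one APRD (cmd 1) datagram that reads 2 bytes at ADO 0x0130 of slave position 0.
const std::vector<uint8_t> kSampleEcat = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x88,0xa4,
    0x0e,0x10,                                              // header: length 14, type 1
    0x01,0x80, 0x00,0x00, 0x30,0x01, 0x02,0x00, 0x00,0x00,  // cmd,idx,ADP,ADO,len/flags,IRQ
    0x00,0x00,                                              // 2 bytes of data
    0x00,0x00                                               // working counter
};

}  // namespace ecat_demo

int main() {
    using namespace ecat_demo;
    std::printf("%s\n", NextPacket(kSampleEcat.data(), kSampleEcat.size()).c_str());
    return 0;
}
```

The point of the `end` bound is that EtherCAT frames are often shorter than the Ethernet minimum, so the capture carries padding after the last datagram; trusting the 11-bit length field rather than the capture length is what keeps the parser from walking into that padding, and checking that same field against the capture length is what keeps it from walking past the buffer.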
My first goal is to write some C++ code so that EtherCat traffic will be detected. For someone with basic knowledge of C++, how much time will this take?