New layer 2 analyzer

Hi there,

I want to write an analyzer to detect EtherCAT traffic, which is encapsulated in layer 2 (like ARP). I wanted to use the BinPAC language to create this analyzer, but I found out that BinPAC only supports protocols that are encapsulated in TCP/UDP. (Correct me if I'm wrong :) )

Now I'm thinking about writing that analyzer without BinPAC, but I'm not really sure where to start. Can anyone give me a few hints, or tell me about his/her experience in writing a new protocol analyzer in C++ for Bro?

Thank you and have a nice day!

-Dane

Yeah, BinPAC isn't a good tool for layer 2 protocols. Generally, Bro's
support for layer 2 analysis lags behind the upper layers of the
stack; it doesn't have as much abstraction / APIs in place for adding
new analyzers.

That said, looking at ARP is actually a good starting point. See
analyzer/protocol/arp/ARP.cc; the main work happens there in
ARP_Analyzer::NextPacket(). The method is called from
NetSessions::NextPacket() (in Sessions.cc) after ARP has been
identified in Packet::ProcessLayer2() (iosource/Packet.cc).

Does that help?

Robin
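
The hook chain Robin describes (Packet::ProcessLayer2() classifies the frame by EtherType, NetSessions::NextPacket() dispatches, ARP_Analyzer::NextPacket() does the protocol work), sketched as a stand-alone C++ program for EtherCAT. This is an added example, not Bro's code and not Dane's: the names process_layer2, parse_ethercat, EtherCATAnalyzer, kSampleFrame and kArpFrame, and the sample bytes, are assumptions made here so that it compiles without Bro's headers; the EtherType 0x88A4 and the frame/datagram header layout are those of the EtherCAT specification.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// EtherTypes from the IEEE registry; 0x88A4 is the one EtherCAT frames carry.
constexpr uint16_t ETHERTYPE_ARP      = 0x0806;
constexpr uint16_t ETHERTYPE_ETHERCAT = 0x88A4;

enum class L3Proto { Unknown, ARP, EtherCAT };

struct L2Frame {
    L3Proto proto = L3Proto::Unknown;
    const uint8_t* payload = nullptr;   // first byte after the 14-byte Ethernet header
    size_t len = 0;
};

// Stand-in (assumed name) for the job Bro's Packet::ProcessLayer2() does:
// read the EtherType and classify the frame. Untagged Ethernet II only.
L2Frame process_layer2(const uint8_t* frame, size_t n) {
    L2Frame f;
    if (n < 14) return f;                              // dst MAC, src MAC, EtherType
    uint16_t etype = (uint16_t)((frame[12] << 8) | frame[13]);
    f.payload = frame + 14;
    f.len = n - 14;
    if (etype == ETHERTYPE_ARP) f.proto = L3Proto::ARP;
    else if (etype == ETHERTYPE_ETHERCAT) f.proto = L3Proto::EtherCAT;
    return f;
}

static uint16_t le16(const uint8_t* p) { return (uint16_t)(p[0] | (p[1] << 8)); }

struct EtherCATSummary { uint16_t datagram_area_len = 0; unsigned datagrams = 0; };

// EtherCAT frame header (2 bytes, little-endian): bits 0-10 length of the
// datagram area, bit 11 reserved, bits 12-15 type (1 = EtherCAT commands).
// Each datagram: 10-byte header (cmd, idx, address[4], len/flags[2], irq[2]),
// `len` data bytes, then a 2-byte working counter. In len/flags (LE) bits 0-10
// are the data length and bit 15 (M) means another datagram follows.
bool parse_ethercat(const uint8_t* p, size_t n, EtherCATSummary& out) {
    if (n < 2) return false;
    uint16_t hdr = le16(p);
    if ((hdr >> 12) != 1) return false;                // only command frames handled
    out.datagram_area_len = hdr & 0x07FF;
    if (out.datagram_area_len + 2u > n) return false;  // header claims more than present
    size_t off = 2, end = 2 + out.datagram_area_len;
    out.datagrams = 0;
    for (bool more = true; more; ) {
        if (off + 10 > end) return false;              // truncated datagram header
        uint16_t lenflags = le16(p + off + 6);
        size_t dlen = lenflags & 0x07FF;
        more = (lenflags & 0x8000) != 0;
        if (off + 10 + dlen + 2 > end) return false;   // data + WKC must fit in the area
        off += 10 + dlen + 2;
        out.datagrams++;
    }
    return off == end;                                 // no slack bytes inside the area
}

// Stand-in (assumed name) for an analyzer in the position of ARP_Analyzer.
struct EtherCATAnalyzer {
    unsigned frames = 0, datagrams = 0, malformed = 0;
    void NextPacket(const uint8_t* frame, size_t n) {
        L2Frame f = process_layer2(frame, n);
        if (f.proto != L3Proto::EtherCAT) return;      // in Bro the dispatcher decides this
        EtherCATSummary s;
        if (parse_ethercat(f.payload, f.len, s)) { frames++; datagrams += s.datagrams; }
        else malformed++;
    }
};

// Constructed sample frame (not a capture): broadcast dst, made-up src,
// EtherType 0x88A4, then a type-1 EtherCAT frame with two BRD datagrams
// (2 data bytes with M set, then 4 data bytes with M clear): area = 14 + 16 = 30.
const std::vector<uint8_t> kSampleFrame = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x88,0xa4,
    0x1e,0x10,
    0x07,0x80, 0x00,0x00,0x30,0x01, 0x02,0x80, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    0x07,0x81, 0x00,0x00,0x30,0x01, 0x04,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,
};
// Constructed Ethernet header of an ARP request, enough for classification only.
const std::vector<uint8_t> kArpFrame = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06, 0x00,0x01 };

EtherCATAnalyzer run_sample() {
    EtherCATAnalyzer a; a.NextPacket(kSampleFrame.data(), kSampleFrame.size()); return a;
}
// The same frame cut 4 bytes short: the declared area no longer fits, so it is malformed.
EtherCATAnalyzer run_truncated() {
    EtherCATAnalyzer a; a.NextPacket(kSampleFrame.data(), kSampleFrame.size() - 4); return a;
}

int main() {
    EtherCATAnalyzer a = run_sample();
    std::printf("frames=%u datagrams=%u malformed=%u\n", a.frames, a.datagrams, a.malformed);
    return 0;
}
```

Compiles with any C++11 compiler; run_sample() reports one frame with two datagrams and run_truncated() one malformed frame. In a real Bro plugin the classification done in process_layer2 would belong in Packet::ProcessLayer2() (a new EtherType case next to ARP's), and NextPacket() would take whatever packet object NetSessions::NextPacket() already hands to ARP_Analyzer::NextPacket(); the length checks before each datagram read are the part worth keeping, since a layer 2 analyzer sees raw frames with no transport layer to bound them.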

Yeah, I think that will help. Thank you.

My first goal is to write some C++ code so that EtherCAT traffic will be detected. For someone with basic knowledge of C++, how much time will this take?

Thanks

-Dane

Out of curiosity: Is the plugin interface for layer 2 protocols
mentioned in https://github.com/bro/bro/pull/76 still on the table?

Jan

Yes, still on the table, but nobody has started to work on it yet.

Robin

Hard to tell, your best approach is probably looking at the code and
seeing if you can follow pretty readily what's going on.

Robin