Problems in writing an analyzer for custom TCP-based protocol

Valerio,

As you probably know, BinPAC supports reading data in via two "modes" --
flowunit or datagram:

flowunit (https://www.bro.org/sphinx/components/binpac/README.html#id20):

When flowunit is used, the analyzer uses flow buffer to handle
incremental input and provide support for &oneline/&length. For
further detail on this, see Buffering.

datagram (https://www.bro.org/sphinx/components/binpac/README.html#id21):

Opposite to flowunit, by declaring data unit as datagram, flow buffer
is opted out. This results in faster parsing but no incremental input
or buffering support.

Additionally, there is a TCP reassembler that you can use to handle data
across multiple TCP packets.

From what you said below, it sounds like you would want flowunit parsing
and the TCP reassembler.

The MySQL analyzer might be a good example that you can reference:

https://github.com/bro/bro/tree/master/src/analyzer/protocol/mysql

Other analyzers that use the TCP reassembler are: DNP3, GSSAPI, IMAP,
KRB_TCP, Modbus, NTLM, RDP, RFB, SIP_TCP, SOCKS, SSH, SSL, Syslog and XMPP.

  --Vlad
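As an added illustration (not Vlad's code and not taken from the Bro tree), here is the skeleton of the flowunit wiring Vlad describes, laid out the same way the MySQL analyzer is. The protocol itself is hypothetical: "MyProto" is assumed to frame every message as a 1-byte type, a 2-byte big-endian length and that many payload bytes. The event name myproto_message and the three .pac file names are also assumptions; the corresponding .bif declaration and the C++ analyzer class are not shown.

```binpac
# ---- myproto.pac: top-level glue (hypothetical protocol, added example) ----
%include binpac.pac
%include bro.pac

%extern{
#include "events.bif.h"
%}

analyzer MyProto withcontext {
	connection: MyProto_Conn;
	flow:       MyProto_Flow;
};

connection MyProto_Conn(bro_analyzer: BroAnalyzer) {
	upflow   = MyProto_Flow(true);
	downflow = MyProto_Flow(false);
};

%include myproto-protocol.pac

flow MyProto_Flow(is_orig: bool) {
	# flowunit, not datagram: the flow buffer holds a partial PDU until
	# the bytes demanded by &length have arrived, so a message split
	# across several TCP segments is still parsed as one unit.
	flowunit = MyProto_PDU(is_orig) withcontext(connection, this);
};

%include myproto-analyzer.pac

# ---- myproto-protocol.pac: assumed framing (type, length, payload) ----
type MyProto_PDU(is_orig: bool) = record {
	msg_type: uint8;
	len:      uint16;
	payload:  bytestring &length = len;   # length taken from the header
} &byteorder = bigendian, &let {
	# hand every completed PDU to the flow for event generation
	deliver: bool = $context.flow.proc_pdu(this);
};

# ---- myproto-analyzer.pac: raise a Bro event per parsed PDU ----
refine flow MyProto_Flow += {
	function proc_pdu(pdu: MyProto_PDU): bool
		%{
		// assumed .bif declaration:
		// event myproto_message%(c: connection, is_orig: bool,
		//                        msg_type: count, len: count%);
		BifEvent::generate_myproto_message(
			connection()->bro_analyzer(),
			connection()->bro_analyzer()->Conn(),
			is_orig(), ${pdu.msg_type}, ${pdu.len});
		return true;
		%}
};
```

On the C++ side the analyzer class would derive from tcp::TCP_ApplicationAnalyzer and feed the reassembled stream into the parser from DeliverStream() (not DeliverPacket()) via interp->NewData(orig, data, data + len), and call interp->FlowEOF(is_orig) from EndpointEOF(); that is the same arrangement the MySQL analyzer Vlad points to uses. One caveat worth keeping in mind with flowunit parsing: the &length value comes straight off the wire, so a hostile peer can advertise a large length and make the flow buffer wait for bytes that never arrive; bound it or check it before trusting it.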

Valerio <valerio.click@gmx.com> writes: