Protocol Analyzer


I am doing low level packet inspection using the tcp_packet event. I am
wondering if there is a way to inspect only the tcp payload if it
doesn't parse to any well-known tcp based application. For example, if
an application uses 20394/tcp for TLS, I would not want to see this
payload. However, if the application using 20394/tcp has a payload that
doesn't parse to anything Bro speaks, I would like to be able to inspect
this tcp payload.

Thanks in advance!

Hello Ben,

the easiest way to accomplish this is probably to look into the c$service
field - if it is empty, no analyzer has flagged that it can succesfully
parse the protocol yet.

This is, however, not perfect - c$service is populated by the
protocol_confirmation/violation. Thus, it will only be set after a parser
accepts that a connection actually "speaks" a protocol; so you will
probably get the first few pacjets for every connection - see
base/frameworks/dpd/main.bro for more details.

Apart from that, you can also check Analyzer::registered_ports for ports
where Bro always tries to attach a specific analyzer.

I hope this helps,

Thanks, Johanna! That gives me a place to start.