Hi all,
I am exploring how the SIP protocol analyzer works and it seems that SIP
analyzer does not extract SDP payload out of SIP messages.
I am trying to extend the SIP analyzer to extract such info and print it
in an additional field of the sip.log file.
Unfortunately, I am not able to see where the boolean variable
"sip_reply" accessed in sip-analyzer.pac:37 is actually defined and set.
The same holds for sip_request (sip-analyzer.pac:22), sip_header
(sip-analyzer.pac:53).
Can someone point me where and how these variables are populated?
best regards,
Valerio
Hello Valerio,
> Unfortunately, I am not able to see where the boolean variable
> "sip_reply" accessed in sip-analyzer.pac:37 is actually defined and set.
> The same holds for sip_request (sip-analyzer.pac:22), sip_header
> (sip-analyzer.pac:53).
> Can someone point me where and how these variables are populated?
That is a tad tricky - the variables are populated in autogenerated code.
The easiest way to figure out what exactly happens might be to look into
the code that is generated in the build/ directory after building bro is
done.
The in-a-nutshell variant is - since sip_reply is defined as an event, an
EventHandlerPtr variable named sip_reply is created. This variable is
populated automatically (by a call to the function internal_handler).
Performing an if (sip_reply) call will return true if the sip_reply event
is used somewhere in Bro scriptland and false otherwise.
Johanna
Hi Johanna,
thanks for the feedback, I'll dig into the compiled source code to
better understand what's going on.
However, even at high-level, I don't understand why it is necessary to
check for an event sip_reply within the sole function that is supposed
to generate that very event.
best regards,
Valerio
It is not strictly speaking necessary to do that. It reduces load a little bit - if there is no one listening for an event, there is no reason to create it.
This is especially interesting if generating the event involves actual processing of data.
Johanna
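
The guard discussed in this thread, as an added stand-alone example that is not part of the original messages and is not Bro's own code. Handler, HandlerPtr, lookup_handler, extract_body and proc_sip_reply are hypothetical names in a simplified model of the behaviour described above; the SIP message is a constructed sample.

```cpp
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Simplified model, not Bro's real classes: a handler is "live" only if
// at least one script-level body has been registered for the event.
struct Handler {
    std::vector<std::function<void(const std::string&)>> bodies;
};

class HandlerPtr {
public:
    explicit HandlerPtr(Handler* h = nullptr) : h_(h) {}
    // In this model, this is what `if (sip_reply)` evaluates.
    explicit operator bool() const { return h_ && !h_->bodies.empty(); }
    Handler* operator->() const { return h_; }
private:
    Handler* h_;
};

// Stand-in for the registry lookup done once per event name at startup.
static std::map<std::string, Handler> registry;
HandlerPtr lookup_handler(const std::string& name) { return HandlerPtr(&registry[name]); }

static int parse_count = 0;  // counts how often the costly work runs

// Hypothetical costly step: pull out the body that follows the blank line.
std::string extract_body(const std::string& msg) {
    ++parse_count;
    auto pos = msg.find("\r\n\r\n");
    return pos == std::string::npos ? "" : msg.substr(pos + 4);
}

// Analyzer-side function: returns true if an event was actually raised.
bool proc_sip_reply(const HandlerPtr& ev, const std::string& msg) {
    if (!ev) return false;  // nobody listens: skip parsing and event creation
    std::string body = extract_body(msg);
    for (auto& f : ev->bodies) f(body);
    return true;
}
int main() {
    HandlerPtr ev = lookup_handler("sip_reply");
    std::string msg = "SIP/2.0 200 OK\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n";
    std::cout << proc_sip_reply(ev, msg) << " " << parse_count << "\n";
    registry["sip_reply"].bodies.push_back([](const std::string& b) { std::cout << b; });
    std::cout << proc_sip_reply(ev, msg) << " " << parse_count << "\n";
}
```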