Undefined symbol while writing an analyzer

Hey guys,

I would really appreciate some help on this.

I think I can reduce the source of the problem to two points:

  • A namespace problem. I have revised my code and do not find anything wrong. I’ll keep checking.
  • A linkage problem:

To compile the plugin I followed the instructions of the “Writing Bro Plugins” documentation guide. In the Plugins.cc file I instantiated the Analyzer and included “Myprotocol.h”, which had been previously created with binpac_Quickstart’s start.py.

However, the Makefile and configure files were created with the “init-plugin” script. Do you know if I have to modify anything in the Makefile to build a protocol analyzer plugin?

Unfortunately in the “Writing Bro plugins” documentation page, the “Protocol Analyzers” section is empty…

Hope you can help me.

Best regards!

Hi Luis,

binpac_quickstart has a --plugin option which should set up the skeleton
in much the same way init-plugin does. Try that, and please let me know
if you encounter issues with it.

  --Vlad

Luis Martin Liras <martin.liras@gmail.com> writes:

Thank you for your reply Vlad.

Unfortunately that was not the problem as I've been using this option from the beginning.

The problem was related to the linkage options. I was using the configure and Makefile files that the init-plugin --plugin script was giving me. BUT these 'configure' and 'Makefile' files are prepared for a simple plugin with simple functions. If you need to write an analyzer with this --plugin option you need to modify the resulting CMakeLists.txt.

This is how it comes:

cmake_minimum_required(VERSION 2.8)
project(Plugin)
include(BroPlugin)
bro_plugin_begin(MyProt MyProt)
bro_plugin_cc(src/Plugin.cc)
bro_plugin_bif(src/events.bif)
bro_plugin_dist_files(README CHANGES COPYING VERSION)
bro_plugin_end()

and this is how it must be:

cmake_minimum_required(VERSION 2.8)
project(Plugin)
include(BroPlugin)
bro_plugin_begin(MyProt MyProt)
bro_plugin_bif(src/types.bif src/events.bif)  # <---
bro_plugin_cc(src/Plugin.cc src/MyProt.cc src/MyProt_pac.cc)  # <---
bro_plugin_dist_files(README CHANGES COPYING VERSION)
bro_plugin_end()

Apart from that, I had to add the different records in the init-bare.bro file and, weirdly enough, I had to modify the build/src/types.bif.netvar_h file to add the records I was using; maybe someone can explain that to me.

Ah, and do not reuse a type name that another analyzer is already using... it will give you a segmentation fault.

Now it works fine.

Thank you!
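
A build-time check for the problem described in this thread, as an added example that is not part of the original messages: it compares the files passed to bro_plugin_cc and bro_plugin_bif against a plugin's source list and reports any that would be left out of the link. The function names and the sample file list are assumptions built from the file names quoted above; in practice the list would come from a listing of the plugin's src/ directory.

```python
import re

# Macros from the thread's CMakeLists.txt and the file suffix each one should list.
MACRO_SUFFIX = {"bro_plugin_cc": ".cc", "bro_plugin_bif": ".bif"}

def listed_sources(cmake_text):
    """Return {macro: set(paths)} for every bro_plugin_cc / bro_plugin_bif call."""
    text = re.sub(r"#[^\n]*", "", cmake_text)  # drop CMake comments
    listed = {macro: set() for macro in MACRO_SUFFIX}
    for macro, args in re.findall(r"\b(bro_plugin_(?:cc|bif))\s*\(([^)]*)\)", text):
        listed[macro].update(args.split())
    return listed

def unlisted_sources(cmake_text, src_files):
    """Return (macro, path) pairs for source files no matching macro call mentions."""
    listed = listed_sources(cmake_text)
    missing = []
    for path in sorted(src_files):
        for macro, suffix in MACRO_SUFFIX.items():
            if path.endswith(suffix) and path not in listed[macro]:
                missing.append((macro, path))
    return missing

# Constructed sample: the two CMakeLists.txt variants quoted in the thread
# and the source files the working variant refers to.
GENERATED = """
bro_plugin_begin(MyProt MyProt)
bro_plugin_cc(src/Plugin.cc)
bro_plugin_bif(src/events.bif)
bro_plugin_end()
"""
FIXED = """
bro_plugin_begin(MyProt MyProt)
bro_plugin_bif(src/types.bif src/events.bif)
bro_plugin_cc(src/Plugin.cc src/MyProt.cc src/MyProt_pac.cc)
bro_plugin_end()
"""
SRC_FILES = ["src/Plugin.cc", "src/MyProt.cc", "src/MyProt_pac.cc",
             "src/types.bif", "src/events.bif"]

if __name__ == "__main__":
    for name, text in (("generated", GENERATED), ("fixed", FIXED)):
        print(name, unlisted_sources(text, SRC_FILES) or "all sources listed")
```

Files reported for the generated variant are the ones whose symbols the linker never sees, which is how the undefined symbol in the subject line arises.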