See if this helps: https://github.com/zeek/zeek/blob/master/testing/btest/plugins/protocol.bro
That may be the most compact tutorial on writing a protocol analyzer plugin. :)

Robin

On Wed, Mar 13, 2019 at 09:16 -0600, anthony kasza wrote:
> Hello Zeek Devs,
>
> I would like to write a protocol analyzer and need some direction. I would
> like to write something simple which works on TCP, similar to the ConnSize
> analyzer. I would like my analyzer to be distributed as a plugin, similar
> to MITRE's HTTP2 analyzer, so I am following the docs here:
> https://docs.zeek.org/en/stable/devel/plugins.html
>
> However, the docs don't detail much beyond creating a built-in function. A
> colleague pointed me at this quickstart script for binpac:
> https://github.com/grigorescu/binpac_quickstart
>
> The quickstart script seems to be intended for writing a protocol analyzer
> which gets merged into the Zeek source. This is not how plugins operate.
>
> I'm looking for some guidance on how to proceed. Thanks in advance.
>
> -AK
> _______________________________________________
> zeek-dev mailing list
> zeek-dev@zeek.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek-dev

-- 
Robin Sommer * Corelight, Inc. * ro...@corelight.com * www.corelight.com
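For readers following the same path, the script half of such a plugin is the part the plugin docs describe least; the C++ analyzer raises an event, and a script shipped in the plugin's scripts/ directory turns it into a log. The following is an added illustration, not code from the thread, from the btest linked above, or from any Zeek project: it assumes a hypothetical plugin whose analyzer component is named "MyProto" (so Zeek generates the enum Analyzer::ANALYZER_MYPROTO) and whose .bif file declares a hypothetical event myproto_message(c: connection, is_orig: bool, payload: string). The port 4242/tcp is likewise a made-up example value. On Zeek 2.6, as in use at the time of this thread, the init event is bro_init rather than zeek_init and the file would be named main.bro.

```zeek
# Added example, not part of the original thread. Assumes a plugin that
# registers an analyzer component named "MyProto" and declares the event
# myproto_message in its .bif file; both names are hypothetical.
module MyProto;

export {
	## Log stream for the hypothetical analyzer.
	redef enum Log::ID += { LOG };

	## One record per observed message.
	type Info: record {
		ts:      time   &log;
		uid:     string &log;
		id:      conn_id &log;
		is_orig: bool   &log;
		len:     count  &log;
	};

	## Ports on which the analyzer is enabled; 4242/tcp is a made-up default.
	const ports = { 4242/tcp } &redef;
}

# Let connection.log mark the server side correctly for these ports.
redef likely_server_ports += { ports };

event zeek_init() &priority=5
	{
	Log::create_stream(MyProto::LOG, [$columns=Info, $path="myproto"]);

	# Attach the plugin's analyzer to connections on the configured ports.
	# The enum value is derived by Zeek from the component name "MyProto".
	Analyzer::register_for_ports(Analyzer::ANALYZER_MYPROTO, ports);
	}

# Raised from the C++ side (BifEvent::generate_myproto_message in the
# analyzer's DeliverStream); the signature is an assumption of this example.
event myproto_message(c: connection, is_orig: bool, payload: string)
	{
	Log::write(MyProto::LOG, [$ts=network_time(),
	                          $uid=c$uid,
	                          $id=c$id,
	                          $is_orig=is_orig,
	                          $len=|payload|]);
	}
```

Loading this script from the plugin's scripts/__load__.zeek makes the analyzer active as soon as the plugin is installed, which is the behaviour the MITRE HTTP2 plugin mentioned in the question relies on as well; without the register_for_ports call the analyzer compiles and loads but is never attached to any connection.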