Zeek Spicy OSPF Packet Analyzer Update – v0.1.4

Hey Keith,
As you have written a packet analyser, can you please give me few pointers to make my goose protocol run?
I didn’t able to find how packet analyser is working, like in protocol analyser we give transport protocol and port, using which zeek will detect the packet for that protocol and pass it to corresponding spicy parser. What happens for packet analyser?
Below are my scripts, I am able to register the plugin and can see in zeek -NN without any error but It is not printing anything for the pcap, just getting packet_filter.log with an entry of default bpf filter IP or not IP. Can you please help me to understand where I am doing wrong here.
Thanks a lot!
spicy parser script
`biswa:~/zeek-spicy-goose/analyzer$ cat goose.spicy

module zeek_spicy_goose;
public type GOOSEPacket = unit {
appid: uint8;
pkt_len: uint16;
payload: bytes &eod;
};

spicy event
biswa:~/zeek-spicy-goose/analyzer$ cat goose.evt
packet analyzer spicy::GOOSE:
parse with zeek_spicy_goose::GOOSEPacket;

import zeek_spicy_goose;

on zeek_spicy_goose::GOOSEPacket -> event GOOSE::message($packet, self.appid, self.pkt_len);

zeek spicy script
biswa:~/zeek-spicy-goose/analyzer$ cat zeek_goose.spicy

module Zeek_zeek_spicy_goose;

import zeek_spicy_goose;
import zeek;

on zeek_spicy_goose::GOOSEPacket::%done {
zeek::confirm_protocol();
}

on zeek_spicy_goose::GOOSEPacket::%error {
zeek::reject_protocol(“error while parsing GOOSE record”);
}

Zeek script
biswa@dmz-ashish-new:~/zeek-spicy-goose/analyzer$ cat ../scripts/main.zeek
module GOOSE;

global goose_topic = “/topic/goose”;

global begin_time: time;
global total_time: interval;

export {
## Log stream identifier.
redef enum Log::ID += { GOOSE_LOG };

## Record type containing the column fields of the goose log.
type Info: record {
## Timestamp for when the activity happened.
ts: time &log &default=network_time();
appid: count &log &optional;
pkt_len: count &log &optional;
};

global GOOSE::message: event(pkt: raw_pkt_hdr, appid: count, pkt_len: count);

global analyzer_confirmation: event(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo);

global GOOSE::log_goose: event(rec: GOOSE::Info);

global log_GOOSE: event(rec: Info);
}

redef record raw_pkt_hdr += {
GOOSE: Info &optional;
};

event zeek_init() &priority=5
{
suspend_processing();
Broker::peer(addr_to_uri(127.0.0.1), 50000/tcp);

if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name(“Ethernet”, 0x88ba, “spicy_GOOSE”) )
if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name(“Ethernet”, 0x88ba, “spicy::GOOSE”) )
print “cannot register GOOSE Spicy analyzer”;

Log::create_stream(GOOSE::GOOSE_LOG, [$columns=Info, $ev=log_goose, $path=”goose”]);
}

#print this event per packet
event GOOSE::message(packet: raw_pkt_hdr, appid: count, pkt_len: count)
{
local info: Info = [$ts=network_time(), $appid=appid, $pkt_len=pkt_len];
print “Processing pcakets”, packet;
Log::write(GOOSE::GOOSE_LOG, info);
}

event Broker::peer_added(ep: Broker::EndpointInfo, msg: string)
{
print “PEER ADDED”, ep;
continue_processing();
}
#send this event over the broker
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
{
if ( atype == Analyzer::ANALYZER_SPICY_GOOSE)
{
Broker::publish(goose_topic, analyzer_confirmation, atype, info);
}
}
`
PCAP file: https://github.com/ITI/ICS-Security-Tools/blob/master/pcaps/IEC61850/GOOSE/GOOSE.pcap