frederic heem wrote:
> Actually, I'm looking for almost the same feature:
> The monitor asks tshark to be advised when a packet matches a filter.
> As soon as tshark receives such a packet, it signals the application that has
> requested such a packet.

That would be a special (trivial) case of my general concept: A filter 
and a tap which fires the alarm every time it is called.

> Some work has already been done. Basically, it uses the D-Bus protocol as the
> IPC.

Don't know D-Bus. At first glance it looks like overkill to me, but
why not.

> At the moment, it is able to start and stop the capture, to set the
> network interface and the capture filename.

I did this simply via the command line args.
I introduced additional command line args for the special taps,
in the style: -z my_tap my_tap_arguments

> What's remaining is setting the packet filter and signal the application when 
> such a packet is received.
> Let me know if you're interested in collaborating on this project.
> Frederic Heem

Sure, I am!
(Don't have the time to work full-time on it though)

br,
Lars Ruoff
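An added example, not code from this thread, from Wireshark or from either poster: the RTP consecutive-loss alarm Lars describes, written as a small tap fed by tshark's per-packet field output rather than as a compiled -z listener. The tshark flags and field names used in `tshark_argv`, the alarm threshold, the 16-bit wrap handling and the sample lines are assumptions made here; the sample output is constructed, not captured.

```python
"""RTP consecutive-loss alarm tap driven by tshark field output (added example).

Assumptions (not from the original mails): tshark is on PATH and supports
-l, -Y, -T fields, -E separator and the fields rtp.ssrc / rtp.seq; the
monitor that launches it decides which ring-buffer files to keep.
"""
import subprocess
from dataclasses import dataclass, field
from typing import Iterator, Optional

SEQ_MOD = 1 << 16  # RTP sequence numbers are 16-bit and wrap (RFC 3550)


def tshark_argv(iface: str, capture_filter: str = "udp") -> list[str]:
    """argv for a line-buffered feed of 'ssrc,seq' per RTP packet (assumed flags)."""
    return ["tshark", "-i", iface, "-l", "-f", capture_filter,
            "-Y", "rtp", "-T", "fields", "-E", "separator=,",
            "-e", "rtp.ssrc", "-e", "rtp.seq"]


@dataclass
class LossAlarm:
    ssrc: int
    expected: int   # sequence number we were waiting for
    received: int   # sequence number that actually arrived
    lost: int       # consecutive packets missing in between


@dataclass
class RtpLossTap:
    threshold: int  # consecutive lost packets that raise an alarm
    _next: dict = field(default_factory=dict)  # ssrc -> next expected seq

    def packet(self, ssrc: int, seq: int) -> Optional[LossAlarm]:
        """Per-packet callback, like a tap listener. Returns an alarm or None."""
        seq %= SEQ_MOD
        expected = self._next.get(ssrc)
        if expected is None:               # first packet of this stream
            self._next[ssrc] = (seq + 1) % SEQ_MOD
            return None
        gap = (seq - expected) % SEQ_MOD   # packets missing between them
        if gap >= SEQ_MOD // 2:            # late/duplicate: keep waiting for `expected`
            return None
        self._next[ssrc] = (seq + 1) % SEQ_MOD
        if gap >= self.threshold:
            return LossAlarm(ssrc, expected, seq, gap)
        return None


def parse_field_line(line: str) -> Optional[tuple[int, int]]:
    """Parse one 'ssrc,seq' line; tshark prints ssrc as 0x... so int(x, 0) is used."""
    parts = line.strip().split(",")
    if len(parts) != 2 or not all(parts):
        return None
    try:
        return int(parts[0], 0), int(parts[1])
    except ValueError:
        return None


def run_tap(lines, threshold: int = 5) -> list[LossAlarm]:
    """Offline version: run the tap over already-captured field lines."""
    tap = RtpLossTap(threshold)
    alarms = []
    for line in lines:
        rec = parse_field_line(line)
        if rec is None:
            continue
        alarm = tap.packet(*rec)
        if alarm:
            alarms.append(alarm)
    return alarms


def monitor(iface: str, threshold: int = 5) -> Iterator[LossAlarm]:
    """Live version: spawn tshark and yield alarms as they happen."""
    proc = subprocess.Popen(tshark_argv(iface), stdout=subprocess.PIPE, text=True)
    tap = RtpLossTap(threshold)
    for line in proc.stdout:
        rec = parse_field_line(line)
        if rec and (alarm := tap.packet(*rec)):
            yield alarm


# Constructed sample of tshark output: stream 0x1000 loses 13..19 (7 packets)
# and later gets 19 out of order; stream 0x2000 wraps 65535 -> 0 without loss.
SAMPLE_LINES = [
    "0x1000,10", "0x1000,11", "0x2000,65534", "0x1000,12", "0x2000,65535",
    "0x2000,0", "0x1000,20",
    "0x2000,1", "0x1000,21", "0x1000,19",
    "0x1000,22",
]

if __name__ == "__main__":
    for a in run_tap(SAMPLE_LINES, threshold=5):
        print(f"ALARM ssrc={a.ssrc:#x} expected={a.expected} got={a.received} lost={a.lost}")
```

On the sample, only the 0x1000 stream alarms (expected 13, got 20, 7 lost); the wrap on 0x2000 and the late packet 19 are not counted as loss, which is the edge a naive "seq != last+1" check gets wrong. A monitor using `monitor()` would, on each yielded alarm, mark the capture file tshark is currently writing as one to keep.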

> 
>> From what I can see at first glance,
>> - snort provides nearly no means of decoding (and thus creating rules
>> for) higher level protocols beyond transport layer?
>> - snort's features for having user-defined decoding extensions are very
>> limited?
>> - I can't make rules that track conversations and do
>> conversation-stateful statistics?
>> Wireshark provides all these features.
>> Also, it is easy to add a new dissector to Wireshark in case I would
>> like to detect issues on a proprietary protocol, for example.
>> Also, keep in mind that I want to save the *entire* network traffic that
>> was going on at the time I had the problem, not only the packets I use
>> for detection of the problem.
>> But I don't want to log *all* network traffic over all time.
>>
>> Think of my RTP lost packets example again. If there is an easy way to
>> do that with snort, I'd love to learn it.
>>
>> Lars
>>
>> frederic heem wrote:
>>> Hi,
>>> Did you have a look at www.snort.org? It may be what you are looking
>>> for. Frederic Heem.
>>>
>>> At 15:03, Monday 30 October 2006, Lars Ruoff wrote:
>>>> Hi list,
>>>>
>>>> I wonder if Wireshark could be extended to provide real-time network
>>>> issue detection and if there was any interest in the community to
>>>> implement this feature.
>>>>
>>>> Let me explain.
>>>> What I would like to have is the following:
>>>> Wireshark (tshark to be precise) would be run from another application
>>>> (let's call it the Monitor application). There would be a form of
>>>> interprocess communication between Wireshark and the latter.
>>>> Wireshark would capture packets, decode them and run certain analysis
>>>> modules (console style "tap-listeners", as can be activated via the -z
>>>> option).
>>>> The analysis modules would be designed to detect alarm conditions that
>>>> correspond to a certain network troubleshooting issue, for example,
>>>> think of a module that monitors RTP voice conversations and reports
>>>> whenever there is consecutive packet loss exceeding some threshold.
>>>> Whenever an alarm condition is met, Wireshark would notify the Monitor
>>>> application, and the latter would save the corresponding capture files.
>>>> Wireshark would be run with the multiple files option, but the Monitor would
>>>> erase every written file after a while if no alarm condition has been
>>>> met during that time. Only the capture files containing alarm conditions
>>>> would be saved.
>>>> The goal is to have the whole thing running over several days/weeks
>>>> without filling up the HDD with unnecessary files.
>>>>
>>>> In fact I already have implemented an application that does just that!
>>>> It was back on Ethereal 0.10.3 and I had to modify Ethereal in a few
>>>> ways:
>>>> - Include a form of interprocess communication with the calling
>>>> Monitor (was done using Windows IPC, certainly not a good choice, but
>>>> it was the fastest possible way for me to do it), including an ABI for the
>>>> monitoring taps to use it.
>>>> - Make Ethereal report whenever it switched to a new capture file.
>>>> (- Maybe other things I don't remember any more)
>>>>
>>>> Problems i had to cope with:
>>>> - Ethereal was leaking memory which caused problems when running for
>>>> several days. My workaround was to have Monitor relaunch Ethereal every
>>>> now and then.
>>>>
>>>> Obviously, keeping up with Wireshark's release frequency is difficult
>>>> for me.
>>>> That is why I'm asking whether there would be interest in redesigning,
>>>> adding and maintaining the Wireshark related part to the Wireshark
>>>> source tree?
>>>>
>>>> best regards,
>>>> Lars Ruoff
>>>> _______________________________________________
>>>> Wireshark-dev mailing list
>>>> Wireshark-dev@wireshark.org
>>>> http://www.wireshark.org/mailman/listinfo/wireshark-dev