Wireshark-dev: Re: [Wireshark-dev] Wireshark and real-time network issue detection?
From: frederic heem <frederic.heem@xxxxxxxxx>
Date: Mon, 30 Oct 2006 17:03:23 +0200
At 15:32 on Monday 30 October 2006, Lars Ruoff wrote:
> Hi,
>
> frederic heem wrote:
> > Hi,
> > Did you have a look at www.snort.org ? It may be what you are looking
> > for.
>
> I had a look at it (although a short one I admit).

Fine, at least you've had a look at it.
Actually, I'm looking for almost the same feature: the Monitor asks tshark to be advised when a packet matches a filter. As soon as tshark receives such a packet, it signals the application that has requested such a packet.
Some work has already been done. Basically, it uses the D-Bus protocol as the IPC. At the moment, it is able to start and stop the capture, to set the network interface and the capture filename. What's remaining is setting the packet filter and signalling the application when such a packet is received.
Let me know if you're interested in collaborating on this project.

Frederic Heem

> From what I can see from a first glance,
> - snort provides nearly no means of decoding (and thus creating rules
> for) higher level protocols beyond transport layer?
> - snort's features for having user-defined decoding extensions are very
> limited?
> - I can't make rules that track conversations and do
> conversation-stateful statistics?
> Wireshark provides all these features.
> Also, it is easy to add a new dissector to Wireshark in case I would
> like to detect issues on a proprietary protocol for example.
> Also, keep in mind that I want to save the *entire* network traffic that
> was going on at the time I had the problem, not only the packets I use
> for detection of the problem.
> But I don't want to log *all* network traffic over all time.
>
> Think of my RTP lost packets example again. If there is an easy way to
> do that with snort, I'd love to learn it.
>
> Lars
>
> frederic heem wrote:
> > Hi,
> > Did you have a look at www.snort.org ? It may be what you are looking
> > for.
> >
> > Frederic Heem.
> >
> > At 15:03 on Monday 30 October 2006, Lars Ruoff wrote:
> >> Hi list,
> >>
> >> I wonder if Wireshark could be extended to provide real-time network
> >> issue detection and if there was any interest in the community to
> >> implement this feature.
> >>
> >> Let me explain.
> >> What I would like to have is the following:
> >> Wireshark (tshark to be precise) would be run from another application
> >> (let's call it the Monitor application). There would be a form of
> >> interprocess communication between Wireshark and the latter.
> >> Wireshark would capture packets, decode them and run certain analysis
> >> modules (console style "tap-listeners", as can be activated via the -z
> >> option).
> >> The analysis modules would be designed to detect alarm conditions that
> >> correspond to a certain network troubleshooting issue, for example,
> >> think of a module that monitors RTP voice conversations and reports
> >> whenever there is consecutive packet loss exceeding some threshold.
> >> Whenever an alarm condition is met, Wireshark would notify the Monitor
> >> application, and the latter would save the corresponding capture files.
> >> Wireshark would be run in multiple files option, but the Monitor would
> >> erase every written file after a while if no alarm condition has been
> >> met during that time. Only the capture files containing alarm conditions
> >> would be saved.
> >> The goal is to have the whole thing running over several days/weeks
> >> without filling up the HDD with unnecessary files.
> >>
> >> In fact I already have implemented an application that does just that!
> >> It was back on Ethereal 0.10.3 and I had to modify Ethereal in a few
> >> ways:
> >> - Include a form of interprocess communication with the calling
> >> Monitor. (was done using Windows IPC, certainly not a good choice, but
> >> it was the fastest possible way for me to do), including an ABI for the
> >> monitoring taps to use it.
> >> - Make Ethereal report whenever it switched to a new capture file.
> >> (- Maybe other things I don't remember any more)
> >>
> >> Problems I had to cope with:
> >> - Ethereal was leaking memory which caused problems when running for
> >> several days. My workaround was to have Monitor relaunch Ethereal every
> >> now and then.
> >>
> >> Obviously, keeping up with Wireshark's release frequency is difficult
> >> for me.
> >> That is why I'm asking whether there would be interest in redesigning,
> >> adding and maintaining the Wireshark related part to the Wireshark
> >> source tree?
> >>
> >> best regards,
> >> Lars Ruoff
> >> _______________________________________________
> >> Wireshark-dev mailing list
> >> Wireshark-dev@xxxxxxxxxxxxx
> >> http://www.wireshark.org/mailman/listinfo/wireshark-dev
> >
> > ______________________________________________________________________________
> >
> > --- NOTICE ---
> >
> > CONFIDENTIALITY - This email and any attachments are confidential
> > and are intended for the addressee only. If you have received
> > this message by mistake, please contact us immediately and then delete
> > the message from your system. You must not copy, distribute, disclose
> > or act upon the contents of this email. Thank you.
> >
> > PERSONAL DATA PROTECTION (Law by Decree 30.06.2003 n. 196) -
> > Personal and corporate data submitted will be used in a correct,
> > transparent and lawful manner. The data collected will be processed in
> > paper or computerized form for the performance of contractual and
> > lawful obligations as well as for the effective management of
> > business relationship. Data may be disclosed, in Italy or abroad, for the
> > purpose above mentioned to third parties which cooperate with Telsey,
> > agents, banks, factoring companies, credit recovering companies, credit
> > insurance companies, professional and consultants, and shipping
> > companies. In relation to the same purposes, data may be processed by
> > the following classes of executors or processors: management;
> > administration department; logistics and purchase department; sales
> > department; post sales department; quality department; R&D department; IT
> > department; legal department. The data processor is Telsey S.p.A.
> > The data subject may exercise all the rights set forth in art. 7 of Law
> > by Decree 30.06.2003 n. 196 as reported in the following link
> > http://www.telsey.it/privacy.jsp.
> >
> > ______________________________________________________________________________
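The detection and retention logic the thread sketches (a tap listener that alarms on consecutive RTP packet loss above a threshold, and a Monitor that keeps only the rotated capture files holding an alarm) can be prototyped outside tshark. The following is an added example written for this page, not code from the thread, from Wireshark or from Frederic's D-Bus work. It reads tab-separated lines of the kind `tshark -T fields -e rtp.ssrc -e rtp.seq` prints; the leading capture-file column, the sample lines and the threshold value are constructed assumptions so the retention decision can be shown offline.

```python
"""Toy RTP consecutive-loss detector plus capture-file retention policy.

Constructed example, not code from the mailing list thread or from
Wireshark. Input lines mimic `tshark -T fields -e rtp.ssrc -e rtp.seq`
output; the first column (capture file name) is an assumption added here
so the monitor can decide which rotated files to keep and which to erase.
"""

THRESHOLD = 3           # alarm when more than this many consecutive packets are missing
SEQ_MODULUS = 65536     # RTP sequence numbers are 16-bit (RFC 3550)
REORDER_WINDOW = 32768  # a "gap" of half the space or more is a late/duplicate packet, not loss

# Constructed sample input: capture file, SSRC, RTP sequence number (tab-separated).
SAMPLE = [
    "cap_00001.pcap\t0xdeadbeef\t100",
    "cap_00001.pcap\t0xdeadbeef\t101",
    "cap_00001.pcap\t0xdeadbeef\t102",
    "cap_00002.pcap\t0xdeadbeef\t103",
    "cap_00002.pcap\t0xdeadbeef\t104",
    "cap_00002.pcap\t0xcafe1234\t65534",
    "cap_00002.pcap\t0xcafe1234\t65535",
    "cap_00002.pcap\t0xcafe1234\t0",        # clean 16-bit wraparound, no loss
    "cap_00003.pcap\t0xdeadbeef\t110",      # 105..109 missing: 5 consecutive packets lost
    "cap_00003.pcap\t0xcafe1234\t1",
    "cap_00003.pcap\t0xcafe1234\t2",
    "cap_00004.pcap\t0xcafe1234\t3",
    "cap_00004.pcap\t0xdeadbeef\t111",
    "cap_00004.pcap\t0xdeadbeef\t109",      # late packet, must not be counted as loss
]


def parse_line(line):
    """Split one tab-separated line into (capture_file, ssrc, seq)."""
    cap, ssrc, seq = line.rstrip("\n").split("\t")
    return cap, ssrc, int(seq)


def seq_gap(prev, cur):
    """Number of packets missing between prev and cur, honouring 16-bit wraparound."""
    return (cur - prev - 1) % SEQ_MODULUS


def detect_alarms(lines, threshold=THRESHOLD):
    """Return [(capture_file, ssrc, lost)] for every gap that exceeds threshold.

    State is kept per SSRC, the way a tap listener would keep it per RTP stream.
    """
    last_seq = {}
    alarms = []
    for line in lines:
        cap, ssrc, seq = parse_line(line)
        prev = last_seq.get(ssrc)
        if prev is not None:
            gap = seq_gap(prev, seq)
            if gap >= REORDER_WINDOW:
                continue  # reordered or duplicate packet: keep the highest seq seen
            if gap > threshold:
                alarms.append((cap, ssrc, gap))
        last_seq[ssrc] = seq
    return alarms


def files_to_keep(lines, threshold=THRESHOLD):
    """Return (keep, discard): files that hold an alarm vs. files the Monitor may erase."""
    seen = list(dict.fromkeys(parse_line(l)[0] for l in lines))  # unique, in order
    keep = {cap for cap, _, _ in detect_alarms(lines, threshold)}
    return keep, [f for f in seen if f not in keep]


if __name__ == "__main__":
    for cap, ssrc, lost in detect_alarms(SAMPLE):
        print(f"ALARM in {cap}: SSRC {ssrc} lost {lost} consecutive packets")
    keep, discard = files_to_keep(SAMPLE)
    print("keep:", sorted(keep))
    print("discard:", discard)
```

Two details matter for a detector that runs for days or weeks: the modular gap computation keeps a 16-bit wraparound from being reported as a huge loss, and treating gaps of 32768 or more as reordering keeps a single late packet from resetting the stream's state. A production Monitor would also want to retain the file written just before the one holding the alarm, since the onset of a loss burst can straddle a file rotation boundary.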
- Follow-Ups:
  - Re: [Wireshark-dev] Wireshark and real-time network issue detection? (From: Lars Ruoff)
- References:
  - [Wireshark-dev] Wireshark and real-time network issue detection? (From: Lars Ruoff)
  - Re: [Wireshark-dev] Wireshark and real-time network issue detection? (From: frederic heem)
  - Re: [Wireshark-dev] Wireshark and real-time network issue detection? (From: Lars Ruoff)