Wireshark-users: Re: [Wireshark-users] Wireshark capture filters
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 28 Mar 2007 12:21:49 -0700
Michael Bann wrote:

I am looking into the possibility of using wireshark terminal (still called "tethereal" on my computer) for some basic security automation.

In what fashion are you thinking of using it?

You might want to, for example, look at snort:

	http://www.snort.org/

as it might be a much better fit for security automation. (Wireshark/TShark are designed as network traffic analyzers to let people look at traffic, not as automated analyzers running in the background - snort is more designed for the latter function.)

The problem is two-fold.

- First, I need to know how feasible it would be to have possibly around 1000 capture filters. They would all be of the form "dst host <dst ip> and src host <src ip> and not ether dst host <dst host ether>". Suppose it could be considered an arp poisoning test. Would that many rules grind tethereal to a halt?

It could take a while for libpcap's compiler to generate code for that, but that's only done when you start tcpdump/tethereal/tshark/etc..

A filter that big might be too big for some OS kernels that support BPF in the kernel (BSD-flavored OSes including OS X, newer Linux systems, Digital/Tru64 UNIX), so it might have to be done in userland, which means all packets would be copied to userland, not just packets that match the filter, and the filtering done in libpcap.

The BPF interpreter should be reasonably efficient, but I don't know at what point it would take a significant chunk of time.

- Secondly, how can i load capture filters from a file (using tethereal in my case). I have some capture filters saved in the cfilter file, but they don't seem to be getting loaded. (of the form "filter" <actual filter line>\n)

With tethereal/tshark, the only way would be to do

	tshark -f `cat file` ...

on UN*X, which only works if your kernel and shell allow enough characters in command-line arguments.

If you just want to capture raw traffic (not decoded traffic) to a file, you could also use tcpdump/WinDump:

	tcpdump -F file_with_filter -s 0 -w file_to_write_to