Wireshark-users: Re: [Wireshark-users] Removing [TCP segment of a reassembled PDU] and HTTP Conti
On Oct 2, 2009, at 5:05 AM, Domingo J. Ponce wrote:
I only need this in Tshark and not Wireshark. I use tshark live to view any incoming attacks (SYN floods, ACK floods, UDP floods).
Would a tool such as Snort, or some other intrusion detection system,
be better for that? Wireshark really isn't designed to be, or
intended to be, an IDS, and probably couldn't be made into a good IDS
without making it less good as a protocol analyzer. (Wireshark/TShark
do very detailed analysis of packets, as that's what they're intended
to do; this means it probably does far more work than is necessary in
an IDS. It also reassembles packets made up from multiple lower-layer
packets, which currently can consume a significant amount of memory;
we can probably reduce that, although we'd have to change the way
reassembly is done to do that - fortunately, we can *probably* do that
without affecting the protocol dissectors that do reassembly.)
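As an added illustration of the live-view use case above (not code from the thread or from the Wireshark project), the script below reads tshark field output and flags sources sending bursts of SYN-only segments. It assumes tshark is run with `-T fields` producing the comma-separated columns shown in the comment, and with the `tcp.desegment_tcp_streams` preference turned off so the reassembly the reply discusses is skipped; the sample rows are constructed.

```python
"""Flag SYN-only bursts per source in tshark field output (added example)."""
from collections import defaultdict

# Constructed sample in the layout produced by (assumed invocation):
#   tshark -i eth0 -o tcp.desegment_tcp_streams:FALSE -T fields -E separator=, \
#          -e frame.time_epoch -e ip.src -e tcp.flags.syn -e tcp.flags.ack
SAMPLE = """\
1254484800.001,203.0.113.7,1,0
1254484800.002,203.0.113.7,1,0
1254484800.003,203.0.113.7,1,0
1254484800.004,203.0.113.7,1,0
1254484800.010,198.51.100.2,1,0
1254484800.011,198.51.100.2,0,1
1254484800.900,203.0.113.7,1,0
1254484801.500,203.0.113.7,1,0
"""

# tshark prints booleans as 1/0 in older releases and True/False in newer ones.
_TRUE = ("1", "True")
_FALSE = ("0", "False")


def parse_lines(text):
    """Yield (timestamp, src, syn_only) per row; skip rows that are malformed."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        syn_only = parts[2] in _TRUE and parts[3] in _FALSE
        yield ts, parts[1], syn_only


def syn_bursts(text, window=1.0, threshold=4):
    """Return {src: peak SYN-only count in any sliding window} for sources at/over threshold."""
    per_src = defaultdict(list)
    for ts, src, syn_only in parse_lines(text):
        if syn_only:
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged
```

Thresholds here are deliberately tiny so the sample trips them; a real deployment would tune the window and count to the link's normal connection rate.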