Wireshark-users: Re: [Wireshark-users] Removing [TCP segment of a reassembled PDU] and HTTP Continuation or non-HTTP traffic



From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 5 Oct 2009 10:24:21 -0700


On Oct 2, 2009, at 5:05 AM, Domingo J. Ponce wrote:

I only need this in Tshark and not Wireshark. I use tshark Live to view
any incoming attacks (SYN Floods, ACK Floods, UDP Floods)

Would a tool such as Snort, or some other intrusion detection system, be better for that? Wireshark really isn't designed to be, or intended to be, an IDS, and probably couldn't be made into a good IDS without making it less good as a protocol analyzer. (Wireshark/TShark do very detailed analysis of packets, as that's what they're intended to do; this means it probably does far more work than is necessary in an IDS. It also reassembles packets made up from multiple lower-layer packets, which currently can consume a significant amount of memory; we can probably reduce that, although we'd have to change the way reassembly is done to do that - fortunately, we can *probably* do that without affecting the protocol dissectors that do reassembly.)
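As an added illustration (not part of this thread), the following shows what the original poster's tshark setup looks like when TCP reassembly is switched off via the preference Guy refers to, restricted to SYN-without-ACK packets, with a small shell tally of SYNs per source run over constructed tshark field output. The interface name eth0, the threshold value and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Wireshark project or this thread.
# Live invocation (assumes interface eth0 and IPv4 only; not run here):
#   tshark -i eth0 -l \
#     -o tcp.desegment_tcp_streams:FALSE \
#     -Y 'ip && tcp.flags.syn==1 && tcp.flags.ack==0' \
#     -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport \
#   | count_syn_by_src
# Disabling tcp.desegment_tcp_streams stops TShark from building PDUs
# across segments, so no "[TCP segment of a reassembled PDU]" rows appear
# and the per-stream reassembly buffers are never allocated.

# Count SYN-only packets per source address. Input is the tab-separated
# "time<TAB>src<TAB>dst<TAB>dstport" lines that -T fields emits.
count_syn_by_src() {
    awk -F'\t' 'NF >= 2 && $2 != "" { n[$2]++ }
                END { for (s in n) printf "%d %s\n", n[s], s }' |
    sort -rn
}

# Print sources whose SYN count meets or exceeds a threshold (default 3).
syn_sources_over() {
    threshold="${1:-3}"
    count_syn_by_src | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample of TShark -T fields output (tab-separated).
SAMPLE_SYNS=$(
  printf '1254504000.001\t10.0.0.9\t192.0.2.10\t80\n'
  printf '1254504000.002\t10.0.0.9\t192.0.2.10\t80\n'
  printf '1254504000.003\t198.51.100.4\t192.0.2.10\t443\n'
  printf '1254504000.004\t10.0.0.9\t192.0.2.10\t80\n'
  printf '1254504000.005\t10.0.0.9\t192.0.2.10\t22\n'
  printf '1254504000.006\t203.0.113.7\t192.0.2.10\t80\n'
  printf '1254504000.007\t10.0.0.9\t192.0.2.10\t80\n'
)

# Stand-alone run: per-source tally, then sources at or over the threshold.
printf '%s\n' "$SAMPLE_SYNS" | count_syn_by_src
printf '%s\n' "$SAMPLE_SYNS" | syn_sources_over 3
```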

