ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online
Wireshark logo

Ethereal-dev: Re: [Ethereal-dev] Two ideas for new capabilities

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <gharris@xxxxxxxxx>
Date: Sat, 19 Jun 2004 20:26:27 -0700
On Sat, Jun 19, 2004 at 10:45:51PM +0200, gregor.weiss@xxxxxxxx wrote:
> I would like to suggest two new capabilities ethereal/tethereal should have:
> 
> 1. When working in file-reading mode there is no need for using so much 
> memory. I would suggest that in that mode the buffers could be deleted when 
> they aren't used any more (they have been filtered and outputed) or at least 
> truncated to a small size and with a file offset that would indicate where in 
> the input file the packet can be re-read if needed.

Umm, that *is* what Ethereal does - and it's what Tethereal does, except
that Tethereal doesn't even bother to save the file offset, as it
doesn't ever re-read packets.

If packet reassembly is done, the reassembled packet data *is* saved. 
We could probably avoid doing that *if* we could efficiently randomly
access packets - even in gzipped files.  That form of random access is
not an easy thing to implement, however, so it's not necessarily going
to be added any time soon.  (It might be possible to, in Tethereal, free
the reassembled data once the packet is dissected.)

> 2. There could be a way of saying something like that: Filter out only
> packets that produced a lot of network trafic for a specified timeblock.
> This would allow someone to simply log down all DDOS attacks to the disk
> (assuming he has a faster hard drive than network card - so that it can
> be written in time). 
> The best would be if you could specify the size of the time interval that 
> interests you and how many packets need to be sent in it that they are 
> filtered out. For example more than 2000 packets in 1 minute would indicate 
> strange activities in a not-actively used subnetwork that isn't capable of 
> transfering large files.

I assume you mean that it should continuously capture traffic but only
start saving it when the traffic rate gets above some threshold, and
stop once the rate drops below that threshold.

That'd be useful, but whether that's something that should be done in
Ethereal or Tethereal is another matter; it might belong in an IDS, such
as Snort or Prelude, instead.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube