There are two filetypes (sort of...) that I was wondering how difficult it
might be to get ethereal to handle (and what good it might do...)
One, which is perhaps the most novel, is handling packet dumps from cisco
routers. On a Cisco router, if you issue the command "debug ip packet
{access-list #} dump", it will start dumping the hex representation of the
full packets which match the access-list #. If you have your syslog set to
debug level, it will actually log these to a syslog server. It seems that
it shouldn't be *terribly* difficult to write a parser that reads in a
syslog file, gets the time/date stamps from each syslog message, and the
data from the hexdump, and parses it into something that can be easily
displayed in ethereal. Anyone have any thoughts?
The second, which I'm wondering if it's useful at all, is a parser for
snort's unified output file format. This format is *almost* identical to
libpcap, but has extra data added to each frame (stuff like which snort rule
caused this particular packet to get tagged). Now, it's probably fairly
trivial to write something to read in these files and display the standard
information. It's also fairly unnecessary, as there are tools to "extract" a
libpcap-formatted file from a snort unified output file. However, if there
were a way to get ethereal to actually do something useful with the extra
data (i.e., parse it out and show it in the protocol tree with the other
frame meta-information such as time, time_delta, time_relative, number,
pkt_len and cap_len), or even to have it treated almost as an encapsulation
protocol, then that could be very useful.
Anyone think that either of these is interesting, useful, both or neither?
Or am I completely barking up the wrong tree?
Thanks,
-Joe
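A sketch of the first idea, the syslog-to-capture converter for "debug ip packet dump" output, as an added example that is not code from the original post or from Ethereal: it takes the timestamp from each syslog message, assembles the packet bytes from the hex-dump lines that follow, and writes a classic libpcap file. The syslog prefix and dump-line layout are assumed, the sample lines are constructed, the year is assumed because syslog stamps carry none, and link type 101 (raw IP) assumes the dump starts at the IP header.

```python
import re
import struct
import calendar
from datetime import datetime

# Constructed sample of what a router running "debug ip packet <acl> dump" might
# send to syslog (layout assumed, not captured from a real device). A line carrying
# "IP:" starts each packet; the hex-dump lines that follow carry its bytes.
SAMPLE_SYSLOG = """\
Mar  1 00:12:34 rtr1 45: IP: s=10.0.0.1 (Ethernet0), d=10.0.0.2, len 40, rcvd 3
Mar  1 00:12:34 rtr1 46: 0A6C2320: 45000028 00010000 4006668D 0A000001
Mar  1 00:12:34 rtr1 47: 0A6C2330: 0A000002 04D20050 00000000 00000000
Mar  1 00:12:34 rtr1 48: 0A6C2340: 50020000 A7C40000
Mar  1 00:12:35 rtr1 49: IP: s=10.0.0.2 (Ethernet1), d=10.0.0.1, len 40, sending
Mar  1 00:12:35 rtr1 50: 0A6C2320: 45000028 00020000 4006668C 0A000002
Mar  1 00:12:35 rtr1 51: 0A6C2330: 0A000001 005004D2 00000000 00000001
Mar  1 00:12:35 rtr1 52: 0A6C2340: 50120000 A7B20000
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \d+: (.*)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}:((?:\s+[0-9A-Fa-f]{2,8})+)")  # "addr: hex hex ..."

def parse_cisco_dump(text, year=2003):
    """Return [(unix_ts, packet_bytes), ...] assembled from syslog text. Syslog
    stamps carry no year, so one is assumed; a trailing ASCII column is ignored."""
    packets, cur = [], None  # cur = [timestamp, bytearray] of the packet in progress
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        stamp, body = m.groups()
        if body.startswith("IP:"):  # header line: flush previous packet, start new
            if cur and cur[1]:
                packets.append((cur[0], bytes(cur[1])))
            dt = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            cur = [calendar.timegm(dt.timetuple()), bytearray()]
        elif cur is not None and (h := HEX_RE.match(body)):
            cur[1] += bytes.fromhex(h.group(1).replace(" ", ""))
    if cur and cur[1]:
        packets.append((cur[0], bytes(cur[1])))
    return packets

def to_pcap(packets, linktype=101):
    """Classic little-endian libpcap file. Link type 101 (LINKTYPE_RAW) assumes the
    dump starts at the IP header; use 1 (Ethernet) if the router included L2."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for ts, data in packets:  # per-record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", ts, 0, len(data), len(data)) + data
    return bytes(out)
```

Writing `to_pcap(parse_cisco_dump(SAMPLE_SYSLOG))` to a file gives something ethereal opens directly; sub-second precision is lost because the syslog stamp only has seconds, and the constructed sample's checksums are not valid.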