[Lars Ruoff <Lars.Ruoff@xxxxxxxxxx>]

Hi,

frederic heem wrote:
> Hi,
> Did you have a look at www.snort.org ? It may be what you are looking 
for.

I had a look at it (although a short one i admit).
From what i can see from a first glance,
- snort provides nearly no means of decoding (and thus creating rules 
for) higher level protocols beyond transport layer?
- snort's features for having user-defined decoding extensions are very 
limited?
- i can't make rules that track conversations and do 
conversation-statefull statistics ?
Wireshark provides all these features.
Also, it is easy to add a new dissector to Wireshark in case i would 
like to detect issues on a proprietary protocol for example.
Also, keep in mind that i want to save the *entire* network traffic that 
was going on at the time i had the problem, not only the packets i use 
for detection of the problem.
But i don't want to log *all* network traffic over all time.

Think of my RTP lost packets example again. If there is an easy way to 
do that with snort, i'd love to learn it.

Lars


frederic heem wrote:
> Hi,
> Did you have a look at www.snort.org ? It may be what you are looking for.
> Frederic Heem.
>
>
> Alle 15:03, lunedì 30 ottobre 2006, Lars Ruoff ha scritto:
> > Hi list,
> >
> > I wonder if Wireshark could be extended to provide real-time network
> > issue detection and if there was any interest in the community to
> > implement this feature.
> >
> > Let me explain.
> > What i would like to have is the following:
> > Wireshark (tshark to be precise) would be run from another application
> > (let's call it the Monitor application). There would be a form of
> > interprocess communication between Wireshark and the latter.
> > Wireshark would capture packets, decode them and run certain analysis
> > modules (console style "tap-listeners", as can be activated via the -z
> > option).
> > The analysis modules would be designed to detect alarm conditions that
> > correspond to a certain network troubleshooting issue, for example,
> > think of a module that monitors RTP voice conversations and reports
> > whenever there is consecutive packet loss exceeding some threshold.
> > Whenever an alarm condition is met, Wireshark would notify the Monitor
> > application, and the latter would save the coresponding capture files.
> > Wireshark would be run in multiple files option, but the Monitor would
> > erase every written file after a while if no alarm condition has been
> > met during that time. Only the capture files containing alarm conditions
> > would be saved.
> > The goal is to have the whole thing running over several days/weeks
> > without filling up the HDD with unnecessary files.
> >
> > In fact i already have implemented an application that does just that!
> > It was back on Ethereal 0.10.3 and i had to modify Ethereal in a few ways:
> > - Include a form of interprocess communication with the calling Monitor.
> > (was done using Windows IPC, certainly not a good choice, but it was the
> > fastest possible way for me to do), including an ABI for the monitoring
> > taps to use it.
> > - Make Ethereal report whenever it switched to a new capture file.
> > (- Mayeb other things i don't remember any more)
> >
> > Problems i had to cope with:
> > - Ethereal was leaking memory which caused problems when running for
> > several days. My workaround was to have Monitor relaunch Ethereal every
> > now and then.
> >
> > Obviously, keeping up with Wireshark's release frequency is difficult
> > for me.
> > That is why i'm asking wether there would be interest in redesigning,
> > adding and maintaining the Wireshark related part to the Wireshark
> > source tree?
> >
> > best regards,
> > Lars Ruoff
> > _______________________________________________
> > Wireshark-dev mailing list
> > Wireshark-dev@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
>
> ______________________________________________________________________________
>
> --- NOTICE ---
>
> CONFIDENTIALITY - This  email  and  any  attachments  are confidential and are
> intended  for  the  addressee  only.   If  you  have  received this message by
> mistake,  please  contact us immediately and then delete the message from your
> system.  You  must  not copy, distribute, disclose or act upon the contents of
> this email. Thank you.
>
> PERSONAL DATA PROTECTION  (Law  by  Decree  30.06.2003  n. 196) - Personal and
> corporate  data  submitted  will  be used in a correct, transparent and lawful
> manner. The data collected will be processed in paper or computerized form for
> the performance of contractual  and  lawful  obligations  as  well  as for the
> effective management of business relationship. Data may be disclosed, in Italy
> or abroad, for the purpose above mentioned to third  parties  which  cooperate
> with Telsey, agents, banks, factoring companies,  credit recovering companies,
> credit  insurance  companies,  professional  and  consultants,  and   shipping
> companies. In relation to the same purposes, data  may  be  processed  by  the
> following  classes  of  executors  or  processors:  management; administration
> department; logistics  and  purchase  department; sales department; post sales
> department quality department; R&D department; IT department; legal department.
> The  data  processor  is  Telsey S.p.A.  The data subject may exercise all the
> rights set forth in art. 7 of Law by Decree 30.06.2003  n. 196 as reported  in
> in the following link http://www.telsey.it/privacy.jsp. 
>
> ______________________________________________________________________________
> 798t8RfNa6Dl8Ilf
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev