On Apr 14, 2009, at 7:20 AM, Mihai Bucicoiu wrote:
> I was looking for something like iptables, I'll write my own kernel module
> if it's necessary, but I know that netfilter has some user-space
> interface for this.
Wireshark is a network analyzer program, not a network filter front
end; its filtering language was not designed to generate ACL rules,
and there's no guarantee that a particular filter expression will ever
be able to be turned into an ACL rule (the filtering language was not
designed to be limited in its capabilities to what particular
firewalling mechanisms support).
What its ACL filter mechanism does is let you construct, based on the
*contents of a packet in a network trace*, filter rules that would
accept or reject the packet in question based on certain fields in the
packet (MAC address, IPv4 address, TCP or UDP port, IPv4 address, IPv4
address+port). It doesn't include any mechanism for applying those
filters, as
1) you might not be applying the filter on the machine on which
you're running Wireshark (it supports generating filter rules for
Cisco IOS)
and
2) even for filter types that are supported by the OS on which you're
running Wireshark, that requires more code and checks to determine
which particular type of filtering mechanism your OS has.
It sounds as if you're developing something that doesn't involve
captured packets at all, just taking an expression in one packet-
matching language (Wireshark's filter language) and attempting to turn
it into an expression in another packet-matching language (the
language for whatever packet filter mechanism you're using). There's
nothing Wireshark-specific about that - you're not using any of
Wireshark's inherent capabilities, as you're not generating the filter
expression from a captured packet's contents - so why are you choosing
to use Wireshark for this?
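The rule-from-packet-fields idea described in the reply above, written out as an added example: this is not Wireshark's code and not its actual mapping, just a small generator of my own that takes the few fields of one captured packet (MAC, IPv4 source, port, address+port) and emits the rule that would accept or reject that packet for two of the targets the reply mentions, netfilter/iptables and Cisco IOS. The packet values are constructed (documentation address ranges); the field validation is a choice of mine so that a garbled capture cannot become a garbled rule.

```python
"""Added example, not Wireshark's code: derive firewall rules for one
captured packet from its fields, for iptables and Cisco IOS targets."""
import ipaddress
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class PacketFields:
    """The handful of fields the generator looks at in one captured packet."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int

    def __post_init__(self) -> None:
        # Refuse anything that is not a literal IPv4 address, a known
        # transport or a sane port: a bad capture must not yield a bad rule.
        for ip in (self.src_ip, self.dst_ip):
            if ipaddress.ip_address(ip).version != 4:   # ValueError on garbage
                raise ValueError(f"IPv4 address expected: {ip}")
        if self.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {self.proto}")
        if not 0 < self.dst_port < 65536:
            raise ValueError(f"bad port: {self.dst_port}")


def iptables_rules(p: PacketFields, deny: bool = True) -> Dict[str, str]:
    """netfilter rules matching this packet as it arrives on the capturing host,
    one per field kind (MAC, address, port, address+port)."""
    target = "DROP" if deny else "ACCEPT"
    return {
        "mac":     f"iptables -A INPUT -m mac --mac-source {p.src_mac} -j {target}",
        "ip":      f"iptables -A INPUT -s {p.src_ip} -j {target}",
        "port":    f"iptables -A INPUT -p {p.proto} --dport {p.dst_port} -j {target}",
        "ip+port": f"iptables -A INPUT -s {p.src_ip} -p {p.proto} "
                   f"--dport {p.dst_port} -j {target}",
    }


def cisco_ios_rules(p: PacketFields, deny: bool = True) -> Dict[str, str]:
    """Cisco IOS ACL lines for the same packet.  A standard ACL (number 1)
    can test only the source address; port tests need an extended ACL
    (number 100).  IOS IP ACLs carry no MAC test, so no 'mac' entry exists:
    this is exactly the kind of per-target limitation the reply describes."""
    action = "deny" if deny else "permit"
    return {
        "ip":      f"access-list 1 {action} host {p.src_ip}",
        "port":    f"access-list 100 {action} {p.proto} any any eq {p.dst_port}",
        "ip+port": f"access-list 100 {action} {p.proto} host {p.src_ip} "
                   f"host {p.dst_ip} eq {p.dst_port}",
    }


# Constructed sample packet: documentation address ranges, not real hosts.
SAMPLE = PacketFields(src_mac="00:11:22:33:44:55", src_ip="192.0.2.10",
                      dst_ip="198.51.100.20", proto="tcp", dst_port=80)

if __name__ == "__main__":
    for name, rules in (("iptables", iptables_rules(SAMPLE)),
                        ("Cisco IOS", cisco_ios_rules(SAMPLE))):
        print(f"# {name}")
        for kind, rule in rules.items():
            print(f"  [{kind}] {rule}")
```

Nothing here applies a rule anywhere; like the Wireshark feature, it only prints text for an operator to review and paste into the right place, which is the point of the reply: the hard part is not emitting a line of syntax, it is knowing which filtering mechanism the target actually has.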