Wireshark-dev: Re: [Wireshark-dev] [ACL][firewall] how to

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 14 Apr 2009 10:13:53 -0700

On Apr 14, 2009, at 7:20 AM, Mihai Bucicoiu wrote:

> I was looking for something like iptables, I'll my own kernel module if it's necessary, but I know that netfilter has some user-space interface for this.

Wireshark is a network analyzer program, not a network filter front end; its filtering language was not designed to generate ACL rules, and there's no guarantee that a particular filter expression will ever be able to be turned into an ACL rule (the filtering language was not designed to be limited in its capabilities to what particular firewalling mechanisms support).

What its ACL filter mechanism does is let you construct, based on the *contents of a packet in a network trace*, filter rules that would accept or reject the packet in question based on certain fields in the packet (MAC address, IPv4 address, TCP or UDP port, IPv4 address, IPv4 address+port). It doesn't include any mechanism for applying those filters, as

1) you might not be applying the filter on the machine on which you're running Wireshark (it supports generating filter rules for Cisco IOS)

and

2) even for filter types that are supported by the OS on which you're running Wireshark, that requires more code and checks to determine which particular type of filtering mechanism your OS has.

It sounds as if you're developing something that doesn't involve captured packets at all, just taking an expression in one packet-matching language (Wireshark's filter language) and attempting to turn it into an expression in another packet-matching language (the language for whatever packet filter mechanism you're using). There's nothing Wireshark-specific about that - you're not using any of Wireshark's inherent capabilities, as you're not generating the filter expression from a captured packet's contents - so why are you choosing to use Wireshark for this?
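
An added illustration, not part of the original message and not Wireshark's code: a Python sketch of the approach described above, deriving accept/reject rules from the fields of one captured packet and only emitting rule text, never applying it. The function name, the field selector names and the sample packet are assumptions made up for this example; the output uses ordinary iptables and Cisco IOS extended ACL syntax, which is not necessarily the exact text Wireshark produces.

```python
import ipaddress

# Constructed sample: fields decoded from one captured TCP packet.
SAMPLE_PACKET = {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.7",
                 "proto": "tcp", "src_port": 51514, "dst_port": 443}

def rules_from_packet(pkt, field, deny=True, acl_number=101):
    """Build rules that match one field of a captured packet.

    field: "src_ip", "dst_port" or "src_ip+port" (hypothetical selector names).
    Returns {"iptables": str, "cisco_ios": str}; nothing is applied.
    """
    # Validate every value before it is formatted into a rule string, so a
    # malformed or hostile capture cannot smuggle extra tokens into a rule.
    src = str(ipaddress.IPv4Address(pkt["src_ip"]))
    proto = pkt["proto"]
    if proto not in ("tcp", "udp"):
        raise ValueError("only TCP and UDP are handled here")
    for key in ("src_port", "dst_port"):
        if not 0 < int(pkt[key]) < 65536:
            raise ValueError(f"{key} out of range")
    sport, dport = int(pkt["src_port"]), int(pkt["dst_port"])

    target = "DROP" if deny else "ACCEPT"
    verb = "deny" if deny else "permit"
    if field == "src_ip":
        ipt = f"-s {src}"
        ios = f"ip host {src} any"
    elif field == "dst_port":
        ipt = f"-p {proto} --dport {dport}"
        ios = f"{proto} any any eq {dport}"
    elif field == "src_ip+port":
        ipt = f"-s {src} -p {proto} --sport {sport}"
        ios = f"{proto} host {src} eq {sport} any"
    else:
        raise ValueError(f"unsupported field: {field}")
    return {"iptables": f"iptables -A INPUT {ipt} -j {target}",
            "cisco_ios": f"access-list {acl_number} {verb} {ios}"}

if __name__ == "__main__":
    for f in ("src_ip", "dst_port", "src_ip+port"):
        for kind, rule in rules_from_packet(SAMPLE_PACKET, f).items():
            print(f"{f:12} {kind:10} {rule}")
```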