On Apr 14, 2009, at 2:26 PM, Mihai Bucicoiu wrote:
I know some of the wireshark test, and in this first 2 months step I
only what to implemnt just the simple ones. Validating MAC
addresses, IP , port , ICMP and established sessions. I know that it
is possible to filter traffic by this syntax. The reason for
choosing Wireshark was that everyone can write on the filter toolbar
"ymsg", and then add a rule to block this traffic, and only
technical peoples can make a iptable/cisco ACL to block it.
The filter "ymsg" matches all packets that Wireshark identifies as
Yahoo Messenger packets.
Wireshark identifies as Yahoo Messenger packets TCP segments that
begin with "YMSG" - *AND* any subsequent TCP segments that continue
the last packet of the segment. It does *not* identify them based on
port numbers.
That would be difficult to turn into a filter rule in any case,
especially if your filter rules can't test packet content - and even
harder, given that there's no guarantee that all Yahoo Messenger
packets begin with "YMSG", as they might continue a Yahoo Messenger
packet split across TCP segments.
Furthermore, there's nothing in the filter expression code that even
knows about identifying Yahoo Messenger packets based on the contents
- the only way to know that's how it identifies packets as Yahoo
Messenger packets is to look at the source code of Wireshark's Yahoo
Messenger dissector.