Michael Bann wrote:
> I am looking into the possibility of using wireshark terminal (still
> called "tethereal" on my computer) for some basic security automation.
In what fashion are you thinking of using it?
You might want to, for example, look at snort:
http://www.snort.org/
as it might be a much better fit for security automation.
(Wireshark/TShark are designed as network traffic analyzers to let
people look at traffic, not as automated analyzers running in the
background - snort is more designed for the latter function.)
> The problem is two-fold.
> - First, I need to know how feasible it would be to have possibly
> around 1000 capture filters. They would all be of the form "dst host
> <dst ip> and src host <src ip> and not ether dst host <dst host ether>".
> Suppose it could be considered an ARP poisoning test. Would that many
> rules grind tethereal to a halt?
It could take a while for libpcap's compiler to generate code for that,
but that's only done when you start tcpdump/tethereal/tshark/etc.
A filter that big might be too big for some OS kernels that support BPF
in the kernel (BSD-flavored OSes including OS X, newer Linux systems,
Digital/Tru64 UNIX), so it might have to be done in userland, which
means all packets would be copied to userland, not just packets that
match the filter, and the filtering done in libpcap.
The BPF interpreter should be reasonably efficient, but I don't know at
what point it would take a significant chunk of time.
> - Secondly, how can I load capture filters from a file (using tethereal
> in my case). I have some capture filters saved in the cfilter file, but
> they don't seem to be getting loaded. (of the form "filter" <actual
> filter line>\n)
With tethereal/tshark, the only way would be to do
tshark -f `cat file` ...
on UN*X, which only works if your kernel and shell allow enough
characters in command-line arguments.
If you just want to capture raw traffic (not decoded traffic) to a file,
you could also use tcpdump/WinDump:
tcpdump -F file_with_filter -s 0 -w file_to_write_to
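One way to build a filter file of the kind described above from a host list, and to sanity-check it before handing it to tcpdump -F or tshark -f, as an added example that is not part of the original thread. The whitespace-separated "dst_ip src_ip expected_dst_mac" input format, the function names (`make_filter`, `count_clauses`), and the sample host entries are all assumptions made for this example; the filter clause itself is the one quoted in the question.

```sh
#!/bin/sh
# Added example (not from the thread): turn a list of expected
# (destination IP, source IP, destination MAC) triples into ONE libpcap
# capture filter.  A frame that matches "dst host A and src host B" but is
# not addressed to the MAC A is supposed to have is what a host whose ARP
# cache has been poisoned would send, so every triple becomes one clause
# and the clauses are OR-ed together.
#
# Input format (hypothetical): one triple per line, '#' starts a comment.
# Sample entries below are constructed for this example, not real inventory.
sample_hosts() {
    cat <<'EOF'
# dst_ip        src_ip          expected_dst_mac
10.0.0.10       10.0.0.20       00:11:22:33:44:55
10.0.0.10       10.0.0.21       00:11:22:33:44:55
10.0.0.11       10.0.0.20       66:77:88:99:aa:bb
EOF
}

# make_filter: read triples on stdin, print a single filter expression.
# Each clause is parenthesised so the " or " joins are unambiguous.
make_filter() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }
        {
            clause = "(dst host " $1 " and src host " $2 \
                     " and not ether dst host " $3 ")"
            if (expr == "") expr = clause
            else            expr = expr " or " clause
        }
        END { print expr }
    '
}

# count_clauses: number of OR-ed clauses in an expression read on stdin,
# a cheap check before feeding ~1000 of them to the BPF compiler.
count_clauses() {
    awk -F' or ' '{ print NF }'
}

# Usage: write the filter to a file and pass it with tcpdump's -F option,
# or expand it on the command line for tshark (subject to the argument
# length limits mentioned above):
#     tcpdump  -F arp-check.filter -s 0 -w suspicious.pcap
#     tshark   -f "$(cat arp-check.filter)" -w suspicious.pcap
# On a host with tcpdump installed, "tcpdump -d -F arp-check.filter" prints
# the compiled BPF program, which shows how large the filter becomes and
# whether libpcap accepts it at all.
if [ "${1:-}" = "--demo" ]; then
    sample_hosts | make_filter > arp-check.filter
    printf 'clauses: %s\n' "$(count_clauses < arp-check.filter)"
fi
```

Generating the expression with a script rather than by hand also makes it easy to confirm that every clause has the same shape, which matters when a single malformed clause among a thousand would make libpcap reject the whole filter.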