Wireshark mailing list archives
Re: Removing [TCP segment of a reassembled PDU] and HTTP Continuation or non-HTTP traffic
From: Guy Harris <guy () alum mit edu>
Date: Mon, 5 Oct 2009 10:24:21 -0700
On Oct 2, 2009, at 5:05 AM, Domingo J. Ponce wrote:
I only need this in TShark and not Wireshark. I use tshark live to view any incoming attacks (SYN floods, ACK floods, UDP floods).
Would a tool such as Snort, or some other intrusion detection system, be better for that? Wireshark really isn't designed to be, or intended to be, an IDS, and probably couldn't be made into a good IDS without making it less good as a protocol analyzer.

(Wireshark/TShark do very detailed analysis of packets, as that's what they're intended to do; this means it probably does far more work than is necessary in an IDS. It also reassembles packets made up from multiple lower-layer packets, which currently can consume a significant amount of memory; we can probably reduce that, although we'd have to change the way reassembly is done to do that - fortunately, we can *probably* do that without affecting the protocol dissectors that do reassembly.)
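An added example, not from this thread or from the Wireshark project: the kind of threshold check an IDS does on the SYN-flood case the question mentions, run over tshark field output instead of full dissection. The capture invocation in the comment (with `tcp.desegment_tcp_streams` turned off so TShark does not buffer segments for reassembly it will never need here), the field order and the sample lines are all assumptions constructed for the example.

```python
"""Count half-open SYNs per destination from tshark field output."""
from collections import Counter

# Constructed sample lines in the layout produced by this assumed invocation:
#   tshark -i eth0 -o tcp.desegment_tcp_streams:FALSE -T fields -E separator=, \
#          -e frame.time_epoch -e ip.src -e ip.dst -e tcp.flags.syn -e tcp.flags.ack
# Turning off desegmentation avoids the memory cost of reassembly that the
# reply above describes, since only per-segment flags are needed here.
SAMPLE = """\
1254742800.10,10.0.0.5,192.0.2.10,1,0
1254742800.20,10.0.0.6,192.0.2.10,1,0
1254742800.25,192.0.2.10,10.0.0.5,1,1
1254742800.30,10.0.0.7,192.0.2.10,1,0
1254742800.40,10.0.0.8,192.0.2.10,1,0
1254742800.50,10.0.0.9,192.0.2.10,1,0
1254742800.60,10.0.0.10,192.0.2.10,1,0
1254742800.70,10.0.0.5,192.0.2.20,1,0
1254742801.10,10.0.0.5,192.0.2.10,1,0
"""

def _flag(value):
    # tshark prints booleans as 1/0 in older releases and True/False in newer ones
    return value.strip() in ("1", "True")

def parse_line(line):
    """Return (timestamp, src, dst, syn_only) or None for an unparsable line."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    syn_only = _flag(parts[3]) and not _flag(parts[4])   # SYN set, ACK clear
    return ts, parts[1], parts[2], syn_only

def detect_syn_floods(lines, window=1.0, threshold=100):
    """Return [(dst, window_start, count)] for every time window in which a
    destination received more than `threshold` SYN-only segments."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec[3]:
            continue
        ts, _src, dst, _ = rec
        bucket = int(ts // window) * window
        counts[(dst, bucket)] += 1
    return sorted((dst, b, n) for (dst, b), n in counts.items() if n > threshold)

if __name__ == "__main__":
    for dst, start, n in detect_syn_floods(SAMPLE.splitlines(), threshold=5):
        print(f"{dst}: {n} half-open SYNs in window starting {start:.0f}")
```

With real traffic, pipe `tshark ... -T fields` into the script line by line and raise the threshold to what the monitored host normally sees; the SYN/ACK from the server is correctly ignored because its ACK flag is set.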