Hello and thanks for the reply. I'll try to answer your questions:

> > I've chosen Wireshark because it is the most complex packet
> > analyzer as far as I know. I'm not trying to turn it into another
> > language, but to turn Wireshark language into a firewall language.
>
> What do you mean by "Wireshark language"? Do you mean the display
> filter expression language? As indicated, it can do tests that are
> far more complicated than what most if not all firewalls will support
> (as they act on the results of a full Wireshark dissection of the
> packet).

I know some of the Wireshark tests, and in this first 2-month step I only want to implement the simple ones: validating MAC addresses, IP, port, ICMP and established sessions. I know that it is possible to filter traffic with this syntax. The reason for choosing Wireshark was that everyone can write "ymsg" in the filter toolbar and then add a rule to block this traffic, whereas only technical people can write an iptables/Cisco ACL to block it.

> > I really liked the firewall add-on, and I would like to make it
> > happen, not just to make an "iptables" rule, for example, but to
> > really filter the packets.
>
> By "filter the packets" do you mean "apply the filter directly, rather
> than just show the filter expression and let a user add it to the
> iptables rules"?

Sorry for the typing, that's what I'm thinking about.

> > I'll try to describe how I see the "Wireshark firewall"; maybe
> > if you are interested in this, you can help me implement it.
> > As far as I see, a firewall has deny and permit rules and some attack
> > fingerprints. The first 2 steps are the ones that interest me; maybe
> > importing CISCO .sdf into Wireshark would be the next step. I
> > would like to create some filters, directly in the Linux kernel,
> > based on the Wireshark dissector packets. What I mean by this is
> > that you give some packet fingerprint to the kernel, tell it to
> > deny/accept, and it does the trick for you.
>
> So what we have now in Wireshark is a mechanism that, based on the
> contents of a packet, lets you choose which fields of the packet to
> use in a filter expression (from a small list), and generates a filter
> testing that field or fields for the value or values they have, using
> one of the filter syntaxes it knows.
>
> Do you just want to have an option to take one of those filters and
> directly add it to the list of filters in the Linux/*BSD/Mac OS X
> kernel, rather than having to copy it and add it to the kernel's
> filter list separately, or do you also want to make the code that
> *generates* filters more sophisticated?

For the beginning, just the filter: copy the filter into the kernel, and create a simple ACL for several ones.

> (The two parts are separate -
> you could add the ability to stuff a filter rule into the kernel
> without changing the way the rules are generated, and you could add
> some code to add more ways to generate filters without adding the
> ability to stuff those filter rules into the kernel.)

Can you explain more for me? I mean, what rules are you talking about, the ones in user space (Wireshark) or the ones in kernel space?

Best,
Mihai
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
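The rule-generation step discussed in the thread (pick one field and value from a dissected packet, emit a deny or permit rule in a firewall syntax the tool knows), as an added example that is not Wireshark's own firewall-rule code: a small generator for iptables and Cisco extended ACL syntax alongside the matching display-filter test. The five Wireshark-style field names are an assumed "small list", and all sample values are constructed.

```python
import re
from ipaddress import ip_address

# Field names follow Wireshark display-filter naming (assumption: these five are
# the "small list" the generator offers). Values are validated before emitting.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

def validate(field, value):
    """Reject malformed values so a bad field never becomes a bad kernel rule."""
    if field in ("ip.src", "ip.dst"):
        return str(ip_address(value))            # ValueError if not an IP
    if field in ("tcp.dstport", "udp.dstport"):
        port = int(value)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {value}")
        return str(port)
    if field in ("eth.src", "eth.dst"):
        if not MAC_RE.match(value):
            raise ValueError(f"malformed MAC: {value}")
        return value.lower()
    raise ValueError(f"unsupported field: {field}")

def display_filter(field, value):
    """The Wireshark display-filter test for the same field/value pair."""
    return f"{field} == {validate(field, value)}"

def netfilter_rule(field, value, deny=True):
    """iptables rule on the INPUT chain, or None where iptables has no matching
    primitive (the mac match can only test the *source* MAC)."""
    v = validate(field, value)
    match = {
        "ip.src": f"-s {v}", "ip.dst": f"-d {v}",
        "tcp.dstport": f"-p tcp --dport {v}", "udp.dstport": f"-p udp --dport {v}",
        "eth.src": f"-m mac --mac-source {v}",
    }.get(field)
    if match is None:
        return None
    return f"iptables -A INPUT {match} -j {'DROP' if deny else 'ACCEPT'}"

def cisco_acl_rule(field, value, deny=True, acl=101):
    """Cisco IOS extended ACL line; None for MAC fields (IP ACLs cannot match them)."""
    v = validate(field, value)
    match = {
        "ip.src": f"ip host {v} any", "ip.dst": f"ip any host {v}",
        "tcp.dstport": f"tcp any any eq {v}", "udp.dstport": f"udp any any eq {v}",
    }.get(field)
    if match is None:
        return None
    return f"access-list {acl} {'deny' if deny else 'permit'} {match}"
```

Returning None for a field the target syntax cannot express is the point of keeping the two parts separate: the generator can grow new syntaxes without the kernel-loading side having to know which fields each one supports.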
