On Apr 14, 2009, at 2:26 PM, Mihai Bucicoiu wrote:

> I know some of the Wireshark tests, and in this first 2-month step I only want to implement just the simple ones: validating MAC addresses, IP, port, ICMP and established sessions. I know that it is possible to filter traffic by this syntax. The reason for choosing Wireshark was that everyone can write "ymsg" on the filter toolbar and then add a rule to block this traffic, and only technical people can make an iptables/Cisco ACL to block it.

The filter "ymsg" matches all packets that Wireshark identifies as Yahoo Messenger packets.

Wireshark identifies as Yahoo Messenger packets TCP segments that begin with "YMSG" - *AND* any subsequent TCP segments that continue the last packet of the segment. It does *not* identify them based on port numbers.

That would be difficult to turn into a filter rule in any case, especially if your filter rules can't test packet content - and even harder, given that there's no guarantee that all Yahoo Messenger packets begin with "YMSG", as they might continue a Yahoo Messenger packet split across TCP segments.

Furthermore, there's nothing in the filter expression code that even knows about identifying Yahoo Messenger packets based on the contents - the only way to know that's how it identifies packets as Yahoo Messenger packets is to look at the source code of Wireshark's Yahoo Messenger dissector.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
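The content-based identification described in the reply above, as an added example that is not part of the original thread and not Wireshark's own dissector code. It contrasts a stateless "payload starts with YMSG" check (what a naive firewall string-match rule would do) with a per-flow check that also claims segments continuing a message whose header was seen earlier. The 20-byte YMSG header layout (magic, version, vendor id, body length at bytes 8-9, service, status, session id) is assumed from general knowledge of the protocol, not from this page; the flow labels and sample messages are constructed for the demonstration.

```python
import struct
from collections import defaultdict

MAGIC = b"YMSG"
# Assumed YMSG header: magic(4) version(2) vendor(2) length(2) service(2) status(4) session(4)
HEADER_LEN = 20


def parse_header(payload):
    """Return the declared body length if payload starts with a full YMSG header, else None."""
    if len(payload) < HEADER_LEN or not payload.startswith(MAGIC):
        return None
    (body_len,) = struct.unpack(">H", payload[8:10])
    return body_len


def build_ymsg(body, version=16, vendor=0, service=6, status=0, session=0):
    """Construct a YMSG message for the sample data (assumed header layout, see above)."""
    return MAGIC + struct.pack(">HHHHII", version, vendor, len(body), service, status, session) + body


def stateless_match(segments):
    """Per-segment rule with no flow state: only segments whose payload starts with YMSG match."""
    return [payload.startswith(MAGIC) for _, payload in segments]


def stateful_match(segments):
    """Flow-aware rule: a segment matches if it starts a YMSG message or carries the
    remainder of one whose header was seen in an earlier segment of the same flow.
    A header itself split across two segments is not buffered here."""
    pending = defaultdict(int)  # flow -> bytes of the current message still outstanding
    result = []
    for flow, payload in segments:
        matched = False
        buf = payload
        # First consume whatever is still owed to the previous message in this flow;
        # these bytes do not begin with YMSG but belong to it.
        if pending[flow] > 0:
            take = min(pending[flow], len(buf))
            pending[flow] -= take
            buf = buf[take:]
            matched = True
        # Then see whether the leftover starts one or more new messages.
        while buf:
            body_len = parse_header(buf)
            if body_len is None:
                break
            matched = True
            total = HEADER_LEN + body_len
            if len(buf) >= total:
                buf = buf[total:]
            else:
                pending[flow] = total - len(buf)  # rest arrives in a later segment
                buf = b""
        result.append(matched)
    return result


# Constructed sample: two TCP flows, labelled only by a name.
FLOW_A = "client->messenger"
FLOW_B = "client->web"
MSG1 = build_ymsg(b"1\xc0\x80alice\xc0\x80")  # 20-byte header + 10-byte body
MSG2 = build_ymsg(b"1\xc0\x80bob\xc0\x80")    # 20-byte header + 8-byte body

SAMPLE_SEGMENTS = [
    (FLOW_A, MSG1[:24]),                                       # header + first 4 body bytes
    (FLOW_B, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # unrelated traffic
    (FLOW_A, MSG1[24:]),                                       # continuation: no "YMSG" prefix
    (FLOW_A, MSG2),                                            # a whole message in one segment
]

if __name__ == "__main__":
    for (flow, payload), naive, aware in zip(SAMPLE_SEGMENTS, stateless_match(SAMPLE_SEGMENTS),
                                             stateful_match(SAMPLE_SEGMENTS)):
        print(f"{flow:20} {payload[:8]!r:14} stateless={naive!s:5} stateful={aware}")
```

The third segment is the case the reply warns about: a rule that can only test whether a segment begins with "YMSG" lets it through, while the flow-aware check, which is closer to what a dissector does, claims it because the header seen in the first segment promised more bytes.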