Wireshark mailing list archives

Re: Removing [TCP segment of a reassembled PDU] and HTTP Continuation or non-HTTP traffic


From: Guy Harris <guy () alum mit edu>
Date: Mon, 5 Oct 2009 10:24:21 -0700


On Oct 2, 2009, at 5:05 AM, Domingo J. Ponce wrote:

> I only need this in Tshark and not Wireshark. I use tshark Live to view any incoming attacks (SYN Floods, ACK Floods, UDP Floods)

Would a tool such as Snort, or some other intrusion detection system, be better for that?  Wireshark really isn't designed to be, or intended to be, an IDS, and probably couldn't be made into a good IDS without making it less good as a protocol analyzer.  (Wireshark/TShark do very detailed analysis of packets, as that's what they're intended to do; this means it probably does far more work than is necessary in an IDS.  It also reassembles packets made up from multiple lower-layer packets, which currently can consume a significant amount of memory; we can probably reduce that, although we'd have to change the way reassembly is done to do that - fortunately, we can *probably* do that without affecting the protocol dissectors that do reassembly.)
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
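An added illustration of the split Guy describes (this is not code from the thread or from the Wireshark project): let tshark do the dissection with TCP reassembly switched off, and keep the stateful "is this a flood?" decision in a small post-processor, which is the part an analyzer is not built for. The example assumes tshark is driven with `-o tcp.desegment_tcp_streams:FALSE`, a display filter for SYN-only segments, and `-T fields -e frame.time_epoch -e ip.src -e tcp.dstport`; the sample lines below are constructed in that tab-separated shape, not a real capture, and the 100-per-second threshold is an arbitrary illustrative value.

```python
"""
Added example, not part of the original thread or of Wireshark/TShark.

Assumed tshark invocation whose output this script consumes (not run here):

  tshark -l -n -o tcp.desegment_tcp_streams:FALSE \
         -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
         -T fields -e frame.time_epoch -e ip.src -e tcp.dstport

(-Y is the display-filter option in current tshark; 2009-era 1.x builds
used -R for the same purpose.)  Disabling desegmentation removes the
"[TCP segment of a reassembled PDU]" bookkeeping and its memory cost,
which is irrelevant when only SYN-only segments are being looked at.
"""
from collections import defaultdict


def build_sample_lines():
    """Constructed sample output in the field layout above: one source
    sends 150 SYNs inside one second, another sends 3 spread out."""
    lines = []
    base = 1254744000.0
    for i in range(150):
        lines.append(f"{base + i * 0.005:.6f}\t203.0.113.7\t80")
    for i in range(3):
        lines.append(f"{base + i * 0.4:.6f}\t198.51.100.2\t443")
    return lines


def parse_line(line):
    """Split one tshark -T fields line (tab-separated by default) into
    (epoch_time, source_ip, destination_port)."""
    t, src, dport = line.rstrip("\n").split("\t")
    return float(t), src, int(dport)


def syn_counts(lines, window=1.0):
    """Count SYN-only segments per (source, fixed time bucket of `window` s)."""
    counts = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        t, src, _ = parse_line(line)
        counts[(src, int(t // window))] += 1
    return counts


def peak_syn_rate(lines, window=1.0):
    """Highest per-bucket SYN count observed for each source address."""
    peak = defaultdict(int)
    for (src, _), n in syn_counts(lines, window).items():
        peak[src] = max(peak[src], n)
    return dict(peak)


def flag_syn_floods(lines, threshold=100, window=1.0):
    """Sources whose peak SYN rate reaches `threshold` SYNs per window.
    The threshold is an illustrative assumption, not a Wireshark setting."""
    return sorted(src for src, n in peak_syn_rate(lines, window).items()
                  if n >= threshold)


if __name__ == "__main__":
    sample = build_sample_lines()
    print(peak_syn_rate(sample))
    print(flag_syn_floods(sample))
```

In practice the script would read `sys.stdin` from the tshark pipeline instead of the constructed lines; the counting is deliberately per fixed bucket rather than per connection, so it never has to hold reassembly or stream state, which is exactly the work Guy points out an IDS does not need from the dissector.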