This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

wireshark as IDS for event logging?


Dear Developers and Users of Wireshark,

Wireshark is a great application for network monitoring and sniffing. It can decode almost all protocols available, from Ethernet and IP even to the WSN protocols such as 802.15.4, 6LoWPAN, etc.

In order to find an attack, we need to monitor the network (src and dest address and the nature of the invalid packets). So is it possible for an application or plugin developed for Wireshark to be used for detecting attack events?

And possibly develop a low-level Intrusion Detection System? Does it exist in some way or other?

I just need to monitor the src address, and whether it's flooding or not!

asked 17 Jul '12, 06:13


prabhakaran


2 Answers:


Note that Wireshark (and TShark) both keep data structures used in the dissection process, to keep track of requests and matching responses (for example, some protocols don't carry enough information in a response to decode the response, so you need to find the request to which it's a response to get information such as the request code), do packet reassembly, and so on.

This means that the memory requirements of Wireshark and TShark increase as more packets are captured or read, so the memory used by Wireshark and TShark will increase over time.

They also do a very detailed dissection of packets, which might be more than is needed for an IDS.

This makes it not ideal as an intrusion detection system; that's not a function for which it was designed. It might be better to use programs designed to act as intrusion detection systems for that purpose, such as Snort and Bro.

answered 17 Jul '12, 13:57


Guy Harris ♦♦

@Guy Harris: Thank you for your answer. I think it's appropriate.

The existing IDSs support very limited protocols. And they follow their own data structures, such that we cannot use the existing Wireshark protocol dissectors with them. And I wanted to develop an IDS for WSNs. That's why I wanted to know whether any plugins have been developed keeping this in mind.

Anyway, thanks for your response. If someone has some idea, please don't wait to post your opinion!

(17 Jul '12, 14:12) prabhakaran


"I just need to monitor the src address, and if it's flooding or not!"

If you need just that, Wireshark would be kind of "overkill", as you spend a lot of CPU time dissecting packets while you just want the src IP and a summary of the packet rate within a defined timeslice.

If you really need just that, I recommend some tutorials about libpcap programming. With that knowledge you can write your own little tool that does exactly what you need, without the "hassle" of dissecting packets (but also without the benefit of it).

http://www.tcpdump.org/pcap.html
http://undergraduate.csse.uwa.edu.au/units/CITS3231/reading/libpcap-programming.pdf

Regards
Kurt

answered 17 Jul '12, 15:32


Kurt Knochner ♦

edited 17 Jul '12, 16:18

@Kurt: Thanks for your opinion. I will have a look at it. The libpcap programming document was very good! Thanks for sharing.

(18 Jul '12, 05:40) prabhakaran

You're welcome. Good luck.

(18 Jul '12, 07:03) Kurt Knochner ♦
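An added sketch (not code from any poster on this page) of the per-packet logic Kurt's "little tool" would run from a libpcap callback: pull the IPv4 source out of an Ethernet frame, count packets per source within a one-second timeslice, and flag a source that reaches a threshold. libpcap itself is left out so the block runs offline on constructed frames; the threshold, the fixed-size table and the function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define WINDOW_SECS 1        /* timeslice length in seconds */
#define FLOOD_THRESHOLD 100  /* packets per source per slice that count as flooding */
#define MAX_SOURCES 256      /* hypothetical cap; a real tool would use a hash table */

struct src_counter { uint32_t ip; unsigned count; };
static struct src_counter table[MAX_SOURCES];
static long current_slice = -1;

/* IPv4 source of an Ethernet frame (host order); 0 if not a complete Ethernet/IPv4 header. */
uint32_t ipv4_src(const uint8_t *frame, size_t len) {
    if (len < 14 + 20) return 0;                           /* Ethernet + minimal IPv4 */
    if (frame[12] != 0x08 || frame[13] != 0x00) return 0;  /* EtherType 0x0800 */
    const uint8_t *ip = frame + 14;
    if ((ip[0] >> 4) != 4) return 0;                       /* version nibble */
    return (uint32_t)ip[12] << 24 | (uint32_t)ip[13] << 16 | (uint32_t)ip[14] << 8 | ip[15];
}
void reset_counters(void) { memset(table, 0, sizeof table); current_slice = -1; }

/* What a pcap_loop() callback would do per packet: bucket by timeslice and source.
 * Returns 1 exactly once per slice, when a source reaches FLOOD_THRESHOLD. */
int count_packet(long ts_sec, const uint8_t *frame, size_t len) {
    long slice = ts_sec / WINDOW_SECS;
    if (slice != current_slice) { memset(table, 0, sizeof table); current_slice = slice; }
    uint32_t src = ipv4_src(frame, len);
    if (src == 0) return 0;
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (table[i].ip == 0) table[i].ip = src;           /* first packet from source */
        if (table[i].ip == src) return ++table[i].count == FLOOD_THRESHOLD;
    }
    return 0;                                              /* table full, not tracked */
}

/* Constructed 34-byte Ethernet/IPv4 frame: zeros except the fields parsed above. */
void make_frame(uint8_t *buf, uint32_t src) {
    memset(buf, 0, 34);
    buf[12] = 0x08; buf[13] = 0x00; buf[14] = 0x45;
    buf[26] = src >> 24; buf[27] = src >> 16; buf[28] = src >> 8; buf[29] = src;
}

/* Constructed traffic: 150 packets from 10.0.0.1 and 5 from 10.0.0.2 within one second,
 * then 5 more from 10.0.0.1 a second later. Returns the number of flood alerts (1). */
int simulate(void) {
    uint8_t f[34]; int alerts = 0;
    reset_counters();
    for (int i = 0; i < 155; i++) {
        make_frame(f, i % 31 == 30 ? 0x0A000002u : 0x0A000001u);
        alerts += count_packet(1000, f, sizeof f);
    }
    make_frame(f, 0x0A000001u);
    for (int i = 0; i < 5; i++) alerts += count_packet(1001, f, sizeof f);
    return alerts;
}
```

In a real tool the `count_packet()` body sits inside the `pcap_loop()` handler, with `ts_sec` taken from the capture header's timestamp.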