Wireshark-dev: Re: [Wireshark-dev] [ACL][firewall] how to
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 14 Apr 2009 14:45:45 -0700

On Apr 14, 2009, at 2:26 PM, Mihai Bucicoiu wrote:

I know some of the Wireshark tests, and in this first 2 months step I only want to implement just the simple ones: validating MAC addresses, IP, port, ICMP and established sessions. I know that it is possible to filter traffic by this syntax. The reason for choosing Wireshark was that everyone can write "ymsg" on the filter toolbar, and then add a rule to block this traffic, and only technical people can make an iptables/Cisco ACL to block it.

The filter "ymsg" matches all packets that Wireshark identifies as Yahoo Messenger packets.

Wireshark identifies as Yahoo Messenger packets TCP segments that begin with "YMSG" - *AND* any subsequent TCP segments that continue the last packet of the segment. It does *not* identify them based on port numbers.

That would be difficult to turn into a filter rule in any case, especially if your filter rules can't test packet content - and even harder, given that there's no guarantee that all Yahoo Messenger packets begin with "YMSG", as they might continue a Yahoo Messenger packet split across TCP segments.

Furthermore, there's nothing in the filter expression code that even knows about identifying Yahoo Messenger packets based on the contents - the only way to know that's how it identifies packets as Yahoo Messenger packets is to look at the source code of Wireshark's Yahoo Messenger dissector.
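As an added illustration (not code from this thread or from Wireshark), the gap Guy describes between a content-only per-segment check and the dissector's stream-aware behaviour, run over constructed TCP segments; the 20-byte YMSG header layout used to read the message length is my assumption, not something stated in the message:

```python
import struct

# Assumed YMSG header: "YMSG", version, vendor, body length, service, status, session id.
YMSG_HDR = struct.Struct(">4sHHHHII")  # 20 bytes total


def build_ymsg(body: bytes) -> bytes:
    """Build one YMSG message (assumed header layout) carrying the given body."""
    return YMSG_HDR.pack(b"YMSG", 16, 0, len(body), 6, 0, 0x12345678) + body


def stateless_match(payload: bytes) -> bool:
    """What a content-testing firewall rule can do per segment: look for the magic."""
    return payload.startswith(b"YMSG")


class FlowTracker:
    """Mimic the dissector: tag a segment that starts a YMSG message, and every
    following segment of the same flow until the declared length is consumed."""

    def __init__(self):
        self.remaining = {}  # flow key -> bytes of the current message still expected

    def classify(self, flow, payload: bytes) -> bool:
        rem = self.remaining.get(flow, 0)
        if rem > 0:  # continuation segment, no "YMSG" prefix needed
            self.remaining[flow] = max(rem - len(payload), 0)
            return True
        if len(payload) >= YMSG_HDR.size and payload[:4] == b"YMSG":
            _, _, _, length, *_ = YMSG_HDR.unpack_from(payload)
            self.remaining[flow] = max(YMSG_HDR.size + length - len(payload), 0)
            return True
        return False


# Constructed sample traffic, not a real capture. Flow A carries one YMSG message
# (30 bytes) split across two TCP segments; flow C carries YMSG on an unusual port.
MSG = build_ymsg(b"7\xc0\x80alice\xc0\x80")
FLOW_A = ("10.0.0.1", 50000, "10.0.0.2", 5050)
FLOW_B = ("10.0.0.3", 40000, "10.0.0.4", 80)
FLOW_C = ("10.0.0.5", 40001, "10.0.0.6", 443)
SEGMENTS = [
    (FLOW_A, MSG[:24]),                  # header + start of body
    (FLOW_B, b"GET / HTTP/1.1\r\n"),     # unrelated traffic
    (FLOW_A, MSG[24:]),                  # rest of the body: no "YMSG" prefix
    (FLOW_C, build_ymsg(b"ok")),         # whole message, port says nothing
]


def run_demo():
    """Return (stateless verdicts, stream-aware verdicts) for SEGMENTS."""
    tracker = FlowTracker()
    stateless = [stateless_match(p) for _, p in SEGMENTS]
    stateful = [tracker.classify(f, p) for f, p in SEGMENTS]
    return stateless, stateful
```

The continuation segment (third entry) is the one a per-segment "starts with YMSG" rule lets through while the stream-aware tracker still tags it.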