Currently,
tshark is called multiple times in order to extract specific types of traffic with no prior knowledge of whether or not that type of traffic is included within the PCAP.
PAS-9 implements generation of a list of destination IP/Port pairs. So the latter could now be used to be a little more intelligent about when we run tshark.
For example, if neither port 5222 or 5269 has been observed, there's probably no point in running the XMPP search.
Although there might be XMPP traffic going to another port, the use of tshark's dissectors means we probably still wouldn't get a match anyway.
It's not too big an issue at the moment, but the more traffic classes get added to the script, the longer a run is going to take if we try and extract information on everything all the time.
If this is implemented though, there should be a flag which can be used to tell the script to check everything regardless of the ports it thinks it has seen.
Activity