##########################################################################################
PAS-11: Call TShark only if a relevant port has been observed
##########################################################################################

Issue Type: New Feature

-----------------------------------------------------------------------------------------
Issue Information
====================

Priority: Major
Status: Open
Resolution: Unresolved
Project: PCAP Analysis Script (PAS)
Reported By: btasker
Assigned To: btasker
Components:
- PCAP Handling
- Processing Logic
- Configuration Options
Affected Versions:
- 0.1
Targeted for fix in version:
- 0.1
Labels: CommandLineArgs,
Time Estimate: 45 minutes
Time Logged: 0 minutes

-----------------------------------------------------------------------------------------
Issue Description
==================

Currently, _tshark_ is called multiple times in order to extract specific types of traffic, with no prior knowledge of whether or not that type of traffic is actually present in the PCAP.

PAS-9 implements generation of a list of destination IP/Port pairs, and that list could now be used to be a little more intelligent about when tshark is run. For example, if neither port 5222 nor 5269 has been observed, there is probably no point in running the XMPP search. There might be XMPP traffic going to some other port, but since tshark selects its dissector by port (by default), we probably still wouldn't get a match anyway.

It's not too big an issue at the moment, but the more traffic classes get added to the script, the longer a run is going to take if we try to extract information on everything every time.

If this is implemented, there should be a flag which can be used to tell the script to check everything regardless of the ports it thinks it has seen.
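The gating logic proposed above, written out as an added bash example. This is not PAS's own code: the `--check-all` flag name, the "ip port" one-pair-per-line format assumed for the PAS-9 list, the sample pairs, and the per-class port lists are all assumptions made for the illustration. The tshark command is printed rather than executed so the example runs without tshark or a PCAP present.

```bash
#!/usr/bin/env bash
# Added example (not PAS project code): only run a traffic-class check
# if one of its well-known destination ports appears in the observed
# IP/port list, unless --check-all (hypothetical flag) forces every check.

# Constructed sample of a PAS-9 style destination IP/port list, one
# "ip port" pair per line (assumed format). PAS would derive this
# from the PCAP itself.
OBSERVED_PAIRS="$(printf '%s\n' \
  '192.0.2.10 443' \
  '192.0.2.10 80' \
  '198.51.100.7 5222' \
  '203.0.113.5 53')"

# Set to 1 by --check-all to bypass the port gate entirely.
CHECK_ALL=0

# observed_port PORT
# Returns 0 if PORT appears as a destination port in OBSERVED_PAIRS, else 1.
observed_port() {
    printf '%s\n' "$OBSERVED_PAIRS" \
        | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# should_run_check CLASS PORT...
# Returns 0 if the check for CLASS is worth running: either the override
# flag is set, or at least one of the class's ports has been observed.
should_run_check() {
    local class="$1"; shift
    if [ "$CHECK_ALL" = "1" ]; then
        return 0
    fi
    local port
    for port in "$@"; do
        if observed_port "$port"; then
            return 0
        fi
    done
    return 1
}

# run_check CLASS DISPLAY_FILTER PORT...
# Prints the tshark invocation that would be run for CLASS, or a skip
# message. Always returns 0; the decision itself lives in should_run_check.
run_check() {
    local class="$1" filter="$2"; shift 2
    if should_run_check "$class" "$@"; then
        echo "RUN  $class: tshark -r capture.pcap -Y '$filter'"
    else
        echo "SKIP $class: none of ports $* observed (use --check-all to force)"
    fi
    return 0
}

# Minimal argument handling for the hypothetical override flag.
for arg in "$@"; do
    case "$arg" in
        --check-all) CHECK_ALL=1 ;;
    esac
done

# Traffic classes and the ports that make each check worth running
# (port lists are assumptions for the example, not PAS's configuration).
run_check XMPP 'xmpp' 5222 5269
run_check HTTP 'http' 80 8080
run_check DNS  'dns'  53
run_check SMTP 'smtp' 25 587
```

With the sample list above, XMPP, HTTP and DNS are run and SMTP is skipped; passing `--check-all` runs all four. The XMPP-on-a-non-standard-port case the description mentions is exactly what the skip would hide, which is why the override flag belongs alongside the gate rather than being left for later.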

-----------------------------------------------------------------------------------------
Issue Relations
================

- is blocked by PAS-9: Unique list of IP/Ports
- relates to PAS-24: Allow Manual Disabling of Certain Checks

-----------------------------------------------------------------------------------------
Activity
==========