RealTime IT News

Defcon: Will Open Source Divashark Unseat Wireshark for CTP?


From the 'Maybe Next Year' files:

We all love open source Wireshark for packet capture right?

Apparently, that isn't always the case. Researcher Robert Deaton took the stage at Defcon to announce a new open source effort that could one day possibly unseat Wireshark.

Deaton said that every team at the Defcon CTP (Capture the Packet) contest uses Wireshark. That said he argued that in his view it's the wrong tool for the job.

In his view there is lots of noise in Wireshark, especially when looking for something simple like usr/pswrd, there is too much detail at the tcp level. So for example, one of the CTP challenges was to find a user's Reddit login which is possible with Wireshark, but it's unduly tedious.

"Do we really care about packet level details?," Deaton said. "Divashark a tool to make live network forensics easy, it gets you the info you care about as quickly as possible without getting bogged down in small details."

Deaton explained that Divashark will do the same type of capture as Wireshark and it automatically follows tcp and udp streams as they come in, then the packets are run though a port independent classifier. He added that the system has powerful abilities to filter traffic at an application level. The http dissector lets researcher filter by user-agent, or whatever url has been requested.

"Divashark will make a competition like CTP easier as it will no longer be about who can hunt through wireshark the fastest," Deaton said. "It could make CTP as a competition,  almost not a competition as everyone will be able to find almost every answer immediately."

There is however a catch.

Divashark was not done as of the time of Deaton's presentation, so he couldn't demo it. Also his project page, 

divashark.org/defcon was  not available. That said, Deaton pledged to have his code up within a few days and the code would be open source.

I for one am cautiously optimistic about this - I've spent my fair share of time in Wireshark and the opportunity to get an open source tool that will make that type of analysis easier is incredibly exciting.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.