File: ToDo

package info
nwatch 0.03-2
  • area: main
  • in suites: woody
  • size: 204 kB
  • ctags: 120
  • sloc: perl: 1,202; makefile: 52
file content (114 lines) | stat: -rw-r--r-- 2,863 bytes


0.01-


x use the output tag instead of test-output
x flush interval
x sample interval

x optionally evaluate output tag every save or at time of running the program
x (and optionally reset scanset each eval or each flush, or some other interval?)

x rework output_tag - one "global" output tag calculated only when scanset created

x restrict to interesting hosts only

x generic debug logging model for Packet.pm
x go over POD documentation
x factor out packet_handler functionality

x verify make_scanset changes ( default_state specification ) doesn't kill ngen


---------
0.02 and beyond-

make state machines self-pruning and garbage collected at end of sampling
interval so subsequent sampling intervals will correctly pick up new traffic
(if the same host/port combos are reused the state machines can already exist
and be in a do-nothing state)


fix manpage
 an interface other than the default may now be specified
 make clear that extended nmap machine-readable format data is saved to disk
 remove mention of port specs in manpage

add -accept-any-host parameter back so nwatch can be run with no parameters
fix pod documentation formatting errors

x allow command-line specification of interface(s) to watch
allow watching of multiple interfaces?

refine and document packet field names & conventions

default logging profiles in nwatch (predefined sets of tuples)

periodic blank results file bug

use the prune method from nwatch
sort hosts properly (NDiff)
refine POD documentation

think of a better name!
spying model
x UDP
x filtered TCP

restrict to interesting ports only
abstract out Interface as a separate module
possibly rename class names to their upper-case counterparts


x Stateful model to replace simple rules
x  will enable:
x    detecting UDP ports,
x    filtered TCP ports,
x    more complex rules based on multiple protocols at once
     triggers

improve protocol stack
  checksum calculations
  IP options parsing
  etc.

a better model for specifying interesting hosts/ports/protocols
  (probably for NDiff libraries, as well)

distributed watching, centralized results gathering
a model for detecting/storing/NDiffing non-IP protocols
proper destructors where necessary


allow pattern matching in field_path
better way to reference packet fields
    field_top( foo )   some field in a packet's top-layer protocol

    proto_isa( "*foo:bar" );
    proto_isa( "*foo:bar*" );


remove absolute references to "ethernet:"; use field( ".*ipv4:tcp..." ) instead


first state eval in a statemachine
prune old state machines (method call in eval)

Packet::top


formal logging class with date stamping
fix broadcast address mistakenly being counted as regular host
fix/document mid-connection traffic not being picked up by tcp state machines


make filtered TCP and closed UDP ports properly detected at flush time rather
than when nwatch is exited.