Creating ACL entries in Wireshark

By stretch | Thursday, October 29, 2009 at 7:36 a.m. UTC

Wireshark is an awesome tool, and it seems like every time I use it I discover another little nugget of awesomeness. In this case, it was Wireshark's ability to generate ACL and firewall entries on the fly from a captured packet.

Let's assume we've captured some unauthorized traffic traversing the firewall: an IRC sesion. We can examine the capture with Wireshark to confirm that the traffic should be denied by the security policy, and automatically generate an ACL entry (ACE) to match the appropriate packets. First, select one of the packets from the suspect session:

select_packet.png

Then, navigate to Tools > Firewall ACL Rules.

ace_creation_dialog.png

Wireshark supports several types of syntax, including Cisco IOS standard and extended ACLs, IP Filter, IPFirewall, Net Filter, Packet Filter, and Windows Firewall. Selecting Cisco IOS (extended) offers several levels of granularity: we can filter the source or destination host, TCP port, or both. Additionally, we can toggle the Inbound switch to swap source and destination addresses, and the Deny switch to toggle between permit and deny actions.

ace_creation_dialog2.png

The generated syntax can then be copied and pasted directly into an ACL.

While veteran engineers may find this little more than a convenience feature, it can be an excellent learning tool for students to experiment with creating ACEs to match real-world traffic.

About the Author

Jeremy Stretch is a networking engineer and the maintainer of PacketLife.net. He currently lives in the Raleigh-Durham area of North Carolina. Although employed full-time out of necessity, his true passion lies in improving the field of network engineering around the world. You can contact him by email or follow him on Twitter.

Posted in Tips and Tricks

Comments

felix001 (guest) commented on Thursday, October 29, 2009 at 9:05 a.m. UTC

Nice article... i never looked into this feature but the IPtables options is pretty cool...

Marc Poljak (guest) commented on Thursday, October 29, 2009 at 9:23 a.m. UTC

Very cool!

RouteMap commented on Thursday, October 29, 2009 at 12:58 p.m. UTC

Cool. Always look forward to reading your articles.

Colby commented on Thursday, October 29, 2009 at 1:02 p.m. UTC

That is pretty cool.

Aaron (guest) commented on Thursday, October 29, 2009 at 1:43 p.m. UTC

While my old-school manner dictates that I do it by hand, I have used this feature to show non-network people some of the innards of ACLEs; it helps them understand why I tell them to provide IP addresses, protocols, and ports when requesting access through a firewall or router.

Great article!

shivlu jain (guest) commented on Saturday, October 31, 2009 at 1:20 a.m. UTC

really a nice article.

regards shivlu jain

Marek commented on Monday, November 2, 2009 at 2:47 a.m. UTC

Great article! This is a very cool feature...

Jon Langton (guest) commented on Thursday, November 5, 2009 at 4:41 p.m. UTC

Using Wireshark 1.0.7 on Ubuntu 9.04, this feature can be found in the Analyize>Firewall ACL Rules. Nice feature especially when writing IPtables rules or pf rules since I don't write these rules as often as router ACLs or firewall ACLs.

Leave a Comment


Register to comment as a member. You'll look cooler.

Optional; will not be displayed publicly or given out.

No commercial links. Only personal (e.g. blog, Twitter, or LinkedIn) and/or on-topic links, please.
What is the maximum decimal value that can be expressed by eight bits?