Intuitive Display Filters for Wireshark
Advisor: Amy Csizmar Dalal
Background
Wireshark is an awesome tool for exploring and learning about computer networks. I use it extensively in CS 331, Computer Networks, as a way for students to see real network transactions in context and to match the reality with the concepts from the textbook and from lecture.
Wireshark has a bit of a steep learning curve. A network trace, in its purest form, contains all of the data at all of the layers between all of the hosts a given computer talks to — including broadcast and multicast data used for things like ARP, DHCP, service and resource discovery, etc. This means there's a lot of information to take in all at once, even for the simplest transactions.
Filters are invaluable in helping tame the chaos, limiting the displayed data to a more manageable subset. This allows the end user to concentrate on one set of source / destination addresses, one particular conversation, one application, etc.
Writing filters, to beginners (and, er, experts, sometimes) can feel like petitioning the Great Wizard of Oz. Syntax is finicky, there are few hints, and it's more trial and error than it should be. Practically, this means that I give students the “filter magic phrase” they'll need, and students stick to the patterns I give them. There's very little reflection on what the filter means, why this particular syntax is necessary to produce the desired results, and so on. This prevents students from exploring "what if" questions on their own, a practice that is extremely valuable to student learning. In this respect, my chosen tool hinders student learning.
I'd like students — CS 331 students, security students, anyone who's casually interested in networks, etc — to be able to specify filters in more natural and intuitive ways, so that they are not relying on me and/or random Internet searches to always provide the correct syntax. This Comps project aims to address this issue, by exploring ways to make filtering Wireshark data more intuitive.
The project
The goal of this project is to develop a mechanism for people (hobbyists, students learning about computer networks) to express ways to filter and display Wireshark data using natural language.
The filter mechanism should fulfill the following criteria:
- It should allow a user to specify the desired filter using rules which they express in plain language.
- It should highlight / prioritize / feature the most common filter rules that people want and use.
- It should translate the plain language rules into actual Wireshark filter syntax and communicate the translated filter to Wireshark.
There are three main high-level tasks you'll carry out in this project:
- Audience analysis and requirements gathering. Who is the target audience? What user roles do they occupy? Why does your intended audience use, or not use, Wireshark? How do they currently use Wireshark? What are their goals and main tasks? How do existing Wireshark display filters aid and/or hinder their goal-supporting tasks?
- Analyze the existing display filtering capabilities of Wireshark. What are the available filters? How do users build and express filters? What are the common stumbling blocks and errors users make when filtering data to be displayed?
- Develop and implement a more natural (possibly rules-based) language / mechanism for specifying filters. This could involve building a "filter translator" that outputs the correct syntax that the user then inputs into wireshark, or a UI wrapper / extension of Wireshark, or something similar.
Deliverables
- A mechanism for expressing Wireshark filters in more natural and intuitive language, implemented as an extension to Wireshark and/or a standalone helper tool.
- A usability analysis of the existing Wireshark display filter mechanism and the implemented mechanism.
Recommended experience
No specific experience is necessary. This project touches on several subfields of Computer Science -- CS education, HCI, networks and systems -- so it has something for everyone!
References/inspiration
More to be added later.