From a developer's viewpoint, Look’n’Stop is a great personal firewall. Its design may not be very clear to an ordinary user, but with enough background knowledge it becomes a powerful analyzer for security threats.
- Look’n’Stop passes the packet data to our plugin through its API
- the plugin forks a tshark process to do the dissection
- the plugin dumps the packet in libpcap format to tshark’s stdin
- tshark dissects the packet into a protocol tree and writes it as XML to stdout
- the plugin fetches the XML output and parses it with expat
- the plugin pops up a tree-based dialog and renders the protocol tree
- the popup dialog provides more features, for example saving the packet in libpcap format
Combining those steps, we get a new dissector plugin.
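The two data formats the plugin has to handle in those steps are the libpcap stream written to tshark’s stdin and the PDML XML read back from its stdout. The following is an added Python example (not the plugin’s own code, which targets the Look’n’Stop API in C) that builds the libpcap stream for one constructed ARP frame and parses a hand-written PDML fragment with expat into a tree ready for a tree-view dialog:

```python
import struct
import xml.parsers.expat

# libpcap global header (LINKTYPE_ETHERNET = 1) plus one record per packet:
# the byte stream the plugin writes to tshark's stdin ("tshark -r - -T pdml").
def pcap_stream(packets, linktype=1, snaplen=65535):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, data in packets:      # record header: ts_sec, ts_usec, caplen, len
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data
    return out

# Parse tshark's PDML output with expat into nested (name, label, children)
# tuples, the shape a tree-based dialog can render directly.
def parse_pdml(xml_bytes):
    root = ("pdml", "", [])
    stack = [root]
    def start(tag, attrs):
        if tag in ("packet", "proto", "field"):
            node = (attrs.get("name", tag), attrs.get("showname", attrs.get("show", "")), [])
            stack[-1][2].append(node)
            stack.append(node)
    def end(tag):
        if tag in ("packet", "proto", "field"):
            stack.pop()
    p = xml.parsers.expat.ParserCreate()
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.Parse(xml_bytes, True)
    return root

# Flatten the tree into indented lines, one per node (what the dialog shows).
def render(node, depth=0):
    name, label, children = node
    lines = ["  " * depth + (label or name)]
    for child in children:
        lines.extend(render(child, depth + 1))
    return lines

# Constructed sample input: a 42-byte Ethernet/ARP request frame and an
# abbreviated, hand-written PDML fragment of the kind tshark emits for it.
ARP_FRAME = bytes.fromhex(
    "ffffffffffff" "02004c4f4f50" "0806"                       # Ethernet: dst, src, type
    "0001" "0800" "06" "04" "0001"                             # ARP: htype, ptype, hlen, plen, op
    "02004c4f4f50" "c0a80001" "000000000000" "c0a80002")       # sha, spa, tha, tpa
SAMPLE_PDML = b"""<pdml version="0" creator="constructed-sample"><packet>
<proto name="eth" showname="Ethernet II"><field name="eth.dst" showname="Destination: ff:ff:ff:ff:ff:ff"/></proto>
<proto name="arp" showname="Address Resolution Protocol (request)"><field name="arp.opcode" showname="Opcode: request (1)"/></proto>
</packet></pdml>"""
```

`pcap_stream([(0, 0, ARP_FRAME)])` is what would be piped to tshark; `render(parse_pdml(SAMPLE_PDML))` gives the indented protocol tree.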
If you enter a valid path, the plugin fetches the version and copyright from tshark and saves them to the registry for reuse later.