

0.01-


x use the output tag instead of test-output
x flush interval
x sample interval

x optionally evaluate output tag every save or at time of running the program
x (and optionally reset scanset each eval or each flush, or some other interval?)

x rework output_tag - one "global" output tag calculated only when scanset created

x restrict to interesting hosts only

x generic debug logging model for Packet.pm
x go over POD documentation
x factor out packet_handler functionality

x verify make_scanset changes ( default_state specification ) don't kill ngen


---------
0.02 and beyond-

make state machines self-pruning and garbage collected at end of sampling
interval so subsequent sampling intervals will correctly pick up new traffic
(if the same host/port combos are reused the state machines can already exist
and be in a do-nothing state)


fix manpage
 other than default interface may now be specified
 make clear that extended nmap machine-readable format data is saved to disk
 remove mention of port specs in manpage

add -accept-any-host parameter back so nwatch can be run with no params
fix pod documentation formatting errors

x allow command-line specification of interface(s) to watch
allow watching of multiple interfaces?

refine and document packet field names & conventions

default logging profiles in nwatch (predefined sets of tuples)

periodic blank results file bug

use the prune method from nwatch
sort hosts properly (NDiff)
refine POD documentation

think of a better name!
spying model
x UDP
x filtered TCP

restrict to interesting ports only
abstract out Interface as a separate module
possibly rename class names to their upper-case counterparts


x Stateful model to replace simple rules
x  will enable:
x	detecting UDP ports,
x	filtered TCP ports, 
x	more complex rules based on multiple protocols at once
	triggers

improve protocol stack
  checksum calculations
  IP options parsing
  etc.

a better model for specifying interesting hosts/ports/protocols
  (probably for NDiff libraries, as well)

distributed watching, centralized results gathering
a model for detecting/storing/NDiffing non-IP protocols
proper destructors where necessary


allow pattern matching in field_path
better way to reference packet fields
	field_top( foo )   some field in a packet's top-layer protocol
	
	proto_isa( "*foo:bar" );
    	proto_isa( "*foo:bar*" );


remove absolute references to "ethernet:", instead field (".*ipv4:tcp..." );


first state eval in a statemachine
prune old state machines (method call in eval)

Packet::top


formal logging class with date stamping
fix broadcast address mistakenly being counted as regular host
fix/document mid-connection traffic not being picked up by tcp state machines


make filtered TCP and closed UDP ports properly detected at flush time rather
than when nwatch is exited.







