tcpdump mailing list archives
Re: about this mailing list
From: Eloy Paris <peloy () chapus net>
Date: Thu, 12 Jun 2008 17:56:55 -0400
On Wed, Jun 11, 2008 at 08:04:28PM -0700, Michael Bernstein wrote:
> Thanks Guy. That response was excellent. Please excuse my naivety. Obviously, you know the deep down of how this program works and the why. Why do people want to develop programs based on libpcap when TCPdump and Wireshark exist. What is the benefit?
libpcap is a library for capturing packets. tcpdump and wireshark capture packets, dissect captured packets and provide a way for users to see dissection results and analysis of the dissection, so they do more than just capturing packets. However, other applications may want to do more than capturing, dissecting, and presenting results, like capturing packets and then taking some action, like sending a response back, or performing some type of analysis that tcpdump and wireshark can't do. Other applications may even want to do less than tcpdump and wireshark do. See http://www.tcpdump.org/related.html for a list of related projects, some of which use libpcap for some function.

The beauty of libpcap is that it allows you to capture packets in a portable way, i.e. a program written to read packets using libpcap will build on any of the supported platforms, with no change.

The bottom line is that the impact and benefits of libpcap are huge. We're fortunate to have such a wonderful piece of software, especially with that price tag.

Cheers,

Eloy Paris-
--- On Wed, 6/11/08, Guy Harris <guy () alum mit edu> wrote:

From: Guy Harris <guy () alum mit edu>
Subject: Re: [tcpdump-workers] about this mailing list
To: tcpdump-workers () lists tcpdump org
Date: Wednesday, June 11, 2008, 10:57 PM

On Jun 11, 2008, at 7:32 PM, Michael Bernstein wrote:

> I think mainly all IPS/IDS are based on TCPdump filters and
> translation into IDS rules.

I don't think that's the case, at least if it's "all IPS/IDS" rather than "most IPS/IDS". A quick look at the "community" rules for Snort CURRENT seems to indicate that you can, for example, do PCRE (Perl-Compatible Regular Expression) matching in rules (see community-imap.rules), which is more than can be done with BPF's simple capabilities (which were conceived with the goal that a simple in-kernel interpreter can execute BPF programs, allowing packets to be discarded before being copied up to the application). I suspect not even "most IPS/IDS" limit their packet inspection to what can be done with a BPF program.

> What is it that this tcpdump-workers list aims at? What are you
> trying to achieve that TCPdump doesn't already address in the program?

If by "the program" you mean "the computer program named 'tcpdump'", then one thing this list is trying to achieve is the same thing that *any* mailing list about *any* piece of software tries to achieve - provide a place where users can ask questions of other users of the program, as well as the developers of the program, questions about how to use the program, questions about why the program behaves in a particular way, and the like. It's also a place where developers can ask other developers about the right way to add new features or fix bugs (with Wireshark, for example, there are separate wireshark-users and wireshark-dev lists; there's only one list for tcpdump, which is used for both).

In addition, because the original developers of tcpdump took its low-level traffic capture code and put it into the libpcap library, and the current developers also develop libpcap, and because no libpcap mailing list has been created, it's also a list for people writing programs that use libpcap, as well as for people working on libpcap.

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
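The two points made in this thread, that a libpcap-based program can "take some action" on captured packets rather than only display them, and that a BPF filter is limited to simple fixed-offset tests while an IDS rule can also run a regular expression over the payload, can be seen side by side in a short script. The following is an added example written for this archive page, not code from the thread, tcpdump or libpcap. It uses only the Python standard library: it writes and reads the libpcap savefile format, applies a hand-written fixed-offset filter that mirrors what a BPF program for "tcp port 143" checks, and then runs a regex over the TCP payload as a stand-in for the PCRE-style content matching that BPF cannot express. The frames, addresses, ports and IMAP command lines are constructed sample data; the function names are my own.

```python
"""Added example (not from the thread): libpcap savefile reader, a fixed-offset
filter mirroring a BPF 'tcp port N' program, and a regex content rule over the
TCP payload. All frames below are constructed inline so this runs offline."""
import re
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # libpcap savefile magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def make_frame(proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a constructed Ethernet/IPv4 frame carrying TCP (6) or UDP (17)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    if proto == 6:
        # TCP: ports, seq, ack, data offset 5 words, PSH|ACK, window, csum, urg
        l4 = struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4 + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Assemble a little-endian libpcap savefile from raw Ethernet frames."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = []
    for i, frame in enumerate(frames):
        # Per-record header: ts_sec, ts_usec, captured length, original length
        records.append(struct.pack("<IIII", 1213308000 + i, 0, len(frame), len(frame)) + frame)
    return header + b"".join(records)


def read_pcap(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (ts_sec, frame) per record, checking magic, endianness and link type."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic as written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a libpcap savefile")
    linktype = struct.unpack_from(end + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled in this example")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record")
        off += incl_len
        yield ts_sec, frame


def tcp_port_filter(frame: bytes, port: int) -> bool:
    """Fixed-offset byte tests, the kind a BPF program for 'tcp port N' performs."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # EtherType IPv4
        return False
    if frame[23] != 6:                                     # IP protocol TCP
        return False
    if struct.unpack_from(">H", frame, 20)[0] & 0x1FFF:    # non-first fragment
        return False
    tcp = 14 + (frame[14] & 0x0F) * 4                      # honour IP options
    if len(frame) < tcp + 4:
        return False
    sport, dport = struct.unpack_from(">HH", frame, tcp)
    return port in (sport, dport)


def tcp_payload(frame: bytes) -> bytes:
    """Return the bytes after the TCP header (data offset honoured)."""
    tcp = 14 + (frame[14] & 0x0F) * 4
    doff = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + doff:]


# Content rule of the kind BPF cannot express: a cleartext IMAP LOGIN command
IMAP_LOGIN = re.compile(rb"^\S+ LOGIN ", re.IGNORECASE)


def analyze(pcap_bytes: bytes, port: int = 143) -> dict:
    """Read a savefile, apply the BPF-style filter, then the content rule."""
    counts = {"frames": 0, "bpf_match": 0, "regex_match": 0}
    for _ts, frame in read_pcap(pcap_bytes):
        counts["frames"] += 1
        if not tcp_port_filter(frame, port):
            continue
        counts["bpf_match"] += 1
        if IMAP_LOGIN.search(tcp_payload(frame)):
            counts["regex_match"] += 1
    return counts


# Constructed sample traffic: two IMAP commands, one HTTP request, one DNS query
SAMPLE_FRAMES = [
    make_frame(6, 40001, 143, b"a001 LOGIN alice example-password\r\n"),
    make_frame(6, 40002, 143, b"a002 CAPABILITY\r\n"),
    make_frame(6, 40003, 80, b"GET / HTTP/1.0\r\n\r\n"),
    make_frame(17, 40004, 53, bytes(12)),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    print(analyze(SAMPLE_PCAP))   # {'frames': 4, 'bpf_match': 2, 'regex_match': 1}
```

The split between `tcp_port_filter` and `IMAP_LOGIN` is the point: the first stage only compares bytes at fixed offsets, which is why it can run in the kernel before a copy to user space, while the second stage needs the whole payload in the application, which is the part an IDS adds on top of what libpcap and BPF give it.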