tcpdump mailing list archives

Re: about this mailing list


From: Michael Bernstein <mb_jobs () yahoo com>
Date: Wed, 11 Jun 2008 20:04:28 -0700 (PDT)

Thanks Guy. That response was excellent. Please excuse my naivety.

Obviously, you know the deep down of how this program works and the why.
Why do people want to develop programs based on libpcap when TCPdump and Wireshark exist? What is the benefit?

Thanks.
Michael
CCIE Security #16395


--- On Wed, 6/11/08, Guy Harris <guy () alum mit edu> wrote:
From: Guy Harris <guy () alum mit edu>
Subject: Re: [tcpdump-workers] about this mailing list
To: tcpdump-workers () lists tcpdump org
Date: Wednesday, June 11, 2008, 10:57 PM

On Jun 11, 2008, at 7:32 PM, Michael Bernstein wrote:

> I think mainly all IPS/IDS are based on TCPdump filters and
> translation into IDS rules.

I don't think that's the case, at least if it's "all IPS/IDS" rather
than "most IPS/IDS".  A quick look at the "community" rules for Snort
CURRENT seems to indicate that you can, for example, do PCRE
(Perl-Compatible Regular Expression) matching in rules (see
community-imap.rules), which is more than can be done with BPF's simple
capabilities (which were conceived with the goal that a simple
in-kernel interpreter can execute BPF programs, allowing packets to be
discarded before being copied up to the application).  I suspect not
even "most IPS/IDS" limit their packet inspection to what can be done
with a BPF program.

> What is it that this tcpdump-workers list aims at? What are you
> trying to achieve that TCPdump doesn't already address in the program?

If by "the program" you mean "the computer program named 'tcpdump'",
then one thing this list is trying to achieve is the same thing that
*any* mailing list about *any* piece of software tries to achieve -
provide a place where users can ask questions of other users of the
program, as well as the developers of the program, questions about how
to use the program, questions about why the program behaves in a
particular way, and the like.

It's also a place where developers can ask other developers about the
right way to add new features or fix bugs (with Wireshark, for
example, there are separate wireshark-users and wireshark-dev lists;
there's only one list for tcpdump, which is used for both).

In addition, because the original developers of tcpdump took its
low-level traffic capture code and put it into the libpcap library, and
the current developers also develop libpcap, and because no libpcap
mailing list has been created, it's also a list for people writing
programs that use libpcap, as well as for people working on libpcap.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

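To make concrete the distinction Guy draws above between what a BPF program can do (a simple in-kernel interpreter that decides whether a packet is even copied up to the application) and what an IDS rule engine does in userspace (PCRE matching on payload), here is an added example. It is mine, not code from this list or from the tcpdump/libpcap project: a classic BPF interpreter in the spirit of the kernel one, a filter program for "ip and tcp dst port 80" that I hand-assembled in the mnemonic form `tcpdump -d` prints (tcpdump's own generated code for that filter differs in detail), and a PCRE-style payload check applied only to the packets the filter lets through. The Ethernet/IPv4/TCP frames and the directory-traversal pattern are constructed for the example; they are not captured traffic or a real Snort rule.

```python
import re
import struct

# Hand-assembled classic BPF program for "ip and tcp dst port 80" (my own
# assembly, written like `tcpdump -d` output; not tcpdump's generated code).
# Instruction = (mnemonic, k, jt, jf); jt/jf are offsets relative to pc+1.
FILTER_TCP_DST_80 = [
    ("ldh", 12, 0, 0),           # 0: A = ethertype
    ("jeq", 0x0800, 0, 7),       # 1: IPv4? yes -> 2, no -> 9 (drop)
    ("ldb", 23, 0, 0),           # 2: A = IP protocol
    ("jeq", 6, 0, 5),            # 3: TCP? yes -> 4, no -> 9
    ("ldh", 20, 0, 0),           # 4: A = IP flags + fragment offset
    ("jset", 0x1FFF, 3, 0),      # 5: later fragment? yes -> 9, no -> 6
    ("ldxb_msh", 14, 0, 0),      # 6: X = 4 * IHL nibble = IP header length
    ("ldh_x", 16, 0, 0),         # 7: A = halfword at X + 16 = TCP dst port
    ("jeq", 80, 1, 0),           # 8: port 80? yes -> 10, no -> 9
    ("ret", 0, 0, 0),            # 9: drop
    ("ret", 65535, 0, 0),        # 10: accept, keep 65535 bytes
]


def run_bpf(program, pkt):
    """Execute a classic BPF program over one frame. Returns the number of
    bytes to keep; 0 means drop. An out-of-range load drops the packet,
    which is what the in-kernel interpreter does instead of faulting."""
    acc = idx = pc = 0
    while True:
        op, k, jt, jf = program[pc]
        pc += 1
        if op == "ldb":
            if k >= len(pkt):
                return 0
            acc = pkt[k]
        elif op == "ldh":
            if k + 2 > len(pkt):
                return 0
            acc = struct.unpack_from("!H", pkt, k)[0]
        elif op == "ldh_x":              # ldh [x + k]
            if idx + k + 2 > len(pkt):
                return 0
            acc = struct.unpack_from("!H", pkt, idx + k)[0]
        elif op == "ldxb_msh":           # ldxb 4*([k]&0xf)
            if k >= len(pkt):
                return 0
            idx = 4 * (pkt[k] & 0x0F)
        elif op == "jeq":
            pc += jt if acc == k else jf
        elif op == "jset":
            pc += jt if acc & k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError("unsupported opcode %r" % (op,))


def build_frame(dst_port, payload, proto=6, ethertype=0x0800, frag=0):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero because
    neither stage looks at them."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, frag,
                     64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def tcp_payload(frame):
    """Slice the TCP payload out of a frame using the IHL and data-offset fields."""
    ihl = (frame[14] & 0x0F) * 4
    tcp = 14 + ihl
    doff = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + doff:]


# Userspace content stage: the kind of check a Snort `pcre:` option does and
# BPF cannot express. Constructed pattern for the example, not a real rule.
TRAVERSAL_RULE = re.compile(rb"^(?:GET|POST) /[^ ]*\.\./")


def inspect(frames, program=FILTER_TCP_DST_80, rule=TRAVERSAL_RULE):
    """Two-stage pipeline: BPF prefilter, then a regex over the TCP payload.
    Returns (number of frames that passed BPF, list of alerting payloads)."""
    passed, alerts = 0, []
    for frame in frames:
        if run_bpf(program, frame) == 0:
            continue                     # discarded before reaching userspace
        passed += 1
        payload = tcp_payload(frame)
        if rule.search(payload):
            alerts.append(payload)
    return passed, alerts


TRAVERSAL = b"GET /../../etc/passwd HTTP/1.0\r\n"
SAMPLE_FRAMES = [                        # constructed, not captured traffic
    build_frame(80, TRAVERSAL),                         # passes BPF, alerts
    build_frame(80, b"GET /index.html HTTP/1.0\r\n"),   # passes BPF, clean
    build_frame(443, TRAVERSAL),                        # wrong port: BPF drops
    build_frame(80, TRAVERSAL, proto=17),               # not TCP: BPF drops
    build_frame(80, TRAVERSAL, ethertype=0x86DD),       # not IPv4: BPF drops
    build_frame(80, TRAVERSAL, frag=0x0003),            # later fragment: drops
]

if __name__ == "__main__":
    n, hits = inspect(SAMPLE_FRAMES)
    print("passed BPF: %d of %d, alerts: %d" % (n, len(SAMPLE_FRAMES), len(hits)))
```

Run it and only two of the six frames reach the regex stage; the other four are rejected by the filter program on header fields alone, which is the cheap work a kernel is happy to do, while the "../" match needs the whole payload and a regex engine, which is why an IDS does that part after libpcap has handed it the packet. The fragment case is worth noting: a classic port filter skips non-first fragments because the TCP header is not in them, so a payload-matching stage that wants to see fragmented traffic has to reassemble first.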
