tcpdump mailing list archives

Re: about this mailing list


From: Eloy Paris <peloy () chapus net>
Date: Thu, 12 Jun 2008 17:56:55 -0400

On Wed, Jun 11, 2008 at 08:04:28PM -0700, Michael Bernstein wrote:

> Thanks Guy. That response was excellent. Please excuse my naivety.
>
> Obviously, you know the deep down of how this program works and the
> why. Why do people want to develop programs based on libpcap when
> TCPdump and Wireshark exist. What is the benefit?

libpcap is a library for capturing packets. tcpdump and wireshark
capture packets, dissect captured packets and provide a way for users to
see dissection results and analysis of the dissection, so they do more
than just capturing packets.

However, other applications may want to do more than capturing,
dissecting, and presenting results, like capturing packets and then
taking some action, like sending a response back, or performing some
type of analysis that tcpdump and wireshark can't do. Other applications
may even want to do less than tcpdump and wireshark do.

See http://www.tcpdump.org/related.html for a list of related projects,
some of which use libpcap for some function.

The beauty of libpcap is that it allows you to capture packets in a
portable way, i.e. a program written to read packets using libpcap will
build on any of the supported platforms, with no change.

The bottom line is that the impact and benefits of libpcap are huge.
We're fortunate to have such a wonderful piece of software, especially
with that price tag.

Cheers,

Eloy Paris

--- On Wed, 6/11/08, Guy Harris <guy () alum mit edu> wrote:
From: Guy Harris <guy () alum mit edu>
Subject: Re: [tcpdump-workers] about this mailing list
To: tcpdump-workers () lists tcpdump org
Date: Wednesday, June 11, 2008, 10:57 PM

On Jun 11, 2008, at 7:32 PM, Michael Bernstein wrote:

> I think mainly all IPS/IDS are based on TCPdump filters and
> translation into IDS rules.

I don't think that's the case, at least if it's "all IPS/IDS" rather
than "most IPS/IDS".  A quick look at the "community" rules for Snort
CURRENT seems to indicate that you can, for example, do PCRE
(Perl-Compatible Regular Expression) matching in rules (see
community-imap.rules), which is more than can be done with BPF's simple
capabilities (which were conceived with the goal that a simple
in-kernel interpreter can execute BPF programs, allowing packets to be
discarded before being copied up to the application).  I suspect not
even "most IPS/IDS" limit their packet inspection to what can be done
with a BPF program.

> What is it that this tcpdump-workers list aims at? What are you
> trying to achieve that TCPdump doesn't already address in the program?

If by "the program" you mean "the computer program named 'tcpdump'",
then one thing this list is trying to achieve is the same thing that
*any* mailing list about *any* piece of software tries to achieve -
provide a place where users can ask questions of other users of the
program, as well as the developers of the program, questions about how
to use the program, questions about why the program behaves in a
particular way, and the like.

It's also a place where developers can ask other developers about the  
right way to add new features or fix bugs (with Wireshark, for  
example, there are separate wireshark-users and wireshark-dev lists;  
there's only one list for tcpdump, which is used for both).

In addition, because the original developers of tcpdump took its
low-level traffic capture code and put it into the libpcap library, and
the current developers also develop libpcap, and because no libpcap
mailing list has been created, it's also a list for people writing
programs that use libpcap, as well as for people working on libpcap.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
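The in-kernel filter Guy describes above can be made concrete. The C program below is an added example for this archive page, not code from the thread, from tcpdump or from libpcap. It transcribes the filter program that `tcpdump -d 'ip and tcp port 80'` prints (jump targets written as the absolute instruction numbers `-d` shows, not the relative offsets of the kernel encoding; the accept value 262144 is what recent tcpdump versions print), runs it with a minimal classic-BPF interpreter that supports only the seven opcodes that program needs, and feeds it constructed Ethernet/IPv4/TCP frames. The interpreter, the frame builder and the `http_filter_accepts` helper are all assumptions of the example; the opcode names follow tcpdump's `-d` mnemonics.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a minimal classic-BPF interpreter covering only the
 * opcodes used by tcpdump's program for "ip and tcp port 80". */
enum op { LDH_ABS, LDB_ABS, LDXB_MSH, LDH_IND, JEQ, JSET, RET };

struct insn {
    enum op code;
    uint32_t k;      /* immediate: packet offset or compare value */
    uint8_t jt, jf;  /* absolute jump targets, as `tcpdump -d` prints them */
};

/* Transcribed from `tcpdump -d 'ip and tcp port 80'`. */
static const struct insn http_prog[] = {
    {LDH_ABS,  12,     0,  0 }, /* (000) ldh [12]           A = ethertype         */
    {JEQ,      0x800,  2,  12}, /* (001) jeq #0x800         IPv4?                 */
    {LDB_ABS,  23,     0,  0 }, /* (002) ldb [23]           A = IP protocol       */
    {JEQ,      0x6,    4,  12}, /* (003) jeq #0x6           TCP?                  */
    {LDH_ABS,  20,     0,  0 }, /* (004) ldh [20]           A = flags/frag offset */
    {JSET,     0x1fff, 12, 6 }, /* (005) jset #0x1fff       non-first fragment?   */
    {LDXB_MSH, 14,     0,  0 }, /* (006) ldxb 4*([14]&0xf)  X = IP header length  */
    {LDH_IND,  14,     0,  0 }, /* (007) ldh [x + 14]       A = TCP source port   */
    {JEQ,      0x50,   11, 9 }, /* (008) jeq #0x50                                */
    {LDH_IND,  16,     0,  0 }, /* (009) ldh [x + 16]       A = TCP dest port     */
    {JEQ,      0x50,   11, 12}, /* (010) jeq #0x50                                */
    {RET,      262144, 0,  0 }, /* (011) ret #262144        accept                */
    {RET,      0,      0,  0 }, /* (012) ret #0             drop                  */
};
static const size_t http_prog_len = sizeof http_prog / sizeof http_prog[0];

/* Bounds-checked loads: a read past the captured bytes rejects the packet,
 * which is also what the kernel interpreter does. */
static int ld8(const uint8_t *p, size_t len, uint32_t off, uint32_t *out)
{
    if (off >= len) return 0;
    *out = p[off];
    return 1;
}
static int ld16(const uint8_t *p, size_t len, uint32_t off, uint32_t *out)
{
    if (off + 2 < off || off + 2 > len) return 0;
    *out = ((uint32_t)p[off] << 8) | p[off + 1];
    return 1;
}

/* Run a program over one packet. The return value is the number of bytes
 * to hand to user space; 0 means the packet is discarded in the kernel. */
uint32_t bpf_run(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0, v = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case LDH_ABS:  if (!ld16(pkt, len, i->k, &A)) return 0; pc++; break;
        case LDB_ABS:  if (!ld8(pkt, len, i->k, &A)) return 0; pc++; break;
        case LDXB_MSH: if (!ld8(pkt, len, i->k, &v)) return 0; X = (v & 0xf) * 4; pc++; break;
        case LDH_IND:  if (!ld16(pkt, len, X + i->k, &A)) return 0; pc++; break;
        case JEQ:      pc = (A == i->k) ? i->jt : i->jf; break;
        case JSET:     pc = (A & i->k) ? i->jt : i->jf; break;
        case RET:      return i->k;
        }
    }
    return 0; /* ran off the end: malformed program, drop */
}

/* Constructed test frame: Ethernet + 20-byte IPv4 header + TCP ports,
 * every other field zero. Returns the frame length (54 bytes). */
size_t build_frame(uint8_t *buf, uint16_t ethertype, uint8_t proto,
                   uint16_t frag_field, uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = ethertype >> 8; buf[13] = ethertype & 0xff;
    buf[14] = 0x45;                                  /* IPv4, IHL = 5 */
    buf[20] = frag_field >> 8; buf[21] = frag_field & 0xff;
    buf[23] = proto;
    buf[34] = sport >> 8; buf[35] = sport & 0xff;    /* TCP header at offset 34 */
    buf[36] = dport >> 8; buf[37] = dport & 0xff;
    return 54;
}

/* 1 if the filter accepts the described frame, 0 if it drops it. */
int http_filter_accepts(uint16_t ethertype, uint8_t proto, uint16_t frag_field,
                        uint16_t sport, uint16_t dport)
{
    uint8_t buf[54];
    size_t n = build_frame(buf, ethertype, proto, frag_field, sport, dport);
    return bpf_run(http_prog, http_prog_len, buf, n) != 0;
}

int main(void)
{
    printf("TCP 40000 -> 80:            %d\n", http_filter_accepts(0x0800, 6, 0, 40000, 80));
    printf("TCP 80 -> 1234 (DF set):    %d\n", http_filter_accepts(0x0800, 6, 0x4000, 80, 1234));
    printf("UDP 1234 -> 80:             %d\n", http_filter_accepts(0x0800, 17, 0, 1234, 80));
    printf("IPv6 ethertype:             %d\n", http_filter_accepts(0x86dd, 6, 0, 1234, 80));
    printf("TCP later fragment (off=2): %d\n", http_filter_accepts(0x0800, 6, 0x0002, 1234, 80));
    return 0;
}
```

Two things are visible in the run that the text only states. First, every decision the program makes is a load from a fixed or header-length-relative offset followed by a compare or mask; there is no loop and no way to scan the payload, which is exactly why a Snort rule's PCRE match lives in user space and a BPF filter can only narrow what reaches it. Second, the `jset #0x1fff` step drops any non-first fragment before the port compare, since those fragments carry no TCP header at all; a filter that forgot this would read payload bytes as ports.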