tcpdump mailing list archives
Re: about this mailing list
From: Michael Bernstein <mb_jobs () yahoo com>
Date: Wed, 11 Jun 2008 20:04:28 -0700 (PDT)
Thanks Guy. That response was excellent. Please excuse my naivety. Obviously, you know the deep down of how this program works and the why. Why do people want to develop programs based on libpcap when TCPdump and Wireshark exist? What is the benefit? Thanks.

Michael
CCIE Security #16395

--- On Wed, 6/11/08, Guy Harris <guy () alum mit edu> wrote:

From: Guy Harris <guy () alum mit edu>
Subject: Re: [tcpdump-workers] about this mailing list
To: tcpdump-workers () lists tcpdump org
Date: Wednesday, June 11, 2008, 10:57 PM

On Jun 11, 2008, at 7:32 PM, Michael Bernstein wrote:

> I think mainly all IPS/IDS are based on TCPdump filters and
> translation into IDS rules.

I don't think that's the case, at least if it's "all IPS/IDS" rather than "most IPS/IDS". A quick look at the "community" rules for Snort CURRENT seems to indicate that you can, for example, do PCRE (Perl-Compatible Regular Expression) matching in rules (see community-imap.rules), which is more than can be done with BPF's simple capabilities (which were conceived with the goal that a simple in-kernel interpreter can execute BPF programs, allowing packets to be discarded before being copied up to the application). I suspect not even "most IPS/IDS" limit their packet inspection to what can be done with a BPF program.

> What is it that this tcpdump-workers list aims at? What are you
> trying to achieve that TCPdump doesn't already address in the program?

If by "the program" you mean "the computer program named 'tcpdump'", then one thing this list is trying to achieve is the same thing that *any* mailing list about *any* piece of software tries to achieve - provide a place where users can ask questions of other users of the program, as well as the developers of the program, questions about how to use the program, questions about why the program behaves in a particular way, and the like.

It's also a place where developers can ask other developers about the right way to add new features or fix bugs (with Wireshark, for example, there are separate wireshark-users and wireshark-dev lists; there's only one list for tcpdump, which is used for both).

In addition, because the original developers of tcpdump took its low-level traffic capture code and put it into the libpcap library, and the current developers also develop libpcap, and because no libpcap mailing list has been created, it's also a list for people writing programs that use libpcap, as well as for people working on libpcap.

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
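As an added example (not code from this thread, from tcpdump or from libpcap), the filter-versus-rule contrast Guy describes, in C: a hand-written stand-in for the BPF program that "tcp port 143" compiles to, next to the payload substring search that BPF cannot express and an IDS therefore does in user space. The frame builder and its bytes are constructed for the example; the BPF mnemonics in the comments are illustrative, not the exact output of tcpdump -d.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Big-endian 16-bit load, the BPF "ldh" operation. */
static uint16_t ldh(const uint8_t *p, size_t off) { return (uint16_t)((p[off] << 8) | p[off + 1]); }

/* Hand-written equivalent of the BPF program for "tcp port 143" on an Ethernet/IPv4
 * frame: fixed-offset loads, compares and branches only, which is what lets a small
 * in-kernel interpreter run it before the copy to user space.  Comments name the
 * BPF instruction each line stands in for (illustrative, not tcpdump -d output). */
int bpf_tcp_port_143(const uint8_t *pkt, size_t len)
{
    if (len < 34) return 0;                     /* shorter than Ethernet + IPv4 header */
    if (ldh(pkt, 12) != 0x0800) return 0;       /* ldh [12]; jeq #0x800    EtherType IPv4 */
    if (pkt[23] != 6) return 0;                 /* ldb [23]; jeq #0x6      protocol TCP */
    if (ldh(pkt, 20) & 0x1fff) return 0;        /* ldh [20]; jset #0x1fff  later fragment */
    size_t ihl = (size_t)(pkt[14] & 0x0f) * 4;  /* ldxb 4*([14]&0xf)       IP header length */
    if (len < 14 + ihl + 4) return 0;
    uint16_t sport = ldh(pkt, 14 + ihl);        /* ldh [x + 14]            source port */
    uint16_t dport = ldh(pkt, 14 + ihl + 2);    /* ldh [x + 16]            destination port */
    return sport == 143 || dport == 143;        /* jeq #0x8f               port 143 */
}

/* What BPF cannot express: a substring search over the TCP payload.  An IDS
 * does this (or PCRE matching) in user space on packets the filter let through. */
int payload_contains(const uint8_t *pkt, size_t len, const char *needle)
{
    if (!bpf_tcp_port_143(pkt, len)) return 0;  /* kernel-style pre-filter first */
    size_t ihl = (size_t)(pkt[14] & 0x0f) * 4;
    if (len < 14 + ihl + 20) return 0;          /* need a full TCP header */
    size_t off = 14 + ihl + (size_t)(pkt[14 + ihl + 12] >> 4) * 4;  /* skip TCP header */
    size_t n = strlen(needle);
    for (size_t i = 0; off + i + n <= len; i++)
        if (memcmp(pkt + off + i, needle, n) == 0) return 1;
    return 0;
}

/* Constructed (not captured) frame: Ethernet + 20-byte IPv4 + 20-byte TCP
 * header + payload, every other field zero.  Returns the frame length. */
size_t build_frame(uint8_t *buf, uint16_t ethertype, uint8_t proto,
                   uint16_t sport, uint16_t dport, const char *payload)
{
    size_t plen = strlen(payload);
    memset(buf, 0, 54);
    buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)ethertype;
    buf[14] = 0x45; buf[23] = proto;            /* IPv4 with IHL = 5; IP protocol */
    buf[34] = (uint8_t)(sport >> 8); buf[35] = (uint8_t)sport;
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport;
    buf[46] = 0x50;                             /* TCP data offset = 5 words */
    memcpy(buf + 54, payload, plen);
    return 54 + plen;
}
```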