Ask HN: Opensource alternatives to tcpdump?
Hello,
I've nothing wrong about tcpdump and it's related ecosystem, but I was curious about the topic today.
Do you recommend any alternative ecosystem, approach, or tool (and why), for network traffic analysis, to possibly replace tcpdump nowadays?
Thanks.
11 comments
[ 2.7 ms ] story [ 39.4 ms ] thread:>
It's hard to believe that 99% of opensource based network analysis is relying in a single alternative. There use to ve CVEs and RCE announcements from time to time for libpcap. Maybe we're in front of just another perfect target. A widely used, security related, main column.
Someone knows if the codebase is well audited, specially on changes, new protocols, etc?
Is there any difference, running tcpdump/libpcap in linux or let's say, do it in openbsd, if there is a libpcap 0day?
As an alternative, just open a raw socket directly (or use any of the ringbuffer-ish alternatives - look at what tcpdump=libpcap does for your OS). Working directly with raw sockets can make perfect sense, but you may still want to use libpcap to compile your BPF (i.e. traffic filters).
http://www.ntop.org/products/packet-capture/pf_ring/
I think does not rely in libpcap.
Also did find some python which can read pcap files but does not use libpcap.
It's hard to find tested/adopted alternatives.
I misread the question as implying that it was not open source.
When I used Solaris, I used "snoop" which is now open source through illumos.
I love HN, I have learned so much on here. I'm pleased to be able to contribute.
In 2003, the first parts were added, bpf write filters and descriptor locking, this considerably limits the scope of access to bpf writers and byte packet parsers.
http://marc.info/?l=openbsd-cvs&m=106684834031056&w=2
By 2004, initial privilege separation support was already committed to tcpdump(1) by Can E. Acar and Otto Moerbeek.
http://marc.info/?l=openbsd-cvs&m=107531986114887&w=2
With the introduction of pledge in 2015; the privilege separation work had been further refined, with the packet parser limited to now just stdio operations, unable to read/write files or open network connections.
http://marc.info/?l=openbsd-cvs&m=144383352229927&w=2
http://marc.info/?l=openbsd-cvs&m=146908579408853&w=2
So, tcpdump is a fine network security analysis tool.. on OpenBSD today.