Ask HN: Opensource alternatives to tcpdump?

4 points by txutxu ↗ HN
Hello,

I've nothing wrong about tcpdump and it's related ecosystem, but I was curious about the topic today.

Do you recommend any alternative ecosystem, approach, or tool (and why), for network traffic analysis, to possibly replace tcpdump nowadays?

Thanks.

11 comments

[ 2.7 ms ] story [ 39.4 ms ] thread
libPCAP?

:>

Unless it's some case sensitive trick, I'm looking for alternatives to it.

It's hard to believe that 99% of opensource based network analysis is relying in a single alternative. There use to ve CVEs and RCE announcements from time to time for libpcap. Maybe we're in front of just another perfect target. A widely used, security related, main column.

Someone knows if the codebase is well audited, specially on changes, new protocols, etc?

Is there any difference, running tcpdump/libpcap in linux or let's say, do it in openbsd, if there is a libpcap 0day?

Wireshark offers a different query language.

As an alternative, just open a raw socket directly (or use any of the ringbuffer-ish alternatives - look at what tcpdump=libpcap does for your OS). Working directly with raw sockets can make perfect sense, but you may still want to use libpcap to compile your BPF (i.e. traffic filters).

Just to clarify the context, TCPdump is open source: http://www.tcpdump.org/#source

I misread the question as implying that it was not open source.

Sorry, if you have some suggestion in howto make it clearer, please, let me know.
Between tcpdump and Wireshark, my network analysis needs as a sysadmin are covered.

When I used Solaris, I used "snoop" which is now open source through illumos.

Didn't notice about snoop, thanks!
You are welcome. :)

I love HN, I have learned so much on here. I'm pleased to be able to contribute.

OpenBSD's tcpdump(1) is fork of tcpdump.org, a lot of early work went into adding security features to bpf to facilitate implementation of privilege dropping/separation in bpf programs.

In 2003, the first parts were added, bpf write filters and descriptor locking, this considerably limits the scope of access to bpf writers and byte packet parsers.

http://marc.info/?l=openbsd-cvs&m=106684834031056&w=2

By 2004, initial privilege separation support was already committed to tcpdump(1) by Can E. Acar and Otto Moerbeek.

http://marc.info/?l=openbsd-cvs&m=107531986114887&w=2

With the introduction of pledge in 2015; the privilege separation work had been further refined, with the packet parser limited to now just stdio operations, unable to read/write files or open network connections.

http://marc.info/?l=openbsd-cvs&m=144383352229927&w=2

http://marc.info/?l=openbsd-cvs&m=146908579408853&w=2

So, tcpdump is a fine network security analysis tool.. on OpenBSD today.

This responds pretty well to other commentary of mine. Thanks.