
Ask HN: Opensource alternatives to tcpdump? - txutxu
Hello,

I have nothing against tcpdump and its related ecosystem, but I was curious about the topic today.

Do you recommend any alternative ecosystem, approach, or tool (and why) for network traffic analysis, to possibly replace tcpdump nowadays?

Thanks.
======
brynet
OpenBSD's tcpdump(1) is a fork of tcpdump.org's; a lot of early work went into
adding security features to bpf to facilitate the implementation of privilege
dropping/separation in bpf programs.

In 2003 the first parts were added: bpf write filters and descriptor locking.
This considerably limits the scope of access for bpf writers and byte packet
parsers.

[http://marc.info/?l=openbsd-cvs&m=106684834031056&w=2](http://marc.info/?l=openbsd-cvs&m=106684834031056&w=2)

By 2004, initial privilege separation support was already committed to
tcpdump(1) by Can E. Acar and Otto Moerbeek.

[http://marc.info/?l=openbsd-cvs&m=107531986114887&w=2](http://marc.info/?l=openbsd-cvs&m=107531986114887&w=2)

With the introduction of pledge in 2015, the privilege separation work was
further refined, with the packet parser now limited to just stdio operations,
unable to read or write files or open network connections.

[http://marc.info/?l=openbsd-cvs&m=144383352229927&w=2](http://marc.info/?l=openbsd-cvs&m=144383352229927&w=2)

[http://marc.info/?l=openbsd-cvs&m=146908579408853&w=2](http://marc.info/?l=openbsd-cvs&m=146908579408853&w=2)

So, tcpdump is a fine network security analysis tool... on OpenBSD today.

~~~
txutxu
This responds pretty well to other commentary of mine. Thanks.

------
JoachimSchipper
Wireshark offers a different query language.

As an alternative, just open a raw socket directly (or use any of the
ringbuffer-ish alternatives - look at what tcpdump=libpcap does for your OS).
Working directly with raw sockets can make perfect sense, but you may still
want to use libpcap to compile your BPF (i.e. traffic filters).
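
The raw-socket-plus-compiled-BPF approach described above, as an added illustration that is not part of the thread and not libpcap's own code: a small classic-BPF interpreter plus a hand-assembled, IPv4-only equivalent of `tcpdump -d 'tcp port 80'` (the real libpcap output also has an IPv6 branch), run over constructed Ethernet frames. The instruction layout `(opcode, jt, jf, k)`, the relative jump offsets and the drop-on-out-of-bounds-load rule mirror what a kernel filter machine does with a program libpcap compiled for you.

```python
import struct

# Classic-BPF opcode subset; an instruction is (opcode, jt, jf, k) like struct bpf_insn
LDH_ABS, LDB_ABS, LDX_MSH, LDH_IND, JEQ, JSET, RET = range(7)
def run_bpf(prog, pkt):
    """Run a classic-BPF program over one frame; returns bytes to accept (0 = drop)."""
    a = x = pc = 0
    while True:
        op, jt, jf, k = prog[pc]
        pc += 1
        if op in (LDH_ABS, LDB_ABS, LDX_MSH, LDH_IND):
            off = x + k if op == LDH_IND else k
            size = 1 if op in (LDB_ABS, LDX_MSH) else 2
            if off + size > len(pkt):      # a load past the end of the frame drops it
                return 0
            v = int.from_bytes(pkt[off:off + size], "big")
            if op == LDX_MSH:              # X = 4 * (pkt[k] & 0xf): IPv4 header length
                x = 4 * (v & 0xF)
            else:
                a = v
        elif op == JEQ:                    # jump offsets are relative to pc + 1
            pc += jt if a == k else jf
        elif op == JSET:
            pc += jt if a & k else jf
        else:                              # RET
            return k

# Hand-assembled IPv4-only equivalent of `tcpdump -d 'tcp port 80'` on Ethernet
TCP_PORT_80 = [
    (LDH_ABS, 0, 0, 12),      # A = ethertype
    (JEQ, 0, 10, 0x0800),     # not IPv4 -> drop
    (LDB_ABS, 0, 0, 23),      # A = IP protocol
    (JEQ, 0, 8, 6),           # not TCP -> drop
    (LDH_ABS, 0, 0, 20),      # A = flags + fragment offset
    (JSET, 6, 0, 0x1FFF),     # a later fragment carries no TCP header -> drop
    (LDX_MSH, 0, 0, 14),      # X = IP header length, so IP options are handled
    (LDH_IND, 0, 0, 14),      # A = TCP source port
    (JEQ, 2, 0, 80),          # match -> accept
    (LDH_IND, 0, 0, 16),      # A = TCP destination port
    (JEQ, 0, 1, 80),          # match -> accept, else drop
    (RET, 0, 0, 0xFFFF), (RET, 0, 0, 0),   # accept (snaplen) / drop
]

def frame(proto, sport, dport, ihl=5, frag=0):
    """Constructed Ethernet + IPv4 + 20-byte transport header, for testing only."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 4 * ihl + 20, 1, frag, 64,
                     proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * (4 * ihl - 20) + l4
```

Feeding `frame(6, 40000, 80)` accepts, while a UDP frame, a non-first fragment, a frame with IP options still accepts via the `LDX_MSH` indirection, and a truncated frame is dropped rather than read out of bounds.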

~~~
txutxu
I did find this:

[http://www.ntop.org/products/packet-capture/pf_ring/](http://www.ntop.org/products/packet-capture/pf_ring/)

I think it does not rely on libpcap.

I also found some Python which can read pcap files but does not use libpcap.

It's hard to find tested/adopted alternatives.

------
atsaloli
Between tcpdump and Wireshark, my network analysis needs as a sysadmin are
covered.

When I used Solaris, I used "snoop" which is now open source through illumos.

~~~
txutxu
Hadn't noticed snoop, thanks!

~~~
atsaloli
You are welcome. :)

I love HN, I have learned so much on here. I'm pleased to be able to
contribute.

------
brudgers
Just to clarify the context, TCPdump is open source:
[http://www.tcpdump.org/#source](http://www.tcpdump.org/#source)

I _misread_ the question as implying that it was not open source.

~~~
txutxu
Sorry, if you have a suggestion on how to make it clearer, please let me
know.

------
superflit
libPCAP?

:>

~~~
txutxu
Unless it's some case-sensitive trick, I'm looking for alternatives to it.

It's hard to believe that 99% of open-source-based network analysis relies
on a single alternative. There used to be CVEs and RCE announcements from time
to time for libpcap. Maybe we're in front of just another perfect target: a
widely used, security-related main column.

Does someone know if the codebase is well audited, especially on changes, new
protocols, etc.?

Is there any difference between running tcpdump/libpcap on Linux or, let's say,
doing it on OpenBSD, if there is a libpcap 0day?

