[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Deep Packet Inspection

squid with ssl_bump


On Mon, Aug 20, 2018 at 12:48 AM Cindy-Sue Causey <butterflybytes@gmail.com> wrote:
On 8/19/18, Reco <recoverym4n@gmail.com> wrote:
>       Hi.
> On Sun, Aug 19, 2018 at 09:03:10PM +0300, Eero Volotinen wrote:
>> snort
> Intrusion detection. Unsuitable for traffic shaping or filtering.
>> and suricata.
> Utilizes NFQUEUE. Friends do not let friends to copy network packets
> from kernelspace to userspace and back.

DISCLAIMER: I am NOT versed in this, but that didn't stop me from
trying "apt-cache search packet sniffing". Ended up with ngrep:

"ngrep strives to provide most of GNU grep's common features, applying
them to the network layer.  ngrep is a pcap-aware tool that will allow
you to specify extended regular expressions to match against data
payloads of packets.  It currently recognizes TCP, UDP and ICMP across
Ethernet, PPP, SLIP and null interfaces, and understands bpf filter
logic in the same fashion as more common packet sniffing tools, such
as tcpdump and snoop."

Yes, I can see that description is very specific about what it touches
which means it might be otherwise limited. That or it's keyword
stuffing. Yay, go them if it's keyword happy because that does help
users find potentially helpful packages in amongst the 10,000 (?) or
so. :)

I decided I've surely messed the whole concept up in my head so I used
some of ngrep's stuffing/description, namely "bpf", and searched

netsniff-ng: "netsniff-ng is a high performance Linux network sniffer
for packet inspection. It can be used for protocol analysis, reverse
engineering or network debugging. The gain of performance is reached
by 'zero-copy' mechanisms, so that the kernel does not need to copy
packets from kernelspace to userspace."

Does NOT need to copy packets from kernelspace to userspace.

YES, I know. Overall, it still might not do the OP's job that's
needed, but it used the SAME words I just read above in Reco's
response. That put it at least in the ballpark in my head since it's
talking about packet inspection. Developer wrote a description that
addressed a concern they knew knowledgeable users would have about
this topic.

So here it is for that reason plus that it did use "packet
inspection", too. Sorry, no specific mention of "deep" according to
one last query tried before posting.

Ngrep stayed because I liked how it said it "will allow you to specify
extended regular expressions to match against data payloads of
packets". That makes it sound like it might have basic offerings that
wouldn't fit everyone's needs. I decided that might not stop someone
who knows how to roll out what they really need if they have a good,
base Debian package as a template. :)

Cindy :)
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *

Reply to: