On 8/19/18, Reco <recovery...@gmail.com> wrote:
> Hi.
>
> On Sun, Aug 19, 2018 at 09:03:10PM +0300, Eero Volotinen wrote:
>> snort
>
> Intrusion detection. Unsuitable for traffic shaping or filtering.
>
>> and suricata.
>
> Utilizes NFQUEUE. Friends do not let friends copy network packets
> from kernelspace to userspace and back.
DISCLAIMER: I am NOT versed in this, but that didn't stop me from trying "apt-cache search packet sniffing". Ended up with ngrep:

"ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop."

Yes, I can see that description is very specific about what it touches, which means it might be otherwise limited. That or it's keyword stuffing. Yay, go them if it's keyword happy, because that does help users find potentially helpful packages in amongst the 10,000 (?) or so. :)

I decided I've surely messed the whole concept up in my head, so I used some of ngrep's stuffing/description, namely "bpf", and searched again. netsniff-ng:

"netsniff-ng is a high performance Linux network sniffer for packet inspection. It can be used for protocol analysis, reverse engineering or network debugging. The gain of performance is reached by 'zero-copy' mechanisms, so that the kernel does not need to copy packets from kernelspace to userspace."

Does NOT need to copy packets from kernelspace to userspace. YES, I know. Overall, it still might not do the OP's job that's needed, but it used the SAME words I just read above in Reco's response. That put it at least in the ballpark in my head, since it's talking about packet inspection. The developer wrote a description that addressed a concern they knew knowledgeable users would have about this topic. So here it is for that reason, plus that it did use "packet inspection", too. Sorry, no specific mention of "deep" according to one last query tried before posting.
Ngrep stayed because I liked how it said it "will allow you to specify extended regular expressions to match against data payloads of packets". That makes it sound like it might have basic offerings that wouldn't fit everyone's needs. I decided that might not stop someone who knows how to roll out what they really need if they have a good, base Debian package as a template. :)

Cindy :)

--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *
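An added example, not from this thread and not code from the ngrep or netsniff-ng projects, of what the quoted ngrep description ("extended regular expressions to match against data payloads of packets", plus a capture filter) amounts to in practice. It reads a pcap, decodes Ethernet/IPv4/TCP/UDP, and reports packets whose payload matches a regex. Real ngrep hands the filter to libpcap's BPF engine; here a simple protocol/port check stands in for it. The capture, the MAC and IP addresses and the payloads are all constructed for the example, and the IPv4/TCP/UDP checksums are left at zero because nothing here is sent on the wire.

```python
"""ngrep-style payload grep over a pcap byte string (constructed sample data throughout)."""
import re
import struct

# Constructed Ethernet header: dst MAC, src MAC, EtherType 0x0800 (IPv4).
ETH_HDR = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"


def _ipv4(src, dst, proto, l4):
    """IPv4 header without options. Header checksum is 0: fine for a sample, not for the wire."""
    saddr = bytes(int(o) for o in src.split("."))
    daddr = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, saddr, daddr)


def tcp_frame(src, sport, dst, dport, payload):
    # data offset 5 (20-byte header), flags PSH|ACK, window 65535, checksum 0, urgent 0
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    return ETH_HDR + _ipv4(src, dst, 6, seg) + seg


def udp_frame(src, sport, dst, dport, payload):
    dgram = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ETH_HDR + _ipv4(src, dst, 17, dgram) + dgram


def pcap_file(frames):
    """Wrap frames in a little-endian pcap (magic a1b2c3d4, LINKTYPE_ETHERNET = 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


# Constructed capture: an HTTP request with a Basic credential, a DNS-looking
# UDP datagram, and an SSH banner. None of this came from a real network.
SAMPLE_PCAP = pcap_file([
    tcp_frame("10.0.0.5", 51234, "10.0.0.80", 80,
              b"GET /login HTTP/1.1\r\nHost: example.test\r\n"
              b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    udp_frame("10.0.0.5", 40000, "10.0.0.53", 53, b"\x12\x34\x01\x00\x00\x01" + b"example.test"),
    tcp_frame("10.0.0.22", 22, "10.0.0.5", 52000, b"SSH-2.0-OpenSSH_9.2\r\n"),
])


def iter_packets(pcap):
    """Yield (timestamp, frame bytes) for each record of a pcap (both magic byte orders)."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Decode Ethernet/IPv4/{TCP,UDP}; return a dict, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:total_len]                      # honour IP total length, not frame padding
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        payload, name = l4[(l4[12] >> 4) * 4:], "tcp"   # TCP data offset, options included
    elif proto == 17 and len(l4) >= 8:
        sport, dport, ulen = struct.unpack_from("!HHH", l4, 0)
        payload, name = l4[8:ulen], "udp"
    else:
        return None
    return {"proto": name, "src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}


def pgrep(pcap, pattern, proto=None, port=None, flags=re.IGNORECASE):
    """Return [(flow, matched text)] for packets whose payload matches pattern.

    proto/port are the stand-in for a BPF filter such as "tcp port 80".
    """
    rx = re.compile(pattern.encode(), flags)
    hits = []
    for _ts, frame in iter_packets(pcap):
        pkt = decode(frame)
        if pkt is None or (proto and pkt["proto"] != proto):
            continue
        if port and port not in (pkt["sport"], pkt["dport"]):
            continue
        m = rx.search(pkt["payload"])
        if m:
            flow = f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}"
            hits.append((flow, m.group(0).decode(errors="replace")))
    return hits


if __name__ == "__main__":
    # Equivalent of: ngrep -i 'authorization: basic \S+' tcp port 80
    for flow, text in pgrep(SAMPLE_PCAP, r"Authorization: Basic \S+", proto="tcp", port=80):
        print(flow, text)
```

The point of keeping the BPF-style filter separate from the regex is the same one Reco made about copying: the filter is cheap and can be evaluated before the packet leaves the kernel, while the regex runs in userspace on whatever got through, so the narrower the filter, the less data crosses that boundary.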