I recently watched a video of
a great talk on
the early days of pcap by Steve McCanne. The bit on how
the filtering language was designed - around the 26 minute mark but
you might want to start at 20 minutes if you're unfamiliar with BPF -
was one of the best stories about creating a new "little
language" I've heard.
But that got me thinking a bit. This language is a tool that I use
daily, that I'm generally happy with, but that also drives me
absolutely crazy sometimes. This post is an attempt to look at some
classes of problems that the pcap filtering language fails on, why
those deficiencies exist, and why I continue using it even despite the
Just to be clear, libpcap is an amazing piece of software. It was
originally written for one purpose, and it really is my fault that I
end up too often using it for a different one. There are three very
different use cases that I have for a packet filtering language
(others may have more).
- Small and simple filters to pick out a specific slice of traffic
(single protocol, single flow, or single host). I believe it's fair
to say that this is what the language was originally designed for.
- Potentially complex filters for classifying traffic with real-time
constraints and with no state, usually when using the filters for
configuration rather than as an exploratory tool. This is where pcap
is clumsy even when it generally works.
- Offline analysis at higher protocol layers that'd also benefit
from tracking the high level protocol state between packets.
You can sometimes coerce pcap to work for this use case, but it's
super-awkward. It's also worth noting that features that are
beneficial for this use case would not be welcome in the
others. (Being able to run an arbitrary PCRE regexp on the packet
payload? Great when doing offline analysis, unacceptable for
I try to do the third case with tools better suited for that, and only
have a couple of complaints (e.g. VLAN support) on the first
case. Mostly the pain comes from the middle case. So as we start the
tour of annoyances, keep in mind that I'll often complain about a tool
not doing a job it wasn't meant for.