The Official Wireshark Blog

The evolution of system introspection from BPF to Wireshark to Falco

Categories: Security
Falco, an open source innovation, was conceived with the vision of crafting a flexible and robust rules engine atop the Sysdig libraries. This initiative aimed to furnish a potent tool for the detection of aberrant behaviors and intrusions within modern applications, akin to the Snort paradigm but tailored to the realm of system calls and finely tuned for cloud environments. Nevertheless, it's important to recognize that Falco and Wireshark represent distinct facets of this evolutionary process. Falco offers continuous monitoring akin to Snort, while Wireshark specializes in interactive endpoint network traffic analysis.

Introduction

Part of this journey has been the emergence of cloud-native apps. From the early days of BPF (Berkeley Packet Filter) and libpcap (a portable C library for network traffic capture), which laid the foundation for network packet analysis, to the familiar graphical user interface of Wireshark, our understanding of network data has undergone profound changes. This article embarks on a journey through this transformation, shedding light on how tcpdump and libpcap sparked an explosion of packet-based analysis and runtime security tools, exemplified by Wireshark and Snort. Wireshark, Snort, Nmap, Kismet, ngrep, and many other tools started at around the same time and are all evolutionary branches of tcpdump and libpcap.

Wireshark Is 25: The email that started it all and the lessons learned along the way

Categories: Announcement
25 years ago, I sent this email, which ended up changing the course of my life:

From: Gerald Combs - Unicom Communications <gerald [at] … >
To: gtk-list [at] redhat . com
Subject: ANNOUNCE: Ethereal 0.2.0
Date: Tue, 14 Jul 1998 21:47:01 -0500 (CDT)

Ethereal is a network analyzer that lets you capture and interactively browse the contents of Ethernet frames. Packet data can be read from a file, or live from a local network interface. More information, including the source distribution, can be found at http://ethereal.zing.org. Comments and patches are welcome.

I remember being nervous and excited at the time, wondering what the reaction would be. I had spent the previous few months working on a protocol analyzer, which was something I needed at work. There are a couple of things to note: the name wasn't Wireshark (we changed the name in 2006), and at the time of this email, protocol analyzers were rare; you could even say a precious thing. Back then, if you wanted to see what was happening on your network, command line tools like tcpdump and snoop were available at no cost, but if you wanted a GUI analyzer, you had to pay for a product that might cost the equivalent of a luxury car.

Announcing the Wireshark Foundation

Categories: Announcement
Tags: foundation
The thing that I most love about working on Wireshark is our community. Our users, educators, and developers have a passion for packets and protocols, and their work is important – modern society runs on computer networks and those networks need to be reliable, fast, and secure. I’m grateful that my employers and other sponsors have ensured that the community has had the resources to grow and thrive over the years. This is why I’m beyond thrilled to announce that the Wireshark community now has a permanent home: the Wireshark Foundation. The foundation is a 501(c)(3) nonprofit and will host SharkFest, our developer and user conference, help to facilitate Wireshark’s development, and promote analysis and troubleshooting education. The project leadership and I have been working on this for a long time, and many other people have generously given their time and expertise in order to make this happen. In particular I’d like to thank the following people for helping to make this a reality: the Wireshark core development team for providing much needed support and advice, and for making all of this possible.