Tcpdump new command line
The tcpdump tool has been around for two decades, and for most of that time it has been able to examine far more than TCP packets.
People have often suggested that it should get a new name that reflects how general-purpose it has become.
Its command-line interface has used up nearly every single-letter option, upper and lower case alike. A good number of these
were spent on incompatible extensions that different Unix vendors added in the 1990s, before a unified open source project was created.
In addition, it is often desirable to embed the tcpdump dissectors in other programs. An effort was undertaken to
convert the dissectors in tcpdump into a library, libnetdissect. This library would be linked into a program "tcpdump", which
would keep the existing, compatible interface. It would also be linked into another program, likely called "pktdump", which would
have a new command-line interface with new defaults. The new program would, however, promise not to change the text output format.
A related issue is that the knowledge of how to skip the layer-2 (link-layer) header that is stored in pcap format
files currently lives in the tcpdump program rather than in the libpcap library. The result is that other programs
usually cannot work with arbitrary pcap files, because they cannot find the layer-3 offset for each link-layer type. Moving that code
into the library would be of great benefit to a number of projects.
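To make the problem concrete, here is an added example (written for this page; it is not tcpdump or libpcap code) of what a program has to do on its own today to reach the layer-3 header in a classic pcap file: detect the file's byte order from the magic number, read the link-layer type from the global header, and map that type to a header length. For Ethernet the length also depends on the packet bytes, because each 802.1Q VLAN tag pushes the IP header four bytes further in. The two sample captures are constructed inline, the function names (l3_offset, first_record_l3) are my own, and the handful of link types handled is an illustrative subset rather than the full table that tcpdump carries.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classic pcap magic; the swapped forms appear when the writer's byte order differs. */
#define PCAP_MAGIC              0xa1b2c3d4u
#define PCAP_MAGIC_SWAPPED      0xd4c3b2a1u
#define PCAP_NSEC_MAGIC         0xa1b23c4du
#define PCAP_NSEC_MAGIC_SWAPPED 0x4d3cb2a1u

/* The file header stores LINKTYPE_* values (libpcap pcap-common.c). They mostly
 * equal DLT_*, but not always: raw IP is 101 in a file, while DLT_RAW is 12. */
#define LINKTYPE_NULL       0
#define LINKTYPE_ETHERNET   1
#define LINKTYPE_RAW        101
#define LINKTYPE_LOOP       108
#define LINKTYPE_LINUX_SLL  113
#define ETHERTYPE_VLAN      0x8100   /* 802.1Q tag */
#define ETHERTYPE_QINQ      0x88a8   /* 802.1ad outer tag */

static uint32_t rd32(const uint8_t *p, int be)
{
    return be ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
              : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}

/* Byte offset of the layer-3 header in one packet, or -1 if the link type is
 * not handled here or the packet is too short. Only Ethernet needs to look at
 * packet bytes: every VLAN tag pushes the IP header 4 bytes further in. */
int l3_offset(uint32_t linktype, const uint8_t *pkt, size_t caplen)
{
    size_t off;
    switch (linktype) {
    case LINKTYPE_NULL:
    case LINKTYPE_LOOP:      off = 4;  break;   /* 4-byte AF_* family word */
    case LINKTYPE_RAW:       off = 0;  break;   /* IP header is first */
    case LINKTYPE_LINUX_SLL: off = 16; break;   /* Linux "cooked" header */
    case LINKTYPE_ETHERNET:
        off = 14;
        while (off + 2 <= caplen) {             /* EtherType sits at off-2 */
            unsigned et = (unsigned)pkt[off - 2] << 8 | pkt[off - 1];
            if (et != ETHERTYPE_VLAN && et != ETHERTYPE_QINQ)
                break;
            off += 4;                           /* TCI + inner EtherType */
        }
        break;
    default:
        return -1;
    }
    return off < caplen ? (int)off : -1;
}

/* Read the global header and first record of an in-memory pcap file. Fills the
 * link type, the first packet's L3 offset and its IP version nibble. Returns 0,
 * or -1 on unknown magic, unhandled link type or truncation. */
int first_record_l3(const uint8_t *buf, size_t len,
                    uint32_t *linktype, int *l3off, int *ipver)
{
    int be;
    uint32_t magic, caplen;
    if (len < 24 + 16)                          /* global header + record header */
        return -1;
    magic = rd32(buf, 0);                       /* read as little-endian first */
    if (magic == PCAP_MAGIC || magic == PCAP_NSEC_MAGIC)
        be = 0;
    else if (magic == PCAP_MAGIC_SWAPPED || magic == PCAP_NSEC_MAGIC_SWAPPED)
        be = 1;
    else
        return -1;
    *linktype = rd32(buf + 20, be);             /* last global-header field */
    caplen = rd32(buf + 24 + 8, be);            /* record: ts_sec, ts_usec, caplen, len */
    if (caplen > len - 40)
        return -1;                              /* record truncated */
    *l3off = l3_offset(*linktype, buf + 40, caplen);
    if (*l3off < 0)
        return -1;
    *ipver = buf[40 + *l3off] >> 4;
    return 0;
}

/* Constructed samples (not real captures). Minimal IPv4 header, 10.0.0.1 -> 10.0.0.2. */
#define IPV4_HDR 0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x01,0x00,0x00, \
                 0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02
/* Little-endian file, LINKTYPE_ETHERNET, one frame carrying an 802.1Q tag (VLAN 100). */
static const uint8_t sample_vlan[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00,0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    0,0,0,0, 0,0,0,0, 38,0,0,0, 38,0,0,0,
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x81,0x00, 0x00,0x64, 0x08,0x00,
    IPV4_HDR };
/* Big-endian file, LINKTYPE_NULL: 4-byte family word, then IP. */
static const uint8_t sample_null_be[] = {
    0xa1,0xb2,0xc3,0xd4, 0x00,0x02,0x00,0x04, 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,0,
    0,0,0,0, 0,0,0,0, 0,0,0,24, 0,0,0,24,
    0x02,0,0,0, IPV4_HDR };

int main(void)
{
    uint32_t lt; int off, ver;
    if (first_record_l3(sample_vlan, sizeof sample_vlan, &lt, &off, &ver) == 0)
        printf("linktype %u: L3 header at offset %d, IP version %d\n", lt, off, ver);
    if (first_record_l3(sample_null_be, sizeof sample_null_be, &lt, &off, &ver) == 0)
        printf("linktype %u: L3 header at offset %d, IP version %d\n", lt, off, ver);
    return 0;
}
```

Every consumer of pcap files that wants to get at IP has to carry a table like this one, and tcpdump's real table is far longer (dozens of link types, several of which need per-packet inspection just as Ethernet does). That duplication is the cost the paragraph above describes, and it is why the logic belongs in libpcap rather than in one program.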
Finally, an effort occurred in the mid-2000s to create a new format for network captures, which resulted in the "ntar" format
(since renamed pcapng): http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html. tcpdump has never been adapted to read or write this new format.
We invite one (or two cooperating) students to decide how much of this they want to take on. We believe that there is more
than one summer's worth of effort here.