Wireshark-dev: Re: [Wireshark-dev] Wireshark User's Guide: Minor addition to Appendix
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 29 Mar 2012 21:33:20 -0400
On Mar 29, 2012, at 2:32 PM, Daniel Borkmann wrote:

> Hi Ulf, Richard and Ed,
> 
> I saw that you've put some related tools of Wireshark into Appendix D
> of your guide (http://www.wireshark.org/docs/wsug_html_chunked/AppTools.html).
> I was wondering if it is possible to place a page with Wireshark and
> netsniff-ng (http://netsniff-ng.org/) into this section?

That section lists tools that are part of the Wireshark distribution; netsniff-ng isn't part of the Wireshark distribution, so it wouldn't go in that section.

The document should probably point people to the Tools page from the Wireshark Wiki:

	http://wiki.wireshark.org/Tools

which lists netsniff-ng, rather than itself mentioning third-party tools.  That way, the list of third-party tools is a bit more fluid than a user's manual, and can be updated as new tools arrive.

> We have heard from our users that some of them switched from Wireshark to
> netsniff-ng when it comes to the need of a higher performance when
> capturing pcap files.

Was that "higher performance than Wireshark" (Wireshark does GUI work when capturing, even if you *aren't* doing an "Update list of packets in real time" capture) or "higher performance than dumpcap" (dumpcap is the program that Wireshark and TShark run to capture packets, and can also be run as a capture tool on its own; it's not a GUI program, and needn't do any per-packet I/O to the user)?

> netsniff-ng is a high performance networking toolkit that uses
> zero-copy for capturing (and replaying) network packets.

As does, of course, dumpcap (and thus Wireshark and TShark), if running with libpcap 1.0 or later (tcpdump and snort and any other program that uses libpcap for packet capture also use zero-copy if they're running with libpcap 1.0 or later).