Martina Tomisova writes:
> > For those who haven't used ngrep (and for the larger picture), what's
> > the difference between this utility and tshark or snoop? What does it
> > do that those things don't do, or when might you choose to use one
> > over the other?
> >
> > A quick read through the documentation makes it look mostly equivalent
> > to tshark and snoop ...
>
> You can see more at this page: http://ngrep.sourceforge.net/usage.html
>
> The main advantage of ngrep is that you can easily define (using regular
> expressions) which packets you want to catch.
This is an interesting case. If we were trying to build a coherent system, I'd strongly argue that the minimal extra bit of matching syntax and functionality that's added here (above the other established utilities) ought to be integrated as an extension to at least wireshark, so that the user wouldn't just have ngrep's primitive output format, but would also have access to the more powerful display that wireshark provides.

Though there are useful tasks that it can perform, having ngrep as a stand-alone utility makes little sense to me, as it doesn't quite function as a stream filter for packets, so it's an architectural point solution rather than a building block. (It seems one couldn't do the rough equivalent of "ngrep | wireshark" to compose these two things together.)

But if all we're doing is integrating random things that someone found useful somewhere, then I guess architectural matters about how it all fits together are much less important. We'll just end up with a profusion of similar-but-not-quite-the-same features with functional gaps between them.

So, drive on. I've finished with my concern.

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
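Added illustration, not part of the thread above and not ngrep's own code (ngrep is a C program built on libpcap): a small Python model of the one thing Martina's message singles out, selecting packets by a regular expression applied to the payload rather than to header fields. It builds a constructed pcap in memory (three HTTP-style TCP segments, an empty ACK and an ARP frame), walks the classic pcap record format, decodes Ethernet/IPv4/TCP just far enough to find the payload, and reports the segments whose payload matches. The hosts, ports and payloads are constructed sample values; the pattern shown hunts for cleartext credentials in a capture, which is a typical defensive use of this kind of payload grep.

```python
import re
import socket
import struct

LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame carrying payload (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic little-endian pcap: global header, then (record header, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):  # timestamps are constructed
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield raw link-layer frames from a classic pcap buffer (either byte order)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src, sport, dst, dport, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 (e.g. ARP)
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol is not TCP
        return None
    ip_total = struct.unpack("!H", frame[16:18])[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    payload = frame[tcp + data_off:14 + ip_total]  # bound by IP length, drops padding
    return src, sport, dst, dport, payload


def grep_pcap(pcap, pattern, flags=re.IGNORECASE):
    """ngrep-style selection: the regex is applied to the TCP payload only."""
    rx = re.compile(pattern, flags)
    hits = []
    for frame in iter_frames(pcap):
        decoded = decode_tcp(frame)
        if decoded is None:
            continue
        src, sport, dst, dport, payload = decoded
        m = rx.search(payload)
        if m:
            hits.append((f"{src}:{sport}", f"{dst}:{dport}", m.group(0).decode("latin-1")))
    return hits


# Constructed capture: two cleartext credential leaks, one opaque blob, one ACK, one ARP.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.80", 40000, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
                b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.81", 40001, 443, bytes(range(0x16, 0x16 + 48))),
    build_frame("10.0.0.9", "10.0.0.80", 40002, 80,
                b"POST /login HTTP/1.1\r\nHost: intranet\r\n\r\nuser=bob&password=s3cret"),
    build_frame("10.0.0.80", "10.0.0.9", 80, 40002, b"", flags=0x10),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,  # ARP frame, skipped by decode_tcp
])

CREDENTIAL_PATTERN = rb"authorization: basic|password="
HITS = grep_pcap(SAMPLE_PCAP, CREDENTIAL_PATTERN)

if __name__ == "__main__":
    for src, dst, matched in HITS:
        print(f"{src} -> {dst}  matched {matched!r}")
```

Because the match is against payload bytes, headers never trigger a hit and binary segments are simply skipped when the regex does not match; extending `decode_tcp` with a UDP branch would give the same selection for UDP payloads.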