Exclusive Interview with Packet Capture Innovators – Part I

Here is an exclusive interview with trios – Steven McCanne, Gerald Combs, Loris Degioanni – who brought in the “Packet Capture Innovation” with their revolutionary creations (libpcap/tcpdump, wireshark, winpcap).

One cannot imagine nightmare of network administrator without Wireshark and all those great network applications would not have seen light of the day if there was not libpcap/winpcap. In short these 3 folks simply revolutionized the field of packet capture in turn bringing new light to computer networking field itself.

It gives us immense pleasure to bring forth the ‘exclusive interview’ with these packet capture innovators featuring the real story behind their creations – it is an interesting insight coming straight from the heart of heroes.



It is one thing to become billionaire and it is altogether great achievement to be hailed as heroes by those millions of fans! Now trios continue to enjoy their work together under one roof – Riverbed Technology, bringing in more innovations on the global space.


In the first part, we present before you the the interview with “Steven McCanne” who started this packet capture revolution with his Libpcap/TcpDump.


Steven McCanne – Creator of TcpDump/Lipcap
CTO and Executive Vice President
Riverbed Technology


SecurityXploded(SX): What prompted you to create Libpcap?
Steven McCanne (SM): After TCPDUMP was mostly done, I started working on a few other packet capture applications, and instead of cutting and pasting code from TCPDUMP into each new application, I realized it would work better to create a library. That is when I thought other people might want to use it. So we released it as a standalone library call libcap on the LBL ftp server.


SX: I thought it was Libpcap first, then came the tool Tcpdump !
SM: We created TCPDUMP first, and then extracted all of the packet capture code into Libpcap.

SX: Were there any challenging situations during development of Libpcap, and if so, can you share your experience?
SM: There were two big challenges. First, designing the TCPDUMP filtering language – so it was easy to use and intuitive – turned out to be more difficult than we anticipated. It took me a few tries to finally get it right. Van Jacobson, who I worked for at LBL, challenged me to make my initial design simpler for the user, which made it harder for me to implement. I’ve held on to this lesson throughout my career and it has served me well: It’s easy to make things hard. It’s hard to make things easy. And I’d rather do the latter.

The second challenge was designing the optimization algorithms for the very rich control flow graphs that were generated by the language parser. Because packet filters typically involve complex logical expressions, the resulting control flow graphs tended to be very verbose and littered with inefficiencies. After I implemented a bunch of well-known optimization algorithms as a post-processing stage to the code generator, the resulting BPF filter programs were still inefficient. As a result, I came up with some interesting new algorithms for data flow analysis that worked much better. We published this work a few years later in the SIGCOMM conference.

SX: What was your reaction on first release of Libpcap? And what was the initial community response/support around Libpcap?
SM: In the beginning, most downloads of libpcap were from people who needed it to build TCPDUMP. It took a while before libpcap was widely adopted in other tools. Once it became more widespread, more community support emerged and the download traffic increased. After I moved onto academia and my colleagues at LBL moved on to other projects, some other leaders in the community stepped up and created TCPDUMP.org, taking over maintenance of the project.
SX: Though a complex underlying technology, Libpcap is extremely simple and lovely to use. What makes this so?
SM: I like to think we spent a lot of time trying to make the system – and especially the filter language – easy to use. I suppose it is the recognition I mentioned earlier that it is worth the extra effort to make things easy for the end user.

SX: How do you feel being the creator of first tool (TCPDUMP) that started this #Packetcap revolution?
SM: I’m humbled by its success. I was just an inexperienced college kid when I did most of the work, so it is fun to see that my software has stood the test of time, and has been incorporated into so many diverse systems across the technology landscape.

SX: How has being the creator of Libpcap/ TCPDUMP helped in your career, especially at Riverbed Technology?
SM: I think more important, here, than being the co-creator of libpcap and TCPDUMP was my experience working with and learning from Van Jacobson, the group leader of the research team I was on at LBL. Van is a brilliant network architect and protocol designer and is extraordinarily creative. I learned many important skills from him around system design, protocol architecture, technical abstraction, and so forth. Maybe the most important lesson me was the importance of story telling in technology, that is, how to explain a piece of research or a technical concept with metaphor, abstraction and pictures on the whiteboard. The years I spent learning from Van, as well as my PhD advisor Martin Vetterli, have been hugely impactful in my career overall. And of course, all of this has been pivotal for me at Riverbed both in formulating the founding technology concepts for the company as well as in my day-to-day interactions with our brilliant engineering and product teams.

SX: How do you feel working together with other folks (Loris and Gerald) from the #Packetcap revolution?
SM: We’re having a ton of fun. We all have very complementary talents and have huge amounts of respect for one another. I’m really excited about our future because I think we’ll continue to innovate and make some truly great progress in the field over the coming years.

SX: We have a lot of readers who use your tools. What is your message to all those huge fans of Libpcap/TCPDUMP?
SM: Thank you for all of your support!


Till now –  I was under the impression that it was Libpcap first and then came the Tcpdump !


Next Part: Exclusive Interview with Packet Capture Innovators – Part II (Gerald Combs – Wireshark)

Similar posts
  • SecurityXploded Mentorship Programme ... I am writing this blog to share my SecurityXploded Student Mentorship Programme experience with the future students of this programme. My mentorship programme started last year in August when I was in 2nd year of MS at IIIT-Allahabad. I knew about SecurityXploded community since I used to follow their blogs, training programmes and security tools [...]
  • Code Injection and API Hooking Techni... Hooking covers a range of techniques used for many purposes like debugging, monitoring, intercepting messages, extending functionality etc. Hooking is also used by a lot of rootkits to camouflage themselves on the system. Rootkits use various hooking techniques when they have to hide a process, hide a network port, redirect file writes to some different [...]
  • Announcement – SecurityXploded ... From the past two years we are working actively on couple of projects to support the security community. As you all may already know that we have successfully completed our reversing and malware analysis training programme and we are very glad that it was very helpful for everyone. In my opinion the success of any [...]
  • Advanced Malware Analysis Training Se... Here is the quick update on this month’s Local Security meet (SX/Null/G4H/owasp) and our advanced malware training session on (Part 2) Dissecting the HeartBeat  RAT Functionalities   This is part of our FREE ‘Advanced Malware Analysis Training’ series started from Dec 2012.       In this extended session, I explained “Decrypting various Communications Of HeartBeat [...]
  • Advanced Malware Analysis Training Se...   Here is the quick update on this month’s Local Security meet (SX/Null/G4H/owasp) and our advanced malware training session on (Part 1) Reversing & Decrypting Communications of HeartBeat RAT This is part of our FREE ‘Advanced Malware Analysis Training’ series started from Dec 2012.       In this extended session, I explained “Decrypting The [...]

Leave a Reply

Our Company

Follow us on Facebook

Join Mailing List

Get direct access to our expert trainers or mingle with like minded security folks in our mailing list