Tracing Stratoshark’s Roots: From Packet Capture to System Call Analysis

uttu

The journey that led to the creation of open-source Sysdig and Falco traces its roots to packet capture—a domain where many of the original developers had honed their expertise over the years. This deep connection to network traffic analysis, combined with inspiration from technologies like BPF, libpcap, tcpdump, and Snort, laid the groundwork for innovations that extended packet capture principles into the evolving worlds of containers and cloud security.

Wireshark, the well-known network analysis tool, is built on libpcap, a user-level library that handles live packet capture, filtering, and capture-file reading and writing. Libpcap became a foundation for countless tools because it exposes a generic capture interface that can be extended to fit many different needs. Snort, for instance, built its network intrusion detection rule engine directly on top of libpcap, using its packet capture capabilities to detect and block suspicious network activity.
