Welcome! You're looking at the manual for Netdude, the NETwork DUmp data Displayer and Editor. Thanks for reading this.
Netdude is a GUI application that allows users to inspect and edit trace files in situations that previously would have required writing code. Technically speaking, Netdude is a front-end to the libnetdude packet manipulation library.
tcpdump trace files and the corresponding tcpdump output are currently one of the standard means for handling captured network traffic, illustrating networking issues and testing networking applications with canned traffic streams. This requires handling tcpdump trace files that are often large (i.e., don't fit into physical memory), complex, and hard to inspect. Non-trivial manipulation of these files is usually done in code.
Using the Netdude GUI, users can:

- Edit traces of arbitrary size in a scalable fashion — Netdude never loads more than a configurable maximum number of packets into memory at any time.
- Edit multiple traces at the same time, making it easy to move packets from one trace to a different one.
- Modify every field in protocol headers for which a protocol plugin provides support. These modifications can be applied to either only individually selected packets, packets currently in memory, or all packets in the trace, including the ones not currently loaded.
- Filter packets by using filter plugins. Netdude 0.4.8 ships with a BPF filter plugin that allows you to use the standard BPF filter language to define your filters.
- Inspect and edit raw packet content using Netdude's payload editor in either hex or ASCII mode — whichever is more convenient for the payload you are editing.
- Move packets around, duplicate them, remove them from traces.
- See the tcpdump output updating instantly according to the modifications you're making.
- Conveniently use the clipboard to select lines from the tcpdump output for situations when you need the tcpdump output only (e.g., when writing documentation, papers or emails).
Netdude can be extended with three kinds of plugins:

- Protocol Plugins: these provide an easy interface to a packet's protocol data. They can display packet data in any way they see fit. The protocol plugins that ship with Netdude all use the familiar tabular display of header fields and use buttons to allow the user to inspect values and make modifications. Protocol plugins get registered in Netdude's protocol registry automatically; all you need to do is implement a set of callbacks (in OO lingo this would be "provide an implementation of an interface"). This set of callbacks provides support for both state-free and stateful protocols.
- Functionality Plugins: if the problem isn't support for a protocol but the need to do something that Netdude currently cannot do, you can write a plugin providing that feature. Those plugins support a single big entry point that gets called from a menu item and can do anything you desire, be that correcting checksums, anonymizing data, statistical analysis, etc.
- Filter Plugins: these are a variation of functionality plugins. Netdude provides a filtering framework, which filter plugins can use to register their own, new filter code. Filters can be stateful (say, drop all incomplete TCP connections) or stateless (say, drop everything that does not go to or from TCP port 80).
The Netdude framework provides a solid set of features that allow you to inspect and edit packet traces. In case Netdude doesn't have off-the-shelf support for functionality you need, it is easy to code a plugin or a standalone tool using libnetdude that will do what you need, in much less code than is necessary when writing yet another packet mangling tool at the libpcap level.
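As an added example (not Netdude or libnetdude code), here is the stateless filter mentioned above, "drop everything that does not go to or from TCP port 80", written in Python directly against the classic libpcap trace format. It walks the trace one record at a time, so memory use stays bounded however large the file is; it assumes an Ethernet link type and builds its own three-record sample trace rather than reading a real capture.

```python
import io, struct
PCAP_MAGIC, DLT_EN10MB = 0xA1B2C3D4, 1   # classic libpcap magic; Ethernet link type
ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6

def tcp_port_80(pkt: bytes) -> bool:
    """Stateless predicate: True if the Ethernet frame is IPv4/TCP to or from port 80."""
    if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IPV4:
        return False
    ihl = (pkt[14] & 0x0F) * 4                   # IPv4 header length, options included
    return (ihl >= 20 and pkt[23] == IPPROTO_TCP and len(pkt) >= 18 + ihl
            and 80 in struct.unpack_from("!HH", pkt, 14 + ihl))

def filter_pcap(src, dst, keep):
    """Stream records src -> dst, keeping those with keep(pkt) True; one record in memory at a time."""
    ghdr = src.read(24)
    bo = "<" if ghdr[:4] == struct.pack("<I", PCAP_MAGIC) else ">"   # file byte order from magic
    if len(ghdr) != 24 or ghdr[:4] != struct.pack(bo + "I", PCAP_MAGIC):
        raise ValueError("not a classic libpcap trace")
    if struct.unpack(bo + "I", ghdr[20:24])[0] != DLT_EN10MB:
        raise ValueError("this example handles Ethernet (DLT_EN10MB) traces only")
    dst.write(ghdr)
    nread = nkept = 0
    while rhdr := src.read(16):
        if len(rhdr) != 16:
            raise ValueError("truncated record header")
        caplen = struct.unpack(bo + "I", rhdr[8:12])[0]   # bytes captured for this record
        pkt = src.read(caplen)
        if len(pkt) != caplen:
            raise ValueError("truncated packet record")
        nread += 1
        if keep(pkt):
            dst.write(rhdr + pkt)
            nkept += 1
    return nread, nkept

def frame(proto, sport, dport):
    """Constructed sample: Ethernet/IPv4 header plus a 4-byte port stub, checksums left zero."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0, b"\n\0\0\1", b"\n\0\0\2")
    return eth + ip + struct.pack("!HH", sport, dport)

def run_sample():
    """Filter a constructed 3-record trace in memory; returns (records read, kept, output bytes)."""
    frames = [frame(IPPROTO_TCP, 40000, 80), frame(17, 53, 5353), frame(IPPROTO_TCP, 22, 40001)]
    trace = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, f in enumerate(frames):
        trace += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, caplen, len
    src, dst = io.BytesIO(trace), io.BytesIO()
    nread, nkept = filter_pcap(src, dst, tcp_port_80)
    return nread, nkept, len(dst.getvalue())
```

Swapping `tcp_port_80` for any other predicate gives a different stateless filter; a stateful one (such as the incomplete-connection example) would additionally keep per-flow state across records.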
First of all, Netdude is not competing against Ethereal. Ethereal is a network protocol analyzer. Ethereal is great for inspecting traces and supports tons of protocols. However, it is not intended for trace file manipulation. It does not provide the familiar tcpdump output. It does not offer flexibility in how protocol content is presented. It doesn't handle large traces particularly well. Netdude and Ethereal share some overlap in functionality, but this is for user convenience only.
Netdude is not a live network component per se. Older versions of Netdude provided a dialog that allowed customizable live packet capture. This dialog has been removed in the 0.4 release because it is a great example of functionality that does not need to be in the core but should rather be a feature plugin. Netdude itself also does not provide any facilities to inject packets into a network, although again, plugins could be coded for this purpose.
For more details, please refer to the Freenix 2004 paper on Netdude that presents the design and implementation of the entire framework.