It allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes.
The original code was written by Wietse Venema in 1990 to monitor a cracker's activities on the Unix workstations at the Department of Math and Computer Science at the Eindhoven University of Technology.
When compared to host access control directives often found in daemons' configuration files, TCP Wrappers have the benefit of runtime ACL reconfiguration (i.e., services don't have to be reloaded or restarted) and a generic approach to network administration.
This makes it easy to use for anti-worm scripts, such as DenyHosts or Fail2ban, to add and expire client-blocking rules, when excessive connections and/or many failed login attempts are encountered.
While originally written to protect TCP and UDP accepting services, examples of usage to filter on certain ICMP packets exist too, such as 'pingd' – the userspace ping request responder.