netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its performance gain comes from the Linux kernel's zero-copy packet mechanisms (RX_RING and TX_RING, the packet mmap interface): the packet buffers are shared between kernel space and user space, so the kernel does not have to copy each packet into the process through system calls such as recvmsg(). libpcap, starting with release 1.0.0, also supports the zero-copy mechanism on Linux for capturing (RX_RING), so programs using libpcap also benefit from it on Linux.
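As an added example of the RX_RING mechanism described above (this is not netsniff-ng's own code), the following C program maps a TPACKET_V2 receive ring into user space and walks its frames in place, handing each slot back to the kernel without ever copying the packet. The ring geometry is validated by a pure function that mirrors the checks setsockopt(PACKET_RX_RING) applies, as understood from the kernel's af_packet.c; the interface name `eth0`, the ring sizes and the ten-frame stop are assumptions, and the capture loop itself needs CAP_NET_RAW.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill a TPACKET_V2 ring request, enforcing the constraints the kernel
 * applies in packet_set_ring() (as understood from af_packet.c): blocks
 * are page-aligned, frames are TPACKET_ALIGNMENT-aligned and at least one
 * header long, every block holds at least one frame, and tp_frame_nr is
 * frames-per-block times blocks. Returns 0, or -1 if the kernel would
 * refuse the geometry. */
int ring_geometry(struct tpacket_req *req, unsigned long block_size,
                  unsigned long frame_size, unsigned long block_nr)
{
    long page = sysconf(_SC_PAGESIZE);

    if (page <= 0 || block_size == 0 || block_size % (unsigned long)page != 0)
        return -1;
    if (frame_size < TPACKET2_HDRLEN || frame_size % TPACKET_ALIGNMENT != 0)
        return -1;
    if (block_nr == 0 || block_size / frame_size == 0)
        return -1;
    req->tp_block_size = (unsigned int)block_size;
    req->tp_frame_size = (unsigned int)frame_size;
    req->tp_block_nr   = (unsigned int)block_nr;
    req->tp_frame_nr   = (unsigned int)((block_size / frame_size) * block_nr);
    return 0;
}

/* Address of frame idx in the mapping. Frames never straddle a block, so
 * index by block first, then by frame inside the block. */
uint8_t *ring_frame(uint8_t *ring, const struct tpacket_req *req, unsigned int idx)
{
    unsigned int per_block = req->tp_block_size / req->tp_frame_size;

    return ring + (size_t)(idx / per_block) * req->tp_block_size
                + (size_t)(idx % per_block) * req->tp_frame_size;
}

/* Create the packet socket, install the ring, mmap() it and bind to ifname.
 * Returns the socket (mapping via *ring_out) or -1. Needs CAP_NET_RAW. */
int open_rx_ring(const char *ifname, const struct tpacket_req *req, uint8_t **ring_out)
{
    int version = TPACKET_V2;
    size_t map_len = (size_t)req->tp_block_size * req->tp_block_nr;
    struct sockaddr_ll ll = { .sll_family = AF_PACKET,
                              .sll_protocol = htons(ETH_P_ALL),
                              .sll_ifindex = (int)if_nametoindex(ifname) };
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));

    if (fd < 0 || ll.sll_ifindex == 0)
        goto fail;
    if (setsockopt(fd, SOL_PACKET, PACKET_VERSION, &version, sizeof(version)) < 0)
        goto fail;
    if (setsockopt(fd, SOL_PACKET, PACKET_RX_RING, req, sizeof(*req)) < 0)
        goto fail;
    *ring_out = mmap(NULL, map_len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (*ring_out == MAP_FAILED)
        goto fail;
    if (bind(fd, (struct sockaddr *)&ll, sizeof(ll)) < 0) {
        munmap(*ring_out, map_len);
        goto fail;
    }
    return fd;
fail:
    if (fd >= 0)
        close(fd);
    return -1;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0";   /* assumed interface */
    struct tpacket_req req;
    struct pollfd pfd = { .events = POLLIN };
    uint8_t *ring;
    unsigned int idx = 0, seen = 0;

    /* Assumed sizes: 64 blocks of 4 pages with 2 KiB frames. */
    if (ring_geometry(&req, 4UL * (unsigned long)sysconf(_SC_PAGESIZE), 2048, 64) < 0) {
        fprintf(stderr, "bad ring geometry\n");
        return 1;
    }
    pfd.fd = open_rx_ring(ifname, &req, &ring);
    if (pfd.fd < 0) {
        perror("open_rx_ring");
        return 1;
    }
    while (seen < 10) {
        volatile struct tpacket2_hdr *h = (void *)ring_frame(ring, &req, idx);

        /* The kernel sets TP_STATUS_USER once it has written the frame into
         * our mapping; sleep in poll() until then. */
        while (!(h->tp_status & TP_STATUS_USER))
            if (poll(&pfd, 1, -1) < 0 && errno != EINTR) {
                perror("poll");
                return 1;
            }
        __sync_synchronize();
        const uint8_t *pkt = (const uint8_t *)h + h->tp_mac;
        if (h->tp_snaplen >= 14)
            printf("frame %u: %u bytes on wire, ethertype 0x%04x\n",
                   idx, h->tp_len, (pkt[12] << 8) | pkt[13]);
        seen++;
        /* Hand the slot back: the packet was read in place, never copied. */
        __sync_synchronize();
        h->tp_status = TP_STATUS_KERNEL;
        idx = (idx + 1) % req.tp_frame_nr;
    }
    munmap(ring, (size_t)req.tp_block_size * req.tp_block_nr);
    close(pfd.fd);
    return 0;
}
```

The status word in each frame header is the only synchronisation between kernel and user space, which is why the loop reads it through a volatile pointer and places a full barrier on either side of the payload access; skipping the hand-back leaves the slot owned by user space and the ring eventually fills and drops packets.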


Overview

netsniff-ng was initially created as a network sniffer built on the Linux kernel's packet mmap interface for network packets, but more tools were added later to turn it into a toolkit in the spirit of the iproute2 suite. Through the kernel's zero-copy interface, efficient packet processing is possible even on commodity hardware; for instance, Gigabit Ethernet wire speed has been reached with netsniff-ng's trafgen. The netsniff-ng toolkit does not depend on the libpcap library, and no special operating system patches are needed to run it. netsniff-ng is free software released under the terms of the GNU General Public License version 2.

The toolkit currently consists of a network analyzer, packet capturer and replayer, a wire-rate traffic generator, an encrypted multiuser IP tunnel, a Berkeley Packet Filter compiler, networking statistics tools, an autonomous-system trace route and more:

* netsniff-ng: a zero-copy analyzer, packet capturer and replayer, itself supporting the pcap file format
* trafgen: a zero-copy wire-rate traffic generator
* mausezahn: a packet generator and analyzer for HW/SW appliances with a Cisco-style CLI
* bpfc: a Berkeley Packet Filter (BPF) compiler
* ifpps: a top-like kernel networking statistics tool
* flowtop: a top-like netfilter connection tracking tool with Geo-IP information
* curvetun: a lightweight multiuser IP tunnel based on elliptic-curve cryptography
* astraceroute: an autonomous-system trace route utility with Geo-IP information

Distribution-specific packages are available for all major Linux distributions, such as Debian or Fedora Linux. It has also been added to Xplico's Network Forensic Toolkit, GRML Linux, Security Onion, and the Network Security Toolkit. The netsniff-ng toolkit is also used in academia.


Basic commands working in netsniff-ng

In these examples, it is assumed that is the used network interface. Programs in the netsniff-ng suite accept long options, e.g. .

* For a geographical AS TCP SYN probe trace route to a website:
* For kernel networking statistics within promiscuous mode:
* For high-speed network packet traffic generation, where ''trafgen.txf'' is the packet configuration:
* For compiling a Berkeley Packet Filter ''fubar.bpf'':
* For live tracking of current TCP connections (including protocol, application name, city and country of source and destination):
* For efficiently dumping network traffic to a pcap file:


Platforms

The netsniff-ng toolkit currently runs only on Linux systems. Its developers decline a port to Microsoft Windows.


See also

* Comparison of packet analyzers
* OpenVPN
* Packet generator
* Tcpdump
* Traceroute
* Traffic generation model
* Wireshark
* Xplico




External links


Official netsniff-ng website