Harman Patil (Editor)

Netsniff ng

Updated on
Edit
Like
Comment
Share on FacebookTweet on TwitterShare on LinkedInShare on Reddit
Original author(s)
  
Daniel Borkmann

Initial release
  
December, 2009

Netsniff-ng

Developer(s)
  
Daniel Borkmann, Tobias Klauser, Herbert Haas, Emmanuel Roullit, Markus Amend and many others

Stable release
  
0.5.8 / April 29, 2014; 2 years ago (2014-04-29)

Preview release
  
0.5.9-rc4 / September 1, 2014; 2 years ago (2014-09-01)

Repository
  
github.com/netsniff-ng/netsniff-ng

netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its gain of performance is reached by zero-copy mechanisms for network packets (RX_RING, TX_RING), so that the Linux kernel does not need to copy packets from kernel space to user space via system calls such as recvmsg(). libpcap, starting with release 1.0.0, also supports the zero-copy mechanism on Linux for capturing (RX_RING), so programs using libpcap also use that mechanism on Linux.

Contents

Overview

netsniff-ng was initially created as a network sniffer with support of the Linux kernel packet-mmap interface for network packets, but later on, more tools have been added to make it a useful toolkit such as the iproute2 suite, for instance. Through the kernel's zero-copy interface, efficient packet processing can be reached even on commodity hardware. For instance, Gigabit Ethernet wire-speed has been reached with netsniff-ng's trafgen. The netsniff-ng toolkit does not depend on the libpcap library. Moreover, no special operating system patches are needed to run the toolkit. netsniff-ng is free software and has been released under the terms of the GNU General Public License version 2.

The toolkit currently consists of a network analyzer, packet capturer and replayer, a wire-rate traffic generator, an encrypted multiuser IP tunnel, a Berkeley Packet Filter compiler, networking statistic tools, an autonomous system trace route and more:

  • netsniff-ng, a zero-copy analyzer, packet capturer and replayer, itself supporting the pcap file format
  • trafgen, a zero-copy wire-rate traffic generator
  • mausezahn, a packet generator and analyzer for HW/SW appliances with a Cisco-CLI
  • bpfc, a Berkeley Packet Filter compiler
  • ifpps, a top-like kernel networking statistics tool
  • flowtop, a top-like netfilter connection tracking tool with Geo-IP information
  • curvetun, a lightweight multiuser IP tunnel based on elliptic curve cryptography
  • astraceroute, an autonomous system trace route utility with Geo-IP information

    • Distribution specific packages are available for all major operating system distributions such as Debian or Fedora Linux. It has also been added to Xplico's Network Forensic Toolkit, GRML Linux, SecurityOnion, and to the Network Security Toolkit. The netsniff-ng toolkit is also used in academia.

    Basic commands working in netsniff-ng

    In these examples, it is assumed that eth0 is the used network interface. Programs in the netsniff-ng suite accept long options, e.g., --in ( -i ), --out ( -o ), --dev ( -d ).

  • For geographical AS TCP SYN probe trace route to a website:
    • astraceroute -d eth0 -N -S -H <host e.g., netsniff-ng.org>
  • For kernel networking statistics within promiscuous mode:
    • ifpps -d eth0 -p
  • For high-speed network packet traffic generation, trafgen.txf is the packet configuration:
    • trafgen -d eth0 -c trafgen.txf
  • For compiling a Berkeley Packet Filter fubar.bpf:
    • bpfc fubar.bpf
  • For live-tracking of current TCP connections (including protocol, application name, city and country of source and destination):
    • flowtop
  • For efficiently dumping network traffic in a pcap file:
    • netsniff-ng -i eth0 -o dump.pcap -s -b 0

    Platforms

    The netsniff-ng toolkit currently runs only on Linux systems. Its developers decline a port to Microsoft Windows.

    References

    Netsniff-ng Wikipedia
    (Text) CC BY-SA