Netsniff-ng explained
netsniff-ng toolkit
Author: Daniel Borkmann
Developers: Daniel Borkmann, Tobias Klauser, Herbert Haas, Emmanuel Roullit, Markus Amend and many others
Operating system: Linux
Released: December 2009
Programming language: C
Language: English
License: GPLv2[1]
Website: http://www.netsniff-ng.org/
netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its performance comes from zero-copy handling of network packets (RX_RING, TX_RING),[2] which lets the Linux kernel share packet buffers with user space directly instead of copying each packet from kernel space to user space through system calls such as recvmsg.[3] libpcap, from release 1.0.0 on, also supports the zero-copy capture mechanism (RX_RING) on Linux, so programs built on libpcap benefit from it on Linux as well.
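The zero-copy path described above, as an added C example that is neither the article's nor netsniff-ng's own code: a PF_PACKET socket gets a TPACKET_V2 RX_RING attached and mapped into the process, the kernel writes frames into the shared ring, and user space reads each frame where it lies and hands the slot back. The interface name eth0 follows the article's later examples; the ring dimensions (64 KiB blocks, 2 KiB frames, 4 blocks) and the function names are this example's own choices. Capturing requires CAP_NET_RAW; the geometry check runs unprivileged.

```c
/* Added example, not netsniff-ng's own code: a minimal PF_PACKET RX_RING capture loop.
 * The kernel writes each frame straight into a ring buffer mmap()ed into this process,
 * so no recvmsg() copy is needed. Capturing needs CAP_NET_RAW; the geometry check does not. */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <linux/if_packet.h>

/* Describe a ring of nblocks blocks of block_size bytes holding frame_size-byte frames,
 * enforcing the rules from Documentation/networking/packet_mmap.rst: page-aligned blocks,
 * TPACKET_ALIGNMENT-aligned frames that fit one block and hold a TPACKET_V2 header.
 * Returns the number of slots, or -1 if rejected; fills *req when it is non-NULL. */
int rx_ring_geometry(unsigned block_size, unsigned frame_size, unsigned nblocks,
                     struct tpacket_req *req)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || nblocks == 0 || block_size == 0 || frame_size == 0)
        return -1;
    if (block_size % (unsigned long)page || frame_size % TPACKET_ALIGNMENT ||
        frame_size < TPACKET2_HDRLEN || frame_size > block_size)
        return -1;
    if (req) {
        req->tp_block_size = block_size;
        req->tp_frame_size = frame_size;
        req->tp_block_nr   = nblocks;
        req->tp_frame_nr   = (block_size / frame_size) * nblocks;
    }
    return (int)((block_size / frame_size) * nblocks);
}

/* Open a raw PF_PACKET socket, select TPACKET_V2, attach the RX ring, mmap it and bind it
 * to ifname. Returns the fd and stores the mapping in *ring, or -1 with errno set. */
int rx_ring_open(const char *ifname, const struct tpacket_req *req, void **ring)
{
    int ver = TPACKET_V2, saved, fd;
    size_t len = (size_t)req->tp_block_size * req->tp_block_nr;
    void *map = MAP_FAILED;
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_protocol = htons(ETH_P_ALL) };
    if ((sll.sll_ifindex = (int)if_nametoindex(ifname)) == 0) {
        errno = ENODEV; return -1;
    }
    if ((fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0)
        return -1;                          /* EPERM here when CAP_NET_RAW is missing */
    if (setsockopt(fd, SOL_PACKET, PACKET_VERSION, &ver, sizeof(ver)) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_RX_RING, req, sizeof(*req)) < 0 ||
        (map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED ||
        bind(fd, (struct sockaddr *)&sll, sizeof(sll)) < 0) {
        saved = errno;
        if (map != MAP_FAILED) munmap(map, len);
        close(fd);
        errno = saved;
        return -1;
    }
    *ring = map;
    return fd;
}

/* Consume up to max_pkts frames in place. A slot belongs to user space while tp_status
 * carries TP_STATUS_USER; writing TP_STATUS_KERNEL hands it back to the kernel. */
void rx_ring_loop(int fd, void *ring, const struct tpacket_req *req, unsigned max_pkts)
{
    unsigned per_block = req->tp_block_size / req->tp_frame_size, idx = 0, seen = 0;
    struct pollfd pfd = { .fd = fd, .events = POLLIN | POLLERR };
    while (seen < max_pkts) {
        char *frame = (char *)ring + (size_t)(idx / per_block) * req->tp_block_size
                                   + (size_t)(idx % per_block) * req->tp_frame_size;
        volatile struct tpacket2_hdr *hdr = (volatile struct tpacket2_hdr *)frame;
        if (!(hdr->tp_status & TP_STATUS_USER)) {
            poll(&pfd, 1, -1);              /* sleep until the kernel fills a slot */
            continue;
        }
        /* The frame is read where the kernel put it; EtherType prints as 0 if truncated. */
        const unsigned char *pkt = (const unsigned char *)frame + hdr->tp_mac;
        printf("slot %u: %u bytes on wire, %u captured, EtherType 0x%04x\n", idx, hdr->tp_len,
               hdr->tp_snaplen, hdr->tp_snaplen >= ETH_HLEN ? (unsigned)((pkt[12] << 8) | pkt[13]) : 0);
        __sync_synchronize();               /* finish reading before releasing the slot */
        hdr->tp_status = TP_STATUS_KERNEL;
        idx = (idx + 1) % req->tp_frame_nr;
        seen++;
    }
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "eth0";   /* the article's example interface */
    struct tpacket_req req;                          /* 4 blocks x 32 slots of 2 KiB = 128 slots */
    void *ring; int fd;
    if (rx_ring_geometry(65536, 2048, 4, &req) < 0 || (fd = rx_ring_open(dev, &req, &ring)) < 0) {
        perror("rx_ring setup");
        return 1;
    }
    rx_ring_loop(fd, ring, &req, 10);
    munmap(ring, (size_t)req.tp_block_size * req.tp_block_nr);
    return close(fd);
}
```

The geometry rules checked up front (page-aligned blocks, frames aligned to TPACKET_ALIGNMENT, no frame larger than a block, every frame large enough for the TPACKET_V2 header plus a sockaddr_ll) are the ones PACKET_RX_RING enforces; checking them in user space turns a bare EINVAL from setsockopt into a failure the caller can explain. Build with `cc -o rxring rxring.c` and run it as root with an interface name as the only argument; it prints ten frames and exits.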
Overview
netsniff-ng was initially created as a network sniffer built on the Linux kernel's packet-mmap interface. More tools were added later, turning it into a toolkit of several cooperating programs in the manner of the iproute2 suite. Through the kernel's zero-copy interface, efficient packet processing can be achieved even on commodity hardware; for instance, Gigabit Ethernet wire speed has been reached with netsniff-ng's trafgen.[4][5] The netsniff-ng toolkit does not depend on the libpcap library, and no special operating system patches are needed to run it. netsniff-ng is free software released under the terms of the GNU General Public License version 2.
The toolkit currently consists of a network analyzer, packet capturer and replayer, a wire-rate traffic generator, an encrypted multiuser IP tunnel, a Berkeley Packet Filter compiler, networking statistics tools, an autonomous system trace route and more:[6]
- netsniff-ng: a zero-copy analyzer, packet capturer and replayer, itself supporting the pcap file format
- trafgen: a zero-copy wire-rate traffic generator
- mausezahn: a packet generator and analyzer for hardware and software appliances, with a Cisco-like CLI
- bpfc: a Berkeley Packet Filter (BPF) compiler
- ifpps: a top-like kernel networking statistics tool
- flowtop: a top-like netfilter connection tracking tool with Geo-IP information
- curvetun: a lightweight multiuser IP tunnel based on elliptic-curve cryptography
- astraceroute: an autonomous system trace route utility with Geo-IP information
Distribution-specific packages are available for all major Linux distributions, such as Debian[7] and Fedora Linux. The toolkit has also been added to Xplico's Network Forensic Toolkit,[8] GRML Linux, Security Onion[9] and the Network Security Toolkit.[10] It is also used in academia.[11][12]
Basic commands working in netsniff-ng
In these examples, it is assumed that eth0 is the network interface in use. Programs in the netsniff-ng suite accept long options as well as short ones, e.g. --in (-i), --out (-o), --dev (-d).
- For a geographical AS (autonomous system) trace route to a website using TCP SYN probes:
astraceroute -d eth0 -N -S -H
- For top-like kernel networking statistics:
ifpps -d eth0 -p
- For high-speed network packet traffic generation, where trafgen.txf is the packet configuration:
trafgen -d eth0 -c trafgen.txf
- For compiling a Berkeley Packet Filter program:
bpfc fubar.bpf
- For live tracking of current TCP connections (including protocol, application name, and city and country of source and destination):
flowtop
- For efficiently dumping network traffic into a pcap file:
netsniff-ng -i eth0 -o dump.pcap -s -b 0
Platforms
The netsniff-ng toolkit currently runs only on Linux systems. Its developers have declined to port it to Microsoft Windows.[13]
Notes and References
- [1] netsniff-ng license. GitHub. 20 December 2021; archived 24 December 2021. https://web.archive.org/web/20211224021428/https://github.com/netsniff-ng/netsniff-ng/blob/master/COPYING
- [2] Description of the Linux packet-mmap mechanism. 6 November 2011; archived 21 December 2021. https://web.archive.org/web/20211221071741/https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/Documentation/networking/packet_mmap.rst
- [3] netsniff-ng homepage, abstract, zero-copy. 6 November 2011; archived 8 September 2016. https://web.archive.org/web/20160908021235/http://netsniff-ng.org/
- [4] Network Security Toolkit article about trafgen's performance capabilities. 6 November 2011; archived 14 February 2022. https://web.archive.org/web/20220214182334/https://wiki.networksecuritytoolkit.org/nstwiki/index.php/LAN_Ethernet_Maximum_Rates%2C_Generation%2C_Capturing_%26_Monitoring
- [5] Developer's blog about trafgen's performance. 16 October 2011; 6 November 2011; archived 25 April 2012. https://web.archive.org/web/20120425143231/http://blog.cryptoism.org/1318763742.html
- [6] netsniff-ng README. GitHub. 16 February 2018; archived 22 January 2022. https://web.archive.org/web/20220122214552/https://github.com/netsniff-ng/netsniff-ng/blob/master/README
- [7] netsniff-ng in Debian. 12 June 2024; archived 21 December 2021. https://web.archive.org/web/20211221053200/https://packages.debian.org/testing/netsniff-ng
- [8] Xplico support of netsniff-ng. 6 November 2011; archived 21 December 2021. https://web.archive.org/web/20211221053643/https://www.xplico.org/archives/944
- [9] Security Onion 12.04 RC1 available now! 16 December 2012.
- [10] Network Security Toolkit adds netsniff-ng. 6 November 2011; archived 24 June 2021. https://web.archive.org/web/20210624185425/https://www.networksecuritytoolkit.org/nstpro/news/news.html
- [11] netsniff-ng's trafgen at University of Napoli Federico II. 7 November 2011; archived 10 November 2011 (original link dead). https://web.archive.org/web/20111110154303/http://www.grid.unina.it/software/ITG/link.php
- [12] netsniff-ng's trafgen at Columbia University. 7 November 2011; archived 26 August 2021. https://web.archive.org/web/20210826120926/http://www.cs.columbia.edu/~hgs/internet/traffic-generator.html
- [13] netsniff-ng FAQ declining a port to Microsoft Windows. 21 June 2015; archived 13 June 2021. https://web.archive.org/web/20210613132504/http://netsniff-ng.org/faq.html#d14