Original author(s) | Daniel Borkmann |
---|---|
Developer(s) | Daniel Borkmann, Tobias Klauser, Herbert Haas, Emmanuel Roullit, Markus Amend and many others |
Initial release | December, 2009 |
Stable release | 0.6.8[1]
/ 11 January 2021 |
Repository | https://github.com/netsniff-ng/netsniff-ng |
Written in | C |
Operating system | Linux |
Available in | English |
Type | |
License | GPLv2[2] |
Website | http://netsniff-ng.org[3] |
netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its gain of performance is reached by zero-copy mechanisms for network packets (RX_RING, TX_RING),[4] so that the Linux kernel does not need to copy packets from kernel space to user space via system calls such as recvmsg()
.[5] libpcap, starting with release 1.0.0, also supports the zero-copy mechanism on Linux for capturing (RX_RING), so programs using libpcap also use that mechanism on Linux.
netsniff-ng was initially created as a network sniffer with support of the Linux kernel packet-mmap interface for network packets, but later on, more tools have been added to make it a useful toolkit such as the iproute2 suite, for instance. Through the kernel's zero-copy interface, efficient packet processing can be reached even on commodity hardware. For instance, Gigabit Ethernet wire-speed has been reached with netsniff-ng's trafgen.[6][7] The netsniff-ng toolkit does not depend on the libpcap library. Moreover, no special operating system patches are needed to run the toolkit. netsniff-ng is free software and has been released under the terms of the GNU General Public License version 2.
The toolkit currently consists of a network analyzer, packet capturer and replayer, a wire-rate traffic generator, an encrypted multiuser IP tunnel, a Berkeley Packet Filter compiler, networking statistic tools, an autonomous system trace route and more:[8]
Distribution specific packages are available for all major operating system distributions such as Debian[9] or Fedora Linux. It has also been added to Xplico's Network Forensic Toolkit,[10] GRML Linux, SecurityOnion,[11] and to the Network Security Toolkit.[12] The netsniff-ng toolkit is also used in academia.[13][14]
In these examples, it is assumed that eth0
is the used network interface.
Programs in the netsniff-ng suite accept long options, e.g. --in ( -i ), --out ( -o ), --dev ( -d )
.
astraceroute -d eth0 -N -S -H <host e.g., netsniff-ng.org>
ifpps -d eth0 -p
trafgen.txf
is the packet configuration:trafgen -d eth0 -c trafgen.txf
bpfc fubar.bpf
flowtop
netsniff-ng -i eth0 -o dump.pcap -s -b 0
The netsniff-ng toolkit currently runs only on Linux systems. Its developers decline a port to Microsoft Windows.[15]