netsniff-ng(8)
NAME
netsniff-ng - a high performance network sniffer for packet inspection
SYNOPSIS
netsniff-ng [-d device] [-f filter] [-b cpu] [-B cpu] [-P pid] [-L log] [-S af_unix] [-DHnsv]
DESCRIPTION
netsniff-ng is a high performance Linux network sniffer for packet
inspection. Basically, it is similar to tcpdump, but it doesn't need a
syscall per packet. Instead, it uses a memory-mapped area within kernel space for accessing packets without copying them to user space
("zero-copy" mechanism), so under high bandwidth fewer packet drops occur
than with standard libpcap-based sniffers.
netsniff-ng is useful for protocol analysis and reverse engineering,
network debugging, measurement of performance throughput, or creating
network statistics of incoming packets on central network nodes like
routers or firewalls.
NOTE
If you try to create custom socket filters with tcpdump -dd, you have
to edit the ret opcode of the resulting filter, otherwise your payload
will be cut off:
0x6, 0, 0, 0xFFFFFFFF instead of 0x6, 0, 0, 0x00000060
The Linux kernel now takes skb->len instead of 0xFFFFFFFF. If you do
not change it, the kernel will take 0x00000060 as the buffer length and
packets larger than 96 bytes will be cut off (filled with zero bytes)!
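The following is an added example, not part of the netsniff-ng man page or its source, that applies the edit described above mechanically: it reads a filter in the `{ code, jt, jf, k },` layout that `tcpdump -dd` prints (it is an assumption here that the rule files under /etc/netsniff-ng/rules use that same layout) and rewrites the accept length of every `ret #n` to 0xFFFFFFFF. The one detail worth getting right is that `ret #0` is the reject path of the filter: changing that constant too would turn a selective filter into an accept-everything filter, so only non-zero constants are touched, and `ret a` (code 0x16, which returns the accumulator) is left alone because its k field is not a length. The sample filter is constructed from what `tcpdump -dd ip` emits on an Ethernet device with the 96-byte (0x60) accept length the note warns about.

```python
import re

# One classic-BPF instruction in `tcpdump -dd` layout, e.g. `{ 0x6, 0, 0, 0x00000060 },`
INSN_RE = re.compile(
    r"\{\s*(0x[0-9a-fA-F]+|\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(0x[0-9a-fA-F]+|\d+)\s*\}"
)

BPF_RET_K = 0x06          # opcode class BPF_RET with a constant (BPF_K) operand
FULL_PACKET = 0xFFFFFFFF  # "accept the whole packet"; the kernel clamps this to skb->len

# Constructed sample: `tcpdump -dd ip` on an Ethernet device, with the
# 96-byte (0x60) accept length that truncates larger packets.
SAMPLE_DD = """\
{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 1, 0x00000800 },
{ 0x6, 0, 0, 0x00000060 },
{ 0x6, 0, 0, 0x00000000 },
"""


def parse_filter(text):
    """Parse tcpdump -dd output into a list of (code, jt, jf, k) tuples."""
    insns = []
    for m in INSN_RE.finditer(text):
        code, jt, jf, k = m.groups()
        insns.append((int(code, 0), int(jt, 10), int(jf, 10), int(k, 0)))
    return insns


def patch_ret_length(insns):
    """Rewrite every accepting `ret #n` so that n becomes 0xFFFFFFFF.

    Only BPF_RET|BPF_K instructions with a non-zero constant are changed:
    `ret #0` is the reject path and must stay 0, and `ret a` (code 0x16)
    returns the accumulator, so its k field is not a length at all.
    """
    patched = []
    for code, jt, jf, k in insns:
        if code == BPF_RET_K and k != 0:
            k = FULL_PACKET
        patched.append((code, jt, jf, k))
    return patched


def format_filter(insns):
    """Emit instructions back in tcpdump -dd layout, one per line."""
    return "\n".join(
        f"{{ 0x{code:x}, {jt}, {jf}, 0x{k:08x} }}," for code, jt, jf, k in insns
    )


def fix_dd_output(text):
    """Parse, patch the accept length, and re-emit the filter."""
    return format_filter(patch_ret_length(parse_filter(text)))


if __name__ == "__main__":
    # Prints the sample with `ret #96` rewritten to `ret #0xffffffff`
    # and `ret #0` left untouched.
    print(fix_dd_output(SAMPLE_DD))
```

Pipe the output of `tcpdump -dd '<expression>'` through `fix_dd_output` and save the result as the rule file handed to `-f`; the unchanged `ret #0` line is what keeps the filter selective.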
OPTIONS
- -d device
- For instance, use `eth0' or `wlan0' as the packet capturing network device.
- -f filter
- Use a specific Berkeley Packet Filter program to filter incoming packets. Have a look at the given examples in: /etc/netsniff-ng/rules
- -D
- Run netsniff-ng in daemon mode; the options -P, -L and -S are required, too. Note: to gather statistics during runtime without the unix domain socket inode, just send SIGUSR1 to netsniff-ng.
- -P pidfile
- Used to define the pidfile. In most cases you can define it as /var/run/netsniff-ng.pid.
- -L logfile
- Used to define the logfile. In most cases you can define it as /var/log/netsniff-ng.log.
- -S inode
- Used to define the unix domain socket inode. In most cases you can define it as /tmp/netsniff-ng.uds.
- -b CPU
- Force the system scheduler to schedule netsniff-ng only on specific CPUs. The parameter can be 0 for using only CPU0, 0,1 for using CPU0 and CPU1, or even 0-4 for using a whole CPU range. If you have a customized init process that leaves out a particular CPU, you can bind netsniff-ng to that free CPU for maximal performance. On the other hand, you can avoid scheduling netsniff-ng on CPUs which are reserved for other critical tasks.
- -B CPU
- Force the system scheduler to not schedule netsniff-ng on specific CPUs. The parameter syntax is equivalent to -b.
- -H
- Do not put netsniff-ng in high-priority mode. Normally, netsniff-ng is scheduled with high priority, so it may make use of the full CPU timeslice. You can avoid this by setting -H.
- -n
- This option sets netsniff-ng to non-blocking mode. If the RX_RING is empty for whatever reason, netsniff-ng is put to sleep and waits for new incoming packets. By setting -n, netsniff-ng will spin (with 100% CPU usage) in non-blocking mode. This might be faster, but could slow down other processes.
- -s
- Do not print captured packets to stdout (silent mode). This switch can be changed during runtime by sending SIGUSR2 to toggle verbose/silent mode.
- -v
- Prints version information.
AUTHOR
(C) 2009, 2010, by Daniel Borkmann and Emmanuel Roullit
For bug reports, questions, code contributions, cool hacks and all the rest: <danborkmann@googlemail.com>