GitHub - 3rl/netsniff-ng: netsniff-ng toolkit, the packet sniffing beast, staging tree

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 1,435 Commits
Documentation		Documentation
contrib		contrib
src		src
.gitattributes		.gitattributes
.gitignore		.gitignore
.mailmap		.mailmap
AUTHORS		AUTHORS
CHANGELOG		CHANGELOG
CODING		CODING
COPYING		COPYING
HACKING		HACKING
INSTALL		INSTALL
MAINTAINER		MAINTAINER
MIRRORS		MIRRORS
README		README
README.curvetun		README.curvetun
REPORTING-BUGS		REPORTING-BUGS
THANKS		THANKS
TODO		TODO
VERSION		VERSION

Repository files navigation

//////////////////////////////////////////////////////////////////////////////

                    netsniff-ng - the packet sniffing beast

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

                                      .      .
                                     /(      )\
                                   .' {______} '.
                                    \ ^,    ,^ /
 netsniff-ng is a free, performant   |'O\  /O'|   _.<0101011>--
 Linux network analyzer and          > `'  '` <  /
 networking toolkit.                 ) ,.==., (  |
                                    (|/--~~--\|)-'
 Release: 2011-xx-xx               /
                                  (      ___
 Web: http://netsniff-ng.org       \__.=|___E

The gain of performance is reached by 'zero-copy' mechanisms, so that the
kernel does not need to copy packets from kernelspace to userspace and vice
versa.

For this purpose netsniff-ng is libpcap independent, but nevertheless supports
the pcap file format for capturing, replaying and performing offline-analysis
of pcap dumps. Furthermore we are focussing on building a robust, clean and
secure analyzer and utilities that complete netsniff-ng as a support for the
the daily work of system administrators, networking engineers, researchers or
security specialists.

The netsniff-ng toolkit [1] currently consists of the following utilities:

  * netsniff-ng: the 'zero-copy' sniffer, pcap capturer and replayer itself
  * warp: an ARP cache poisoning utility (todo)
  * trafgen: a high performance 'zero-copy' network packet generator
  * ifpps: a top-like kernel networking and system statistics tool
  * curvetun: a lightweight curve25519-based multiuser IP tunnel
  * ashunt: an Autonomous System trace route and ISP testing utility
  * flowtop: a top-like netfilter connection tracking tool
  * bpfc: a tiny Berkeley Packet Filter compiler supporting Linux extensions

The netsniff-ng toolkit is an Open Source project covered by the GNU General 
Public License. For any questions or feedback about netsniff-ng you are welcome
to leave us a message to <workgroup@netsniff-ng.org> or to our mailing list
at <netsniff-ng@googlegroups.com> (Note: you have to register first). This
project is purely non-commercial and will always stay that way! The current
project status can be considered as "working". In general, all tools have been
tested by us to a great extend including their command-line options. In fact,
many of our tools are used in production systems. However, we give no guarantee
that our tools are free of bugs! If you spot some issues, contact us as
described in REPORTING-BUGS.

Also, have a look at our FAQ [2] for answering your questions. Furthermore,
we have a development blog [3] where we sometimes drop some interesting things
or news for the outside world! A public repository of the old stable releases
(which you probably do not want to have a look at), can be found here [4].

By the way, some notes on zero-copy ... You might want to have NAPI drivers [5]
enabled in your kernel to reduce interrupt load and for high-speed (= relative
to the CPU speed) PCAP dumping and replay, a fast SSD isn't too bad either,
and make sure to use netsniff-ngs scatter/gather or mmap I/O options. Next to
this, (and this refers to packet generation as well), a 10-Gbit/s-Ethernet
NIC, an appropriate amount of RAM and a fast CPU is recommended. Furthermore,
you should bind the netsniff-ng tools to a specific CPU via commandline option
(i.e. --bind 0). Some further recommendations can be found in [6] [8]. Also,
Eric Dumazets BPF Just-in-Time compiler can speed up the critical path [7].

You might want to have a look at INSTALL, HACKING, CODING and COPYING, too.
Happy packet hacking!

[1] http://netsniff-ng.org/
[2] http://netsniff-ng.org/faq.html
[3] http://dev.netsniff-ng.org/
[4] http://pub.netsniff-ng.org/
[5] http://www.linuxfoundation.org/collaborate/workgroups/networking/napi
[6] http://datatag.web.cern.ch/datatag/howto/tcp.html
[7] http://thread.gmane.org/gmane.linux.network/191115
    Kernel build option:
      CONFIG_HAVE_BPF_JIT=y
      CONFIG_BPF_JIT=y
[8] http://bit.ly/3XbBrM