netsniff-ng

From Wikipedia, the free encyclopedia
netsniff-ng toolkit
Original author: Daniel Borkmann
Developers: Daniel Borkmann, Tobias Klauser, Herbert Haas, Emmanuel Roullit, Markus Amend and many others
Initial release: December 2009
Written in: C
Operating system: Linux
Available in: English
License: GPLv2[1]
Website: http://www.netsniff-ng.org/

netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its performance gain comes from zero-copy mechanisms for network packets (RX_RING, TX_RING),[2] so that the Linux kernel does not need to copy packets from kernel space to user space through system calls such as recvmsg().[3] libpcap, starting with release 1.0.0, also supports the zero-copy mechanism on Linux for capturing (RX_RING), so programs using libpcap also use that mechanism on Linux.

Overview

netsniff-ng was initially created as a network sniffer with support for the Linux kernel's packet-mmap interface, but more tools have since been added, turning it into a toolkit comparable to the iproute2 suite. Through the kernel's zero-copy interface, efficient packet processing can be achieved even on commodity hardware; Gigabit Ethernet wire speed, for instance, has been reached with netsniff-ng's trafgen.[4][5] The toolkit does not depend on the libpcap library, and no special operating system patches are needed to run it. netsniff-ng is free software, released under the terms of the GNU General Public License version 2.
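The zero-copy receive path the two paragraphs above describe, as an added example in C that is not netsniff-ng's own code: it builds a ring geometry and checks it against the constraints the kernel's packet_mmap interface enforces (the usual cause of an EINVAL from PACKET_RX_RING), then opens an AF_PACKET socket with a TPACKET_V2 receive ring, maps it into the process, and reads frames in place before handing each slot back to the kernel. The interface name eth0, the ring sizes and the 10-frame stop are assumptions for illustration; the ring setup needs CAP_NET_RAW.

```c
/* Added example, not netsniff-ng code: the PACKET_RX_RING zero-copy receive path
 * described above (Linux-only, needs CAP_NET_RAW). Assumed for illustration: eth0,
 * 2048-byte frames, 2 frames per block, 64 blocks, and a stop after 10 frames. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <poll.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <linux/if_packet.h>

struct ring_geometry { unsigned int block_size, block_nr, frame_size, frame_nr; };

/* Fill a tpacket_req-style geometry and check it against the packet_mmap rules the
 * kernel enforces: frame_size >= TPACKET2_HDRLEN and a multiple of TPACKET_ALIGNMENT,
 * block_size a multiple of the page size, frame_nr == block_nr * frames_per_block.
 * Returns 0 if the kernel would accept it, -1 where it would answer EINVAL. */
int ring_geometry_make(unsigned int page_size, unsigned int frame_size,
                       unsigned int frames_per_block, unsigned int block_nr,
                       struct ring_geometry *g)
{
    if (!page_size || !frame_size || !frames_per_block || !block_nr) return -1;
    if (frame_size < TPACKET2_HDRLEN || frame_size % TPACKET_ALIGNMENT) return -1;
    if (frames_per_block > UINT32_MAX / frame_size) return -1;
    g->frame_size = frame_size;
    g->block_size = frame_size * frames_per_block;   /* frames tile each block exactly */
    if (g->block_size % page_size) return -1;
    if (frames_per_block > UINT32_MAX / block_nr) return -1;
    g->block_nr = block_nr;
    g->frame_nr = frames_per_block * block_nr;
    return 0;
}

/* AF_PACKET socket with a TPACKET_V2 receive ring mapped into this process and
 * bound to ifname. Returns the fd or -1 (errno set); *map gets the ring base. */
int rx_ring_open(const char *ifname, const struct ring_geometry *g, void **map)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    int ver = TPACKET_V2;
    struct tpacket_req req = { g->block_size, g->block_nr, g->frame_size, g->frame_nr };
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_protocol = htons(ETH_P_ALL),
                               .sll_ifindex = (int)if_nametoindex(ifname) };
    if (sll.sll_ifindex == 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_VERSION, &ver, sizeof ver) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_RX_RING, &req, sizeof req) < 0 ||
        (*map = mmap(NULL, (size_t)g->block_size * g->block_nr, PROT_READ | PROT_WRITE,
                     MAP_SHARED, fd, 0)) == MAP_FAILED ||
        bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Consume frames the kernel marked TP_STATUS_USER. Frame i sits at map + i *
 * frame_size; packet bytes are read where the driver wrote them (no copy), then
 * the slot is returned with TP_STATUS_KERNEL. Returns the number of frames consumed. */
unsigned int rx_ring_drain(void *map, const struct ring_geometry *g, unsigned int *next)
{
    unsigned int seen = 0;
    for (;;) {
        char *base = (char *)map + (size_t)*next * g->frame_size;
        volatile struct tpacket2_hdr *h = (volatile struct tpacket2_hdr *)base;
        if (!(h->tp_status & TP_STATUS_USER)) break;
        const unsigned char *pkt = (const unsigned char *)base + h->tp_mac;
        if (h->tp_snaplen >= 14)
            printf("frame %u: %u bytes, ethertype 0x%02x%02x\n", *next, h->tp_len, pkt[12], pkt[13]);
        h->tp_status = TP_STATUS_KERNEL;
        *next = (*next + 1) % g->frame_nr;
        seen++;
    }
    return seen;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0";   /* the article's example interface */
    struct ring_geometry g;
    if (ring_geometry_make((unsigned int)sysconf(_SC_PAGESIZE), 2048, 2, 64, &g) != 0) {
        fputs("ring geometry rejected\n", stderr);
        return 1;
    }
    void *map = NULL;
    int fd = rx_ring_open(ifname, &g, &map);
    if (fd < 0) { perror("rx_ring_open (needs CAP_NET_RAW)"); return 1; }
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    unsigned int next = 0, total = 0;
    while (total < 10 && poll(&pfd, 1, 5000) > 0)   /* sleep until the kernel filled a frame */
        total += rx_ring_drain(map, &g, &next);
    munmap(map, (size_t)g.block_size * g.block_nr);
    close(fd);
    return 0;
}
```

Build with `cc -Wall -o rx_ring rx_ring.c` and run it as root with the interface name as the only argument. The geometry is validated before any socket is opened, so a misconfigured ring fails with a clear message rather than an opaque EINVAL from setsockopt; the kernel places each packet directly into the mapped ring, and the loop never copies packet bytes.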

The toolkit currently consists of a network analyzer, packet capturer and replayer, a wire-rate traffic generator, an encrypted multiuser IP tunnel, a Berkeley Packet Filter compiler, networking statistics tools, an autonomous system trace route and more:[6]

• netsniff-ng: a zero-copy analyzer, packet capturer and replayer, itself supporting the pcap file format
• trafgen: a zero-copy wire-rate traffic generator
• mausezahn: a packet generator and analyzer for HW/SW appliances with a Cisco-CLI
• bpfc: a Berkeley Packet Filter (BPF) compiler
• ifpps: a top-like kernel networking statistics tool
• flowtop: a top-like netfilter connection tracking tool with Geo-IP information
• curvetun: a lightweight multiuser IP tunnel based on elliptic-curve cryptography
• astraceroute: an autonomous system trace route utility with Geo-IP information

Distribution-specific packages are available for all major operating system distributions, such as Debian[7] or Fedora Linux. It has also been added to Xplico's Network Forensic Toolkit,[8] GRML Linux, Security Onion[9] and the Network Security Toolkit.[10] The netsniff-ng toolkit is also used in academia.[11][12]

Basic commands working in netsniff-ng

In these examples, it is assumed that eth0 is the network interface in use. Programs in the netsniff-ng suite accept long options as well as short ones, e.g. --in (-i), --out (-o), --dev (-d).

• For a geographical AS TCP SYN probe trace route to a website:
  astraceroute -d eth0 -N -S -H ⟨host e.g., netsniff-ng.org⟩
• For kernel networking statistics within promiscuous mode:
  ifpps -d eth0 -p
• For high-speed network packet traffic generation, where trafgen.txf is the packet configuration:
  trafgen -d eth0 -c trafgen.txf
• For compiling a Berkeley Packet Filter fubar.bpf:
  bpfc fubar.bpf
• For live-tracking of current TCP connections (including protocol, application name, city and country of source and destination):
  flowtop
• For efficiently dumping network traffic into a pcap file:
  netsniff-ng -i eth0 -o dump.pcap -s -b 0
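What a compiled Berkeley Packet Filter, the output of a compiler such as bpfc (listed among the tools above and invoked in the command list), actually does per packet, as an added example in C that is neither bpfc's nor netsniff-ng's code: a minimal interpreter for the classic BPF encoding (struct sock_filter: code, jt, jf, k) run over constructed Ethernet frames, with the filter "ip and tcp" written in the table form tcpdump -dd prints. The frame layout, the 64-byte sample length and the name cbpf_insn are assumptions for illustration; only the load, jump and return opcodes this filter needs are modelled.

```c
/* Added example, not netsniff-ng or bpfc code: a small interpreter for the classic
 * BPF encoding (struct sock_filter: code, jt, jf, k) that BPF compilers emit and the
 * kernel evaluates per packet. The filter below is "ip and tcp" in the opcode form
 * tcpdump -dd prints; the Ethernet frames are constructed test data. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcode fields, numerically identical to <linux/filter.h> (kept local so the
 * example also builds on non-Linux hosts). */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_W    0x00
#define BPF_H    0x08
#define BPF_B    0x10
#define BPF_IMM  0x00
#define BPF_ABS  0x20
#define BPF_LEN  0x80
#define BPF_JA   0x00
#define BPF_JEQ  0x10
#define BPF_JGT  0x20
#define BPF_JGE  0x30
#define BPF_JSET 0x40
#define BPF_A    0x10   /* BPF_RET source: accumulator instead of the constant k */

struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };  /* same layout as struct sock_filter */

/* Run a filter over one packet. Returns the number of bytes to accept (0 = drop).
 * A load past the end of the packet, an opcode this subset does not model, or
 * running off the end of the program all drop the packet. */
uint32_t cbpf_run(const struct cbpf_insn *prog, size_t n, const uint8_t *pkt, uint32_t len)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct cbpf_insn *in = &prog[pc];
        uint32_t k = in->k;
        switch (in->code & 0x07) {                       /* BPF_CLASS */
        case BPF_LD:
            if ((in->code & 0xe0) == BPF_IMM) { acc = k; break; }
            if ((in->code & 0xe0) == BPF_LEN) { acc = len; break; }
            if ((in->code & 0xe0) != BPF_ABS) return 0;
            {
                uint32_t w = (in->code & 0x18) == BPF_W ? 4 : (in->code & 0x18) == BPF_H ? 2 : 1;
                if (k > len || len - k < w) return 0;    /* out-of-bounds load: drop */
                acc = 0;
                for (uint32_t i = 0; i < w; i++) acc = (acc << 8) | pkt[k + i];  /* network byte order */
            }
            break;
        case BPF_JMP: {
            if (in->code & 0x08) return 0;               /* X-register operand not modelled */
            int taken;
            switch (in->code & 0xf0) {                   /* BPF_OP */
            case BPF_JA:   pc += k; continue;            /* the loop increment supplies the +1 */
            case BPF_JEQ:  taken = acc == k; break;
            case BPF_JGT:  taken = acc > k;  break;
            case BPF_JGE:  taken = acc >= k; break;
            case BPF_JSET: taken = (acc & k) != 0; break;
            default: return 0;
            }
            pc += taken ? in->jt : in->jf;               /* jt/jf are offsets from pc + 1 */
            break;
        }
        case BPF_RET:
            return (in->code & 0x18) == BPF_A ? acc : k;
        default:
            return 0;                                    /* ALU, LDX, ST... not needed here */
        }
    }
    return 0;
}

/* "ip and tcp" for Ethernet, in the table form tcpdump -dd prints. */
static const struct cbpf_insn ip_and_tcp[] = {
    { 0x28, 0, 0, 0x0000000c },  /* ldh [12]      A = EtherType                      */
    { 0x15, 0, 3, 0x00000800 },  /* jeq #0x800    otherwise skip 3 -> ret #0         */
    { 0x30, 0, 0, 0x00000017 },  /* ldb [23]      A = IPv4 protocol field            */
    { 0x15, 0, 1, 0x00000006 },  /* jeq #6        otherwise skip 1 -> ret #0         */
    { 0x06, 0, 0, 0x00040000 },  /* ret #262144   accept (tcpdump's default snaplen) */
    { 0x06, 0, 0, 0x00000000 },  /* ret #0        drop                               */
};
#define N_INSNS (sizeof ip_and_tcp / sizeof ip_and_tcp[0])

/* Constructed frame: Ethernet header with the given EtherType, then a minimal IPv4
 * header whose protocol byte (offset 23) is `proto`; everything else is zero. Only
 * the first `len` bytes are handed to the filter, like a short capture snapshot. */
uint32_t filter_frame(uint16_t ethertype, uint8_t proto, uint32_t len)
{
    uint8_t f[64] = { 0 };
    f[12] = (uint8_t)(ethertype >> 8);
    f[13] = (uint8_t)ethertype;
    f[14] = 0x45;                 /* IPv4, IHL = 5 */
    f[23] = proto;
    return cbpf_run(ip_and_tcp, N_INSNS, f, len > sizeof f ? (uint32_t)sizeof f : len);
}

int main(void)
{
    printf("IPv4/TCP   -> %u\n", filter_frame(0x0800, 6, 64));   /* 262144: accepted */
    printf("IPv4/UDP   -> %u\n", filter_frame(0x0800, 17, 64));  /* 0: dropped */
    printf("ARP        -> %u\n", filter_frame(0x0806, 6, 64));   /* 0: dropped */
    printf("20-byte cut -> %u\n", filter_frame(0x0800, 6, 20));  /* 0: ldb [23] past the end */
    return 0;
}
```

The truncated case is the one worth noting: a load beyond the packet does not fault or read stale memory, it rejects the packet, which is exactly why the kernel can run untrusted filter programs from unprivileged-looking sources such as tcpdump expressions safely. The same six-entry table is what a compiler like bpfc produces from its source file before it is attached with SO_ATTACH_FILTER.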

Platforms

The netsniff-ng toolkit currently runs only on Linux systems. Its developers have declined to port it to Microsoft Windows.[13]


References

1. ^ [citation not rendered]
2. ^ [citation not rendered]
3. ^ [citation not rendered]
4. ^ [citation not rendered]
5. ^ [citation not rendered]
6. ^ [citation not rendered]
7. ^ [citation not rendered]
8. ^ [citation not rendered]
9. ^ [citation not rendered]
10. ^ [citation not rendered]
11. ^ [citation not rendered]
12. ^ [citation not rendered]
13. ^ [citation not rendered]