netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its gain of performance is reached by zero-copy mechanisms for network packets (RX_RING, TX_RING),[3] so that the Linux kernel does not need to copy packets from kernel space to user space via system calls such as recvmsg().[4] libpcap, starting with release 1.0.0, also supports the zero-copy mechanism on Linux for capturing (RX_RING), so programs using libpcap also use that mechanism on Linux.

netsniff-ng toolkit
Original author(s)Daniel Borkmann
Developer(s)Daniel Borkmann, Tobias Klauser, Herbert Haas, Emmanuel Roullit, Markus Amend and many others
Initial releaseDecember, 2009
Stable release
0.6.8[1] / 11 January 2021; 3 years ago (11 January 2021)
Repositoryhttps://github.com/netsniff-ng/netsniff-ng
Written inC
Operating systemLinux
Available inEnglish
Type
LicenseGPLv2[2]
Websitehttp://www.netsniff-ng.org/

Overview

edit

netsniff-ng was initially created as a network sniffer with support of the Linux kernel packet-mmap interface for network packets, but later on, more tools have been added to make it a useful toolkit such as the iproute2 suite, for instance. Through the kernel's zero-copy interface, efficient packet processing can be reached even on commodity hardware. For instance, Gigabit Ethernet wire-speed has been reached with netsniff-ng's trafgen.[5][6] The netsniff-ng toolkit does not depend on the libpcap library. Moreover, no special operating system patches are needed to run the toolkit. netsniff-ng is free software and has been released under the terms of the GNU General Public License version 2.

The toolkit currently consists of a network analyzer, packet capturer and replayer, a wire-rate traffic generator, an encrypted multiuser IP tunnel, a Berkeley Packet Filter compiler, networking statistic tools, an autonomous system trace route and more:[7]

  • netsniff-ng: a zero-copy analyzer, packet capturer and replayer, itself supporting the pcap file format
  • trafgen: a zero-copy wire-rate traffic generator
  • mausezahn: a packet generator and analyzer for HW/SW appliances with a Cisco-CLI
  • bpfc: a Berkeley Packet Filter (BPF) compiler
  • ifpps: a top-like kernel networking statistics tool
  • flowtop: a top-like netfilter connection tracking tool with Geo-IP information
  • curvetun: a lightweight multiuser IP tunnel based on elliptic-curve cryptography
  • astraceroute: an autonomous system trace route utility with Geo-IP information

Distribution specific packages are available for all major operating system distributions such as Debian[8] or Fedora Linux. It has also been added to Xplico's Network Forensic Toolkit,[9] GRML Linux, Security Onion,[10] and to the Network Security Toolkit.[11] The netsniff-ng toolkit is also used in academia.[12][13]

Basic commands working in netsniff-ng

edit

In these examples, it is assumed that eth0 is the used network interface. Programs in the netsniff-ng suite accept long options, e.g. --in ( -i ), --out ( -o ), --dev ( -d ).

  • For geographical AS TCP SYN probe trace route to a website:
astraceroute -d eth0 -N -S -H <host e.g., netsniff-ng.org>
ifpps -d eth0 -p
  • For high-speed network packet traffic generation, trafgen.txf is the packet configuration:
trafgen -d eth0 -c trafgen.txf
bpfc fubar.bpf
  • For live-tracking of current TCP connections (including protocol, application name, city and country of source and destination):
flowtop
  • For efficiently dumping network traffic in a pcap file:
netsniff-ng -i eth0 -o dump.pcap -s -b 0

Platforms

edit

The netsniff-ng toolkit currently runs only on Linux systems. Its developers decline a port to Microsoft Windows.[14]

See also

edit

References

edit
  1. ^ "Release 0.6.8". 11 January 2021. Retrieved 13 January 2021.
  2. ^ "netsniff-ng license". GitHub. Archived from the original on 24 December 2021. Retrieved 20 December 2021.
  3. ^ "Description of the Linux packet-mmap mechanism". Archived from the original on 21 December 2021. Retrieved 6 November 2011.
  4. ^ "netsniff-ng homepage, abstract, zero-copy". Archived from the original on 8 September 2016. Retrieved 6 November 2011.
  5. ^ "Network Security Toolkit Article about trafgen's performance capabilities". Archived from the original on 14 February 2022. Retrieved 6 November 2011.
  6. ^ "Developer's blog about trafgen's performance". 16 October 2011. Archived from the original on 25 April 2012. Retrieved 6 November 2011.
  7. ^ "netsniff-ng README". GitHub. Archived from the original on 22 January 2022. Retrieved 16 February 2018.
  8. ^ "netsnif-ng in Debian". Archived from the original on 2021-12-21. Retrieved 2024-06-12.
  9. ^ "Xplico support of netsniff-ng". Archived from the original on 21 December 2021. Retrieved 6 November 2011.
  10. ^ "Security Onion 12.04 RC1 available now!". Retrieved 16 December 2012.
  11. ^ "Network Security Toolkit adds netsniff-ng". Archived from the original on 24 June 2021. Retrieved 6 November 2011.
  12. ^ "netsniff-ng's trafgen at University of Napoli Federico II". Archived from the original on 10 November 2011. Retrieved 7 November 2011.
  13. ^ "netsniff-ng's trafgen at Columbia University". Archived from the original on 26 August 2021. Retrieved 7 November 2011.
  14. ^ "netsniff-ng FAQ declining a port to Microsoft Windows". Archived from the original on 13 June 2021. Retrieved 21 June 2015.
edit