Netsniff-ng

{{Short description|Linux networking toolkit}}

{{lowercase|title=netsniff-ng}}

{{Infobox software

| name = netsniff-ng toolkit

| logo = Netsniff-ng small.png

| screenshot = Astraceroute Mushoku Tensei screenshot.png

| caption = Screenshot of astraceroute trace for the website of Mushoku Tensei

| author = Daniel Borkmann

| developer = Daniel Borkmann, Tobias Klauser, Herbert Haas, Emmanuel Roullit, Markus Amend and many others

| operating_system = Linux

| released = December, 2009

| latest release version = {{wikidata|property|reference|P348}}

| latest release date = {{start date and age|{{wikidata|qualifier|P348|P577}}}}

| latest preview version =

| latest preview date =

| genre = {{ubl|Network management|Network engineering|Computer security}}

| programming language = C

| language = English

| license = GPLv2{{cite web|url=https://github.com/netsniff-ng/netsniff-ng/blob/master/COPYING|title=netsniff-ng license|website=GitHub|access-date=20 December 2021|archive-date=24 December 2021|archive-url=https://web.archive.org/web/20211224021428/https://github.com/netsniff-ng/netsniff-ng/blob/master/COPYING|url-status=live}}

| website = http://www.netsniff-ng.org/

| repo = {{wikidata|property|reference|P1324}}

}}

netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its performance gain comes from zero-copy mechanisms for network packets (RX_RING, TX_RING),{{cite web|accessdate=6 November 2011|title=Description of the Linux packet-mmap mechanism|url=https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/Documentation/networking/packet_mmap.rst|archive-date=21 December 2021|archive-url=https://web.archive.org/web/20211221071741/https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/Documentation/networking/packet_mmap.rst|url-status=live}} so that the Linux kernel does not need to copy packets from kernel space to user space via system calls such as recvmsg().{{cite web|accessdate=6 November 2011|title=netsniff-ng homepage, abstract, zero-copy|url=http://netsniff-ng.org|archive-url=https://web.archive.org/web/20160908021235/http://netsniff-ng.org/|archive-date=8 September 2016|url-status=live}} libpcap, starting with release 1.0.0, also supports the zero-copy mechanism on Linux for capturing (RX_RING), so programs using libpcap also use that mechanism on Linux.
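As an added illustration of the packet-mmap mechanism described above (this is example code, not code from netsniff-ng), the following C sketch attaches a TPACKET_V2 RX_RING to an AF_PACKET socket, maps the ring into user space and consumes ready frames in place by flipping their status words, so no recvmsg() copy is needed. The socket part needs CAP_NET_RAW, so the frame-status walk is exercised on a constructed in-memory ring; the function names and ring geometry are this example's own choices.

```c
#include <unistd.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

/* Attach a PACKET_RX_RING to an AF_PACKET socket (all interfaces, ETH_P_ALL) and
 * mmap it. The kernel rejects a tp_block_size that is not a page multiple or that
 * tp_frame_size does not divide. Needs CAP_NET_RAW. Returns the fd or -1;
 * *ring receives the mapping shared with the kernel. */
int open_rx_ring(const struct tpacket_req *r, void **ring)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)), ver = TPACKET_V2;
    if (fd < 0) return -1;
    if (setsockopt(fd, SOL_PACKET, PACKET_VERSION, &ver, sizeof ver) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_RX_RING, r, sizeof *r) < 0 ||
        (*ring = mmap(NULL, (size_t) r->tp_block_size * r->tp_block_nr,
                      PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED) {
        close(fd); return -1;
    }
    return fd;
}

/* One pass over the ring: frames the kernel flagged TP_STATUS_USER are read in
 * place (payload starts at (char *) h + h->tp_mac) and handed back by resetting
 * the status word to TP_STATUS_KERNEL. Returns the number of frames consumed. */
unsigned drain_ring(void *ring, const struct tpacket_req *r)
{
    unsigned i, seen = 0;
    for (i = 0; i < r->tp_frame_nr; i++) {
        struct tpacket2_hdr *h = (void *) ((char *) ring + (size_t) i * r->tp_frame_size);
        if (!(h->tp_status & TP_STATUS_USER)) continue;   /* still owned by kernel */
        seen++;
        h->tp_status = TP_STATUS_KERNEL;                   /* no recvmsg() copy */
    }
    return seen;
}

/* Constructed ring, no socket needed: 4 frames of 256 bytes, frames 1 and 3 ready.
 * Returns 1 if the first pass consumes both and a second pass finds nothing. */
int demo_constructed_ring(void)
{
    struct tpacket_req r = { .tp_frame_size = 256, .tp_frame_nr = 4 };
    unsigned int ring[256] = { 0 };                        /* 1024 bytes, aligned */
    ((struct tpacket2_hdr *) ((char *) ring + 256))->tp_status = TP_STATUS_USER;
    ((struct tpacket2_hdr *) ((char *) ring + 768))->tp_status = TP_STATUS_USER;
    return drain_ring(ring, &r) == 2 && drain_ring(ring, &r) == 0;
}
```

In a real capture loop, poll() on the socket fd between passes of drain_ring() blocks until the kernel has marked new frames ready.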

Overview

netsniff-ng was initially created as a network sniffer with support for the Linux kernel's packet-mmap interface, but more tools were later added to turn it into a toolkit comparable to, for instance, the iproute2 suite. Through the kernel's zero-copy interface, efficient packet processing can be achieved even on commodity hardware; for instance, Gigabit Ethernet wire speed has been reached with netsniff-ng's trafgen.{{cite web|accessdate=6 November 2011|url=http://wiki.networksecuritytoolkit.org/nstwiki/index.php/LAN_Ethernet_Maximum_Rates,_Generation,_Capturing_%26_Monitoring|title=Network Security Toolkit Article about trafgen's performance capabilities|date=4 November 2011 |archive-date=14 February 2022|archive-url=https://web.archive.org/web/20220214182334/https://wiki.networksecuritytoolkit.org/nstwiki/index.php/LAN_Ethernet_Maximum_Rates%2C_Generation%2C_Capturing_%26_Monitoring|url-status=live}}{{cite web|accessdate=6 November 2011|url=http://blog.cryptoism.org/1318763742.html|title=Developer's blog about trafgen's performance|date=16 October 2011|archive-url=https://web.archive.org/web/20120425143231/http://blog.cryptoism.org/1318763742.html|archive-date=25 April 2012}} The netsniff-ng toolkit does not depend on the libpcap library, and no special operating system patches are needed to run it. netsniff-ng is free software released under the terms of the GNU General Public License version 2.

The toolkit currently consists of a network analyzer, packet capturer and replayer, a wire-rate traffic generator, an encrypted multiuser IP tunnel, a Berkeley Packet Filter compiler, networking statistic tools, an autonomous system trace route and more:{{cite web|accessdate=16 February 2018|title=netsniff-ng README|website=GitHub|url=https://github.com/netsniff-ng/netsniff-ng/blob/master/README|archive-date=22 January 2022|archive-url=https://web.archive.org/web/20220122214552/https://github.com/netsniff-ng/netsniff-ng/blob/master/README|url-status=live}}

  • netsniff-ng: a zero-copy analyzer, packet capturer and replayer, itself supporting the pcap file format
  • trafgen: a zero-copy wire-rate traffic generator
  • mausezahn: a packet generator and analyzer for HW/SW appliances with a Cisco-style CLI
  • bpfc: a Berkeley Packet Filter (BPF) compiler
  • ifpps: a top-like kernel networking statistics tool
  • flowtop: a top-like netfilter connection tracking tool with Geo-IP information
  • curvetun: a lightweight multiuser IP tunnel based on elliptic-curve cryptography
  • astraceroute: an autonomous system trace route utility with Geo-IP information

Distribution-specific packages are available for all major Linux distributions such as Debian{{cite web |url=https://packages.debian.org/testing/netsniff-ng |title=netsnif-ng in Debian |access-date=2024-06-12 |archive-date=2021-12-21 |archive-url=https://web.archive.org/web/20211221053200/https://packages.debian.org/testing/netsniff-ng |url-status=live }} or Fedora Linux. It has also been added to Xplico's Network Forensic Toolkit,{{cite web|accessdate=6 November 2011|title=Xplico support of netsniff-ng|url=http://www.xplico.org/archives/944|archive-date=21 December 2021|archive-url=https://web.archive.org/web/20211221053643/https://www.xplico.org/archives/944|url-status=live}} GRML Linux, Security Onion,{{cite web|accessdate=16 December 2012|title=Security Onion 12.04 RC1 available now!|url=http://securityonion.blogspot.com/2012/12/security-onion-1204-rc1-available-now.html}} and to the Network Security Toolkit.{{cite web|accessdate=6 November 2011|title=Network Security Toolkit adds netsniff-ng|url=http://www.networksecuritytoolkit.org/nstpro/news/news.html|archive-date=24 June 2021|archive-url=https://web.archive.org/web/20210624185425/https://www.networksecuritytoolkit.org/nstpro/news/news.html|url-status=live}} The netsniff-ng toolkit is also used in academia.{{cite web|accessdate=7 November 2011|title=netsniff-ng's trafgen at University of Napoli Federico II|url=http://www.grid.unina.it/software/ITG/link.php|url-status=dead|archive-url=https://web.archive.org/web/20111110154303/http://www.grid.unina.it/software/ITG/link.php|archive-date=10 November 2011}}{{cite web|accessdate=7 November 2011|title=netsniff-ng's trafgen at Columbia University|url=https://www.cs.columbia.edu/~hgs/internet/traffic-generator.html|archive-date=26 August 2021|archive-url=https://web.archive.org/web/20210826120926/http://www.cs.columbia.edu/~hgs/internet/traffic-generator.html|url-status=live}}

Basic commands of the netsniff-ng toolkit

In these examples, it is assumed that {{mono|eth0}} is the network interface in use.

Programs in the netsniff-ng suite accept long options as well as short ones, e.g. {{mono|--in}} ({{mono|-i}}), {{mono|--out}} ({{mono|-o}}), {{mono|--dev}} ({{mono|-d}}).

  • For geographical AS TCP SYN probe trace route to a website:
  • : {{pre|

astraceroute -d eth0 -N -S -H {{angbr|host e.g., netsniff-ng.org}}

}}

  • For top-like kernel networking statistics:
  • : {{pre|

ifpps -d eth0 -p

}}

  • For high-speed network packet traffic generation, trafgen.txf is the packet configuration:
  • : {{pre|

trafgen -d eth0 -c trafgen.txf

}}

  • For compiling a Berkeley Packet Filter program:
  • : {{pre|

bpfc fubar.bpf

}}

  • For live-tracking of current TCP connections (including protocol, application name, city and country of source and destination):
  • : {{pre|

flowtop

}}

  • For efficiently dumping network traffic in a pcap file:
  • : {{pre|

netsniff-ng -i eth0 -o dump.pcap -s -b 0

}}

Platforms

The netsniff-ng toolkit currently runs only on Linux systems. Its developers have declined to port it to Microsoft Windows.{{cite web|url=http://netsniff-ng.org/faq.html#d14|title=netsniff-ng FAQ declining a port to Microsoft Windows|accessdate=21 June 2015|archive-date=13 June 2021|archive-url=https://web.archive.org/web/20210613132504/http://netsniff-ng.org/faq.html#d14|url-status=live}}

References

{{Reflist}}