1NETSNIFF-NG(8) netsniff-ng toolkit NETSNIFF-NG(8)
2
6 netsniff-ng - the packet sniffing beast
7
9 netsniff-ng { [options] [filter-expression] }
10
12 netsniff-ng is a fast, minimal tool to analyze network packets, capture
13 pcap files, replay pcap files, and redirect traffic between interfaces
14 with the help of zero-copy packet(7) sockets. netsniff-ng uses both
15 Linux specific RX_RING and TX_RING interfaces to perform zero-copy.
16 This is to avoid copy and system call overhead between kernel and user
17 address space. When we started working on netsniff-ng, the pcap(3)
18 library did not use this zero-copy facility.
19 netsniff-ng is Linux specific, meaning there is no support for other
21 operating systems. Therefore we can keep the code footprint quite mini‐
22 mal and to the point. Linux packet(7) sockets and its RX_RING and
23 TX_RING interfaces bypass the normal packet processing path through the
24 networking stack. This is the fastest capturing or transmission per‐
25 formance one can get from user space out of the box, without having to
26 load unsupported or non-mainline third-party kernel modules. We explic‐
27 itly refuse to build netsniff-ng on top of ntop/PF_RING. Not because we
28 do not like it (we do find it interesting), but because of the fact
29 that it is not part of the mainline kernel. Therefore, the ntop project
30 has to maintain and sync out-of-tree drivers to adapt them to their
31 DNA. Eventually, we went for untainted Linux kernel, since its code has
32 a higher rate of review, maintenance, security and bug fixes.
33 netsniff-ng also supports early packet filtering in the kernel. It has
35 support for low-level and high-level packet filters that are translated
36 into Berkeley Packet Filter instructions.
37 netsniff-ng can capture pcap files in several different pcap formats
39 that are interoperable with other tools. It has different pcap I/O
40 methods supported (scatter-gather, mmap(2), read(2), and write(2)) for
41 efficient to-disc capturing. netsniff-ng is also able to rotate pcap
42 files based on data size or time intervals, thus, making it a useful
43 backend tool for subsequent traffic analysis.
44 netsniff-ng itself also supports analysis, replaying, and dumping of
46 raw 802.11 frames. For online or offline analysis, netsniff-ng has a
47 built-in packet dissector for the current 802.3 (Ethernet), 802.11*
48 (WLAN), ARP, MPLS, 802.1Q (VLAN), 802.1QinQ, LLDP, IPv4, IPv6, ICMPv4,
49 ICMPv6, IGMP, TCP and UDP, including GeoIP location analysis. Since
50 netsniff-ng does not establish any state or perform reassembly during
51 packet dissection, its memory footprint is quite low, thus, making net‐
52 sniff-ng quite efficient for offline analysis of large pcap files as
53 well.
54 Note that netsniff-ng is currently not multithreaded. However, this
56 does not prevent you from starting multiple netsniff-ng instances that
57 are pinned to different, non-overlapping CPUs and f.e. have different
58 BPF filters attached. Likely that at some point in time your harddisc
59 might become a bottleneck assuming you do not rotate such pcaps in ram
60 (and from there periodically scheduled move to slower medias). You can
61 then use mergecap(1) to transform all pcaps into a single large pcap.
62 Thus, netsniff-ng then works multithreaded eventually.
63 netsniff-ng can also be used to debug netlink traffic.
65
67 -i <dev|pcap|->, -d <dev|pcap|->, --in <dev|pcap|->, --dev <dev|pcap|->
68 Defines an input device. This can either be a networking device, a pcap
69 file or stdin (“-”). In case of a pcap file, the pcap type (“-D”
70 option) is determined automatically by the pcap file magic. In case of
71 stdin, it is assumed that the input stream is a pcap file. If the pcap
72 link type is Netlink and pcap type is default format (usec or nsec),
73 then each packet will be wrapped with pcap cooked header [2].
74 -o <dev|pcap|dir|cfg|->, --out <dev|pcap|dir|cfg|->
76 Defines the output device. This can either be a networking device, a
77 pcap file, a folder, a trafgen(8) configuration file or stdout (“-”).
78 In the case of a pcap file that should not have the default pcap type
79 (0xa1b2c3d4), the additional option “-T” must be provided. If a direc‐
80 tory is given, then, instead of a single pcap file, multiple pcap files
81 are generated with rotation based on maximum file size or a given
82 interval (“-F” option). Optionally, sending the SIGHUP signal to the
83 netsniff-ng process causes a premature rotation of the file. A trafgen
84 configuration file can currently only be specified if the input device
85 is a pcap file. To specify a pcap file as the output device, the file
86 name must have “.pcap” as its extension. If stdout is given as a
87 device, then a trafgen configuration will be written to stdout if the
88 input device is a pcap file, or a pcap file if the input device is a
89 networking device. In case if the input device is a Netlink monitor
90 device and pcap type is default (usec or nsec) then each packet will be
91 wrapped with pcap cooked header [2] to keep Netlink family number
92 (Kuznetzov's and netsniff-ng pcap types already contain family number
93 in protocol number field).
94 -C <id>, --fanout-group <id>
96 If multiple netsniff-ng instances are being started that all have the
97 same packet fanout group id, then the ingress network traffic being
98 captured is being distributed/load-balanced among these group partici‐
99 pants. This gives a much better scaling than running multiple netsniff-
100 ng processes without a fanout group parameter in parallel, but only
101 with a BPF filter attached as a packet would otherwise need to be
102 delivered to all such capturing processes, instead of only once to such
103 a fanout member. Naturally, each fanout member can have its own BPF
104 filters attached.
105 -K <hash|lb|cpu|rnd|roll|qm>, --fanout-type <hash|lb|cpu|rnd|roll|qm>
107 This parameter specifies the fanout discipline, in other words, how the
108 captured network traffic is dispatched to the fanout group members.
109 Options are to distribute traffic by the packet hash (“hash”), in a
110 round-robin manner (“lb”), by CPU the packet arrived on (“cpu”), by
111 random (“rnd”), by rolling over sockets (“roll”) which means if one
112 socket's queue is full, we move on to the next one, or by NIC hardware
113 queue mapping (“qm”).
114 -L <defrag|roll>, --fanout-opts <defrag|roll>
116 Defines some auxiliary fanout options to be used in addition to a given
117 fanout type. These options apply to any fanout type. In case of
118 “defrag”, the kernel is being told to defragment packets before deliv‐
119 ering to user space, and “roll” provides the same roll-over option as
120 the “roll” fanout type, so that on any different fanout type being used
121 (e.g. “qm”) the socket may temporarily roll over to the next fanout
122 group member in case the original one's queue is full.
123 -f, --filter <bpf-file|-|expr>
125 Specifies to not dump all traffic, but to filter the network packet
126 haystack. As a filter, either a bpfc(8) compiled file/stdin can be
127 passed as a parameter or a tcpdump(1)-like filter expression in quotes.
128 For details regarding the bpf-file have a look at bpfc(8), for details
129 regarding a tcpdump(1)-like filter have a look at section “filter exam‐
130 ple” or at pcap-filter(7). A filter expression may also be passed to
131 netsniff-ng without option “-f” in case there is no subsequent option
132 following after the command-line filter expression.
133 -t, --type <type>
135 This defines some sort of filtering mechanisms in terms of addressing.
136 Possible values for type are “host” (to us), “broadcast” (to all),
137 “multicast” (to group), “others” (promiscuous mode) or “outgoing” (from
138 us).
139 -F, --interval <size|time>
141 If the output device is a folder, with “-F”, it is possible to define
142 the pcap file rotation interval either in terms of size or time. Thus,
143 when the interval limit has been reached, a new pcap file will be
144 started. As size parameter, the following values are accepted
145 “<num>KiB/MiB/GiB”; As time parameter, it can be “<num>s/sec/min/hrs”.
146 -J, --jumbo-support
148 By default, in pcap replay or redirect mode, netsniff-ng's ring buffer
149 frames are a fixed size of 2048 bytes. This means that if you are
150 expecting jumbo frames or even super jumbo frames to pass through your
151 network, then you need to enable support for that by using this option.
152 However, this has the disadvantage of performance degradation and a
153 bigger memory footprint for the ring buffer. Note that this doesn't
154 affect (pcap) capturing mode, since tpacket in version 3 is used!
155 -R, --rfraw
157 In case the input or output networking device is a wireless device, it
158 is possible with netsniff-ng to turn this into monitor mode and create
159 a mon<X> device that netsniff-ng will be listening on instead of
160 wlan<X>, for instance. This enables netsniff-ng to analyze, dump, or
161 even replay raw 802.11 frames.
162 -n <0|uint>, --num <0|uint>
164 Process a number of packets and then exit. If the number of packets is
165 0, then this is equivalent to infinite packets resp. processing until
166 interrupted. Otherwise, a number given as an unsigned integer will
167 limit processing.
168 -P <name>, --prefix <name>
170 When dumping pcap files into a folder, a file name prefix can be
171 defined with this option. If not otherwise specified, the default pre‐
172 fix is “dump-” followed by a Unix timestamp. Use “--prefex ""” to set
173 filename as seconds since the Unix Epoch e.g. 1369179203.pcap
174 -T <pcap-magic>, --magic <pcap-magic>
176 Specify a pcap type for storage. Different pcap types with their vari‐
177 ous meta data capabilities are shown with option “-D”. If not otherwise
178 specified, the pcap-magic 0xa1b2c3d4, also known as a standard tcpdump-
179 capable pcap format, is used. Pcap files with swapped endianness are
180 also supported.
181 -D, --dump-pcap-types
183 Dump all available pcap types with their capabilities and magic numbers
184 that can be used with option “-T” to stdout and exit.
185 -B, --dump-bpf
187 If a Berkeley Packet Filter is given, for example via option “-f”, then
188 dump the BPF disassembly to stdout during ring setup. This only serves
189 for informative or verification purposes.
190 -r, --rand
192 If the input and output device are both networking devices, then this
193 option will randomize packet order in the output ring buffer.
194 -M, --no-promisc
196 The networking interface will not be put into promiscuous mode. By
197 default, promiscuous mode is turned on.
198 -N, --no-hwtimestamp
200 Disable taking hardware time stamps for RX packets. By default, if the
201 network device supports hardware time stamping, the hardware time
202 stamps will be used when writing packets to pcap files. This option
203 disables this behavior and forces (kernel based) software time stamps
204 to be used, even if hardware time stamps are available.
205 -A, --no-sock-mem
207 On startup and shutdown, netsniff-ng tries to increase socket read and
208 write buffers if appropriate. This option will prevent netsniff-ng from
209 doing so.
210 -m, --mmap
212 Use mmap(2) as pcap file I/O. This is the default when replaying pcap
213 files.
214 -G, --sg
216 Use scatter-gather as pcap file I/O. This is the default when capturing
217 pcap files.
218 -c, --clrw
220 Use slower read(2) and write(2) I/O. This is not the default case any‐
221 where, but in some situations it could be preferred as it has a lower
222 latency on write-back to disc.
223 -S <size>, --ring-size <size>
225 Manually define the RX_RING resp. TX_RING size in “<num>KiB/MiB/GiB”.
226 By default, the size is determined based on the network connectivity
227 rate.
228 -k <uint>, --kernel-pull <uint>
230 Manually define the interval in micro-seconds where the kernel should
231 be triggered to batch process the ring buffer frames. By default, it is
232 every 10us, but it can manually be prolonged, for instance.
233 -b <cpu>, --bind-cpu <cpu>
235 Pin netsniff-ng to a specific CPU and also pin resp. migrate the NIC's
236 IRQ CPU affinity to this CPU. This option should be preferred in combi‐
237 nation with “-s” in case a middle to high packet rate is expected.
238 -u <uid>, --user <uid> resp. -g <gid>, --group <gid>
240 After ring setup drop privileges to a non-root user/group combination.
241 -H, --prio-high
243 Set this process as a high priority process in order to achieve a
244 higher scheduling rate resp. CPU time. This is however not the default
245 setting, since it could lead to starvation of other processes, for
246 example low priority kernel threads.
247 -Q, --notouch-irq
249 Do not reassign the NIC's IRQ CPU affinity settings.
250 -s, --silent
252 Do not enter the packet dissector at all and do not print any packet
253 information to the terminal. Just shut up and be silent. This option
254 should be preferred in combination with pcap recording or replay, since
255 it will not flood your terminal which causes a significant performance
256 degradation.
257 -q, --less
259 Print a less verbose one-line information for each packet to the termi‐
260 nal.
261 -X, --hex
263 Only dump packets in hex format to the terminal.
264 -l, --ascii
266 Only display ASCII printable characters.
267 -U, --update
269 If geographical IP location is used, the built-in database update mech‐
270 anism will be invoked to get Maxmind's latest database. To configure
271 search locations for databases, the file /etc/netsniff-ng/geoip.conf
272 contains possible addresses. Thus, to save bandwidth or for mirroring
273 of Maxmind's databases (to bypass their traffic limit policy), differ‐
274 ent hosts or IP addresses can be placed into geoip.conf, separated by a
275 newline.
276 -w, --cooked
278 Replace each frame link header with Linux "cooked" header [3] which
279 keeps info about link type and protocol. It allows to dump and dissect
280 frames captured from different link types when -i "any" was specified,
281 for example.
282 -V, --verbose
284 Be more verbose during startup i.e. show detailed ring setup informa‐
285 tion.
286 -v, --version
288 Show version information and exit.
289 -h, --help
291 Show user help and exit.
292
294 netsniff-ng
295 The most simple command is to just run “netsniff-ng”. This will start
296 listening on all available networking devices in promiscuous mode and
297 dump the packet dissector output to the terminal. No files will be
298 recorded.
299 netsniff-ng --in eth0 --out dump.pcap -s -T 0xa1e2cb12 -b 0 tcp or udp
301 Capture TCP or UDP traffic from the networking device eth0 into the
302 pcap file named dump.pcap, which has netsniff-ng specific pcap exten‐
303 sions (see “netsniff-ng -D” for capabilities). Also, do not print the
304 content to the terminal and pin the process and NIC IRQ affinity to CPU
305 0. The pcap write method is scatter-gather I/O.
306 netsniff-ng --in wlan0 --rfraw --out dump.pcap --silent --bind-cpu 0
308 Put the wlan0 device into monitoring mode and capture all raw 802.11
309 frames into the file dump.pcap. Do not dissect and print the content to
310 the terminal and pin the process and NIC IRQ affinity to CPU 0. The
311 pcap write method is scatter-gather I/O.
312 netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 0
314 Replay the pcap file dump.pcap which is read through mmap(2) I/O and
315 send the packets out via the eth0 networking device. Do not dissect and
316 print the content to the terminal and pin the process and NIC IRQ
317 affinity to CPU 0. Also, trigger the kernel every 1000us to traverse
318 the TX_RING instead of every 10us. Note that the pcap magic type is
319 detected automatically from the pcap file header.
320 netsniff-ng --in eth0 --out eth1 --silent --bind-cpu 0 --type host -r
322 Redirect network traffic from the networking device eth0 to eth1 for
323 traffic that is destined for our host, thus ignore broadcast, multicast
324 and promiscuous traffic. Randomize the order of packets for the outgo‐
325 ing device and do not print any packet contents to the terminal. Also,
326 pin the process and NIC IRQ affinity to CPU 0.
327 netsniff-ng --in team0 --out /opt/probe/ -s -m --interval 100MiB -b 0
329 Capture on an aggregated team0 networking device and dump packets into
330 multiple pcap files that are split into 100MiB each. Use mmap(2) I/O as
331 a pcap write method, support for super jumbo frames is built-in (does
332 not need to be configured here), and do not print the captured data to
333 the terminal. Pin netsniff-ng and NIC IRQ affinity to CPU 0. The
334 default pcap magic type is 0xa1b2c3d4 (tcpdump-capable pcap).
335 netsniff-ng --in vlan0 --out dump.pcap -c -u `id -u bob` -g `id -g bob`
337 Capture network traffic on device vlan0 into a pcap file called
338 dump.pcap by using normal read(2), write(2) I/O for the pcap file
339 (slower but less latency). Also, after setting up the RX_RING for cap‐
340 ture, drop privileges from root to the user and group “bob”. Invoke the
341 packet dissector and print packet contents to the terminal for further
342 analysis.
343 netsniff-ng --in any --filter http.bpf -B --ascii -V
345 Capture from all available networking interfaces and install a low-
346 level filter that was previously compiled by bpfc(8) into http.bpf in
347 order to filter HTTP traffic. Super jumbo frame support is automati‐
348 cally enabled and only print human readable packet data to the termi‐
349 nal, and also be more verbose during setup phase. Moreover, dump a BPF
350 disassembly of http.bpf.
351 netsniff-ng --in dump.pcap --out dump.cfg --silent
353 Convert the pcap file dump.pcap into a trafgen(8) configuration file
354 dump.cfg. Do not print pcap contents to the terminal.
355 netsniff-ng -i dump.pcap -f beacon.bpf -o -
357 Convert the pcap file dump.pcap into a trafgen(8) configuration file
358 and write it to stdout. However, do not dump all of its content, but
359 only the one that passes the low-level filter for raw 802.11 from bea‐
360 con.bpf. The BPF engine here is invoked in user space inside of net‐
361 sniff-ng, so Linux extensions are not available.
362 cat foo.pcap | netsniff-ng -i - -o -
364 Read a pcap file from stdin and convert it into a trafgen(8) configura‐
365 tion file to stdout.
366 modprobe nlmon
368 ip link add type nlmon
369 ip link set nlmon0 up
370 netsniff-ng -i nlmon0 -o dump.pcap -s
371 ip link set nlmon0 down
372 ip link del dev nlmon0
373 rmmod nlmon
374 In this example, netlink traffic is being captured. If not already
375 done, a netlink monitoring device needs to be set up before it can be
376 used to capture netlink socket buffers (iproute2's ip(1) commands are
377 given for nlmon device setup and teardown). netsniff-ng can then make
378 use of the nlmon device as an input device. In this example a pcap file
379 with netlink traffic is being recorded.
380 netsniff-ng --fanout-group 1 --fanout-type cpu --fanout-opts defrag --bind-
382 cpu 0 --notouch-irq --silent --in em1 --out /var/cap/cpu0/ --interval
383 120sec
384 netsniff-ng --fanout-group 1 --fanout-type cpu --fanout-opts defrag --bind-
385 cpu 1 --notouch-irq --silent --in em1 --out /var/cap/cpu1/ --interval
386 120sec
387 Starts two netsniff-ng fanout instances. Both are assigned into the
388 same fanout group membership and traffic is splitted among them by
389 incoming cpu. Furthermore, the kernel is supposed to defragment possi‐
390 ble incoming fragments. First instance is assigned to CPU 0 and the
391 second one to CPU 1, IRQ bindings are not altered as they might have
392 been adapted to this scenario by the user a-priori, and traffic is cap‐
393 tured on interface em1, and written out in 120 second intervals as pcap
394 files into /var/cap/cpu0/. Tools like mergecap(1) will be able to merge
395 the cpu0/1 split back together if needed.
396
398 Files under /etc/netsniff-ng/ can be modified to extend netsniff-ng's
399 functionality:
400 * oui.conf - OUI/MAC vendor database
402 * ether.conf - Ethernet type descriptions
403 * tcp.conf - TCP port/services map
404 * udp.conf - UDP port/services map
405 * geoip.conf - GeoIP database mirrors
406
408 netsniff-ng supports both, low-level and high-level filters that are
409 attached to its packet(7) socket. Low-level filters are described in
410 the bpfc(8) man page.
411 Low-level filters can be used with netsniff-ng in the following way:
413 1. bpfc foo > bar
415 2. netsniff-ng -f bar
416 3. bpfc foo | netsniff-ng -i nlmon0 -f -
417 Here, foo is the bpfc program that will be translated into a netsniff-
419 ng readable “opcodes” file and passed to netsniff-ng through the -f
420 option.
421 Similarly, high-level filter can be either passed through the -f
423 option, e.g. -f "tcp or udp" or at the end of all options without the
424 “-f”.
425 The filter syntax is the same as in tcpdump(8), which is described in
427 the man page pcap-filter(7). Just to quote some examples from pcap-fil‐
428 ter(7):
429 host sundown
431 To select all packets arriving at or departing from sundown.
432 host helios and ˛t or ace
434 To select traffic between helios and either hot or ace.
435 ip host ace and not helios
437 To select all IP packets between ace and any host except helios.
438 net ucb-ether
440 To select all traffic between local hosts and hosts at Berkeley.
441 gateway snup and (port ftp or ftp-data)
443 To select all FTP traffic through Internet gateway snup.
444 ip and not net localnet
446 To select traffic neither sourced from, nor destined for, local hosts.
447 If you have a gateway to another network, this traffic should never
448 make it onto your local network.
449 tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet
451 To select the start and end packets (the SYN and FIN packets) of each
452 TCP conversation that involve a non-local host.
453 tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
455 To select all IPv4 HTTP packets to and from port 80, that is to say,
456 print only packets that contain data, not, for example, SYN and FIN
457 packets and ACK-only packets. (IPv6 is left as an exercise for the
458 reader.)
459 gateway snup and ip[2:2] > 576
461 To select IP packets longer than 576 bytes sent through gateway snup.
462 ether[0] & 1 = 0 and ip[16] >= 224
464 To select IP broadcast or multicast packets that were not sent via Eth‐
465 ernet broadcast or multicast.
466 icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
468 To select all ICMP packets that are not echo requests or replies (that
469 is to say, not "ping" packets).
470
472 netsniff-ng supports a couple of pcap formats, visible through ``net‐
473 sniff-ng -D'':
474 tcpdump-capable pcap (default)
476 Pcap magic number is encoded as 0xa1b2c3d4 resp. 0xd4c3b2a1. As packet
477 meta data this format contains the timeval in microseconds, the origi‐
478 nal packet length and the captured packet length.
479 tcpdump-capable pcap with ns resolution
481 Pcap magic number is encoded as 0xa1b23c4d resp. 0x4d3cb2a1. As packet
482 meta data this format contains the timeval in nanoseconds, the original
483 packet length and the captured packet length.
484 Alexey Kuznetzov's pcap
486 Pcap magic number is encoded as 0xa1b2cd34 resp. 0x34cdb2a1. As packet
487 meta data this format contains the timeval in microseconds, the origi‐
488 nal packet length, the captured packet length, the interface index
489 (sll_ifindex), the packet's protocol (sll_protocol), and the packet
490 type (sll_pkttype).
491 netsniff-ng pcap
493 Pcap magic number is encoded as 0xa1e2cb12 resp. 0x12cbe2a1. As packet
494 meta data this format contains the timeval in nanoseconds, the original
495 packet length, the captured packet length, the timestamp hw/sw source,
496 the interface index (sll_ifindex), the packet's protocol (sll_proto‐
497 col), the packet type (sll_pkttype) and the hardware type (sll_hatype).
498 For further implementation details or format support in your applica‐
500 tion, have a look at pcap_io.h.
501
503 To avoid confusion, it should be noted that there is another network
504 analyzer with a similar name, called NetSniff, that is unrelated to the
505 netsniff-ng project.
506 For introducing bit errors, delays with random variation and more while
508 replaying pcaps, make use of tc(8) with its disciplines such as netem.
509 netsniff-ng does only some basic, architecture generic tuning on
511 startup. If you are considering to do high performance capturing, you
512 need to carefully tune your machine, both hardware and software. Sim‐
513 ply letting netsniff-ng run without thinking about your underlying sys‐
514 tem might not necessarily give you the desired performance. Note that
515 tuning your system is always a tradeoff and fine-grained balancing act
516 (throughput versus latency). You should know what you are doing!
517 One recommendation for software-based tuning is tuned(8). Besides that,
519 there are many other things to consider. Just to throw you a few things
520 that you might want to look at: NAPI networking drivers, tickless ker‐
521 nel, I/OAT DMA engine, Direct Cache Access, RAM-based file systems,
522 multi-queues, and many more things. Also, you might want to read the
523 kernel's Documentation/networking/scaling.txt file regarding technolo‐
524 gies such as RSS, RPS, RFS, aRFS and XPS. Also check your ethtool(8)
525 settings, for example regarding offloading or Ethernet pause frames.
526 Moreover, to get a deeper understanding of netsniff-ng internals and
528 how it interacts with the Linux kernel, the kernel documentation under
529 Documentation/networking/{packet_mmap.txt, filter.txt, multiqueue.txt}
530 might be of interest.
531 How do you sniff in a switched environment? I rudely refer to dSniff's
533 documentation that says:
534 The easiest route is simply to impersonate the local gateway, stealing
536 client traffic en route to some remote destination. Of course, the
537 traffic must be forwarded by your attacking machine, either by enabling
538 kernel IP forwarding or with a userland program that accomplishes the
539 same (fragrouter -B1).
540 Several people have reportedly destroyed connectivity on their LAN to
542 the outside world by ARP spoofing the gateway, and forgetting to enable
543 IP forwarding on the attacking machine. Do not do this. You have been
544 warned.
545 A safer option than ARP spoofing would be to use a "port mirror" func‐
547 tion if your switch hardware supports it and if you have access to the
548 switch.
549 If you do not need to dump all possible traffic, you have to consider
551 running netsniff-ng with a BPF filter for the ingress path. For that
552 purpose, read the bpfc(8) man page.
553 Also, to aggregate multiple NICs that you want to capture on, you
555 should consider using team devices, further explained in libteam resp.
556 teamd(8).
557 The following netsniff-ng pcap magic numbers are compatible with other
559 tools, at least tcpdump or Wireshark:
560 0xa1b2c3d4 (tcpdump-capable pcap)
562 0xa1b23c4d (tcpdump-capable pcap with ns resolution)
563 0xa1b2cd34 (Alexey Kuznetzov's pcap)
564 Pcap files with different meta data endianness are supported by net‐
566 sniff-ng as well.
567
569 When replaying pcap files, the timing information from the pcap packet
570 header is currently ignored.
571 Also, when replaying pcap files, demultiplexing traffic among multiple
573 networking interfaces does not work. Currently, it is only sent via the
574 interface that is given by the --out parameter.
575 When performing traffic capture on the Ethernet interface, the pcap
577 file is created and packets are received but without a 802.1Q header.
578 When one uses tshark, all headers are visible, but netsniff-ng removes
579 802.1Q headers. Is that normal behavior?
580 Yes and no. The way VLAN headers are handled in PF_PACKET sockets by
582 the kernel is somewhat “problematic” [1]. The problem in the Linux ker‐
583 nel is that some drivers already handle VLANs, others do not. Those who
584 handle it can have different implementations, such as hardware acceler‐
585 ation and so on. So in some cases the VLAN tag is even stripped before
586 entering the protocol stack, in some cases probably not. The bottom
587 line is that a "hack" was introduced in PF_PACKET so that a VLAN ID is
588 visible in some helper data structure that is accessible from the
589 RX_RING.
590 Then it gets really messy in the user space to artificially put the
592 VLAN header back into the right place. Not to mention the resulting
593 performance implications on all of libpcap(3) tools since parts of the
594 packet need to be copied for reassembly via memmove(3).
595 A user reported the following, just to demonstrate this mess: some
597 tests were made with two machines, and it seems that results depend on
598 the driver ...
599 AR8131:
601 ethtool -k eth0 gives "rx-vlan-offload: on"
602 - wireshark gets the vlan header
603 - netsniff-ng doesn't get the vlan header
604 ethtool -K eth0 rxvlan off
605 - wireshark gets a QinQ header even though no one sent QinQ
606 - netsniff-ng gets the vlan header
607 RTL8111/8168B:
609 ethtool -k eth0 gives "rx-vlan-offload: on"
610 - wireshark gets the vlan header
611 - netsniff-ng doesn't get the vlan header
612 ethtool -K eth0 rxvlan off
613 - wireshark gets the vlan header
614 - netsniff-ng doesn't get the vlan header
615 Even if we agreed on doing the same workaround as libpcap, we still
617 will not be able to see QinQ, for instance, due to the fact that only
618 one VLAN tag is stored in the kernel helper data structure. We think
619 that there should be a good consensus on the kernel space side about
620 what gets transferred to userland first.
621 Update (28.11.2012): the Linux kernel and also bpfc(8) has built-in
623 support for hardware accelerated VLAN filtering, even though tags might
624 not be visible in the payload itself as reported here. However, the
625 filtering for VLANs works reliable if your NIC supports it. See bpfc(8)
626 for an example.
627 [1] http://lkml.indiana.edu/hypermail/linux/kernel/0710.3/3816.html
629 [2] http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html
630 [3] http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html
631
633 netsniff-ng is licensed under the GNU GPL version 2.0.
634
636 netsniff-ng was originally written for the netsniff-ng toolkit by
637 Daniel Borkmann. Bigger contributions were made by Emmanuel Roullit,
638 Markus Amend, Tobias Klauser and Christoph Jaeger. It is currently
639 maintained by Tobias Klauser <tklauser@distanz.ch> and Daniel Borkmann
640 <dborkma@tik.ee.ethz.ch>.
641
643 trafgen(8), mausezahn(8), ifpps(8), bpfc(8), flowtop(8), astracer‐
644 oute(8), curvetun(8)
645
647 Manpage was written by Daniel Borkmann.
648
650 This page is part of the Linux netsniff-ng toolkit project. A descrip‐
651 tion of the project, and information about reporting bugs, can be found
652 at http://netsniff-ng.org/.
653Linux 03 March 2013 NETSNIFF-NG(8)