1 <!DOCTYPE HTML PUBLIC
"-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
5 <title>netsniff-ng - manpage
</title>
7 <meta http-equiv=
"Content-Type" content=
"text/html; charset=utf-8">
8 <meta name=
"Robots" content=
"noarchive">
10 <link rel=
"Shortcut Icon" href=
"http://netsniff-ng.org/img/tiny-logo.png" type=
"image/png">
12 <style type=
"text/css">
13 dd
{ padding-bottom: 1.0em; }
16 <script type=
"text/javascript">
17 function InsertMail(mailnam
,mailsvr
,maildom
)
19 document
.write('<<a href="mailto:' + mailnam
+ '@' + mailsvr
+ '.'
20 + maildom
+ '">' + mailnam
+ '@' + mailsvr
+ '.' + maildom
+
35 <a href=
"http://netsniff-ng.org"><img src=
"http://netsniff-ng.org/img/logo.png" border=
"0" alt=
"netsniff-ng"></a>
39 <img src=
"http://netsniff-ng.org/img/logo2.png" border=
"0" alt=
"the packet sniffing beast">
46 <div xml:
lang=
"en" class=
"refentry" title=
"netsniff-ng" lang=
"en"><a id=
"id3020635"></a><div class=
"titlepage"></div><div class=
"refnamediv"><h2>Name
</h2><p>netsniff-ng — the packet sniffing beast
</p></div><div class=
"refsynopsisdiv" title=
"Synopsis"><a id=
"_synopsis"></a><h2>Synopsis
</h2><div class=
"blockquote"><blockquote class=
"blockquote"><div class=
"literallayout"><p><span class=
"emphasis"><em>netsniff-ng
</em></span> [-d netdev] [-p pcap-file] [-r pcap-file] [-i pcap-file]
<br />
47 [-f bpf-file] [-t pkt-type] [-b cpu-range] [-B cpu-range]
<br />
48 [-S ring-size] [-e regex] [-IMHQnsqlxCXNvh]
</p></div></blockquote></div></div><div class=
"refsect1" title=
"DESCRIPTION"><a id=
"_description"></a><h2>DESCRIPTION
</h2><p>netsniff-ng is is a free (GPL), performant Linux network sniffer for
49 packet inspection.
</p><p>The gain of performance is reached by
<span class=
"emphasis"><em>zero-copy
</em></span> mechanisms, so that
50 the kernel does not need to copy packets from kernelspace to userspace.
</p><p>For this purpose netsniff-ng is libpcap independent, but nevertheless
51 supports the pcap file format for capturing, replaying and performing
52 offline-analysis of pcap dumps. Furthermore we are focussing on building
53 a robust, clean and secure analyzer and utilities that complete
54 netsniff-ng as a support for penetration testing.
</p><p>netsniff-ng can be used for protocol analysis, reverse engineering and network
55 debugging.
</p></div><div class=
"refsect1" title=
"OPTIONS"><a id=
"_options"></a><h2>OPTIONS
</h2><div class=
"variablelist"><dl><dt><span class=
"term">
57 ,
</span><span class=
"term">
60 <netdev
> defines the packet capturing device. This can for instance
61 be a typical device like eth0 or wlan0. Running netsniff-ng without
62 a given device parameter, it looks for up and running networking
63 devices and selects the first device that has been found.
64 </dd><dt><span class=
"term">
66 ,
</span><span class=
"term">
67 --dump
<pcap-file
>
69 netsniff-ng stores the captured packets into the given
<pcap-file
>.
70 It understands the PCAP specification, so that dumps can be read or
71 postprocessed with other tools, too. Usually, this option should be
72 combined with --silent and --bind-cpu to win some performance.
73 </dd><dt><span class=
"term">
75 ,
</span><span class=
"term">
76 --replay
<pcap-file
>
78 The given
<pcap-file
> will be replayed via a memory mapped kernelspace
79 TX_RING. A BPF filter may be combined to only replay parts of the PCAP
81 </dd><dt><span class=
"term">
83 ,
</span><span class=
"term">
84 --read
<pcap-file
>
86 <pcap-file
> will be read in and printed to the console in order to
87 perform an offline analysis. Same here: a BPF may be combined to only
88 show relevant parts of the PCAP formatted file. Next to this, packet
89 printing that are enabled on the normal mode are supported, too.
90 </dd><dt><span class=
"term">
92 ,
</span><span class=
"term">
93 --filter
<bpf-file
>
95 Attaches a Berkeley Packet Filter to the socket in order to pre-filter
96 traffic within the kernel. Example files are given within
97 /etc/netsniff-ng/rules/. The section
<span class=
"emphasis"><em>BERKELEY PACKET FILTER
</em></span> describes
98 how to write filter files.
99 </dd><dt><span class=
"term">
101 ,
</span><span class=
"term">
102 --type
<pkt-type
>
104 A
<pkt-type
> specification allows to post-filter packets within userspace
105 context (therefore slower than BPF). The following types are supported:
106 host - only show incoming packets to our host,
107 broadcast - only show Broadcast packets,
108 multicast - only show Multicast packets,
109 others - only show packets from other hosts (promiscuous mode),
110 outgoing - only show outgoing packets from our host
111 </dd><dt><span class=
"term">
113 ,
</span><span class=
"term">
114 --bind-cpu
<cpu-range
>
116 Force system scheduler to schedule netsniff-ng only on specific CPUs.
117 Parameters may be
<span class=
"emphasis"><em>0</em></span> for using only CPU0,
<span class=
"emphasis"><em>0,
1</em></span> for using CPU0 and
118 CPU1 or even
<span class=
"emphasis"><em>0-
4</em></span> for using a whole CPU range. If you have a customized
119 init process that leaves out a special CPU you could bind netsniff-ng
120 on that free CPU for maximal performance. On the other hand, you can
121 avoid scheduling netsniff-ng on CPUs which are reserved for other
122 critical tasks. This can also be combined with taskset(
1) in order to
123 reschedule other processes on other CPUs to let netsniff-ng run on its
125 </dd><dt><span class=
"term">
127 ,
</span><span class=
"term">
128 --unbind-cpu
<cpu-range
>
130 Force system scheduler to not schedule netsniff-ng on specific CPUs.
131 The parameter syntax is equivalent to -b and also the semantics are
133 </dd><dt><span class=
"term">
135 ,
</span><span class=
"term">
136 --ring-size
<size
>
138 This manually sets the desired ring size for RX_RING or TX_RING. You
139 should only use this option, if you know what you are doing, because
140 choosing a ring size which is too large for your system, the kernel
141 does neither warn you nor throws an error. It simply kills other
142 processes to grab their space. The parameter can be defined in KB,
143 MB or GB as
<span class=
"emphasis"><em>10MB
</em></span> for a
10 Megabyte ring size.
144 </dd><dt><span class=
"term">
146 ,
</span><span class=
"term">
149 Shows information about available networking devices.
150 </dd><dt><span class=
"term">
152 ,
</span><span class=
"term">
155 Forbids the NIC to enter the promiscuous mode. The promiscuous mode is
156 activated by default. It is a configuration of a network card that makes
157 the card pass all traffic it receives to the central processing unit
158 rather than just frames addressed to it. Well, do not ask yourself why
159 you cannot see traffic by others within a switched network. Unlike old
160 hubs, switches are some kind of intelligent devices with internal ARP
161 tables for each port in order to reduce traffic load and prevent
162 sniffing other connections. If you really intent to sniff others traffic,
163 go read about ARP cache poisoning / MITM.
164 </dd><dt><span class=
"term">
166 ,
</span><span class=
"term">
169 This option prevents to automatically high priorize itself. Normally,
170 netsniff-ng will be scheduled with high priority thus it use the
172 </dd><dt><span class=
"term">
174 ,
</span><span class=
"term">
177 If netsniff-ng will be bound to a single CPU, say CPU0, then it
178 automatically rebinds the NIC interrupt affinity to that CPU, too for
179 a better performance. This feature is intended to be enabled on
180 non-wireless interfaces. notouch-irq forbids netsniff-ng to move the
182 </dd><dt><span class=
"term">
184 ,
</span><span class=
"term">
187 Lets netsniff-ng run in non-blocking mode. Generally, you won’t need
188 this feature very often unless there is some interest in performance
189 behaviour analysis. This will bypass the ring polling mechanism thus
190 CPU load will most certainly rise to
100 percent.
191 </dd><dt><span class=
"term">
193 ,
</span><span class=
"term">
196 Does not print packets to the terminal.
197 </dd><dt><span class=
"term">
199 ,
</span><span class=
"term">
202 Prints one-liner information summary per packet.
203 </dd><dt><span class=
"term">
205 ,
</span><span class=
"term">
208 Shows only the payload information of the packet.
209 </dd><dt><span class=
"term">
211 ,
</span><span class=
"term">
214 Shows only the payload information of the packet in hexadecimal format.
215 </dd><dt><span class=
"term">
217 ,
</span><span class=
"term">
220 Instead of printing packet in usual hex format, a copy-and-paste C like
221 format will be printed to the terminal.
222 </dd><dt><span class=
"term">
224 ,
</span><span class=
"term">
227 Shows not only the payload in hexadecimal format, but the whole packet.
228 </dd><dt><span class=
"term">
230 ,
</span><span class=
"term">
233 Shows only the packet header, not the payload.
234 </dd><dt><span class=
"term">
236 ,
</span><span class=
"term">
239 Regular expression printing is useful for grepping ASCII text out of
240 packets, say certain HTML code for instance. Beware, that this has a
241 impact on performance. Regular expressions that comply with the POSIX
242 extended regular expression format are allowed.
243 </dd><dt><span class=
"term">
245 ,
</span><span class=
"term">
248 Shows version number and exits.
249 </dd><dt><span class=
"term">
251 ,
</span><span class=
"term">
254 Shows help and exits.
255 </dd></dl></div></div><div class=
"refsect1" title=
"BERKELEY PACKET FILTER"><a id=
"_berkeley_packet_filter"></a><h2>BERKELEY PACKET FILTER
</h2><p>The Berkeley Packet Filter or BSD Packet Filter was first introduced in
1993
256 by Steven McCanne and Van Jacobson at the USENIX. Its purpose is to filter
257 packets within the kernel as early as possible, so that only the relevant
258 packets will be brought to the user-level process.
</p><p>The Linux kernel has adapted this feature, which nowadays is available in
259 PF_PACKET. BPF therefore uses a register-based filter-machine that is
260 efficient on todays RISCs. Since most applications of a packet filter reject
261 far more packets than they accept and, thus, good performance of the packet
262 filter is critical to good overall performance [
1]. This should also be kept
263 in mind during development of filters.
</p><p>If you don’t want to write your own filters, we currently ship some examples
264 within /etc/netsniff-ng/rules/ that can be used with netsniff-ngs -f option.
265 Furthermore
<span class=
"emphasis"><em>tcpdump -dd
</em></span> provides filter creation that netsniff-ng can read,
266 but be warned - most certainly you might need to edit the return value, which
267 defines the packet snaplen for your needs. Read section NOTES for more
268 information about this. In future versions netsniff-ng will also ship its own
269 filter compiler for a simple usage.
</p><p>If you are an advanced user and if you would like to have full control of what
270 should be filtered and what not, then writing your own filter could be a suitable
271 choice. Hence, in the following the language specification will be described
272 in short with given examples on how to use it.
</p><p>The BPF pseudo-machine consists of an accumulator, an index register (X), a
273 scratch memory store and an implicit program counter. Operations on this machine
274 can be categorized into (all the following refering to [
1]):
</p><div class=
"orderedlist"><ol class=
"orderedlist" type=
"1"><li class=
"listitem">
275 <span class=
"emphasis"><em>Load instructions:
</em></span>
276 Load instructions copy a value into the accumulator or index register. The
277 source can be an immediate value, packet data at a fixed offset, packet data
278 at a variable offset, the packet length, or the scratch memory store.
279 </li><li class=
"listitem">
280 <span class=
"emphasis"><em>Store instructions:
</em></span>
281 Store instructions copy either the accumulator or index register into the
282 scratch memory store.
283 </li><li class=
"listitem">
284 <span class=
"emphasis"><em>ALU instructions:
</em></span>
285 ALU instructions perform arithmetic or logic on the accumulator using the index
286 register or a constant as an operand.
287 </li><li class=
"listitem">
288 <span class=
"emphasis"><em>Branch instructions:
</em></span>
289 Branch instructions alter the flow of control, based on comparison test between
290 a constant or x register and the accumulator.
291 </li><li class=
"listitem">
292 <span class=
"emphasis"><em>Return instructions:
</em></span>
293 Return instructions terminate the filter and indicated what portion of the packet
294 to save. The packet is discarded entirely if the filter returns
0.
295 </li><li class=
"listitem">
296 <span class=
"emphasis"><em>Misc instructions:
</em></span>
297 Misc instructions comprise everything else - currently, register transfer
299 </li></ol></div><p>The instruction format is of fixed length that is defined as the following:
</p><pre class=
"literallayout">+-----------+------+------+------+
300 | opcode:
16 | jt:
8 | jf:
8 | k:
32 |
301 +-----------+------+------+------+
</pre><p>The opcode field indicates the instruction type and addressing modes. The jt
302 and jf fields are used by the conditional jump instructions and are the offsets
303 from the next instruction to the true and false targets. The K field is a generic
304 field used for various purposes.
</p><p>All values are
32 bit words.
</p><p>The Linux kernel has adapted this within linux/filter.h:
</p><pre class=
"literallayout">struct sock_filter { /* Filter block */
305 __u16 code; /* Actual filter code */
306 __u8 jt; /* Jump true */
307 __u8 jf; /* Jump false */
308 __u32 k; /* Generic multiuse field */
311 struct sock_fprog { /* Required for SO_ATTACH_FILTER. */
312 unsigned short len; /* Number of filter blocks */
313 struct sock_filter __user *filter;
314 };
</pre><p>The instruction set is similar to assembler syntax. There are several instruction
315 classes which are similar to the previous categorization:
</p><pre class=
"literallayout"> LD
0x00 Copy indicated value into accumulator
316 LDX
0x01 Copy indicated value into index register
317 ST
0x02 Copy accumulator value into the scratch memory store
318 STX
0x03 Copy index register value into the scratch memory store
319 ALU
0x04 Perform arithmetic or logic operation on the accumulator
320 JMP
0x05 Perform a branch instruction
321 RET
0x06 Return/exit from filter program
322 MISC
0x07 Data transfer between index register and accumulator
</pre><p>Next to classes, there are class-specific fields which are usually combined with
323 bitwise OR:
</p><p>LD/LDX specific fields:
</p><pre class=
"literallayout"> Size:
324 W
0x00 Unsigned Word (
32 Bit)
325 H
0x08 Unsigned Halfword (
16 Bit)
326 B
0x10 Unsigned Byte
</pre><pre class=
"literallayout"> Mode:
327 IMM
0x00 Literal value stored in K
328 ABS
0x20 Byte, halfword or word at offset K in the packet
329 IND
0x40 Byte, halfword or word at offset X + K in the packet
330 MEM
0x60 Word at offset K in the scratch memory store
331 LEN
0x80 Length of the packet
332 MSH
0xa0 4*([K]
&0xf): four times the value of the low four bits
333 of the byte at offset K in the packet
</pre><p>ALU/JMP operations perform the indicated operation using the accumulator and
334 operand, and store the result back into the accumulator. Division by zero
335 terminates the filter.
</p><p>ALU/JMP specific fields:
</p><pre class=
"literallayout"> Operation:
338 MUL
0x20 Multiplication
347 (Jump, to an offset by the current instruction + JT/JF +
1)
349 JA
0x00 Jump to the current instruction + K +
1
350 JEQ
0x10 Jump if K or X equals accumulator
351 JGT
0x20 Jump if K or X is greater than accumulator
352 JGE
0x30 Jump if K or X is greater or equals the accumulator
353 JSET
0x40 Jump if K or X bitwise AND the accumulator
> 0</pre><pre class=
"literallayout"> Source:
354 K
0x00 Value stored in K
355 X
0x08 Value stored in the index register
</pre><p>RET specific fields:
</p><pre class=
"literallayout"> Return val:
356 A
0x10 Value stored in the accumulator
357 K
0x00 Value stored in K
358 X
0x08 Value stored in the index register
</pre><p>The index register cannot use the packet addressing modes. Instead, a packet
359 value must be loaded into the accumulator and transferred to the index
360 register, via tax. This is not a common occurrence, as the index register is
361 used primarily to parse the variable length IP header, which can be loaded
362 directly via the
4*([k]
&0xf) addressing mode.
</p><p>MISC specific fields:
</p><pre class=
"literallayout"> Operation:
363 TAX
0x00 Transfer value from accumulator into index register
364 TXA
0x80 Transfer value from index register to accumulator
</pre><p>Example filter:
</p><p>netsniff-ngs filter parser treats all lines that doesn’t match a format of
365 <span class=
"emphasis"><em>{
0xYY, X, X,
0xYYYYYYYY },
</em></span> (X: decimal value, Y: hex value) as comments.
</p><p>/etc/netsniff-ng/rules/arp.bpf:
</p><pre class=
"literallayout">1: {
0x28,
0,
0,
0x0000000c },
366 2: {
0x15,
0,
1,
0x00000806 },
367 3: {
0x06,
0,
0,
0xffffffff },
368 4: {
0x06,
0,
0,
0x00000000 },
</pre><p>The first instruction line is a load instruction, because we have LD|H|ABS which
369 results in
0x28. So the
16 Bit valued halfword at the packet offset
0xc will be
370 copied into the accumulator. This is the Ethernet type field. Instruction line
2
371 belongs to the class JMP, more specific JMP|JEQ and takes the value which is stored
372 in K (
0x806, the Ethernet type identifier for ARP). If
0x806 equals the value that
373 has been loaded into the accumulator, the instruction pointer points to the current
374 instruction plus jt value (which is
0) plus
1. So we end up at instruction line
3,
375 which is the return opcode as RET|K. By using
0xffffffff as K, we tell the kernel
376 that we would like to have a packet snaplen of
0xffffffff, which means that we end
377 up with the complete (
<span class=
"emphasis"><em>uncut
</em></span>) packet.
0xffffffff will be replaced by the real packet
378 length if the kernel detects packets less than a length of
0xffffffff. Well, on the
379 other hand we would trap into the jf value if we don’t have an ARP packet. There, the
380 instruction pointer will point to line
4 where we tell the kernel to drop the packet.
381 The length of
0 simply means: Do not hand over the packet to the BPF attached socket.
</p><p>In pretty-print this filter looks like:
</p><pre class=
"literallayout">(
000) ldh [
12]
382 (
001) jeq #
0x806 jt
2 jf
3
384 (
003) ret #
0</pre><p>Source: [
1]
<a class=
"ulink" href=
"http://www.tcpdump.org/papers/bpf-usenix93.pdf" target=
"_top">http://www.tcpdump.org/papers/bpf-usenix93.pdf
</a></p></div><div class=
"refsect1" title=
"BARE-METAL PERFORMANCE"><a id=
"_bare_metal_performance"></a><h2>BARE-METAL PERFORMANCE
</h2><p>This section will provide some figures about the performance of the RX_RING
385 and TX_RING. An IBM HS21 Blade with
2 x Intel Xeon E5430 (
2.66GHz),
8 GB RAM,
386 Broadcom NetXtreme BCM5704S Gigabit Ethernet cards and a
2.6.31-
14 kernel
387 (Ubuntu Server
9.10) has been used for testing purpose. The IXIA
400 has been
388 used on the opposite side for traffic generation (Gigabit wire speed).
389 Date:
17 Sep
2010.
</p><p>TX_RING,
1GbE:
</p><p>The test was about flushing as much frames as possible of a fixed size. The
390 IXIA was the counterpart that showed the incoming figures. Figures have been
391 rounded to thousands.
</p><pre class=
"literallayout">Pkt size, TX_RING pps
398 1,
500 82,
000</pre><p>RX_RING,
1GbE:
</p><p>The test included the reception of frames into the ring buffer, a counter
399 increment per frame and the summation of the frame length. Figures have been
400 rounded to thousands.
</p><pre class=
"literallayout">64-Byte fixed
401 Pkt rate (IXIA), % of BW, RX_RING pps
403 175,
000 11.76 175,
000
404 250,
000 16.80 250,
000
405 500,
000 33.60 338,
000
406 1,
000,
000 67.20 354,
000
407 1,
488,
000 100.00 303,
000</pre><pre class=
"literallayout">250-Byte fixed
408 Pkt rate (IXIA), % of BW, RX_RING pps
409 100,
000 21.60 100,
000
410 175,
000 37.80 175,
000
411 250,
000 54.00 244,
000
412 463,
000 100.00 381,
000</pre><pre class=
"literallayout">500-Byte fixed
413 Pkt rate (IXIA), % of BW, RX_RING pps
414 100,
000 41.60 100,
000
415 175,
000 72.80 169,
000
416 240,
000 100.00 226,
000</pre><pre class=
"literallayout">1,
500-Byte fixed
417 Pkt rate (IXIA), % of BW, RX_RING pps
418 82,
000 100.00 82,
000</pre><pre class=
"literallayout">IMIX distribution (
64:
7,
570:
4,
1518:
1)
419 Pkt rate (IXIA), % of BW, RX_RING pps
420 100,
000 29.99 100,
000
421 175,
000 52.35 175,
000
422 250,
000 74.80 240,
000
423 334,
000 100.00 303,
000</pre><pre class=
"literallayout">Tolly distribution (
64:
55,
78:
5,
576:
17,
1518:
23)
424 Pkt rate (IXIA), % of BW, RX_RING pps
425 100,
000 40.50 100,
000
426 175,
000 70.90 174,
000
427 247,
000 100.00 193,
000</pre></div><div class=
"refsect1" title=
"EXAMPLES"><a id=
"_examples"></a><h2>EXAMPLES
</h2><p>Dump packets on eth0 into a file:
</p><pre class=
"literallayout">netsniff-ng --dev eth0 --dump out.pcap --silent --bind-cpu
0</pre><p>Replay a PCAP file via eth0:
</p><pre class=
"literallayout">netsniff-ng --dev eth0 --replay out.pcap --bind-cpu
0</pre><p>Only show ICQ related packets:
</p><pre class=
"literallayout">netsniff-ng --filter /etc/netsniff-ng/rules/icq.bpf
</pre><p>Show only packet headers of a PCAP file:
</p><pre class=
"literallayout">netsniff-ng --read out.pcap --no-payload
</pre><p>Show only packets that match a regular expression:
</p><pre class=
"literallayout">netsniff-ng --regex
"foo.*bar"</pre><p>Show only outgoing packets in hex format from wlan0:
</p><pre class=
"literallayout">netsniff-ng --dev wlan0 --all-hex --type outgoing
</pre></div><div class=
"refsect1" title=
"NOTES"><a id=
"_notes"></a><h2>NOTES
</h2><p>If you try to create custom socket filters with
<span class=
"emphasis"><em>tcpdump -dd
</em></span>, you have
428 to edit the
<span class=
"emphasis"><em>ret
</em></span> opcode of the resulting filter, otherwise your payload
429 will be cut off:
</p><p>0x6,
0,
0,
0xFFFFFFFF instead of
0x6,
0,
0,
0x00000060</p><p>The Linux kernel now takes skb→len instead of
0xFFFFFFFF. If you do not
430 change it, the kernel will take
0x00000060 as buffer length and packets
431 larger than
96 Byte will be cut off (filled with zero Bytes)!
</p><p>Read
<a class=
"ulink" href=
"http://dev.netsniff-ng.org/#4" target=
"_top">http://dev.netsniff-ng.org/#
4</a> for further technical details.
</p></div><div class=
"refsect1" title=
"LICENSE"><a id=
"_license"></a><h2>LICENSE
</h2><p>This program is distributed under the terms of the GNU General Public
432 License as published by the Free Software Foundation. See COPYING
433 for details on the License and the lack of warranty.
</p></div><div class=
"refsect1" title=
"AVAILABILITY"><a id=
"_availability"></a><h2>AVAILABILITY
</h2><p>The latest version of this program can be found at
434 <a class=
"ulink" href=
"http://pub.netsniff-ng.org/netsniff-ng/" target=
"_top">http://pub.netsniff-ng.org/netsniff-ng/
</a>.
</p></div><div class=
"refsect1" title=
"BUGS"><a id=
"_bugs"></a><h2>BUGS
</h2><p>Bugs, what bugs? ;-)
435 Okay, seriously …
</p><p>The TX_RING is part of the kernel since
2.6.31. Needs kind of a compatibility
436 mode for older kernels.
</p><p>Currently, we don’t have a BPF compiler built-in, so that either the user needs
437 to use filter definitions from /etc/netsniff-ng/rules, tcpdump -dd or write his
438 own filter by hand.
</p><p>Please send problems, bugs, questions, desirable enhancements, etc. to
439 <a class=
"ulink" href=
"mailto:bugs@netsniff-ng.org" target=
"_top">bugs@netsniff-ng.org
</a>.
</p></div><div class=
"refsect1" title=
"GIT"><a id=
"_git"></a><h2>GIT
</h2><p>git clone git://repo.or.cz/netsniff-ng.git
</p></div><div class=
"refsect1" title=
"AUTHOR"><a id=
"_author"></a><h2>AUTHOR
</h2><p>netsniff-ng was originally written by Daniel Borkmann (
<a class=
"ulink" href=
"mailto:daniel@netsniff-ng.org" target=
"_top">daniel@netsniff-ng.org
</a>).
</p><p>Current authors:
</p><p>Daniel Borkmann (
<a class=
"ulink" href=
"mailto:daniel@netsniff-ng.org" target=
"_top">daniel@netsniff-ng.org
</a>),
440 Emmanuel Roullit (
<a class=
"ulink" href=
"mailto:emmanuel@netsniff-ng.org" target=
"_top">emmanuel@netsniff-ng.org
</a>)
</p><p><a class=
"ulink" href=
"http://www.netsniff-ng.org/" target=
"_top">http://www.netsniff-ng.org/
</a></p><p>The manpage has been written by Daniel Borkmann.
</p></div><div class=
"refsect1" title=
"SEE ALSO"><a id=
"_see_also"></a><h2>SEE ALSO
</h2><p>bpf(
4), pcap(
3), tcpdump(
8)
</p></div><div class=
"refsect1" title=
"IN HONOREM"><a id=
"_in_honorem"></a><h2>IN HONOREM
</h2><p>To my alma mater:
</p><div class=
"blockquote"><blockquote class=
"blockquote"><div class=
"literallayout"><p>Leipzig University of Applied Science,
<br />
441 Faculty of Computer Science, Mathematics and Natural Sciences
</p></div></blockquote></div></div></div>
444 <a href=
"http://www.debian.org/"><img src=
"http://netsniff-ng.org/img/debian.png" border=
"0" alt=
"powered by Debian"></a>
445 <a href=
"http://www.vim.org/"><img src=
"http://netsniff-ng.org/img/vim.png" border=
"0" alt=
"powered by vim"></a>
446 <a href=
"http://www.anybrowser.org/campaign/"><img src=
"http://netsniff-ng.org/img/vt100.gif" border=
"0" alt=
"best viewed with vt100"></a>
447 <a href=
"http://eupat.ffii.org/"><img src=
"http://netsniff-ng.org/img/no_epatent.png" border=
"0" alt=
"no epatents"></a>
448 <a href=
"http://www.laquadrature.net/"><img src=
"http://netsniff-ng.org/img/qdn.png" border=
"0" alt=
"qdn"></a>
454 <table border=
"0" width=
"90%">
457 <address>Copyright (C)
2009,
2010 <a href=
"http://daniel.netsniff-ng.org">Daniel Borkmann
</a>
458 <script type=
"text/javascript">InsertMail("daniel", "netsniff-ng", "org");</script>
461 <a href=
"http://emmanuel.netsniff-ng.org">Emmanuel Roullit
</a>
462 <script type=
"text/javascript">InsertMail("emmanuel", "netsniff-ng", "org");</script>