1 .\" netsniff-ng - the packet sniffing beast
2 .\" Copyright 2013 Daniel Borkmann.
3 .\" Subject to the GPL, version 2.
4 .TH NETSNIFF-NG 8 "03 March 2013" "Linux" "netsniff-ng toolkit"
6 netsniff-ng \- the packet sniffing beast
10 \fBnetsniff-ng\fR { [\fIoptions\fR] [\fIfilter-expression\fR] }
14 netsniff-ng is a fast, minimal tool to analyze network packets, capture
15 pcap files, replay pcap files, and redirect traffic between interfaces
16 with the help of zero-copy packet(7) sockets. netsniff-ng uses both Linux
17 specific RX_RING and TX_RING interfaces to perform zero-copy. This is to avoid
18 copy and system call overhead between kernel and user address space. When we
19 started working on netsniff-ng, the pcap(3) library did not use this
22 netsniff-ng is Linux specific, meaning there is no support for other
23 operating systems. Therefore we can keep the code footprint quite minimal and to
24 the point. Linux packet(7) sockets and its RX_RING and TX_RING interfaces
25 bypass the normal packet processing path through the networking stack.
26 This is the fastest capturing or transmission performance one can get from user
27 space out of the box, without having to load unsupported or non-mainline
28 third-party kernel modules. We explicitly refuse to build netsniff-ng on top of
29 ntop/PF_RING. Not because we do not like it (we do find it interesting), but
30 because of the fact that it is not part of the mainline kernel. Therefore, the
31 ntop project has to maintain and sync out-of-tree drivers to adapt them to their
32 DNA. Eventually, we went for untainted Linux kernel, since its code has a higher
33 rate of review, maintenance, security and bug fixes.
35 netsniff-ng also supports early packet filtering in the kernel. It has support
36 for low-level and high-level packet filters that are translated into Berkeley
37 Packet Filter instructions.
39 netsniff-ng can capture pcap files in several different pcap formats that
40 are interoperable with other tools. It has different pcap I/O methods supported
41 (scatter-gather, mmap(2), read(2), and write(2)) for efficient to-disc capturing.
42 netsniff-ng is also able to rotate pcap files based on data size or time
43 intervals, thus, making it a useful backend tool for subsequent traffic
46 netsniff-ng itself also supports analysis, replaying, and dumping of raw 802.11
47 frames. For online or offline analysis, netsniff-ng has a built-in packet
48 dissector for the current 802.3 (Ethernet), 802.11* (WLAN), ARP, MPLS, 802.1Q
49 (VLAN), 802.1QinQ, LLDP, IPv4, IPv6, ICMPv4, ICMPv6, IGMP, TCP and UDP,
50 including GeoIP location analysis. Since netsniff-ng does not establish any
51 state or perform reassembly during packet dissection, its memory footprint is quite
52 low, thus, making netsniff-ng quite efficient for offline analysis of large
55 Note that netsniff-ng is currently not multithreaded. However, this does not
56 prevent you from starting multiple netsniff-ng instances that are pinned to
57 different, non-overlapping CPUs and f.e. have different BPF filters attached.
58 Likely that at some point in time your harddisc might become a bottleneck
59 assuming you do not rotate such pcaps in ram (and from there periodically
60 scheduled move to slower medias). You can then use mergecap(1) to transform
61 all pcaps into a single large pcap. Thus, netsniff-ng then works multithreaded
64 netsniff-ng can also be used to debug netlink traffic.
68 .SS -i <dev|pcap|->, -d <dev|pcap|->, --in <dev|pcap|->, --dev <dev|pcap|->
69 Defines an input device. This can either be a networking device, a pcap file
70 or stdin (\[lq]\-\[rq]). In case of a pcap file, the pcap type (\[lq]\-D\[rq]
71 option) is determined automatically by the pcap file magic. In case of stdin,
72 it is assumed that the input stream is a pcap file. If the pcap link type is
73 Netlink and pcap type is default format (usec or nsec), then each packet will
74 be wrapped with pcap cooked header [2].
76 .SS -o <dev|pcap|dir|cfg|->, --out <dev|pcap|dir|cfg|->
77 Defines the output device. This can either be a networking device, a pcap file,
78 a folder, a trafgen(8) configuration file or stdout (\[lq]-\[rq]). In the case of a
79 pcap file that should not have the default pcap type (0xa1b2c3d4), the additional
80 option \[lq]\-T\[rq] must be provided. If a directory is given, then, instead of a
81 single pcap file, multiple pcap files are generated with rotation based on
82 maximum file size or a given interval (\[lq]\-F\[rq] option). Optionally,
83 sending the SIGHUP signal to the netsniff-ng process causes a premature rotation
84 of the file. A trafgen configuration file can currently only be specified if the
85 input device is a pcap file. To specify a pcap file as the output device, the
86 file name must have \[lq].pcap\[rq] as its extension. If stdout is given as a
87 device, then a trafgen configuration will be written to stdout if the input
88 device is a pcap file, or a pcap file if the input device is a networking
89 device. In case if the input device is a Netlink monitor device and pcap type
90 is default (usec or nsec) then each packet will be wrapped with pcap cooked
91 header [2] to keep Netlink family number (Kuznetzov's and netsniff-ng pcap types
92 already contain family number in protocol number field).
94 .SS -C <id>, --fanout-group <id>
95 If multiple netsniff-ng instances are being started that all have the same packet
96 fanout group id, then the ingress network traffic being captured is being
97 distributed/load-balanced among these group participants. This gives a much better
98 scaling than running multiple netsniff-ng processes without a fanout group parameter
99 in parallel, but only with a BPF filter attached as a packet would otherwise need
100 to be delivered to all such capturing processes, instead of only once to such a
101 fanout member. Naturally, each fanout member can have its own BPF filters attached.
103 .SS -K <hash|lb|cpu|rnd|roll|qm>, --fanout-type <hash|lb|cpu|rnd|roll|qm>
104 This parameter specifies the fanout discipline, in other words, how the captured
105 network traffic is dispatched to the fanout group members. Options are to distribute
106 traffic by the packet hash (\[lq]hash\[rq]), in a round-robin manner (\[lq]lb\[rq]),
107 by CPU the packet arrived on (\[lq]cpu\[rq]), by random (\[lq]rnd\[rq]), by rolling
108 over sockets (\[lq]roll\[rq]) which means if one socket's queue is full, we move on
109 to the next one, or by NIC hardware queue mapping (\[lq]qm\[rq]).
111 .SS -L <defrag|roll>, --fanout-opts <defrag|roll>
112 Defines some auxiliary fanout options to be used in addition to a given fanout type.
113 These options apply to any fanout type. In case of \[lq]defrag\[rq], the kernel is
114 being told to defragment packets before delivering to user space, and \[lq]roll\[rq]
115 provides the same roll-over option as the \[lq]roll\[rq] fanout type, so that on any
116 different fanout type being used (e.g. \[lq]qm\[rq]) the socket may temporarily roll
117 over to the next fanout group member in case the original one's queue is full.
119 .SS -f, --filter <bpf-file|-|expr>
120 Specifies to not dump all traffic, but to filter the network packet haystack.
121 As a filter, either a bpfc(8) compiled file/stdin can be passed as a parameter or
122 a tcpdump(1)-like filter expression in quotes. For details regarding the
123 bpf-file have a look at bpfc(8), for details regarding a tcpdump(1)-like filter
124 have a look at section \[lq]filter example\[rq] or at pcap-filter(7). A filter
125 expression may also be passed to netsniff-ng without option \[lq]\-f\[rq] in case
126 there is no subsequent option following after the command-line filter expression.
128 .SS -t, --type <type>
129 This defines some sort of filtering mechanisms in terms of addressing. Possible
130 values for type are \[lq]host\[rq] (to us), \[lq]broadcast\[rq] (to all), \[lq]multicast\[rq] (to
131 group), \[lq]others\[rq] (promiscuous mode) or \[lq]outgoing\[rq] (from us).
133 .SS -F, --interval <size|time>
134 If the output device is a folder, with \[lq]\-F\[rq], it is possible to define the pcap
135 file rotation interval either in terms of size or time. Thus, when the interval
136 limit has been reached, a new pcap file will be started. As size parameter, the
137 following values are accepted \[lq]<num>KiB/MiB/GiB\[rq]; As time parameter,
138 it can be \[lq]<num>s/sec/min/hrs\[rq].
140 .SS -J, --jumbo-support
141 By default, in pcap replay or redirect mode, netsniff-ng's ring buffer frames
142 are a fixed size of 2048 bytes. This means that if you are expecting jumbo
143 frames or even super jumbo frames to pass through your network, then you need
144 to enable support for that by using this option. However, this has the
145 disadvantage of performance degradation and a bigger memory footprint for the
146 ring buffer. Note that this doesn't affect (pcap) capturing mode, since tpacket
147 in version 3 is used!
150 In case the input or output networking device is a wireless device, it is
151 possible with netsniff-ng to turn this into monitor mode and create a mon<X>
152 device that netsniff-ng will be listening on instead of wlan<X>, for instance.
153 This enables netsniff-ng to analyze, dump, or even replay raw 802.11 frames.
155 .SS -n <0|uint>, --num <0|uint>
156 Process a number of packets and then exit. If the number of packets is 0, then
157 this is equivalent to infinite packets resp. processing until interrupted.
158 Otherwise, a number given as an unsigned integer will limit processing.
160 .SS -P <name>, --prefix <name>
161 When dumping pcap files into a folder, a file name prefix can be defined with
162 this option. If not otherwise specified, the default prefix is \[lq]dump\-\[rq]
163 followed by a Unix timestamp. Use \[lq]\-\-prefex ""\[rq] to set filename as
164 seconds since the Unix Epoch e.g. 1369179203.pcap
166 .SS -T <pcap-magic>, --magic <pcap-magic>
167 Specify a pcap type for storage. Different pcap types with their various meta
168 data capabilities are shown with option \[lq]\-D\[rq]. If not otherwise
169 specified, the pcap-magic 0xa1b2c3d4, also known as a standard tcpdump-capable
170 pcap format, is used. Pcap files with swapped endianness are also supported.
172 .SS -D, --dump-pcap-types
173 Dump all available pcap types with their capabilities and magic numbers that
174 can be used with option \[lq]\-T\[rq] to stdout and exit.
177 If a Berkeley Packet Filter is given, for example via option \[lq]\-f\[rq], then
178 dump the BPF disassembly to stdout during ring setup. This only serves for informative
179 or verification purposes.
182 If the input and output device are both networking devices, then this option will
183 randomize packet order in the output ring buffer.
186 The networking interface will not be put into promiscuous mode. By default,
187 promiscuous mode is turned on.
189 .SS -N, --no-hwtimestamp
190 Disable taking hardware time stamps for RX packets. By default, if the network
191 device supports hardware time stamping, the hardware time stamps will be used
192 when writing packets to pcap files. This option disables this behavior and
193 forces (kernel based) software time stamps to be used, even if hardware time
194 stamps are available.
196 .SS -A, --no-sock-mem
197 On startup and shutdown, netsniff-ng tries to increase socket read and
198 write buffers if appropriate. This option will prevent netsniff-ng from doing
202 Use mmap(2) as pcap file I/O. This is the default when replaying pcap files.
205 Use scatter-gather as pcap file I/O. This is the default when capturing
209 Use slower read(2) and write(2) I/O. This is not the default case anywhere, but in
210 some situations it could be preferred as it has a lower latency on write-back
213 .SS -S <size>, --ring-size <size>
214 Manually define the RX_RING resp. TX_RING size in \[lq]<num>KiB/MiB/GiB\[rq]. By
215 default, the size is determined based on the network connectivity rate.
217 .SS -k <uint>, --kernel-pull <uint>
218 Manually define the interval in micro-seconds where the kernel should be triggered
219 to batch process the ring buffer frames. By default, it is every 10us, but it can
220 manually be prolonged, for instance.
222 .SS -b <cpu>, --bind-cpu <cpu>
223 Pin netsniff-ng to a specific CPU and also pin resp. migrate the NIC's IRQ
224 CPU affinity to this CPU. This option should be preferred in combination with
225 \[lq]\-s\[rq] in case a middle to high packet rate is expected.
227 .SS -u <uid>, --user <uid> resp. -g <gid>, --group <gid>
228 After ring setup drop privileges to a non-root user/group combination.
231 Set this process as a high priority process in order to achieve a higher
232 scheduling rate resp. CPU time. This is however not the default setting, since
233 it could lead to starvation of other processes, for example low priority kernel
236 .SS -Q, --notouch-irq
237 Do not reassign the NIC's IRQ CPU affinity settings.
240 Do not enter the packet dissector at all and do not print any packet information
241 to the terminal. Just shut up and be silent. This option should be preferred in
242 combination with pcap recording or replay, since it will not flood your terminal
243 which causes a significant performance degradation.
246 Print a less verbose one-line information for each packet to the terminal.
249 Only dump packets in hex format to the terminal.
252 Only display ASCII printable characters.
255 If geographical IP location is used, the built-in database update
256 mechanism will be invoked to get Maxmind's latest database. To configure
257 search locations for databases, the file /etc/netsniff-ng/geoip.conf contains
258 possible addresses. Thus, to save bandwidth or for mirroring of Maxmind's
259 databases (to bypass their traffic limit policy), different hosts or IP
260 addresses can be placed into geoip.conf, separated by a newline.
263 Replace each frame link header with Linux "cooked" header [3] which keeps info
264 about link type and protocol. It allows to dump and dissect frames captured
265 from different link types when -i "any" was specified, for example.
268 Be more verbose during startup i.e. show detailed ring setup information.
271 Show version information and exit.
274 Show user help and exit.
279 The most simple command is to just run \[lq]netsniff-ng\[rq]. This will start
280 listening on all available networking devices in promiscuous mode and dump
281 the packet dissector output to the terminal. No files will be recorded.
283 .SS netsniff-ng --in eth0 --out dump.pcap -s -T 0xa1e2cb12 -b 0 tcp or udp
284 Capture TCP or UDP traffic from the networking device eth0 into the pcap file
285 named dump.pcap, which has netsniff-ng specific pcap extensions (see
286 \[lq]netsniff-ng \-D\[rq] for capabilities). Also, do not print the content to
287 the terminal and pin the process and NIC IRQ affinity to CPU 0. The pcap write
288 method is scatter-gather I/O.
290 .SS netsniff-ng --in wlan0 --rfraw --out dump.pcap --silent --bind-cpu 0
291 Put the wlan0 device into monitoring mode and capture all raw 802.11 frames
292 into the file dump.pcap. Do not dissect and print the content to the terminal
293 and pin the process and NIC IRQ affinity to CPU 0. The pcap write method is
296 .SS netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 0
297 Replay the pcap file dump.pcap which is read through mmap(2) I/O and send
298 the packets out via the eth0 networking device. Do not dissect and print the
299 content to the terminal and pin the process and NIC IRQ affinity to CPU 0.
300 Also, trigger the kernel every 1000us to traverse the TX_RING instead of every
301 10us. Note that the pcap magic type is detected automatically from the pcap
304 .SS netsniff-ng --in eth0 --out eth1 --silent --bind-cpu 0 --type host -r
305 Redirect network traffic from the networking device eth0 to eth1 for traffic
306 that is destined for our host, thus ignore broadcast, multicast and promiscuous
307 traffic. Randomize the order of packets for the outgoing device and do not
308 print any packet contents to the terminal. Also, pin the process and NIC IRQ
311 .SS netsniff-ng --in team0 --out /opt/probe/ -s -m --interval 100MiB -b 0
312 Capture on an aggregated team0 networking device and dump packets into multiple
313 pcap files that are split into 100MiB each. Use mmap(2) I/O as a pcap write
314 method, support for super jumbo frames is built-in (does not need to be
315 configured here), and do not print the captured data to the terminal. Pin
316 netsniff-ng and NIC IRQ affinity to CPU 0. The default pcap magic type is
317 0xa1b2c3d4 (tcpdump-capable pcap).
319 .SS netsniff-ng --in vlan0 --out dump.pcap -c -u `id -u bob` -g `id -g bob`
320 Capture network traffic on device wlan0 into a pcap file called dump.pcap
321 by using normal read(2), write(2) I/O for the pcap file (slower but less
322 latency). Also, after setting up the RX_RING for capture, drop privileges
323 from root to the user and group \[lq]bob\[rq]. Invoke the packet dissector and print
324 packet contents to the terminal for further analysis.
326 .SS netsniff-ng --in any --filter http.bpf -B --ascii -V
327 Capture from all available networking interfaces and install a low-level
328 filter that was previously compiled by bpfc(8) into http.bpf in order to
329 filter HTTP traffic. Super jumbo frame support is automatically enabled and
330 only print human readable packet data to the terminal, and also be more
331 verbose during setup phase. Moreover, dump a BPF disassembly of http.bpf.
333 .SS netsniff-ng --in dump.pcap --out dump.cfg --silent
334 Convert the pcap file dump.pcap into a trafgen(8) configuration file dump.cfg.
335 Do not print pcap contents to the terminal.
337 .SS netsniff-ng -i dump.pcap -f beacon.bpf -o -
338 Convert the pcap file dump.pcap into a trafgen(8) configuration file and write
339 it to stdout. However, do not dump all of its content, but only the one that
340 passes the low-level filter for raw 802.11 from beacon.bpf. The BPF engine
341 here is invoked in user space inside of netsniff-ng, so Linux extensions
344 .SS cat foo.pcap | netsniff-ng -i - -o -
345 Read a pcap file from stdin and convert it into a trafgen(8) configuration
349 .SS ip link add type nlmon
350 .SS ip link set nlmon0 up
351 .SS netsniff-ng -i nlmon0 -o dump.pcap -s
352 .SS ip link set nlmon0 down
353 .SS ip link del dev nlmon0
355 In this example, netlink traffic is being captured. If not already done, a
356 netlink monitoring device needs to be set up before it can be used to capture
357 netlink socket buffers (iproute2's ip(1) commands are given for nlmon device
358 setup and teardown). netsniff-ng can then make use of the nlmon device as
359 an input device. In this example a pcap file with netlink traffic is being
362 .SS netsniff-ng --fanout-group 1 --fanout-type cpu --fanout-opts defrag --bind-cpu 0 --notouch-irq --silent --in em1 --out /var/cap/cpu0/ --interval 120sec
363 .SS netsniff-ng --fanout-group 1 --fanout-type cpu --fanout-opts defrag --bind-cpu 1 --notouch-irq --silent --in em1 --out /var/cap/cpu1/ --interval 120sec
364 Starts two netsniff-ng fanout instances. Both are assigned into the same fanout
365 group membership and traffic is splitted among them by incoming cpu. Furthermore,
366 the kernel is supposed to defragment possible incoming fragments. First instance
367 is assigned to CPU 0 and the second one to CPU 1, IRQ bindings are not altered as
368 they might have been adapted to this scenario by the user a-priori, and traffic
369 is captured on interface em1, and written out in 120 second intervals as pcap
370 files into /var/cap/cpu0/. Tools like mergecap(1) will be able to merge the cpu0/1
371 split back together if needed.
375 Files under /etc/netsniff-ng/ can be modified to extend netsniff-ng's
378 * oui.conf - OUI/MAC vendor database
379 * ether.conf - Ethernet type descriptions
380 * tcp.conf - TCP port/services map
381 * udp.conf - UDP port/services map
382 * geoip.conf - GeoIP database mirrors
386 netsniff-ng supports both, low-level and high-level filters that are
387 attached to its packet(7) socket. Low-level filters are described in
388 the bpfc(8) man page.
390 Low-level filters can be used with netsniff-ng in the following way:
393 2. netsniff-ng \-f bar
394 3. bpfc foo | netsniff-ng -i nlmon0 -f -
396 Here, foo is the bpfc program that will be translated into a netsniff-ng
397 readable \[lq]opcodes\[rq] file and passed to netsniff-ng through the \-f
400 Similarly, high-level filter can be either passed through the \-f option,
401 e.g. \-f "tcp or udp" or at the end of all options without the \[lq]\-f\[rq].
403 The filter syntax is the same as in tcpdump(8), which is described in
404 the man page pcap-filter(7). Just to quote some examples from pcap-filter(7):
407 To select all packets arriving at or departing from sundown.
409 .SS host helios and \(hot or ace\)
410 To select traffic between helios and either hot or ace.
412 .SS ip host ace and not helios
413 To select all IP packets between ace and any host except helios.
416 To select all traffic between local hosts and hosts at Berkeley.
418 .SS gateway snup and (port ftp or ftp-data)
419 To select all FTP traffic through Internet gateway snup.
421 .SS ip and not net localnet
422 To select traffic neither sourced from, nor destined for, local hosts. If you
423 have a gateway to another network, this traffic should never make it onto
426 .SS tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet
427 To select the start and end packets (the SYN and FIN packets) of each TCP
428 conversation that involve a non-local host.
430 .SS tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
431 To select all IPv4 HTTP packets to and from port 80, that is to say, print only packets
432 that contain data, not, for example, SYN and FIN packets and ACK-only packets.
433 (IPv6 is left as an exercise for the reader.)
435 .SS gateway snup and ip[2:2] > 576
436 To select IP packets longer than 576 bytes sent through gateway snup.
438 .SS ether[0] & 1 = 0 and ip[16] >= 224
439 To select IP broadcast or multicast packets that were not sent via Ethernet
440 broadcast or multicast.
442 .SS icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
443 To select all ICMP packets that are not echo requests or replies
444 (that is to say, not "ping" packets).
448 netsniff-ng supports a couple of pcap formats, visible through ``netsniff-ng \-D'':
450 .SS tcpdump-capable pcap (default)
451 Pcap magic number is encoded as 0xa1b2c3d4 resp. 0xd4c3b2a1. As packet meta data
452 this format contains the timeval in microseconds, the original packet length and
453 the captured packet length.
455 .SS tcpdump-capable pcap with ns resolution
456 Pcap magic number is encoded as 0xa1b23c4d resp. 0x4d3cb2a1. As packet meta data
457 this format contains the timeval in nanoseconds, the original packet length and
458 the captured packet length.
460 .SS Alexey Kuznetzov's pcap
461 Pcap magic number is encoded as 0xa1b2cd34 resp. 0x34cdb2a1. As packet meta data
462 this format contains the timeval in microseconds, the original packet length,
463 the captured packet length, the interface index (sll_ifindex), the packet's
464 protocol (sll_protocol), and the packet type (sll_pkttype).
467 Pcap magic number is encoded as 0xa1e2cb12 resp. 0x12cbe2a1. As packet meta data
468 this format contains the timeval in nanoseconds, the original packet length,
469 the captured packet length, the timestamp hw/sw source, the interface index
470 (sll_ifindex), the packet's protocol (sll_protocol), the packet type (sll_pkttype)
471 and the hardware type (sll_hatype).
473 For further implementation details or format support in your application,
474 have a look at pcap_io.h.
477 To avoid confusion, it should be noted that there is another network
478 analyzer with a similar name, called NetSniff, that is unrelated to
479 the netsniff-ng project.
481 For introducing bit errors, delays with random variation and more
482 while replaying pcaps, make use of tc(8) with its disciplines such
485 netsniff-ng does only some basic, architecture generic tuning on
486 startup. If you are considering to do high performance capturing,
487 you need to carefully tune your machine, both hardware and software.
488 Simply letting netsniff-ng run without thinking about your underlying
489 system might not necessarily give you the desired performance. Note
490 that tuning your system is always a tradeoff and fine-grained
491 balancing act (throughput versus latency). You should know what
494 One recommendation for software-based tuning is tuned(8). Besides
495 that, there are many other things to consider. Just to throw you
496 a few things that you might want to look at: NAPI networking drivers,
497 tickless kernel, I/OAT DMA engine, Direct Cache Access, RAM-based
498 file systems, multi-queues, and many more things. Also, you might
499 want to read the kernel's Documentation/networking/scaling.txt file
500 regarding technologies such as RSS, RPS, RFS, aRFS and XPS. Also
501 check your ethtool(8) settings, for example regarding offloading or
502 Ethernet pause frames.
504 Moreover, to get a deeper understanding of netsniff-ng internals
505 and how it interacts with the Linux kernel, the kernel documentation
506 under Documentation/networking/{packet_mmap.txt, filter.txt,
507 multiqueue.txt} might be of interest.
509 How do you sniff in a switched environment? I rudely refer to dSniff's
510 documentation that says:
512 The easiest route is simply to impersonate the local gateway, stealing
513 client traffic en route to some remote destination. Of course, the traffic
514 must be forwarded by your attacking machine, either by enabling kernel IP
515 forwarding or with a userland program that accomplishes the same
518 Several people have reportedly destroyed connectivity on their LAN to the
519 outside world by ARP spoofing the gateway, and forgetting to enable IP
520 forwarding on the attacking machine. Do not do this. You have been warned.
522 A safer option than ARP spoofing would be to use a "port mirror" function
523 if your switch hardware supports it and if you have access to the switch.
525 If you do not need to dump all possible traffic, you have to consider
526 running netsniff-ng with a BPF filter for the ingress path. For that
527 purpose, read the bpfc(8) man page.
529 Also, to aggregate multiple NICs that you want to capture on, you
530 should consider using team devices, further explained in libteam resp.
533 The following netsniff-ng pcap magic numbers are compatible with other
534 tools, at least tcpdump or Wireshark:
536 0xa1b2c3d4 (tcpdump-capable pcap)
537 0xa1b23c4d (tcpdump-capable pcap with ns resolution)
538 0xa1b2cd34 (Alexey Kuznetzov's pcap)
540 Pcap files with different meta data endianness are supported by netsniff-ng
545 When replaying pcap files, the timing information from the pcap packet
546 header is currently ignored.
548 Also, when replaying pcap files, demultiplexing traffic among multiple
549 networking interfaces does not work. Currently, it is only sent via the
550 interface that is given by the \-\-out parameter.
552 When performing traffic capture on the Ethernet interface, the pcap file
553 is created and packets are received but without a 802.1Q header. When one
554 uses tshark, all headers are visible, but netsniff-ng removes 802.1Q
555 headers. Is that normal behavior?
557 Yes and no. The way VLAN headers are handled in PF_PACKET sockets by the
558 kernel is somewhat \[lq]problematic\[rq] [1]. The problem in the Linux kernel
559 is that some drivers already handle VLANs, others do not. Those who handle it
560 can have different implementations, such as hardware acceleration and so on.
561 So in some cases the VLAN tag is even stripped before entering the protocol
562 stack, in some cases probably not. The bottom line is that a "hack" was
563 introduced in PF_PACKET so that a VLAN ID is visible in some helper data
564 structure that is accessible from the RX_RING.
566 Then it gets really messy in the user space to artificially put the VLAN
567 header back into the right place. Not to mention the resulting performance
568 implications on all of libpcap(3) tools since parts of the packet need to
569 be copied for reassembly via memmove(3).
571 A user reported the following, just to demonstrate this mess: some tests were
572 made with two machines, and it seems that results depend on the driver ...
575 ethtool \-k eth0 gives "rx-vlan-offload: on"
576 - wireshark gets the vlan header
577 - netsniff-ng doesn't get the vlan header
578 ethtool \-K eth0 rxvlan off
579 - wireshark gets a QinQ header even though no one sent QinQ
580 - netsniff-ng gets the vlan header
583 ethtool \-k eth0 gives "rx-vlan-offload: on"
584 - wireshark gets the vlan header
585 - netsniff-ng doesn't get the vlan header
586 ethtool \-K eth0 rxvlan off
587 - wireshark gets the vlan header
588 - netsniff-ng doesn't get the vlan header
590 Even if we agreed on doing the same workaround as libpcap, we still will
591 not be able to see QinQ, for instance, due to the fact that only one VLAN tag
592 is stored in the kernel helper data structure. We think that there should be
593 a good consensus on the kernel space side about what gets transferred to
596 Update (28.11.2012): the Linux kernel and also bpfc(8) has built-in support
597 for hardware accelerated VLAN filtering, even though tags might not be visible
598 in the payload itself as reported here. However, the filtering for VLANs works
599 reliable if your NIC supports it. See bpfc(8) for an example.
601 [1] http://lkml.indiana.edu/hypermail/linux/kernel/0710.3/3816.html
602 [2] http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html
603 [3] http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html
606 netsniff-ng is licensed under the GNU GPL version 2.0.
610 was originally written for the netsniff-ng toolkit by Daniel Borkmann. Bigger
611 contributions were made by Emmanuel Roullit, Markus Amend, Tobias Klauser and
612 Christoph Jaeger. It is currently maintained by Tobias Klauser
613 <tklauser@distanz.ch> and Daniel Borkmann <dborkma@tik.ee.ethz.ch>.
621 .BR astraceroute (8),
625 Manpage was written by Daniel Borkmann.
628 This page is part of the Linux netsniff-ng toolkit project. A description of the project,
629 and information about reporting bugs, can be found at http://netsniff-ng.org/.