This FAQ is copied from the FAQ on our website:

Q: What is netsniff-ng?
A: netsniff-ng is a free, performant Linux network analyzer and

Q: What are the main goals?
A: netsniff-ng's main goal is to be a high-performance network toolkit that
focuses on usability, robustness and functionality. Its aim is to support
the daily work of networking engineers, developers, admins or Linux
users by providing support with or in network monitoring, protocol
analysis, reverse engineering, network debugging and penetration testing.

Q: I like your project. Can I donate something?
A: Sure, we're always happy to hear that. If you think this software is
good, then please consider donating your money to the Tibet Foundation
instead of to us and help the Tibetan people. For non-money stuff, we'd
prefer hardware like servers, switches, routers, access points, specific
NICs or wireless cards or other (also exotic) kinds of embedded systems
in order to do research, test our software and integrate new features.
You are welcome to leave us a short message at <workgroup@netsniff-ng.org>.

Q: How can I be notified of new releases?
A: New releases will be announced on Freshmeat. We have a project page there
where you can subscribe.

Q: Is there a mailing list?
A: Yes, of course there is. It's a moderated mailing list on GoogleGroups
where you can add yourself and post your questions to
<netsniff-ng@googlegroups.com>.

Q: Is there an IRC channel?
A: Sometimes we're reachable via #netsniff-ng, which is located at Freenode.

Q: Do you have a blog? Is there an RSS feed for your blog?
A: Yes, it's http://dev.netsniff-ng.org/ and yep, it's here:
http://netsniff-ng.org/dev.rss

Q: Can you change the design of your blog?

Q: Why can't I post comments to your blog?
A: Because you can't. Moderating all those comments costs too much time that
we could also spend on development. If you'd like to discuss certain
issues, then use our mailing list.

Q: Is there commercial support?

Q: How good is the throughput of RX_RING/TX_RING?
A: Have a look at our benchmark (online).

Q: Are the statistics generated by ifpps 'reliable'?
A: Yes. The figures are extracted from the kernel directly, so this is what
the kernel gets to see. There is no sniffing or other stuff to generate
these figures - it's pure kernelland.

Q: What's a primer document and why should I read it first?
A: It's netsniff-ng's manpage. The manpage is shipped with the latest stable
netsniff-ng release. Everything that needs to be known for using
netsniff-ng is documented within this manpage.

Q: What platforms are supported?
A: Currently only operating systems running on Linux kernels with
CONFIG_PACKET_MMAP enabled. This feature can be found even back in the
days of 2.4 kernels. Most operating systems ship pre-compiled kernels
that have this config option enabled, and even the latest kernel versions
got rid of this option and have this functionality built in. However,
we recommend a kernel >= 2.6.31, because it has the built-in TX_RING

Q: What libraries are required?

Q: What version of netsniff-ng should I use?
A: That depends. If you prefer to use the latest features, use the version
that is marked as -next on the frontpage. The source is available via
tarball. Otherwise there is a stable version that is usually recommended.

Q: Can netsniff-ng read network dumps of Wireshark or others and vice versa?
A: Yes, if the dumps are formatted as pcap files. This is the default on
Wireshark, for instance. On the other hand, Wireshark can also read

Q: How can I create Berkeley Packet Filters?
A: If you want to run netsniff-ng in combination with -f or --filter <file>,
you need to build a so-called Berkeley Packet Filter program within a
plaintext file (here, marked as: <file>). The Berkeley Packet Filter
language description can be obtained from netsniff-ng's documentation
section or from netsniff-ng's manpage. One way to create a custom filter
for the non-lazy people is to hack the opcodes by hand according to the
specification. In this case you have all the freedom to build your
filters for your needs. The alternative way is to use tcpdump's -dd
option. Simply pipe the output into a text file and pass this to
Furthermore, we already ship some common filters and we are planning our
own filter compiler! Most distributions put these files into
/etc/netsniff-ng/rules/.

Q: I've created a custom Berkeley Packet Filter program with tcpdump, but
netsniff-ng cuts the packet payload?
A: If you try to create custom socket filters with tcpdump -dd, you have to
edit the ret opcode (0x6) of the resulting filter, otherwise your payload
0x6, 0, 0, 0xFFFFFFFF instead of 0x6, 0, 0, 0x00000060
The Linux kernel now takes skb->len instead of 0xFFFFFFFF. If you do not
change it, the kernel will take 0x00000060 as the buffer length and packets
larger than 96 bytes will be cut off (filled with zero bytes)! It's a bug
in libpcap's filter compiler. Detailed information about this issue can
be found on our blog post.
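The following Python script is an added example, not code from the netsniff-ng project or from this FAQ. It walks through the two answers above: it parses the C-array style text that tcpdump -dd prints, reports at how many bytes the accepting "ret #k" instruction would truncate packets, rewrites that k to 0xFFFFFFFF (which the kernel clamps to skb->len, i.e. the whole packet) while leaving the rejecting "ret #0" untouched, and prints the program back in the same format so it can be saved as the <file> handed to netsniff-ng -f. The sample filter text is constructed here to mirror what tcpdump -dd 'ip' emits with the old 96-byte snaplen; the function names are assumptions for this example and are not identifiers of netsniff-ng, tcpdump or libpcap.

```python
import re

# Constructed sample: the C-array style text that `tcpdump -dd 'ip'` prints.
# Instruction 2 is the accepting "ret #96" (0x60) that causes the truncation
# described in the FAQ; instruction 3 is the rejecting "ret #0".
SAMPLE_TCPDUMP_DD = """\
{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 1, 0x00000800 },
{ 0x6, 0, 0, 0x00000060 },
{ 0x6, 0, 0, 0x00000000 },
"""

# One classic BPF instruction per line: { code, jt, jf, k }
INSN_RE = re.compile(
    r"\{\s*(0x[0-9a-fA-F]+|\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(0x[0-9a-fA-F]+|\d+)\s*\}"
)

BPF_RET_K = 0x06           # BPF_RET | BPF_K: "ret #k" -> accept k bytes (k == 0 drops)
WHOLE_PACKET = 0xFFFFFFFF  # the kernel clamps this to skb->len


def parse_dd(text):
    """Parse tcpdump -dd output into a list of (code, jt, jf, k) tuples."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.search(line)
        if m:
            code, jt, jf, k = (int(field, 0) for field in m.groups())
            insns.append((code, jt, jf, k))
    return insns


def accepted_length(insns):
    """Smallest non-zero 'ret #k': the most bytes an accepted packet can keep.

    Returns None when the program never accepts anything.
    """
    lengths = [k for code, _, _, k in insns if code == BPF_RET_K and k != 0]
    return min(lengths) if lengths else None


def fix_ret_length(insns):
    """Copy of insns where every accepting 'ret #k' returns WHOLE_PACKET.

    Rejecting returns (k == 0) are left alone so the filter logic is
    unchanged; only the captured length changes.
    """
    return [
        (code, jt, jf, WHOLE_PACKET if code == BPF_RET_K and k != 0 else k)
        for code, jt, jf, k in insns
    ]


def format_dd(insns):
    """Render instructions back in tcpdump -dd's C-array style, one per line."""
    return "".join("{ 0x%x, %d, %d, 0x%08x },\n" % insn for insn in insns)


if __name__ == "__main__":
    prog = parse_dd(SAMPLE_TCPDUMP_DD)
    print("before: accepted packets truncated at %d bytes" % accepted_length(prog))
    fixed = fix_ret_length(prog)
    print("after:  ret returns 0x%08x (clamped to skb->len)" % accepted_length(fixed))
    # Save this text as the <file> passed to netsniff-ng -f / --filter <file>.
    print(format_dd(fixed), end="")
```

Run it with tcpdump's real output piped through stdin instead of the constructed sample to convert a filter in one go; the rejecting ret stays 0, so which packets match is unchanged and only the snapshot length grows to the full packet.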

Q: How do I sniff in a switched environment?
A: I rudely refer to the dSniff documentation that says:
The easiest route is simply to impersonate the local gateway, stealing
client traffic en route to some remote destination. Of course, the
traffic must be forwarded by your attacking machine, either by enabling
kernel IP forwarding or with a userland program that accomplishes the
same (fragrouter -B1).
Several people have reportedly destroyed connectivity on their LAN to
the outside world by arpspoof'ing the gateway, and forgetting to enable
IP forwarding on the attacking machine. Don't do this. You have been

Q: Can I run netsniff-ng as a normal user?
A: No, you need to be root on your box in order to run netsniff-ng.

Q: What's the license of netsniff-ng?
A: It's the GNU GPL, version 2. See COPYING.

Q: Can you change your license, e.g. to BSD, or have you ever considered it?
A: Nope. Live with it!

Q: Can I use netsniff-ng commercially?
A: Yep, if you mean "I work for a commercial organization and I'd like to
use netsniff-ng for capturing and analyzing network traffic in our
company's networks or in our customers' networks.".
It depends, if you mean "Can I use netsniff-ng as a part of my commercial
product?". See below.

Q: Can I use netsniff-ng as a part of my commercial product?
A: As long as your commercial product then stays compatible with the GNU GPL,
version 2, it should be no problem. Have a look at the frequently
asked questions of gnu.org in order to clarify your questions.

Q: How much does netsniff-ng cost?
A: netsniff-ng is "free software"; you can download it without paying any
license fee. The version of netsniff-ng you download isn't a "demo"
version, with limitations not present in a "full" version; it is the
full version. And the good thing is: it will always stay that way!
netsniff-ng is licensed under the GNU GPL, version 2. Read more about

Q: Really, then why are you doing this?
A: For the fun and freedom of contributing to the open source community.

Q: Do you have release cycles?
A: No, we don't. We used to, but since netsniff-ng is a spare-time project
and sometimes there's lots of other stuff to do and sometimes not, we
think we are more flexible this way without making hard deadline
promises. Nevertheless, netsniff-ng is a long-term project, so even if
there are hard times of months without pushing to Git, there will be others
with the opposite situation. We think netsniff-ng is useful for our daily
network engineering work and research and we will do our best that it
stays this way! This should be your take-home message! ;-)

Q: Can you add feature xy to netsniff-ng?
A: Well, that depends. If it's a good feature and you make us think that
adding it would make sense, then why not. You are also free to discuss
this specific feature with us and post a patch.

Q: Are there other source repositories than on your homepage?
A: No! Only the repositories stated on our homepage are official ones!

Q: Is your GoogleCode page still up to date?
A: No, it isn't. We completely moved to repo.or.cz and do not use any of
the functionality from GoogleCode. Please consider our repo.or.cz page
http://repo.or.cz/w/netsniff-ng.git as our official repository.

Q: Can I participate in the development of netsniff-ng?
A: Sure, we'd be happy about that. Send us your ideas or code and we're
going to evaluate and probably integrate it. Have a look at the HACKING
file. The release Git repository is located at
http://repo.or.cz/w/netsniff-ng.git, so you are free to clone and hack.

Q: How do I post a patch?
A: Have a look at the HACKING file of netsniff-ng's source for further

A: Have a look at the Git documentation at
http://www.kernel.org/pub/software/scm/git/docs/.

Q: Will you ship a GUI like Wireshark?
A: Probably not, at least this is not our main interest. netsniff-ng is
intended to run on any Linux box, including the ones without graphical
user interfaces, so that you are able to run netsniff-ng on your server

Q: Will you support the future pcapng (so-called 'PCAP Next Generation Dump
File Format') format?
A: Yes, we're planning it.

Q: Do you plan some fancy version other than kernelspace RX_RING/TX_RING?
A: We're experimenting with our own kernelspace zero-copy mechanism and also
enhancements of PACKET_MMAP. Nevertheless, the official netsniff-ng
version will have the kernel-supported packet mmap, as is. If our
findings really outperform the RX_RING/TX_RING and are worth publishing,
then it will be shipped as a patch and contributed to netdev.

Q: Will you support the PF_RING from the ntop project?
A: Well, no. There are two reasons for this: The first reason is that it's not
part of the mainline kernel. An interesting discussion about getting
PF_RING into the kernel can be found at the netdev lists
(http://lists.openwall.net/netdev/2009/10/14/37) and obviously there are
no further efforts (browse the netdev/LKML) from the ntop project to
merge both architectures or add features to PF_PACKET. The second reason is
that we've evaluated PF_RING (without the commercial Direct NIC
Access [DNA]) regarding its performance and came to the conclusion that
there is no significant performance enhancement (see benchmarks). ntop's
DNA ships its own versions of some modified device drivers like Broadcom's
tg3 and NetXtreme, Intel's e1000(e), igb and ixgbe. Since these
modifications are not official, neither to the kernel nor to the vendors,
and cover only a small amount of what is out there, we're not doing
further investigations at the moment.

Q: What's the future of netsniff-ng's server?
A: We plan to remove the -D from netsniff-ng and we're heading towards a
real daemon. What is real? Well, we don't want to mix the actual tool
with daemon code, so we plan to outsource it from netsniff-ng.c and
build a netsniff-ngd.c. The daemon itself will then be able to run on
your router box and analyse traffic. We already have some special
features in mind. ;-)

Q: Are you also maintaining distribution-specific packages?
A: Yes, but only for Debian GNU/Linux, which then automatically gets updated
in some other distros like GRML. People that maintain netsniff-ng in other
distributions are listed within the CREDITS file.

Q: Will you port netsniff-ng to Windows?
A: No, at least we are not doing this! Windows is a proprietary environment
and restricts your freedom. Have a look at the FSF site for more
information if you don't know what this means. Besides that? Honestly, who
voluntarily wants to use Windows?

Q: Will you port netsniff-ng to *BSD?
A: Could be possible in the future.

Q: Do you have your own personal devel trees? Which one should I patch against?
A: Yes, we have. Emmanuel's devel tree is at http://github.com/eroullit/netsniff-ng/
and Daniel's devel tree can be found at http://repo.or.cz/w/netsniff-ng.git.
Unless otherwise clarified, you normally patch against the tree stated on
our website, which is http://repo.or.cz/w/netsniff-ng.git.

Q: Why don't you answer my mails? Isn't that rude?
A: No, it isn't rude. We're focusing on answering every mail, but in some
rare cases it's mostly because of sheer lack of time to answer each email
that gets sent to us. Furthermore, some hints for writing good e-mails
can be found in RFC 2635 and RFC 1855.

Q: How do you pronounce netsniff-ng?
A: $ flite -o play -t "netsniff n g"

Q: Do you have netsniff-ng t-shirts?

Q: I've got some artwork for you!?
A: Great! We'd very much like to see it. Please mail it to us ;-)