1 <!DOCTYPE HTML PUBLIC
"-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
5 <title>netsniff-ng - frequently asked questions
</title>
7 <meta http-equiv=
"Content-Type" content=
"text/html; charset=utf-8">
8 <meta name=
"Robots" content=
"noarchive">
10 <link rel=
"Shortcut Icon" href=
"http://netsniff-ng.org/img/tiny-logo.png" type=
"image/png">
11 <link type=
"text/css" rel=
"stylesheet" media=
"screen" href=
"style.css" />
13 <script type=
"text/javascript">
14 function InsertMail(mailnam
,mailsvr
,maildom
)
16 document
.write('<<a href="mailto:' + mailnam
+ '@' + mailsvr
+ '.'
17 + maildom
+ '">' + mailnam
+ '@' + mailsvr
+ '.' + maildom
+
24 <a href=
"https://github.com/gnumaniacs/netsniff-ng"><img style=
"position: absolute; top: 0; right: 0; border: 0;" src=
"https://s3.amazonaws.com/github/ribbons/forkme_right_white_ffffff.png" alt=
"Fork me on GitHub"></a>
30 <a href=
"http://netsniff-ng.org"><img src=
"http://netsniff-ng.org/img/logo.png" border=
"0" alt=
"netsniff-ng"></a>
34 <img src=
"http://netsniff-ng.org/img/logo2.png" border=
"0" alt=
"the packet sniffing beast">
40 <h2>Frequently asked questions (FAQ)
</h2>
42 If your question is not answered here, please consult our mailing list.
43 <h3>General questions
</h3>
45 <li><a href=
"#g0">What is netsniff-ng?
</a></li>
46 <li><a href=
"#g1">What are the main goals?
</a></li>
47 <li><a href=
"#g2">I like your project. Can I donate something?
</a></li>
48 <li><a href=
"#g3">How can I be notified of new releases?
</a></li>
49 <li><a href=
"#g4">Is there a mailing list?
</a></li>
50 <li><a href=
"#g5">Is there an IRC channel?
</a></li>
51 <li><a href=
"#g6">Do you have a blog? Is there a RSS feed for your blog?
</a></li>
52 <li><a href=
"#g7">Can you change the design of your blog?
</a></li>
53 <li><a href=
"#g8">Why can't I post comments to your blog?
</a></li>
54 <li><a href=
"#g9">Is there a commercial support?
</a></li>
55 <li><a href=
"#g10">How good is the throughput of RX_RING/TX_RING?
</a></li>
56 <li><a href=
"#g11">Are the statistics generated by ifpps 'reliable'?
</a></li>
59 <h3>Usage questions
</h3>
61 <li><a href=
"#u0">What's a primer document and why should I read it first?
</a></li>
62 <li><a href=
"#u1">What platforms are supported?
</a></li>
63 <li><a href=
"#u2">What libraries are required?
</a></li>
64 <li><a href=
"#u3">What version of netsniff-ng should I use?
</a></li>
65 <li><a href=
"#u4">Can netsniff-ng read network dumps of Wireshark or others and vice versa?
</a></li>
66 <li><a href=
"#u5">How can I create Berkeley Packet Filters?
</a></li>
67 <li><a href=
"#u6">I've created a custom Berkeley Packet Filter program with tcpdump, but netsniff-ng cuts the packet payload?
</a></li>
68 <li><a href=
"#u7">How do I sniff in a switched environment?
</a></li>
69 <li><a href=
"#u8">Can I run netsniff-ng as a normal user?
</a></li>
72 <h3>Licensing questions
</h3>
74 <li><a href=
"#l0">What's the license of netsniff-ng?
</a></li>
75 <li><a href=
"#l1">Can you change your license e.g. to BSD or have you ever considered it?
</a></li>
76 <li><a href=
"#l2">Can I use netsniff-ng commercially?
</a></li>
77 <li><a href=
"#l3">Can I use netsniff-ng as a part of my commercial product?
</a></li>
78 <li><a href=
"#l4">How much does netsniff-ng cost?
</a></li>
79 <li><a href=
"#l5">Really, then why are you doing this?
</a></li>
82 <h3>Development questions
</h3>
84 <li><a href=
"#d0">Do you have release cycles?
</a></li>
85 <li><a href=
"#d1">Can you add feature xy to netsniff-ng?
</a></li>
86 <li><a href=
"#d2">Are there other source repositories than on your homepage?
</a></li>
87 <li><a href=
"#d3">Is your GoogleCode page still up to date?
</a></li>
88 <li><a href=
"#d4">Can I participate in the development of netsniff-ng?
</a></li>
89 <li><a href=
"#d5">How do I post a patch?
</a></li>
90 <li><a href=
"#d6">How do I use Git?
</a></li>
91 <li><a href=
"#d8">Will you ship a GUI like Wireshark?
</a></li>
92 <li><a href=
"#d9">Will you support the future pcapng (so called 'PCAP Next Generation Dump File Format') format?
</a></li>
93 <li><a href=
"#d10">Do you plan some fancy version other than kernelspace RX_RING/TX_RING?
</a></li>
94 <li><a href=
"#d11">Will you support the PF_RING from the ntop project?
</a></li>
95 <li><a href=
"#d13">Are you also maintaining distribution specific packages?
</a></li>
96 <li><a href=
"#d14">Will you port netsniff-ng to Windows?
</a></li>
97 <li><a href=
"#d15">Will you port netsniff-ng to *BSD?
</a></li>
98 <li><a href=
"#d16">Do you have your own devel trees? Which one should I patch against?
</a></li>
99 <li><a href=
"#d17">Are you adding more tools to the toolkit?
</a></li>
102 <h3>Misc questions
</h3>
104 <li><a href=
"#m0">Why don't you answer my mails? Isn't that rude?
</a></li>
105 <li><a href=
"#m1">How do you pronounce netsniff-ng?
</a></li>
106 <li><a href=
"#m2">Do you have netsniff-ng t-shirts?
</a></li>
107 <li><a href=
"#m3">I've got some artwork for you!?
</a></li>
114 <h3><a name=
"g0">What is netsniff-ng?
</a></h3>
117 netsniff-ng is a high performance Linux network sniffer for packet inspection. The project started during my B. Sc. thesis at the Max Planck Institute and continued to grow into a useful toolkit ever since. At the time of its initial development, the famous libpcap library did not support the zero-copy extensions of the Linux kernel. Therefore, I closed this gap by developing a sniffer that had a significantly better performance than existing ones that used libpcap.
122 <h3><a name=
"g1">What are the main goals?
</a></h3>
125 netsniff-ngs main goal is to be a
<i>high performance
</i> network sniffer that focuses on
<i>usability
</i>,
<i>robustness
</i> and
<i>functionality
</i>. Its aim is to support the daily work for networking engineers, developers, admins or Linux users by providing support with or in network monitoring, protocol analysis, reverse engineering, network debugging and penetration testing. Also, since
0.5.6.0 we've added further tools for high-performance traffic generation and reliable top-like networking statistics.
130 <h3><a name=
"g2">I like your project. Can I donate something?
</a></h3>
133 Sure, we're always happy to hear that. If you think this software is good, then please consider
<a href=
"http://flattr.com/thing/421382/gnumaniacs-devs" target=
"_blank">donating
</a> (Flattr) some money for our development. For non-money stuff, we'd prefer hardware like servers, switches, routers, access points, specific NICs or wireless cards or other (also exotic) kinds of embedded systems in order to do research, test our software and integrate new features. You are welcome to leave us a short message at
<script type=
"text/javascript">InsertMail("daniel", "netsniff-ng", "org");</script>.
138 <h3><a name=
"g3">How can I be notified of new releases?
</a></h3>
141 New releases will be announced on our homepage, mailing list and Freshmeat. We have a project page
<a href=
"http://freshmeat.net/projects/netsniff-ng/">at Freshmeat
</a> where you can subscribe.
146 <h3><a name=
"g4">Is there a mailing list?
</a></h3>
149 Yes, of course there is. It's a moderated, spam-free mailing list on GoogleGroups where you can add yourself and post your questions to
<script type=
"text/javascript">InsertMail("netsniff-ng", "googlegroups", "com");</script>.
154 <h3><a name=
"g5">Is there an IRC channel?
</a></h3>
157 Sometimes we're reachable via
<a href=
"irc://irc.freenode.net/netsniff-ng">#netsniff-ng
</a> which is located at
<a href=
"http://freenode.net/irc_servers.shtml">Freenode
</a>.
162 <h3><a name=
"g6">Do you have a blog? Is there a RSS feed for your blog?
</a></h3>
165 Yes, it's
<a href=
"http://dev.netsniff-ng.org/">http://dev.netsniff-ng.org/
</a>. The RSS feed can be found here:
<a href=
"http://blog.cryptoism.org/t_netsniff-ng.xml">http://blog.cryptoism.org/t_netsniff-ng.xml
</a>
170 <h3><a name=
"g7">Can you change the design of your blog?
</a></h3>
178 <h3><a name=
"g8">Why can't I post comments to your blog?
</a></h3>
181 Because we like HTML too much. ;-) Moderating all those comments costs too much time that we could also spend on development. If you'd like to discuss certain issues, then please use our mailing list.
186 <h3><a name=
"g9">Is there a commercial support?
</a></h3>
194 <h3><a name=
"g10">How good is the throughput of RX_RING/TX_RING?
</a></h3>
197 Have a look at our
<a href=
"http://wiki.netsniff-ng.org">Wiki
</a> within the benchmark section. For instance, on commodity hardware with Gigabit-Ethernet, we've reached nearly wirespeed with
<i>trafgen
</i> (
64 Byte,
1.2 Mio pps).
202 <h3><a name=
"g11">Are the statistics generated by ifpps 'reliable'?
</a></h3>
205 Yes. The statistics are extracted from the kernel directly, so this is what the NICs device driver gets to see. There is
<i>no
</i> sniffing or the like involved to generate these figures.
210 <h3><a name=
"u0">What's a primer document and why should I read it first?
</a></h3>
213 It's netsniff-ngs manpage. The manpage is shipped with the latest stable netsniff-ng release. Everything that needs to be known for using netsniff-ng is documented within this manpage.
218 <h3><a name=
"u1">What platforms are supported?
</a></h3>
221 Currently only operating systems running on Linux kernels with
<i>CONFIG_PACKET_MMAP
</i> enabled. This feature can be found even back to the days of
2.4 kernels. Most operating systems ship pre-compiled kernels that have this config option enabled and even the latest kernel versions got rid of this option and have this functionality built-in. However, we recommend using a kernel
>=
2.6.31, because the TX_RING support has been added since then.
226 <h3><a name=
"u2">What libraries are required?
</a></h3>
229 Well, for version
0.5.5.0 <i>libc
</i> is the only one. Most operating systems already have their
<i>libc
</i> shipped. That's it, nothing else. For version
0.5.6.0 you'll need
<i>libncurses
</i>,
<i>zlib
</i>,
<i>libgcrypt
</i>. All of them are usually available via your operating systems packet management system.
234 <h3><a name=
"u3">What version of netsniff-ng should I use?
</a></h3>
237 That depends. If you prefer to use the latest features, use the version that is marked as
<i>-next
</i> on the frontpage. The source is available via tarball and Git. Note that
<i>-next
</i> is our development tree and nearly daily changes are made. Otherwise there is a stable version that is usually recommended.
242 <h3><a name=
"u4">Can netsniff-ng read network dumps of Wireshark or others and vice versa?
</a></h3>
245 Yes, if the dumps are formatted as
<i>pcap
</i> files. This is default on Wireshark for instance. On the other hand, Wireshark can also read netsniff-ng dumps.
250 <h3><a name=
"u5">How can I create Berkeley Packet Filters?
</a></h3>
253 If you want to run netsniff-ng in combination with
<i>-f
</i> or
<i>--filter
<file
></i> you need to build a so called Berkeley Packet Filter program within a plaintext file (here, marked as:
<i><file
></i>). The Berkeley Packet Filters language description can be obtained from netsniff-ngs documentation
<a href=
"bpf.pdf">section
</a>. One way to create a custom filter for the non-lazy people is to hack the opcodes by hand according to the specification. In this case you have all the freedom to build your filters for your needs. The alternative way is to use tcpdumps
<i>-dd
</i> option. Simply pipe the output into a textfile and pass this to netsniff-ng.
255 Furthermore, we already ship some common filters and we are planning our own filter compiler! Most distributions put these files into
<i>/etc/netsniff-ng/rules/
</i>.
260 <h3><a name=
"u6">I've created a custom Berkeley Packet Filter program with tcpdump, but netsniff-ng cuts the packet payload?
</a></h3>
263 If you try to create custom socket filters with tcpdump
<i>-dd
</i>, you have to edit the
<i>ret
</i> opcode (
<i>0x6</i>) of the resulting filter, otherwise your payload will be cut off:
265 <i>0x6,
0,
0,
0xFFFFFFFF</i> instead of
<i>0x6,
0,
0,
0x00000060</i>
267 The Linux kernel now takes
<i>skb-
>len
</i> instead of
0xFFFFFFFF. If you do not change it, the kernel will take
0x00000060 as buffer length and packets larger than
96 Byte will be cut off (filled with zero Bytes)! It's a bug in libpcaps filter compiler. Detailed information about this issue can be found on our
<a href=
"http://dev.netsniff-ng.org/#4">blog post
</a>.
272 <h3><a name=
"u7">How do I sniff in a switched environment?
</a></h3>
275 I rudely refer to the
<i>dSniff
</i> documentation that says:
277 The easiest route is simply to impersonate the local gateway, stealing client traffic en route to some remote destination. Of course, the traffic must be forwarded by your attacking machine, either by enabling kernel IP forwarding or with a userland program that acccomplishes the same (fragrouter -B1).
279 Several people have reportedly destroyed connectivity on their LAN to the outside world by arpspoof'ing the gateway, and forgetting to enable IP forwarding on the attacking machine. Don't do this. You have been warned.
284 <h3><a name=
"u8">Can I run netsniff-ng as a normal user?
</a></h3>
287 No, you need to be
<i>root
</i> on your box in oder to run netsniff-ng.
292 <h3><a name=
"l0">What's the license of netsniff-ng?
</a></h3>
295 It's the GNU GPL, version
2.
<a href=
"http://www.gnu.org/licenses/gpl-2.0.txt">Here
</a>'s the licensing text.
300 <h3><a name=
"l1">Can you change your license e.g. to BSD or have you ever considered it?
</a></h3>
303 No. We've thought this through and the GPL version
2 is the best that suits our needs.
308 <h3><a name=
"l2">Can I use netsniff-ng commercially?
</a></h3>
311 Yes, if you mean
"I work for a commercial organization and I'd like to use netsniff-ng for capturing and analyzing network traffic in our company's networks or in our customer's networks.".
313 It depends, if you mean
"Can I use netsniff-ng as a part of my commercial product?". See below.
318 <h3><a name=
"l3">Can I use netsniff-ng as a part of my commercial product?
</a></h3>
321 As long as your commercial product then stays compatible with the
<a href=
"http://www.gnu.org/licenses/gpl-2.0.txt">GNU GPL, version
2</a>, then it should be no problem. Have a look at the
<a href=
"http://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html">frequently asked questions
</a> of gnu.org in order to clarify your questions.
326 <h3><a name=
"l4">How much does netsniff-ng cost?
</a></h3>
329 netsniff-ng is
"free software"; you can download it without paying any license fee. The version of netsniff-ng you download isn't a
"demo" version, with limitations not present in a
"full" version; it is the full version. And the good thing is: it will always stay that way!
331 netsniff-ng is licensed under the GNU GPL, version
2. Read more about this
<a href=
"http://www.gnu.org/licenses/gpl-2.0.txt">here
</a>.
336 <h3><a name=
"l5">Really, then why are you doing this?
</a></h3>
339 For the fun and freedom of contributing to the open source community and for learning and researching purposes. Simple, isn't it?
344 <h3><a name=
"d0">Do you have release cycles?
</a></h3>
347 No, we don't. We used to, but since netsniff-ng is a spare time project and sometimes there's lots of other stuff to do and sometimes not, we think we are more flexible this way without making hard deadline promises. Nevertheless, netsniff-ng is a long-term project, so even if there's hard times for weeks of not pushing to Git, there will be others with the opposite situation. We think netsniff-ng is useful for our daily network engineering work and research and we will do our best that it stays this way! This should be your take-home message! ;-)
352 <h3><a name=
"d1">Can you add feature xy to netsniff-ng?
</a></h3>
355 Well, that depends. If it's a good feature and you make us think that adding this would make sense, then why not. You are also free to discuss this specific feature with us and post a patch.
360 <h3><a name=
"d2">Are there other source repositories than on your homepage?
</a></h3>
363 No! Only the repositories stated on our homepage are
<a href=
"http://repo.or.cz/w/netsniff-ng.git/">official
</a> ones!
368 <h3><a name=
"d3">Is your GoogleCode page still up to date?
</a></h3>
371 No, it isn't. We completely moved to
<i>repo.or.cz
</i> and do
<i>not
</i> use any of the functionality from GoogleCode. Please consider our repo.or.cz page
<a href=
"http://repo.or.cz/w/netsniff-ng.git">http://repo.or.cz/w/netsniff-ng.git
</a> as our official repository.
376 <h3><a name=
"d4">Can I participate in the development of netsniff-ng?
</a></h3>
379 Sure, we'd be happy about that. Send us your ideas or code and we're going to evaluate and probably integrate it. Have a look at the HACKING file. The release Git repository is located at
<a href=
"http://repo.or.cz/w/netsniff-ng.git">http://repo.or.cz/w/netsniff-ng.git
</a>, so you are free to clone and hack.
384 <h3><a name=
"d5">How do I post a patch?
</a></h3>
387 Have a look at the HACKING file of netsniff-ngs source for further instructions.
392 <h3><a name=
"d6">How do I use Git?
</a></h3>
395 Have a look at the Git documentation at
<a href=
"http://www.kernel.org/pub/software/scm/git/docs/">http://www.kernel.org/pub/software/scm/git/docs/
</a>.
400 <h3><a name=
"d8">Will you ship a GUI like Wireshark?
</a></h3>
403 Probably not, at least this is not our main interest. netsniff-ng is intened to run on any Linux boxes including the ones without graphical user interfaces, so that you are able to run netsniff-ng on your server or router. But of course, you are free to develop a GUI and let us know about it! :-)
408 <h3><a name=
"d9">Will you support the future pcapng (so called 'PCAP Next Generation Dump File Format') format?
</a></h3>
411 Yes, we're planning it.
416 <h3><a name=
"d10">Do you plan some fancy version other than kernelspace RX_RING/TX_RING?
</a></h3>
419 We're experimenting on our own kernelspace zero-copy mechanism and also enhancements of the PACKET_MMAP. Nevertheless, the official netsniff-ng version will have the kernel-supported packet mmap, as is. If our findings really outperform the RX_RING/TX_RING and are worth publishing, then it will be shipped as a patch and contribute it to netdev.
424 <h3><a name=
"d11">Will you support the PF_RING from the ntop project?
</a></h3>
427 Well, no. There are two reasons for this:
<i>First reason
</i> is, that it's not part of the mainline kernel. A interesting discussion about getting PF_RING into the kernel can be found at the netdev lists (
<a href=
"http://lists.openwall.net/netdev/2009/10/14/37">http://lists.openwall.net/netdev/
2009/
10/
14/
37</a>) and obviously there are no further efforts (browse the netdev/LKML, also
<a href=
"http://www.spinics.net/lists/netfilter-devel/msg20212.html">netfilter
</a>) from the ntop project to merge both architectures or add features to PF_PACKET.
<i>Second reason
</i> is that we've evaluated the PF_RING (without the commercial Direct NIC Access [DNA]) regarding its performance and came to the conclusion, that there is no significant performance enhancement on our IBM HS21 Bladeserver test system. ntopi's DNA ships its own versions of some modified device drivers like Broadcoms tg3 and NetXtreme, Intels e1000(e), igb and ixgbe. Since these modifications are not official, neither to the kernel, nor to the vendors and cover only a small amout of what is out there, we're not doing further investigations at the moment. Also, netsniff-ng users have reported similar observations. A benchmark with PF_RING in transparent_mode
0 and
1 is even slower than netsniff-ng and in transparent_mode
2 both have the same performance. The test was done on a Dell PowerEdge
2850. Nevertheless,
<a href=
"http://www.ntop.org/">ntop
</a> is a very interesting project you definately should check out!
432 <h3><a name=
"d13">Are you also maintaining distribution specific packages?
</a></h3>
435 Yes, but only for
<a href=
"http://packages.qa.debian.org/n/netsniff-ng.html">Debian GNU/Linux
</a>, which then automatically gets updated in some other distros like
<a href=
"http://grml.org">GRML
</a>. People that maintain netsniff-ng in other distributions are listed within the CREDITS file.
440 <h3><a name=
"d14">Will you port netsniff-ng to Windows?
</a></h3>
443 No, at least
<i>we
</i> are not doing this simply because we don't have any Windows box! Why would we? Why would we encourage people to stay at a fucked up operating system? Have a look at the FSF site for more information, if you don't know why you should switch to Linux or *BSD.
448 <h3><a name=
"d15">Will you port netsniff-ng to *BSD?
</a></h3>
451 Could be possible for the future.
456 <h3><a name=
"d16">Do you have your own personal devel trees? Which one should I patch against?
</a></h3>
459 Yes, we have. Emmanuels devel tree is at
<a href=
"http://github.com/eroullit/netsniff-ng/">http://github.com/eroullit/netsniff-ng/
</a> and Daniels devel tree can be found at
<a href=
"http://repo.or.cz/w/netsniff-ng.git">http://repo.or.cz/w/netsniff-ng.git
</a>. Unlike otherwise clarified, you normally patch against the tree stated on our website, which is
<a href=
"http://repo.or.cz/w/netsniff-ng.git">http://repo.or.cz/w/netsniff-ng.git
</a>.
464 <h3><a name=
"d17">Are you adding more tools to the toolkit?
</a></h3>
467 No,
8 tools (netsniff-ng, trafgen, mausezahn, bpfc, ifpps, flowtop, curvetun, astraceroute) are enough. We now rather focus on improving them and fixing bugs.
472 <h3><a name=
"m0">Why don't you answer my mails? Isn't that rude?
</a></h3>
475 No, it isn't rude. We're focusing on answering every mail, but in some rare cases it's mostly because of sheer lack of time to answer each email that gets sent to us. Furthermore, some hints for writing good e-mails can be found in
<a href=
"http://www.ietf.org/rfc/rfc2635.txt">rfc2635
</a> and
<a href=
"http://www.ietf.org/rfc/rfc1855.txt">rfc1855
</a>.
480 <h3><a name=
"m1">How do you pronounce netsniff-ng?
</a></h3>
483 <code>$ flite -o play -t
"netsniff n g"</code>
488 <h3><a name=
"m2">Do you have netsniff-ng t-shirts, ...?
</a></h3>
491 Yes,
<a href=
"http://netsniff-ng.spreadshirt.de/">here
</a> (note: we do not take any commission for the products).
496 <h3><a name=
"m3">I've got some artwork for you!?
</a></h3>
499 Great! We'd very much like to see it. Please mail it to us ;-)
503 <table border=
"0" width=
"90%">
506 <code>Copyright (C)
2009-
2012 <a href=
"http://gnumaniacs.org">Daniel Borkmann
</a>
507 <script type=
"text/javascript">InsertMail("daniel", "netsniff-ng", "org");</script>
508 and
<a href=
"https://github.com/gnumaniacs/netsniff-ng/blob/master/AUTHORS">contributers
</a>