use strlcpy

[netsniff-ng.git] / FAQ

This FAQ is copied from the FAQ from our website:

Q: What is netsniff-ng?
A: netsniff-ng is is a free, performant Linux network analyzer and
   networking toolkit.

Q: What are the main goals?
A: netsniff-ngs main goal is to be a high performance network toolkit that
   focuses on usability, robustness and functionality. Its aim is to support
   the daily work for networking engineers, developers, admins or Linux
   users by providing support with or in network monitoring, protocol
   analysis, reverse engineering, network debugging and penetration testing.

Q: I like your project. Can I donate something?
A: Sure, we're always happy to hear that. If you think this software is
   good, then please consider donating your money to the Tibet Foundation
   instead to us and help the Tibetian people. For non-money stuff, we'd
   prefer hardware like servers, switches, routers, access points, specific
   NICs or wireless cards or other (also exotic) kinds of embedded systems
   in order to do research, test our software and integrate new features.
   You are welcome to leave us a short message at <workgroup@netsniff-ng.org>.

Q: How can I be notified of new releases?
A: New releases will be announced on Freshmeat. We have a project page there
   where you can subscribe.

Q: Is there a mailing list?
A: Yes, of course there is. It's a moderated mailing list on GoogleGroups
   where you can add yourself and post your questions to
   <netsniff-ng@googlegroups.com>.

Q: Is there an IRC channel?
A: Sometimes we're reachable via #netsniff-ng which is located at Freenode.

Q: Do you have a blog? Is there a RSS feed for your blog?
A: Yes, it's http://dev.netsniff-ng.org/ and yep, it's here:
   http://netsniff-ng.org/dev.rss

Q: Can you change the design of your blog?
A: Nope, go with it!

Q: Why can't I post comments to your blog?
A: Because you can't. Moderating all those comments costs too much time that
   we could also spend on development. If you'd like to discuss certain
   issues, then use our mailing list.

Q: Is there a commercial support?
A: Nope.

Q: How good is the throughput of RX_RING/TX_RING?
A: Have a look at our benchmark (online).

Q: Are the statistics generated by ifpps 'reliable'?
A: Yes. The figures are extracted from the kernel directly, so this is what
   the kernel gets to see. There is no sniffing or other stuff to generate
   these figures - it's pure kernelland.

Q: What's a primer document and why should I read it first?
A: It's netsniff-ngs manpage. The manpage is shipped with the latest stable
   netsniff-ng release. Everything that needs to be known for using
   netsniff-ng is documented within this manpage.

Q: What platforms are supported?
A: Currently only operating systems running on Linux kernels with
   CONFIG_PACKET_MMAP enabled. This feature can be found even back to the
   days of 2.4 kernels. Most operating systems ship pre-compiled kernels
   that have this config option enabled and even the latest kernel versions
   got rid of this option and have this functionality built-in. However,
   we recommend a kernel >= 2.6.31, because it has the built-in TX_RING
   functionality.

Q: What libraries are required?
A: See INSTALL notes.

Q: What version of netsniff-ng should I use?
A: That depends. If you prefer to use the latest features, use the version
   that is marked as -next on the frontpage. The source is available via
   tarball. Otherwise there is a stable version that is usually recommended.

Q: Can netsniff-ng read network dumps of Wireshark or others and vice versa?
A: Yes, if the dumps are formatted as pcap files. This is default on
   Wireshark for instance. On the other hand, Wireshark can also read
   netsniff-ng dumps.

Q: How can I create Berkeley Packet Filters?
A: If you want to run netsniff-ng in combination with -f or --filter <file>
   you need to build a so called Berkeley Packet Filter program within a
   plaintext file (here, marked as: <file>). The Berkeley Packet Filters
   language description can be obtained from netsniff-ngs documentation 
   section or from netsniff-ngs manpage. One way to create a custom filter
   for the non-lazy people is to hack the opcodes by hand according to the
   specification. In this case you have all the freedom to build your
   filters for your needs. The alternative way is to use tcpdumps -dd
   option. Simply pipe the output into a textfile and pass this to
   netsniff-ng.
   Furthermore, we already ship some common filters and we are planning our
   own filter compiler! Most distributions put these files into
   /etc/netsniff-ng/rules/.

Q: I've created a custom Berkeley Packet Filter program with tcpdump, but
   netsniff-ng cuts the packet payload?
A: If you try to create custom socket filters with tcpdump -dd, you have to
   edit the ret opcode (0x6) of the resulting filter, otherwise your payload
   will be cut off:
     0x6, 0, 0, 0xFFFFFFFF instead of 0x6, 0, 0, 0x00000060
   The Linux kernel now takes skb->len instead of 0xFFFFFFFF. If you do not
   change it, the kernel will take 0x00000060 as buffer length and packets
   larger than 96 Byte will be cut off (filled with zero Bytes)! It's a bug
   in libpcaps filter compiler. Detailed information about this issue can
   be found on our blog post.

Q: How do I sniff in a switched environment?
A: I rudely refer to the dSniff documentation that says:
     The easiest route is simply to impersonate the local gateway, stealing
     client traffic en route to some remote destination. Of course, the
     traffic must be forwarded by your attacking machine, either by enabling
     kernel IP forwarding or with a userland program that acccomplishes the
     same (fragrouter -B1).
     Several people have reportedly destroyed connectivity on their LAN to
     the outside world by arpspoof'ing the gateway, and forgetting to enable
     IP forwarding on the attacking machine. Don't do this. You have been
     warned.

Q: Can I run netsniff-ng as a normal user?
A: No, you need to be root on your box in oder to run netsniff-ng.

Q: What's the license of netsniff-ng?
A: It's the GNU GPL, version 2. See COPYING.

Q: Can you change your license e.g. to BSD or have you ever considered it?
A: Nope. Live with it!

Q: Can I use netsniff-ng commercially?
A: Yep, if you mean "I work for a commercial organization and I'd like to
   use netsniff-ng for capturing and analyzing network traffic in our
   company's networks or in our customer's networks.".
   It depends, if you mean "Can I use netsniff-ng as a part of my commercial
   product?". See below.

Q: Can I use netsniff-ng as a part of my commercial product?
A: As long as your commercial product then stays compatible with the GNU GPL,
   version 2, then it should be no problem. Have a look at the frequently
   asked questions of gnu.org in order to clarify your questions.

Q: How much does netsniff-ng cost?
A: netsniff-ng is "free software"; you can download it without paying any
   license fee. The version of netsniff-ng you download isn't a "demo"
   version, with limitations not present in a "full" version; it is the
   full version. And the good thing is: it will always stay that way!
   netsniff-ng is licensed under the GNU GPL, version 2. Read more about
   this at gnu.org.

Q: Really, then why are you doing this?
A: For the fun and freedom of contributing to the open source community.
   Simple, isn't it?

Q: Do you have release cycles?
A: No, we don't. We used to, but since netsniff-ng is a spare time project
   and sometimes there's lots of other stuff to do and sometimes not, we
   think we are more flexible this way without making hard deadline
   promises. Nevertheless, netsniff-ng is a long-term project, so even if
   there's hard times for month of not pushing to Git, there will be others
   with the opposite situation. We think netsniff-ng is useful for our daily
   network engineering work and research and we will do our best that it
   stays this way! This should be your take-home message! ;-)

Q: Can you add feature xy to netsniff-ng?
A: Well, that depends. If it's a good feature and you make us think that
   adding this would make sense, then why not. You are also free to discuss
   this specific feature with us and post a patch.

Q: Are there other source repositories than on your homepage?
A: No! Only the repositories stated on our homepage are official ones!

Q: Is your GoogleCode page still up to date?
A: No, it isn't. We completely moved to repo.or.cz and do not use any of
   the functionality from GoogleCode. Please consider our repo.or.cz page
   http://repo.or.cz/w/netsniff-ng.git as our official repository.

Q: Can I participate in the development of netsniff-ng?
A: Sure, we'd be happy about that. Send us your ideas or code and we're
   going to evaluate and probably integrate it. Have a look at the HACKING
   file. The release Git repository is located at
   http://repo.or.cz/w/netsniff-ng.git, so you are free to clone and hack.

Q: How do I post a patch?
A: Have a look at the HACKING file of netsniff-ngs source for further
   instructions.

Q: How do I use Git?
A: Have a look at the Git documentation at
   http://www.kernel.org/pub/software/scm/git/docs/.

Q: Will you ship a GUI like Wireshark?
A: Probably not, at least this is not our main interest. netsniff-ng is
   intened to run on any Linux boxes including the ones without graphical
   user interfaces, so that you are able to run netsniff-ng on your server
   or router.

Q: Will you support the future pcapng (so called 'PCAP Next Generation Dump
   File Format') format?
A: Yes, we're planning it.

Q: Do you plan some fancy version other than kernelspace RX_RING/TX_RING?
A: We're experimenting on our own kernelspace zero-copy mechanism and also
   enhancements of the PACKET_MMAP. Nevertheless, the official netsniff-ng
   version will have the kernel-supported packet mmap, as is. If our
   findings really outperform the RX_RING/TX_RING and are worth publishing,
   then it will be shipped as a patch and contribute it to netdev.

Q: Will you support the PF_RING from the ntop project?
A: Well, no. There are two reasons for this: First reason is, that it's not
   part of the mainline kernel. A interesting discussion about getting
   PF_RING into the kernel can be found at the netdev lists
   (http://lists.openwall.net/netdev/2009/10/14/37) and obviously there are
   no further efforts (browse the netdev/LKML) from the ntop project to
   merge both architectures or add features to PF_PACKET. Second reason is
   that we've evaluated the PF_RING (without the commercial Direct NIC
   Access [DNA]) regarding its performance and came to the conclusion, that
   there is no significant performance enhancement (see benchmarks). ntops
   DNA ships its own versions of some modified device drivers like Broadcoms
   tg3 and NetXtreme, Intels e1000(e), igb and ixgbe. Since these
   modifications are not official, neither to the kernel, nor to the vendors
   and cover only a small amout of what is out there, we're not doing
   further investigations at the moment.

Q: What's the future of netsniff-ngs server?
A: We plan to remove the -D from netsniff-ng and we're heading towards a
   real daemon. What is real? Well, we don't want to mix the actual tool
   with daemon code, so we plan to outsource it from netsniff-ng.c and
   build a netsniff-ngd.c. The daemon itself then will be able to run on
   your router box and analyse traffic. We already have some special
   features in mind. ;-)

Q: Are you also maintaining distribution specific packages?
A: Yes, but only for Debian GNU/Linux, which then automatically gets updated
   in some other distros like GRML. People that maintain netsniff-ng in other
   distributions are listed within the CREDITS file.

Q: Will you port netsniff-ng to Windows?
A: No, at least we are not doing this! Windows is a proprietary environment
   and restricts your freedom. Have a look at the FSF site for more
   information if you don't know what this means. Besides that? Honestly, who
   voluntarily wants to use Windows?

Q: Will you port netsniff-ng to *BSD?
A: Could be possible for the future.

Q: Do you have your own personal devel trees? Which one should I patch against?
A: Yes, we have. Emmanuels devel tree is at http://github.com/eroullit/netsniff-ng/
   and Daniels devel tree can be found at http://repo.or.cz/w/netsniff-ng.git.
   Unlike otherwise clarified, you normally patch against the tree stated on
   our website, which is http://repo.or.cz/w/netsniff-ng.git.

Q: Why don't you answer my mails? Isn't that rude?
A: No, it isn't rude. We're focusing on answering every mail, but in some
   rare cases it's mostly because of sheer lack of time to answer each email
   that gets sent to us. Furthermore, some hints for writing good e-mails
   can be found in rfc2635 and rfc1855.

Q: How do you pronounce netsniff-ng?
A: $ flite -o play -t "netsniff n g"

Q: Do you have netsniff-ng t-shirts?
A: Not yet.

Q: I've got some artwork for you!?
A: Great! We'd very much like to see it. Please mail it to us ;-)