Added BPF attach/detach support check.

[netsniff-ng.git] / README

////////////////////////////////////////////////////////////////

        netsniff-ng - the packet sniffing beast

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

                                      .      .
                                     /(      )\
                                   .' {______} '.
                                    \ ^,    ,^ /
 netsniff-ng is a free, performant   |'O\  /O'|   _.<0101011>--
 Linux network analyzer and          > `'  '` <  /
 networking toolkit.                 ) ,.==., (  |
                                    (|/--~~--\|)-'
 Release: 2011-xx-xx               /
                                  (      ___
 Web: http://netsniff-ng.org       \__.=|___E

The gain of performance is reached by 'zero-copy' mechanisms, so that the
kernel does not need to copy packets from kernelspace to userspace and vice
versa.

For this purpose netsniff-ng is libpcap independent, but nevertheless supports
the pcap file format for capturing, replaying and performing offline-analysis
of pcap dumps. Furthermore we are focussing on building a robust, clean and
secure analyzer and utilities that complete netsniff-ng as a support for the
the daily work of system administrators, networking engineers, researchers or
security specialists.

The netsniff-ng toolkit [1] currently consists of the following utilities:

  * netsniff-ng: the 'zero-copy' sniffer, pcap capturer and replayer itself
  * arpswirl: an ARP cache poisoning utility (todo)
  * trafgen: a high performance 'zero-copy' network packet generator
  * flowtop: a top-like netfilter connection tracking tool (todo)
  * curvetun: a lightweight curve25519-based multiuser IP tunnel
  * ashunt: an Autonomous System trace route utility and ISP's DPI tester
  * bpfc: a tiny Berkeley Packet Filter compiler supporting Linux extensions
  * ifpps: a top-like kernel networking and system statistics tool

The netsniff-ng toolkit is an Open Source project covered by the GNU General 
Public License. For any questions or feedback about netsniff-ng you are welcome
to leave us a message to <workgroup@netsniff-ng.org> or to our mailing list
at <netsniff-ng@googlegroups.com> (Note: you have to register first). This
project is purely non-commercial and will always stay that way!

Also, have a look at our FAQ [2] for answering your questions. Furthermore,
we have a development blog [3] where we sometimes drop some interesting things
or news for the outside world! A public repository of the old stable releases
(which you probably do not want to have a look at), can be found here [4].

By the way, some notes on zero-copy ... You might want to have NAPI drivers [5]
enabled in your kernel to reduce interrupt load and for high-speed (= relative
to the CPU speed) PCAP dumping and replay, a fast SSD isn't too bad either,
and make sure to use netsniff-ngs scatter/gather or mmap I/O options. Next to
this, (and this refers to packet generation as well), a 10-Gbit/s-Ethernet
NIC, an appropriate amount of RAM and a fast CPU is recommended. Furthermore,
you should bind the netsniff-ng tools to a specific CPU via commandline option
(i.e. --bind 0). Some further recommendations can be found in [6] [8]. Also,
Eric Dumazets BPF Just-in-Time compiler can speed up the critical path [7].

You might want to have a look at INSTALL, REPORTING-BUGS, HACKING, CODING,
and COPYING, too. Anyways, enough talking from my side and happy packet
hacking!

[1] http://netsniff-ng.org/
[2] http://netsniff-ng.org/faq.html
[3] http://dev.netsniff-ng.org/
[4] http://pub.netsniff-ng.org/
[5] http://www.linuxfoundation.org/collaborate/workgroups/networking/napi
[6] http://datatag.web.cern.ch/datatag/howto/tcp.html
[7] http://thread.gmane.org/gmane.linux.network/191115
    Kernel build option:
      CONFIG_HAVE_BPF_JIT=y
      CONFIG_BPF_JIT=y
[8] http://bit.ly/3XbBrM