Man Linux: Main Page and Category List


       netsniff-ng - a high performance network sniffer for packet inspection


       netsniff-ng [-d device] [-f filter] [-b cpu] [-B cpu] [-P pid] [-L log]
       [-S af_unix] [-DHnsv]


       netsniff-ng is a high performance  Linux  network  sniffer  for  packet
       inspection.  Basically, it is similar to tcpdump, but it doesn’t need a
       syscall per packet. Instead, it  uses  an  memory  mapped  area  within
       kernelspace  for  accessing  packets  without copying them to userspace
       ("zero-copy" mechanism), so during high  bandwidth  less  packet  drops
       than on standard libpcap-based sniffers will occur.

       netsniff-ng  is  useful  for protocol analysis and reverse engineering,
       network debugging, measurement of  performance  throughput  or  network
       statistics  creation  of incoming packets on central network nodes like
       routers or firewalls.


       If you try to create custom socket filters with tcpdump -dd,  you  have
       to  edit the ret opcode of the resulting filter, otherwise your payload
       will be cut off:

       0x6, 0, 0, 0xFFFFFFFF  instead of  0x6, 0, 0, 0x00000060

       The Linux kernel now takes skb->len instead of 0xFFFFFFFF.  If  you  do
       not  change  it,  the  kernel will take 0x00000060 as buffer length and
       packets larger than 96 Byte will be cut off (filled with zero Bytes)!


       -d device
              For instance, use ‘eth0’ or  ‘wlan0’  as  the  packet  capturing
              network device.

       -f filter
              Use a specific Berkeley Packet Filter program to filter incoming
              Have a look at the given examples in: /etc/netsniff-ng/rules

       -D     Run netsniff-ng in daemon  mode,  options  -P,  -L  and  -S  are
              required, too.
              Note:  To  gather  statistics  during  runtime  without the unix
              domain socket inode, just send SIGUSR1 to netsniff-ng.

       -P pidfile
              Used to define the pidfile. In most cases you can define  it  as

       -L logfile
              Used  to  define the logfile. In most cases you can define it as

       -S inode
              Used to define the unix domain socket inode. In most  cases  you
              can define it as /tmp/netsniff-ng.uds.

       -b CPU Force  system scheduler to schedule netsniff-ng only on specific
              CPUs. Parameters could  be 0 for using only CPU0, 0,1 for  using
              CPU0  and  CPU1  or even 0-4 for using a whole CPU range. If you
              have a customized init process that leaves out a special CPU you
              could bind netsniff-ng on that free CPU for maximal performance.
              On the other hand, you can avoid scheduling netsniff-ng on  CPUs
              which are reserved for other critical tasks.

       -B CPU Force  system  scheduler to not schedule netsniff-ng on specific
              CPUs. Parameter syntax is equivalent to -b.

       -H     Do  not  put  netsniff-ng  in  high-priorized  mode.   Normally,
              netsniff-ng  will  be  scheduled  with high priority thus it may
              make use of the full CPUs  timeslice.  You  can  avoid  this  by
              setting -H.

       -n     This  option  sets  netsniff-ng  in  non-blocking  mode.  If the
              RX_RING is empty for several reasons, netsniff-ng will be put to
              sleep  and  wait  for  new  incoming  packages.  By  setting  -n
              netsniff-ng will spin (with  100%  CPU  usage)  in  non-blocking
              mode. This might be faster, but could slow down other processes.

       -s     Do not print captured packets  to  stdout  (silent  mode).  That
              switch  can  be  changes  during  runtime  by sending SIGUSR2 to
              toggle verbose/silent mode.

       -v     Prints versioning information.


       (C) 2009, 2010, by Daniel Borkmann and Emmanuel Roullit

       For bug reports, questions, code contributions, cool hacks and all  the


Leipzig University of Applied SciJanuary 2010                   netsniff-ng(8)