netsniff-ng - a high performance network sniffer for packet inspection
netsniff-ng [-d device] [-f filter] [-b cpu] [-B cpu] [-P pid] [-L log]
[-S af_unix] [-DHnsv]
netsniff-ng is a high performance Linux network sniffer for packet
inspection. Basically, it is similar to tcpdump, but it doesn’t need a
syscall per packet. Instead, it uses an memory mapped area within
kernelspace for accessing packets without copying them to userspace
("zero-copy" mechanism), so during high bandwidth less packet drops
than on standard libpcap-based sniffers will occur.
netsniff-ng is useful for protocol analysis and reverse engineering,
network debugging, measurement of performance throughput or network
statistics creation of incoming packets on central network nodes like
routers or firewalls.
If you try to create custom socket filters with tcpdump -dd, you have
to edit the ret opcode of the resulting filter, otherwise your payload
will be cut off:
0x6, 0, 0, 0xFFFFFFFF instead of 0x6, 0, 0, 0x00000060
The Linux kernel now takes skb->len instead of 0xFFFFFFFF. If you do
not change it, the kernel will take 0x00000060 as buffer length and
packets larger than 96 Byte will be cut off (filled with zero Bytes)!
For instance, use ‘eth0’ or ‘wlan0’ as the packet capturing
Use a specific Berkeley Packet Filter program to filter incoming
Have a look at the given examples in: /etc/netsniff-ng/rules
-D Run netsniff-ng in daemon mode, options -P, -L and -S are
Note: To gather statistics during runtime without the unix
domain socket inode, just send SIGUSR1 to netsniff-ng.
Used to define the pidfile. In most cases you can define it as
Used to define the logfile. In most cases you can define it as
Used to define the unix domain socket inode. In most cases you
can define it as /tmp/netsniff-ng.uds.
-b CPU Force system scheduler to schedule netsniff-ng only on specific
CPUs. Parameters could be 0 for using only CPU0, 0,1 for using
CPU0 and CPU1 or even 0-4 for using a whole CPU range. If you
have a customized init process that leaves out a special CPU you
could bind netsniff-ng on that free CPU for maximal performance.
On the other hand, you can avoid scheduling netsniff-ng on CPUs
which are reserved for other critical tasks.
-B CPU Force system scheduler to not schedule netsniff-ng on specific
CPUs. Parameter syntax is equivalent to -b.
-H Do not put netsniff-ng in high-priorized mode. Normally,
netsniff-ng will be scheduled with high priority thus it may
make use of the full CPUs timeslice. You can avoid this by
-n This option sets netsniff-ng in non-blocking mode. If the
RX_RING is empty for several reasons, netsniff-ng will be put to
sleep and wait for new incoming packages. By setting -n
netsniff-ng will spin (with 100% CPU usage) in non-blocking
mode. This might be faster, but could slow down other processes.
-s Do not print captured packets to stdout (silent mode). That
switch can be changes during runtime by sending SIGUSR2 to
toggle verbose/silent mode.
-v Prints versioning information.
(C) 2009, 2010, by Daniel Borkmann and Emmanuel Roullit
For bug reports, questions, code contributions, cool hacks and all the
Leipzig University of Applied SciJanuary 2010 netsniff-ng(8)