Netsniff-ng

netsniff-ng toolkit
Screenshot of astraceroute trace for the website of Mushoku Tensei
Original author(s)	Daniel Borkmann
Developer(s)	Daniel Borkmann, Tobias Klauser, Herbert Haas, Emmanuel Roullit, Markus Amend and many others
Initial release	December, 2009
Stable release	0.6.9 [1] / 7 January 2025;7 months ago (7 January 2025)
Repository	https://github.com/netsniff-ng/netsniff-ng
Written in	C
Operating system	Linux
Available in	English
Type	Network management Network engineering Computer security
License	GPLv2 [2]
Website	http://www.netsniff-ng.org/

netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its gain of performance is reached by zero-copy mechanisms for network packets (RX_RING, TX_RING), ^[3] so that the Linux kernel does not need to copy packets from kernel space to user space via system calls such as recvmsg(). ^[4] libpcap, starting with release 1.0.0, also supports the zero-copy mechanism on Linux for capturing (RX_RING), so programs using libpcap also use that mechanism on Linux.

Overview

netsniff-ng was initially created as a network sniffer with support of the Linux kernel packet-mmap interface for network packets, but later on, more tools have been added to make it a useful toolkit such as the iproute2 suite, for instance. Through the kernel's zero-copy interface, efficient packet processing can be reached even on commodity hardware. For instance, Gigabit Ethernet wire-speed has been reached with netsniff-ng's trafgen. ^{[5] [6]} The netsniff-ng toolkit does not depend on the libpcap library. Moreover, no special operating system patches are needed to run the toolkit. netsniff-ng is free software and has been released under the terms of the GNU General Public License version 2.

The toolkit currently consists of a network analyzer, packet capturer and replayer, a wire-rate traffic generator, an encrypted multiuser IP tunnel, a Berkeley Packet Filter compiler, networking statistic tools, an autonomous system trace route and more: ^[7]

• netsniff-ng: a zero-copy analyzer, packet capturer and replayer, itself supporting the pcap file format
• trafgen: a zero-copy wire-rate traffic generator
• mausezahn: a packet generator and analyzer for HW/SW appliances with a Cisco-CLI
• bpfc: a Berkeley Packet Filter (BPF) compiler
• ifpps: a top-like kernel networking statistics tool
• flowtop: a top-like netfilter connection tracking tool with Geo-IP information
• curvetun: a lightweight multiuser IP tunnel based on elliptic-curve cryptography
• astraceroute: an autonomous system trace route utility with Geo-IP information

Distribution specific packages are available for all major operating system distributions such as Debian ^[8] or Fedora Linux. It has also been added to Xplico's Network Forensic Toolkit, ^[9] GRML Linux, Security Onion, ^[10] and to the Network Security Toolkit. ^[11] The netsniff-ng toolkit is also used in academia. ^{[12] [13]}

Basic commands working in netsniff-ng

In these examples, it is assumed that eth0 is the used network interface. Programs in the netsniff-ng suite accept long options, e.g. --in ( -i ), --out ( -o ), --dev ( -d ).

• For geographical AS TCP SYN probe trace route to a website:

  astraceroute -d eth0 -N -S -H <span class="nowrap">⟨host e.g., netsniff-ng.org⟩</span>

• For kernel networking statistics within promiscuous mode:

  ifpps -d eth0 -p

• For high-speed network packet traffic generation, trafgen.txf is the packet configuration:

  trafgen -d eth0 -c trafgen.txf

• For compiling a Berkeley Packet Filter fubar.bpf:

  bpfc fubar.bpf

• For live-tracking of current TCP connections (including protocol, application name, city and country of source and destination):

  flowtop

• For efficiently dumping network traffic in a pcap file:

  netsniff-ng -i eth0 -o dump.pcap -s -b 0

Platforms

The netsniff-ng toolkit currently runs only on Linux systems. Its developers decline a port to Microsoft Windows. ^[14]

See also

• Comparison of packet analyzers
• OpenVPN
• Packet generator
• Tcpdump
• Traceroute
• Traffic generation model
• Wireshark
• Xplico

References

1. "Release 0.6.9". 7 January 2025. Retrieved 26 January 2025.
2. "netsniff-ng license". GitHub . Archived from the original on 24 December 2021. Retrieved 20 December 2021.
3. "Description of the Linux packet-mmap mechanism". Archived from the original on 21 December 2021. Retrieved 6 November 2011.
4. "netsniff-ng homepage, abstract, zero-copy". Archived from the original on 8 September 2016. Retrieved 6 November 2011.
5. "Network Security Toolkit Article about trafgen's performance capabilities". 4 November 2011. Archived from the original on 14 February 2022. Retrieved 6 November 2011.
6. "Developer's blog about trafgen's performance". 16 October 2011. Archived from the original on 25 April 2012. Retrieved 6 November 2011.
7. "netsniff-ng README". GitHub . Archived from the original on 22 January 2022. Retrieved 16 February 2018.
8. "netsnif-ng in Debian". Archived from the original on 2021-12-21. Retrieved 2024-06-12.
9. "Xplico support of netsniff-ng". Archived from the original on 21 December 2021. Retrieved 6 November 2011.
10. "Security Onion 12.04 RC1 available now!" . Retrieved 16 December 2012.
11. "Network Security Toolkit adds netsniff-ng". Archived from the original on 24 June 2021. Retrieved 6 November 2011.
12. "netsniff-ng's trafgen at University of Napoli Federico II". Archived from the original on 10 November 2011. Retrieved 7 November 2011.
13. "netsniff-ng's trafgen at Columbia University". Archived from the original on 26 August 2021. Retrieved 7 November 2011.
14. "netsniff-ng FAQ declining a port to Microsoft Windows". Archived from the original on 13 June 2021. Retrieved 21 June 2015.

External links

• Official netsniff-ng website