Netsniff-ng

Last updated
netsniff-ng toolkit
Original author(s) Daniel Borkmann
Developer(s) Daniel Borkmann, Tobias Klauser, Herbert Haas, Emmanuel Roullit, Markus Amend and many others
Initial releaseDecember, 2009
Stable release
0.6.8 [1] / 11 January 2021;3 years ago (11 January 2021)
Repository https://github.com/netsniff-ng/netsniff-ng
Written in C
Operating system Linux
Available in English
Type
License GPLv2 [2]
Website http://www.netsniff-ng.org/

netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its gain of performance is reached by zero-copy mechanisms for network packets (RX_RING, TX_RING), [3] so that the Linux kernel does not need to copy packets from kernel space to user space via system calls such as recvmsg(). [4] libpcap, starting with release 1.0.0, also supports the zero-copy mechanism on Linux for capturing (RX_RING), so programs using libpcap also use that mechanism on Linux.

Contents

Overview

netsniff-ng was initially created as a network sniffer with support of the Linux kernel packet-mmap interface for network packets, but later on, more tools have been added to make it a useful toolkit such as the iproute2 suite, for instance. Through the kernel's zero-copy interface, efficient packet processing can be reached even on commodity hardware. For instance, Gigabit Ethernet wire-speed has been reached with netsniff-ng's trafgen. [5] [6] The netsniff-ng toolkit does not depend on the libpcap library. Moreover, no special operating system patches are needed to run the toolkit. netsniff-ng is free software and has been released under the terms of the GNU General Public License version 2.

The toolkit currently consists of a network analyzer, packet capturer and replayer, a wire-rate traffic generator, an encrypted multiuser IP tunnel, a Berkeley Packet Filter compiler, networking statistic tools, an autonomous system trace route and more: [7]

Distribution specific packages are available for all major operating system distributions such as Debian [8] or Fedora Linux. It has also been added to Xplico's Network Forensic Toolkit, [9] GRML Linux, Security Onion, [10] and to the Network Security Toolkit. [11] The netsniff-ng toolkit is also used in academia. [12] [13]

Basic commands working in netsniff-ng

In these examples, it is assumed that eth0 is the used network interface. Programs in the netsniff-ng suite accept long options, e.g. --in ( -i ), --out ( -o ), --dev ( -d ).

astraceroute -d eth0 -N -S -H <host e.g., netsniff-ng.org>
ifpps -d eth0 -p
trafgen -d eth0 -c trafgen.txf
bpfc fubar.bpf
flowtop
netsniff-ng -i eth0 -o dump.pcap -s -b 0

Platforms

The netsniff-ng toolkit currently runs only on Linux systems. Its developers decline a port to Microsoft Windows. [14]

See also

Related Research Articles

In computing, traceroute and tracert are diagnostic command-line interface commands for displaying possible routes (paths) and transit delays of packets across an Internet Protocol (IP) network.

tcpdump Data-network packet analyzer

tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.

<span class="mw-page-title-main">ARP spoofing</span> Cyberattack which associates the attackers MAC address with the IP address of another host

In computer networking, ARP spoofing is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.

dSniff is a set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data. arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker. sshmitm and webmitm implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

"Zero-copy" describes computer operations in which the CPU does not perform the task of copying data from one memory area to another or in which unnecessary data copies are avoided. This is frequently used to save CPU cycles and memory bandwidth in many time consuming tasks, such as when transmitting a file at high speed over a network, etc., thus improving the performance of programs (processes) executed by a computer.

In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of packet capture, that is not the API's proper name. Unix-like systems implement pcap in the libpcap library; for Windows, there is a port of libpcap named WinPcap that is no longer supported or developed, and a port named Npcap for Windows 7 and later that is still supported.

Packet crafting is a technique that allows network administrators to probe firewall rule-sets and find entry points into a targeted system or network. This is done by manually generating packets to test network devices and behaviour, instead of using existing network traffic. Testing may target the firewall, IDS, TCP/IP stack, router or any other component of the network. Packets are usually created by using a packet generator or packet analyzer which allows for specific options and flags to be set on the created packets. The act of packet crafting can be broken into four stages: Packet Assembly, Packet Editing, Packet Play and Packet Decoding. Tools exist for each of the stages - some tools are focused only on one stage while others such as Ostinato try to encompass all stages.

<span class="mw-page-title-main">Wireshark</span> Network traffic analyzer

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.

The Berkeley Packet Filter is a network tap and packet filter which permits computer network packets to be captured and filtered at the operating system level. It provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received, and allows a userspace process to supply a filter program that specifies which packets it wants to receive. For example, a tcpdump process may want to receive only packets that initiate a TCP connection. BPF returns only packets that pass the filter that the process supplies. This avoids copying unwanted packets from the operating system kernel to the process, greatly improving performance. The filter program is in the form of instructions for a virtual machine, which are interpreted, or compiled into machine code by a just-in-time (JIT) mechanism and executed, in the kernel.

Packet injection in computer networking, is the process of interfering with an established network connection by means of constructing packets to appear as if they are part of the normal communication stream. The packet injection process allows an unknown third party to disrupt or intercept packets from the consenting parties that are communicating, which can lead to degradation or blockage of users' ability to utilize certain network services or protocols. Packet injection is commonly used in man-in-the-middle attacks and denial-of-service attacks.

Mausezahn is a fast network traffic generator written in C which allows the user to craft nearly every possible and "impossible" packet. Since version 0.31 Mausezahn is open source in terms of the GPLv2. Herbert Haas, the original developer of Mausezahn, died on 25 June 2011. The project has been incorporated into the netsniff-ng toolkit, and continues to be developed there.

<span class="mw-page-title-main">EtherApe</span> Network traffic monitoring tool

EtherApe is a packet sniffer/network traffic monitoring tool, developed for Unix. EtherApe is free, open source software developed under the GNU General Public License.

<span class="mw-page-title-main">Iftop</span> Real-time bandwidth usage software

Iftop is a free software command-line system monitor tool developed by Paul Warren. It produces a real-time stream of incoming and outgoing network communications from the operating system iftop is running within. By default, the connections are ordered by bandwidth usage, with only the largest ("top") bandwidth consumers shown. It is analogous to top, but instead of system-wide resource monitoring, it focuses on displaying just network usage. Iftop is typically used for monitoring bandwidth consumption, and while investigating unknown consumers of available network bandwidth.

ngrep Packet analyser

ngrep is a network packet analyzer written by Jordan Ritter. It has a command-line interface, and relies upon the pcap library and the GNU regex library.

Justniffer is a TCP packet sniffer. It can log network traffic in a 'standard' or in a customized way. It can also log response times, useful for tracking network services performances . The output format of the traffic can be easily customized. An example written in Python stores the transferred contents in an output directory separated by domains. This means that the transferred files like html, css, javascript, images, sounds, etc. can be saved to a directory.

Xplico is a network forensics analysis tool (NFAT), which is a software that reconstructs the contents of acquisitions performed with a packet sniffer.

<span class="mw-page-title-main">Network scheduler</span> Arbiter on a node in packet switching communication network

A network scheduler, also called packet scheduler, queueing discipline (qdisc) or queueing algorithm, is an arbiter on a node in a packet switching communication network. It manages the sequence of network packets in the transmit and receive queues of the protocol stack and network interface controller. There are several network schedulers available for the different operating systems, that implement many of the existing network scheduling algorithms.

XDP is an eBPF-based high-performance data path used to send and receive network packets at high rates by bypassing most of the operating system networking stack. It is merged in the Linux kernel since version 4.8. This implementation is licensed under GPL. Large technology firms including Amazon, Google and Intel support its development. Microsoft released their free and open source implementation XDP for Windows in May 2022. It is licensed under MIT License.

PCAP-over-IP is a method for transmitting captured network traffic through a TCP connection. The captured network traffic is transferred over TCP as a PCAP file in order to preserve relevant metadata about the packets, such as timestamps.

<span class="mw-page-title-main">Cilium (computing)</span> Open source cloud computing software

Cilium is a cloud native technology for networking, observability, and security. It is based on the kernel technology eBPF, originally for better networking performance, and now leverages many additional features for different use cases. The core networking component has evolved from only providing a flat Layer 3 network for containers to including advanced networking features, like BGP and Service mesh, within a Kubernetes cluster, across multiple clusters, and connecting with the world outside Kubernetes. Hubble was created as the network observability component and Tetragon was later added for security observability and runtime enforcement. Cilium runs on Linux and is one of the first eBPF applications being ported to Microsoft Windows through the eBPF on Windows project.

References

  1. "Release 0.6.8". 11 January 2021. Retrieved 13 January 2021.
  2. "netsniff-ng license". GitHub . Archived from the original on 24 December 2021. Retrieved 20 December 2021.
  3. "Description of the Linux packet-mmap mechanism". Archived from the original on 21 December 2021. Retrieved 6 November 2011.
  4. "netsniff-ng homepage, abstract, zero-copy". Archived from the original on 8 September 2016. Retrieved 6 November 2011.
  5. "Network Security Toolkit Article about trafgen's performance capabilities". 4 November 2011. Archived from the original on 14 February 2022. Retrieved 6 November 2011.
  6. "Developer's blog about trafgen's performance". 16 October 2011. Archived from the original on 25 April 2012. Retrieved 6 November 2011.
  7. "netsniff-ng README". GitHub . Archived from the original on 22 January 2022. Retrieved 16 February 2018.
  8. "netsnif-ng in Debian". Archived from the original on 2021-12-21. Retrieved 2024-06-12.
  9. "Xplico support of netsniff-ng". Archived from the original on 21 December 2021. Retrieved 6 November 2011.
  10. "Security Onion 12.04 RC1 available now!" . Retrieved 16 December 2012.
  11. "Network Security Toolkit adds netsniff-ng". Archived from the original on 24 June 2021. Retrieved 6 November 2011.
  12. "netsniff-ng's trafgen at University of Napoli Federico II". Archived from the original on 10 November 2011. Retrieved 7 November 2011.
  13. "netsniff-ng's trafgen at Columbia University". Archived from the original on 26 August 2021. Retrieved 7 November 2011.
  14. "netsniff-ng FAQ declining a port to Microsoft Windows". Archived from the original on 13 June 2021. Retrieved 21 June 2015.