Netsniff-ng
netsniff-ng is a free, performant Linux networking toolkit originally written by Daniel Borkmann. Its performance gain comes from zero-copy mechanisms for network packets, so that the operating system does not need to copy packets from kernel space to user space via system calls.
Overview
netsniff-ng was initially created as a network sniffer with support for the Linux kernel's zero-copy interface for network packets, but more tools were later added to make it a full toolkit in the style of the iproute2 suite. Through the kernel's zero-copy interface, efficient packet processing can be reached even on commodity hardware; for instance, Gigabit Ethernet wire-speed has been reached with netsniff-ng's trafgen. The netsniff-ng toolkit does not depend on the libpcap library, and no special operating system patches are needed to run it. netsniff-ng is free software and has been released under the terms of the GNU General Public License version 2.
The toolkit currently consists of a network analyzer, packet capturer and replayer, a wire-rate traffic generator, an encrypted multiuser IP tunnel, a Berkeley Packet Filter compiler, networking statistic tools, an autonomous system trace route and more:
- netsniff-ng, a zero-copy analyzer, packet capturer and replayer, itself supporting the pcap file format
- trafgen, a zero-copy wire-rate traffic generator
- bpfc, a Berkeley Packet Filter compiler
- ifpps, a top-like kernel networking statistics tool
- curvetun, a lightweight multiuser IP tunnel based on elliptic curve cryptography
- ashunt, an Autonomous System trace route utility
Distribution-specific packages are available for all major operating system distributions such as Debian or Fedora Linux, including its Security Spin. It has also been added to Xplico's Network Forensic Toolkit, GRML Linux and the Network Security Toolkit. The netsniff-ng toolkit is also used in academia.
Basic commands working in netsniff-ng
In these examples, it is assumed that eth0 is the network interface in use.
- For a geographical AS TCP SYN probe trace route to a website:
  ashunt -d eth0 -N -S -H
- For kernel networking statistics within promiscuous mode:
  ifpps -d eth0 -p
- For high-speed network packet traffic generation, where trafgen.txf is the packet configuration:
  trafgen -d eth0 -c trafgen.txf -b 0
- For compiling a Berkeley Packet Filter fubar.bpf:
  bpfc -i fubar.bpf
- For starting an encrypted ECC IPv4 tunnel in UDP mode on port 6666 (read more: https://github.com/gnumaniacs/netsniff-ng/blob/master/README.curvetun), including STUN detection:
  curvetun -s -4 -u -p 6666 --stun stunserver.org
- For connecting to a curvetun tunnel server (assuming the remote bob-server is configured in curvetun; read more: https://github.com/gnumaniacs/netsniff-ng/blob/master/README.curvetun):
  curvetun --client=bob-server
- For efficiently dumping network traffic into a pcap file:
  netsniff-ng -i eth0 -o dump.pcap -s -b 0
- For efficiently replaying network traffic from a pcap file:
  netsniff-ng -i dump.pcap -o eth0 -s -b 0
- For redirecting network traffic between interfaces:
  netsniff-ng -i eth0 -o eth1 -s -b 0
- For analyzing network traffic on all interfaces:
  netsniff-ng -i any
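The dump and replay commands above exchange data through the classic pcap file format. As an added illustration that is not part of the original article or of the netsniff-ng project, the following Python reader parses such a capture offline: it detects the file's byte order and the nanosecond-timestamp variant from the magic number, and it rejects records whose length exceeds the snaplen or runs past the end of the file, which is what a corrupt or truncated dump looks like. The sample capture is constructed inline.

```python
import struct
from typing import NamedTuple

# Magic numbers from the pcap global header; the file's byte order is
# whichever order makes the magic read correctly.
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D
LINKTYPE_ETHERNET = 1

class Packet(NamedTuple):
    ts: float        # seconds since epoch, fraction from the usec/nsec field
    incl_len: int    # bytes stored in the file (capped by snaplen)
    orig_len: int    # bytes on the wire
    data: bytes

class PcapFile(NamedTuple):
    endian: str
    nanosecond: bool
    snaplen: int
    linktype: int
    packets: list

def parse_pcap(buf: bytes) -> PcapFile:
    """Parse a classic (non-pcapng) capture such as one written by netsniff-ng."""
    if len(buf) < 24:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", buf[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (bad magic)")
    nanosecond = magic == MAGIC_NSEC
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", buf[4:24])
    packets, off = [], 24
    while off + 16 <= len(buf):   # each record: 16-byte header, then incl_len bytes
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", buf[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(buf):
            raise ValueError(f"corrupt record at offset {off - 16}")
        ts = ts_sec + ts_frac / (1e9 if nanosecond else 1e6)
        packets.append(Packet(ts, incl_len, orig_len, buf[off:off + incl_len]))
        off += incl_len
    return PcapFile(endian, nanosecond, snaplen, linktype, packets)

def sample_capture() -> bytes:
    """Constructed sample: little-endian, microsecond pcap with one 60-byte Ethernet frame."""
    frame = bytes.fromhex("ffffffffffff" "0200deadbeef" "0806") + bytes(46)  # broadcast ARP-type frame, padded
    header = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record = struct.pack("<IIII", 1700000000, 500000, len(frame), len(frame))
    return header + record + frame
```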
Platforms
The netsniff-ng toolkit currently runs only on Linux systems. Its developers decline a port to Microsoft Windows.
See also
- Comparison of packet analyzers
- Packet generator
- Traffic generation model
- OpenVPN
- Traceroute
- Wireshark
- Tcpdump