diff options
author | Daniel Borkmann <dborkman@redhat.com> | 2013-05-05 13:15:10 +0200 |
---|---|---|
committer | Daniel Borkmann <dborkman@redhat.com> | 2013-05-05 13:15:10 +0200 |
commit | 9ea8663420e2b591ff7e43176fbfb2137aacf79c (patch) | |
tree | 5d33957f3eda84ff8d1469af7ca809690b415c51 /man/netsniff-ng.8 | |
parent | bdfd22ceea4ba6dba113b1ac8514abb2839b94e4 (diff) |
misc: move file to source root
Only have Makefile specific folders in the project root where the
binaries are stored, the rest should be part of the repository root.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Diffstat (limited to 'man/netsniff-ng.8')
-rw-r--r-- | man/netsniff-ng.8 | 497 |
1 files changed, 0 insertions, 497 deletions
diff --git a/man/netsniff-ng.8 b/man/netsniff-ng.8 deleted file mode 100644 index 023f777..0000000 --- a/man/netsniff-ng.8 +++ /dev/null @@ -1,497 +0,0 @@ -.\" netsniff-ng - the packet sniffing beast -.\" Copyright 2013 Daniel Borkmann. -.\" Subject to the GPL, version 2. - -.TH NETSNIFF-NG 8 "03 March 2013" "Linux" "netsniff-ng toolkit" -.SH NAME -netsniff-ng \- the packet sniffing beast - -.SH SYNOPSIS - -\fB netsniff-ng\fR { [\fIoptions\fR] [\fIfilter-expression\fR] } - -.SH DESCRIPTION - -netsniff-ng is a fast, minimal tool to i) analyze network packets, ii) capture -pcap files, iii) replay pcap files or iv) redirect traffic between interfaces -with the help of zero-copy packet(7) sockets. netsniff-ng uses both, Linux -specific RX_RING and TX_RING interfaces to perform zero-copy, that is, to avoid -copies and system call overhead between kernel and user address space. At the -time, we started hacking on netsniff-ng, the pcap(3) library did not use this -zero-copy facility. - -netsniff-ng is Linux specific only, meaning there is no support for other -operating systems, thus we can keep the code footprint quite minimal and to -the point. Linux' packet(7) sockets and its RX_RING and TX_RING interfaces -bypass the normal packet processing path through the networking stack. Thus, -this is the fastest one can get out of the box in terms of capturing or -transmission performance from user space, without having to load unsupported -or non-mainline third-party kernel modules. We explicitly refuse to build -netsniff-ng on top of ntop/PF_RING. Not because we do not like it (we do find -it interesting), but because of the fact that it is not part of the mainline -kernel. Therefore, the ntop project has to maintain/sync out-of-tree drivers -to adapt them to their DNA. Eventually, we went for untainted Linux kernel, -since its code has a higher rate of reviews, maintenance, security and bug -fixes. - -netsniff-ng also supports early packet filtering in the kernel. It has support -for low-level and high-level packet filters that are translated into Berkeley -Packet Filter instructions. - -netsniff-ng can capture pcap files in several different pcap formats that -are interoperable with other tools. It has different pcap I/O methods supported -(scatter-gather, mmap(2), read(2)/write(2)) for efficient to-disc capturing. -netsniff-ng is also able to rotate pcap files based on data size or time -intervals, thus, making it a useful backend tool for subsequent traffic -analysis. - -netsniff-ng itself also supports analysis, dumping or replay of raw 802.11 -frames. For online or offline analysis netsniff-ng has a built-in packet -dissector for currently 802.3 (Ethernet), 802.11* (WLAN), ARP, MPLS, 802.1Q -(VLAN), 802.1QinQ, LLDP, IPv4, IPv6, ICMPv4, ICMPv6, IGMP, TCP and UDP, -including GeoIP location analysis. Since netsniff-ng does not establish any -state or reassembly during packet dissection, its memory footprint is quite -low, thus, making netsniff-ng quite efficient for offline analysis of large -pcap files as well. - -.SH OPTIONS - -.SS -i <dev|pcap|->, -d <dev|pcap|->, --in <dev|pcap|->, --dev <dev|pcap|-> -Defines an input device, that can either be a networking device, a pcap file -or stdin (``-''). In case of a pcap file, the pcap type (``-D'' option) is -determined automatically by the pcap file magic. In case of stdin, it is -assumed that the input stream is a pcap file. - -.SS -o <dev|pcap|dir|cfg|->, --out <dev|pcap|dir|cfg|-> -Defines the output device, that can either be a networking device, a pcap file, -a folder, a trafgen(8) configuration file or stdout (``-''). In case of a pcap -file, that should not have the default pcap type (0xa1b2c3d4), the additional -option ``-T'' must be provided. If a directory is given, then, instead of a -single pcap file, multiple pcap files are generated with rotation based on -maximum file size or a given interval (``-F'' option). A trafgen configuration -file can currently only be specified if the input device is a pcap file. If -stdout is given as a device, then a trafgen configuration will be written to -stdout if the input device is a pcap file, or a pcap file if the input device -is a networking device. - -.SS -f, --filter <bpf-file|expr> -Specifies to not dump all traffic, but to filter the network packet haystack. -As a filter, either a bpfc(8) compiled file can be passed as a parameter or -a tcpdump(1)-like filter expression in quotes. For details regarding the -bpf-file have a look at bpfc(8), for details regarding a tcpdump(1)-like filter -have a look at section ``filter example'' or at pcap-filter(7). A filter -expression may also be passed to netsniff-ng without option ``-f'' in case -there is no subsequent option following after the command-line filter expression. - -.SS -t, --type <type> -This defines some sort of filtering mechanisms in terms of addressing. Possible -values for type are ``host'' (to us), ``broadcast'' (to all), ``multicast'' (to -group), ``others'' (promiscuous mode) or ``outgoing'' (from us). - -.SS -F, --interval <size|time> -If the output device is a folder, with ``-F'' it is possible to define the pcap -file rotation interval either in terms of size or time. Thus, when the interval -limit has been reached, a new pcap file will be started. As size parameter, the -following values are possible ``<num>KiB/MiB/GiB'' while as a time parameter -it can be ``<num>s/sec/min/hrs''. - -.SS -J, --jumbo-support -On default netsniff-ng's ring buffer frames are of a fixed size of 2048 bytes. -This means that if you're expecting jumbo frames or even super jumbo frames to -pass your line, then you need to enable support for that with the help of this -option. However, this has the disadvantage of a performance regression and a -bigger memory footprint for the ring buffer. - -.SS -R, --rfraw -In case the input or output networking device is a wireless device, it is -possible with netsniff-ng to turn this into monitor mode and create a mon<X> -device that netsniff-ng will be listening on instead of wlan<X>, for instance. -This enables netsniff-ng to analyze, dump, or even replay raw 802.11 frames. - -.SS -n <0|uint>, --num <0|uint> -Process a number of packets and then exit. If the number of packets is 0, then -this is equivalent to infinite packets resp. processing until interrupted. -Otherwise, a number given as an unsigned integer will limit processing. - -.SS -P <name>, --prefix <name> -When dumping pcap files into a folder, a file name prefix can be defined with -this option. If not otherwise specified, the default prefix is ``dump-'' followed -by a unix timestamp. - -.SS -T <pcap-magic>, --magic <pcap-magic> -Specify a pcap type for storage. Different pcap types with their various meta -data capabilities are shown with option ``-D''. If not otherwise specified, the -pcap-magic 0xa1b2c3d4, also known as a standard tcpdump-capable pcap format, is -used. Pcap files with swapped endianess are also supported. - -.SS -D, --dump-pcap-types -Dump all available pcap types with their capabilities and magic numbers that -can be used with option ``-T'' and exit. - -.SS -B, --dump-bpf -If a Berkeley Packet Filter is given, e.g. via option ``-f'', then dump the BPF -disassembly to stdout during ring setup. This only serves for informative or -verification purposes. - -.SS -r, --rand -If the input and output device are both networking devices, then this option will -randomize packet order in the output ring buffer. - -.SS -M, --no-promisc -The networking interface will not be put into promiscuous mode. On default, -promiscuous mode is turned on. - -.SS -A, --no-sock-mem -On startup (and shutdown), netsniff-ng is trying to increase socket read and -write buffers if appropriate. This option will prevent netsniff-ng from doing -that. - -.SS -m, --mmap -Use mmap(2) as pcap file I/O. This is default in case of replaying pcap files. - -.SS -G, --sg -Use scatter-gather as pcap file I/O. This is default in case when capturing -pcap files. - -.SS -c, --clrw -Use slower read(2)/write(2) I/O. This is not the default case anywhere, but in -some situations it could be preferred as it has a lower latency on write-back -to disc. - -.SS -S <size>, --ring-size <size> -Manually define the RX_RING resp. TX_RING size in ``<num>KiB/MiB/GiB''. On -default the size is being determined based on the network connectivity rate. - -.SS -k <uint>, --kernel-pull <uint> -Manually define the interval in micro-seconds where the kernel should be triggered -to batch process the ring buffer frames. On default, it is every 10us, but it can -manually be prolonged, for instance. - -.SS -b <cpu>, --bind-cpu <cpu> -Pin netsniff-ng to a specific CPU and also pin resp. migrate the NIC's IRQ -CPU affinity to this CPU. This option should be preferred in combination with -``-s'' in case a middle till high packet rate is expected. - -.SS -u <uid>, --user <uid> resp. -g <gid>, --group <gid> -After ring setup drop privileges to a non-root user/group combination. - -.SS -H, --prio-high -Set this process as a high priority process in order to achieve a higher -scheduling rate resp. CPU time. This is however not default setting, since -it could lead to starvation of other processes, e.g. low priority kernel -threads. - -.SS -Q, --notouch-irq -Do not reassign the NIC's IRQ CPU affinity settings. - -.SS -s, --silent -Do not enter the packet dissector at all and do not print any packet information -to the terminal. Just shut up and be silent. This option should be preferred in -combination with pcap recording or replay, since it will not flood your terminal -which causes a significant performance regression. - -.SS -q, --less -Print a less verbose one-line information for each packet to the terminal. - -.SS -X, --hex -Only dump packets in hex format to the terminal. - -.SS -l, --ascii -Only display ASCII prinable characters. - -.SS -U, --update -If geographical IP locationing should be used, the built-in database update -mechanism will be invoked to get Maxmind's latest database. To configure -search locations for databases, the file /etc/netsniff-ng/geoip.conf contains -possible addresses. Thus, to save bandwidth or for mirroring Maxmind's -databases (to bypass their traffic limit policy), different hosts or IP -addresses can be placed into geoip.conf, separated by a newline. - -.SS -V, --verbose -Be more verbose during startup, i.e. show detailled ring setup information. - -.SS -v, --version -Show versioning information. - -.SS -h, --help -Show user help. - -.SH USAGE EXAMPLE - -.SS netsniff-ng -The most simple command is to just run ``netsniff-ng''. This will start -listening on all available networking devices in promiscuous mode and dump -the packet dissector output to the terminal. No files will be recorded. - -.SS netsniff-ng --in eth0 --out dump.pcap -s -T 0xa1e2cb12 -b 0 tcp or udp -Capture TCP or UDP traffic from the networking device eth0 into the pcap file -named dump.pcap, which has netsniff-ng specific pcap extensions (see -``netsniff-ng -D'' for capabilities). Also, do not print the content to the -terminal and pin the process and NIC IRQ affinity to CPU 0. The pcap write -method is scatter-gather I/O. - -.SS netsniff-ng --in wlan0 --rfraw --out dump.pcap --silent --bind-cpu 0 -Put the wlan0 device into monitoring mode and capture all raw 802.11 frames -into the file dump.pcap. Do not dissect and print the content to the terminal -and pin the process and NIC IRQ affinity to CPU 0. The pcap write method is -scatter-gather I/O. - -.SS netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 0 -Replay the pcap file dump.pcap which is read through mmap(2) I/O and send -the packets out via the eth0 networking device. Do not dissect and print the -content to the terminal and pin the process and NIC IRQ affinity to CPU 0. -Also trigger the kernel every 1000us to traverse the TX_RING instead of every -10us. Note that the pcap magic type is detected automatically from the pcap -file header. - -.SS netsniff-ng --in eth0 --out eth1 --silent --bind-cpu 0 --type host -r -Redirect network traffic from the networking device eth0 to eth1 for traffic -that is destined for our host, thus ignore broadcast, multicast and promiscuous -traffic. Randomize the order of packets for the outgoing device and do not -print any packet contents to the terminal. Also, pin the process and NIC IRQ -affinity to CPU 0. - -.SS netsniff-ng --in team0 --out /opt/probe/ -s -m -J --interval 100MiB -b 0 -Capture on an aggregated team0 networking device and dump packets into multiple -pcap files that are split into 100MiB each. Use mmap(2) I/O as a pcap write -method, enable support for super jumbo frames up to 64KB, and do not print -the captured data to the terminal. Pin netsniff-ng to and NIC IRQ affinity to -CPU 0. The default pcap magic type is 0xa1b2c3d4 (tcpdump-capable pcap). - -.SS netsniff-ng --in vlan0 --out dump.pcap -c -u `id -u bob` -g `id -g bob` -Capture network traffic on device wlan0 into a pcap file called dump.pcap -by using normal read(2), write(2) I/O for the pcap file (slower but less -latency). Also, after setting up the RX_RING for capture, drop privileges -from root to the user/group ``bob''. Invoke the packet dissector and print -packet contents to the terminal for further analysis. - -.SS netsniff-ng --in any --filter http.bpf -B --jumbo-support --ascii -V -Capture from all available networking interfaces and install a low-level -filter that was previously compiled by bpfc(8) into http.bpf in order to -filter HTTP traffic. Enable super jumbo frame support and only print -human readable packet data to the terminal, and also be more verbose during -setup phase. Moreover, dump a BPF disassembly of http.bpf. - -.SS netsniff-ng --in dump.pcap --out dump.cfg --silent -Convert the pcap file dump.pcap into a trafgen(8) configuration file dump.cfg. -Do not print pcap contents to the terminal. - -.SS netsniff-ng -i dump.pcap -f beacon.bpf -o - -Convert the pcap file dump.pcap into a trafgen(8) configuration file and write -it to stdout. However, do not dump all of its content, but only the one that -passes the low-level filter for raw 802.11 from beacon.bpf. The BPF engine -here is invoked in user space inside of netsniff-ng, so Linux extensions -are not available. - -.SS cat foo.pcap | netsniff-ng -i - -o - -Read a pcap file from stdin and convert it into a trafgen(8) configuration -file to stdout. - -.SH CONFIG FILES - -Under /etc/netsniff-ng/ there are the following files stored that are used -by netsniff-ng and can be extended if wished: - - * oui.conf - OUI/MAC vendor database - * ether.conf - Ethernet type descriptions - * tcp.conf - TCP port/services map - * udp.conf - UDP port/services map - * geoip.conf - GeoIP database mirrors - -.SH FILTER EXAMPLE - -netsniff-ng supports both, low-level and high-level filters that are -attached to its packet(7) socket. Low-level filters are described in -the bpfc(8) man page. - -Low-level filters can be used with netsniff-ng in the following way: - - 1. bpfc foo > bar - 2. netsniff-ng -f bar - -Here, foo is the bpfc program that will be translated into a netsniff-ng -readable ``opcodes'' file and passed to netsniff-ng through the -f option. - -Similarly, high-level filter can be either passed through the -f option, -e.g. -f "tcp or udp" or at the end of all options without the ``-f''. - -The filter syntax is the same as in tcpdump(8), which is described in -the man page pcap-filter(7). Just to quote some examples from pcap-filter(7): - -.SS host sundown -To select all packets arriving at or departing from sundown. - -.SS host helios and \( hot or ace \) -To select traffic between helios and either hot or ace. - -.SS ip host ace and not helios -To select all IP packets between ace and any host except helios. - -.SS net ucb-ether -To select all traffic between local hosts and hosts at Berkeley. - -.SS gateway snup and (port ftp or ftp-data) -To select all ftp traffic through internet gateway snup. - -.SS ip and not net localnet -To select traffic neither sourced from nor destined for local hosts (if you -gateway to one other net, this stuff should never make it onto your local net). - -.SS tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet -To select the start and end packets (the SYN and FIN packets) of each TCP -conversation that involve a non-local host. - -.SS tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) -To select all IPv4 HTTP packets to and from port 80, i.e. print only packets -that contain data, not, for example, SYN and FIN packets and ACK-only packets. -(IPv6 is left as an exercise for the reader.) - -.SS gateway snup and ip[2:2] > 576 -To select IP packets longer than 576 bytes sent through gateway snup. - -.SS ether[0] & 1 = 0 and ip[16] >= 224 -To select IP broadcast or multicast packets that were not sent via Ethernet -broadcast or multicast. - -.SS icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply -To select all ICMP packets that are not echo requests/replies (i.e., not -ping packets). - -.SH NOTE -For introducing bit errors, delays with random variation and more -while replaying pcaps, make use of tc(8) with its disciplines such -as netem. - -netsniff-ng does only some basic, architecture generic tuning on -startup. If you are considering to do high performance capturing, -you need to carefully tune your machine, hardware and software-wise. -Simply letting netsniff-ng run without thinking about your underlying -system might not necessarily give you the desired performance. Note -that tuning your system is always a tradeoff and fine-grained -balancing act (e.g. throughput vs. latency). You should know what -you're doing! - -One recommendation for software-based tuning is tuned(8). Besides -that, there are many other things to consider. Just to throw you -a few things that you might want to look at: NAPI networking drivers, -tickless kernel, I/OAT DMA engine, Direct Cache Access, RAM-based -file systems, multi-queues, and many more things. Also, you might -want to read the kernel's Documentation/networking/scaling.txt file -regarding technologies such as RSS, RPS, RFS, aRFS and XPS. Also -check your ethtool(8) settings, e.g. regarding offloading or -Ethernet pause frames etc. - -Moreover, to get a deeper understanding of netsniff-ng internals -and how it interacts with the Linux kernel, the kernel documentation -under Documentation/networking/{packet_mmap.txt, filter.txt, -multiqueue.txt} might be of interest. - -How do you sniff in a switched environment? I rudely refer to dSniff's -documentation that says: - -The easiest route is simply to impersonate the local gateway, stealing -client traffic en route to some remote destination. Of course, the traffic -must be forwarded by your attacking machine, either by enabling kernel IP -forwarding or with a userland program that acccomplishes the same -(fragrouter -B1). - -Several people have reportedly destroyed connectivity on their LAN to the -outside world by arpspoof'ing the gateway, and forgetting to enable IP -forwarding on the attacking machine. Don't do this. You have been warned. - -If you do not need to dump all possible traffic, you have to consider -running netsniff-ng with a BPF filter for the ingress path. For that -purpose, read the bpfc(8) man page. - -Also, to aggregate multiple NICs that you want to capture on, you -should consider using team devices, further explained in libteam resp. -teamd(8). - -The following netsniff-ng pcap magic numbers are compatible with other -tools, at least tcpdump or Wireshark: - - 0xa1b2c3d4 (tcpdump-capable pcap) - 0xa1b23c4d (tcpdump-capable pcap with ns resolution) - 0xa1b2cd34 (Alexey Kuznetzov's pcap) - -Pcap files with different meta data endianess are supported by netsniff-ng -as well. - -.SH BUGS - -When replaying pcap files, the timing information from the pcap packet -header is currently ignored. - -Also, when replaying pcap files, demultiplexing traffic among multiple -networking interfaces does not work. Currently, it is only sent via the -interface that is given by the --out parameter. - -When performing traffic capture on the Ethernet interface, the pcap file -is created and packets are received but without a 802.1Q header. When one -uses tshark, all headers are visible, but netsniff-ng removes 802.1Q -headers. Is that normal behavior? - -Yes and no. The way how VLAN headers are handled in PF_PACKET sockets by the -kernel is somewhat ``problematic'' [1]. The problem in the Linux kernel is that -some drivers already handle VLAN, others not. Those who handle it can have -different implementations, i.e. hardware acceleration and so on. So in some -cases the VLAN tag is even stripped before entering the protocol stack, in -some cases probably not. Bottom line is that a "hack" was introduced in -PF_PACKET so that a VLAN ID is visible in some helper data structure that is -accessible from the RX_RING. - -And then it gets really messy in the user space to artificially put the VLAN -header back into the right place. Not mentioning about the resulting performance -implications on that of all libpcap(3) tools since parts of the packet need to -be copied for reassembly via memmove(3). - -A user reported the following, just to demonstrate this mess: some tests were -made with two machines, and it seems that results depends on the driver ... - AR8131: - ethtool -k eth0 gives "rx-vlan-offload: on" - - wireshark gets the vlan header - - netsniff-ng doesn't get the vlan header - ethtool -K eth0 rxvlan off - - wireshark gets a QinQ header even though noone sent QinQ - - netsniff-ng gets the vlan header - RTL8111/8168B: - ethtool -k eth0 gives "rx-vlan-offload: on" - - wireshark gets the vlan header - - netsniff-ng doesn't get the vlan header - ethtool -K eth0 rxvlan off - - wireshark gets the vlan header - - netsniff-ng doesn't get the vlan header -Even if we would agree on doing the same workaround as libpcap, we still will -not be able to see QinQ, for instance, due to the fact that only one VLAN tag -is stored in the kernel helper data structure. We think that there should be -a good consensus on the kernel space side about what gets transferred to the -userland first. - -Update (28.11.2012): the Linux kernel and also bpfc(8) has built-in support -for hardware accelerated VLAN filtering, even though tags might not be visible -in the payload itself as reported here. However, the filtering for VLANs works -reliable if your NIC supports it. See bpfc(8) for an example. - - [1] http://lkml.indiana.edu/hypermail/linux/kernel/0710.3/3816.html - -.SH LEGAL -netsniff-ng is licensed under the GNU GPL version 2.0. - -.SH HISTORY -.B netsniff-ng -was originally written for the netsniff-ng toolkit by Daniel Borkmann. Bigger -contributions were made by Emmanuel Roullit, Markus Amend, Tobias Klauser and -Christoph Jaeger. It is currently maintained by Tobias Klauser -<tklauser@distanz.ch> and Daniel Borkmann <dborkma@tik.ee.ethz.ch>. - -.SH SEE ALSO -.BR trafgen (8), -.BR mausezahn (8), -.BR ifpps (8), -.BR bpfc (8), -.BR flowtop (8), -.BR astraceroute (8), -.BR curvetun (8) - -.SH AUTHOR -Manpage was written by Daniel Borkmann. |