author Daniel Borkmann <dborkman@redhat.com> 2013-07-03 12:11:49 +0200
committer Daniel Borkmann <dborkman@redhat.com> 2013-07-03 12:11:49 +0200
commit 20425ad2544bd1d8fb2c2c17cfb0a71026816826
tree 432780da0cd7e039d0f9f2a42c5bd68ad72a4625 /netsniff-ng.8
parent dcc8ef3866dd743e9bb230cd44b81a5373cf07ab
man: netsniff-ng: elaborate on capturing netlink traffic
As nlmon's device setup has now been changed to use rtnl link setup, give a full example on how to set up and tear down nlmon devices.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Diffstat (limited to 'netsniff-ng.8')
-rw-r--r-- netsniff-ng.8 18
1 files changed, 15 insertions, 3 deletions
diff --git a/netsniff-ng.8 b/netsniff-ng.8
index 0bc874b..15e744c 100644
--- a/netsniff-ng.8
+++ b/netsniff-ng.8
@@ -62,9 +62,7 @@ scheduled move to slower medias). You can then use mergecap(1) to transform
all pcaps into a single large pcap. Thus, netsniff-ng then works multithreaded
eventually.
.PP
-netsniff-ng can also be used to debug netlink traffic. On newer kernels one
-needs to modprobe nlmon so that a ''netlink'' networking device appears that
-can be used as an input device for netsniff-ng.
+netsniff-ng can also be used to debug netlink traffic.
.PP
.SH OPTIONS
.PP
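Review bot: the replacement line "netsniff-ng can also be used to debug netlink traffic." no longer tells the reader at this point that an nlmon device has to exist and be used as the input device, which the three removed lines did. Since that detail now lives only in the example added further down, consider ending this sentence with a short pointer to that example so the description does not read as if netlink capture works on any interface.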
@@ -303,6 +301,20 @@ are not available.
Read a pcap file from stdin and convert it into a trafgen(8) configuration
file to stdout.
.PP
+.SS modprobe nlmon
+.SS ip link add type nlmon
+.SS ip link set nlmon0 up
+.SS netsniff-ng -i nlmon0 -o dump.pcap -s
+.SS ip link set nlmon0 down
+.SS ip link del dev nlmon0
+.SS rmmod nlmon
+In this example, netlink traffic is being captured. If not already done, a
+netlink monitoring device needs to be set up before it can be used to capture
+netlink socket buffers (iproute2's ip(1) commands are given for nlmon device
+setup and teardown). netsniff-ng can then make use of the nlmon device as
+an input device. In this example a pcap file with netlink traffic is being
+recorded.
+.PP
.SH CONFIG FILES
.PP
Files under /etc/netsniff-ng/ can be modified to extend netsniff-ng's
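Review bot: the added line "ip link add type nlmon" does not name the device, while every following command assumes it is called nlmon0; writing "ip link add nlmon0 type nlmon" would make the sequence self-consistent instead of relying on the kernel's default naming. The description also says setup is only needed "if not already done", yet "ip link del dev nlmon0" and "rmmod nlmon" are listed unconditionally, so it is worth stating that the teardown steps should be skipped when the device or module was already present before the capture. As a style point, the seven consecutive ".SS" lines each become their own subsection heading with no body, and only the last one is followed by the explanatory paragraph; grouping the commands under a single heading would make it clear they form one procedure.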