-rw-r--r-- netsniff-ng.8 18
1 files changed, 15 insertions, 3 deletions
diff --git a/netsniff-ng.8 b/netsniff-ng.8
index 0bc874b..15e744c 100644
--- a/netsniff-ng.8
+++ b/netsniff-ng.8
@@ -62,9 +62,7 @@ scheduled move to slower medias). You can then use mergecap(1) to transform
all pcaps into a single large pcap. Thus, netsniff-ng then works multithreaded
eventually.
.PP
-netsniff-ng can also be used to debug netlink traffic. On newer kernels one
-needs to modprobe nlmon so that a ''netlink'' networking device appears that
-can be used as an input device for netsniff-ng.
+netsniff-ng can also be used to debug netlink traffic.
.PP
.SH OPTIONS
.PP
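Review bot: The shortened sentence "netsniff-ng can also be used to debug netlink traffic." no longer tells the reader that an nlmon device is required, and nothing at this spot points to where the setup is now described. Consider keeping a short pointer here, for example a clause saying that a netlink monitoring device is needed and that the setup commands are given in the usage example, so that someone reading only the description does not try a regular interface as input.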
@@ -303,6 +301,20 @@ are not available.
Read a pcap file from stdin and convert it into a trafgen(8) configuration
file to stdout.
.PP
+.SS modprobe nlmon
+.SS ip link add type nlmon
+.SS ip link set nlmon0 up
+.SS netsniff-ng -i nlmon0 -o dump.pcap -s
+.SS ip link set nlmon0 down
+.SS ip link del dev nlmon0
+.SS rmmod nlmon
+In this example, netlink traffic is being captured. If not already done, a
+netlink monitoring device needs to be set up before it can be used to capture
+netlink socket buffers (iproute2's ip(1) commands are given for nlmon device
+setup and teardown). netsniff-ng can then make use of the nlmon device as
+an input device. In this example a pcap file with netlink traffic is being
+recorded.
+.PP
.SH CONFIG FILES
.PP
Files under /etc/netsniff-ng/ can be modified to extend netsniff-ng's
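Review bot: The seven consecutive ".SS" lines each render as a separate subsection heading, so the explanatory paragraph ends up attached only to the last one, ".SS rmmod nlmon", and setup, capture and teardown read as seven unrelated examples. Consider making only the netsniff-ng invocation the heading and moving the modprobe/ip/rmmod steps into the body, or grouping the whole sequence in one verbatim block. Also, "ip link add type nlmon" leaves the device name to the kernel while the following lines hard-code nlmon0; writing "ip link add nlmon0 type nlmon" keeps the sequence correct when another nlmon device already exists. Minor: the paragraph opens two sentences with "In this example", and the "-s" option used in the command is not explained in the text.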