diff options
| -rw-r--r-- | bpfc.8 | 200 | ||||
| -rw-r--r-- | curvetun.8 | 156 | ||||
| -rw-r--r-- | ifpps.8 | 91 | ||||
| -rw-r--r-- | netsniff-ng.8 | 389 |
4 files changed, 421 insertions, 415 deletions
@@ -1,113 +1,113 @@ .\" netsniff-ng - the packet sniffing beast .\" Copyright 2013 Daniel Borkmann. .\" Subject to the GPL, version 2. - +.PP .TH BPFC 8 "03 March 2013" "Linux" "netsniff-ng toolkit" .SH NAME -bpfc \- a Berkeley Packet Filter assembler/compiler - +bpfc \- a Berkeley Packet Filter assembler and compiler +.PP .SH SYNOPSIS - +.PP \fB bpfc\fR { [\fIoptions\fR] | [\fIsource-file\fR] } - +.PP .SH DESCRIPTION - -bpfc is a small Berkeley Packet Filter assembler/compiler which is able to +.PP +bpfc is a small Berkeley Packet Filter assembler and compiler which is able to translate BPF assembler-like mnemonics into a numerical or C-like format, that can be read by tools such as netsniff-ng, iptables (xt_bpf) and many others. BPF is the one and only upstream filtering construct that is used in combination with packet(7) sockets. The Linux kernel and also BSD kernels -implement ``virtual machine'' like constructs and JIT compilers that mimic +implement "virtual machine" like constructs and JIT compilers that mimic a small register-based machine in BPF architecture and execute filter code -that is e.g. composed by bpfc on a data buffer that is given by network +that is, for example, composed by bpfc on a data buffer that is given by network packets. The purpose of this is to shift computation in time, so that the -kernel can drop (or truncate) incoming packets as early as possible without +kernel can drop or truncate incoming packets as early as possible without having to push them to user space for further analysis first. Meanwhile, -BPF constructs also find application in other areas like the communication -between user and kernel space. - -By the time of writing this man page, the only available BPF compiler is +BPF constructs also find application in other areas such as in the +communication between user and kernel space like system call sand-boxing. +.PP +At the time of writing this man page, the only available BPF compiler is part of the pcap(3) library and accessible through a high-level filter -language that might be familiar for many people as tcpdump-like filters. - -However, quite often, it is useful to bypass that compiler and write -optimized code that couldn't be produced by the pcap(3) compiler, was +language that might be familiar to many people as tcpdump-like filters. +.PP +However, it is quite often useful to bypass that compiler and write +optimized code that cannot be produced by the pcap(3) compiler, or is wrongly optimized, or is defective on purpose in order to debug test kernel code. Also, a reason to use bpfc could be to try out some new BPF extensions -that are not supported by other compilers. Furthermore, bpfc can be of good -use to verify JIT compiler behaviour or to find possible bugs that need +that are not supported by other compilers. Furthermore, bpfc can be useful +to verify JIT compiler behavior or to find possible bugs that need to be fixed. - +.PP bpfc is implemented with the help of flex(1) and bison(1), tokenizes the -source file in a first stage and parses it's content into an AST. In two +source file in the first stage and parses its content into an AST. In two code generation stages it emits target opcodes. bpfc furthermore supports Linux kernel BPF extensions. More about that can be found in the syntax section. - +.PP The Linux kernel BPF JIT compiler is automatically turned on if detected by netsniff-ng. However, it can also be manually turned on through the -command ``echo "1" > /proc/sys/net/core/bpf_jit_enable'' (normal working -mode) or ``echo "2" > /proc/sys/net/core/bpf_jit_enable'' (debug mode +command ''echo "1" > /proc/sys/net/core/bpf_jit_enable'' (normal working +mode) or ''echo "2" > /proc/sys/net/core/bpf_jit_enable'' (debug mode where emitted opcodes of the image are printed to the kernel log). An -architecture generic BPF JIT image disassembler can be found in the kernel +architecture agnostic BPF JIT image disassembler can be found in the kernel source tree under: tools/net/bpf_jit_disasm.c - +.PP .SH OPTIONS - +.PP .SS -i <source-file/->, --input <source-file/-> Read BPF assembly instruction from an input file or from stdin. - +.PP .SS -f <format>, --format <format> Specify a different output format than the default that is netsniff-ng compatible. The <format> specifier can be: C, netsniff-ng, xt_bpf, tcpdump. - +.PP .SS -b, --bypass Bypass basic filter validation when emitting opcodes. This can be useful -for explicitly creating malformed BPF expressions that should be injected -into the kernel, e.g. for bug testing. - +for explicitly creating malformed BPF expressions for injecting +into the kernel, for example, for bug testing. +.PP .SS -V, --verbose Be more verbose and display some bpfc debugging information. - +.PP .SS -d, --dump Dump all supported instructions to stdout. - +.PP .SS -v, --version -Show versioning information and exit. - +Show version information and exit. +.PP .SS -h, --help Show user help and exit. - +.PP .SH SYNTAX - +.PP The BPF architecture resp. register machine consists of the following elements: - +.PP Element Description - +.PP A 32 bit wide accumulator X 32 bit wide X register - M[] 16 x 32 bit wide misc registers aka ``scratch -memory store'', addressable from 0 to 15 - -A program, that is translated by bpfc into ``opcodes'' is an array that + M[] 16 x 32 bit wide misc registers aka \[lq]scratch +memory store\[rq], addressable from 0 to 15 +.PP +A program, that is translated by bpfc into ''opcodes'' is an array that consists of the following elements: - +.PP o:16, jt:8, jf:8, k:32 - +.PP The element o is a 16 bit wide opcode that has a particular instruction encoded, jt and jf are two 8 bit wide jump targets, one for condition -``true'', one for condition ``false''. Last but not least the 32 bit wide +''true'', one for condition ''false''. Last but not least the 32 bit wide element k contains a miscellaneous argument that can be interpreted in different ways depending on the given instruction resp. opcode. - +.PP The instruction set consists of load, store, branch, alu, miscellaneous and return instructions that are also represented in bpfc syntax. This -table also includes own bpfc extensions. All operations are based on +table also includes bpfc's own extensions. All operations are based on unsigned data structures: - +.PP Instruction Addressing mode Description - +.PP ld 1, 2, 3, 4, 10 Load word into A ldi 4 Load word into A ldh 1, 2 Load half-word into A @@ -115,10 +115,10 @@ unsigned data structures: ldx 3, 4, 5, 10 Load word into X ldxi 4 Load word into X ldxb 5 Load byte into X - +.PP st 3 Copy A into M[] stx 3 Copy X into M[] - +.PP jmp 6 Jump to label ja 6 Jump to label jeq 7, 8 Jump on k == A @@ -129,7 +129,7 @@ unsigned data structures: jgt 7, 8 Jump on k > A jge 7, 8 Jump on k >= A jset 7, 8 Jump on k & A - +.PP add 0, 4 A + <x> sub 0, 4 A - <x> mul 0, 4 A * <x> @@ -141,14 +141,14 @@ unsigned data structures: xor 0, 4 A ^ <x> lsh 0, 4 A << <x> rsh 0, 4 A >> <x> - +.PP tax Copy A into X txa Copy X into A - +.PP ret 4, 9 Return - +.PP Addressing mode Syntax Description - +.PP 0 x Register X 1 [k] BHW at byte offset k in the packet 2 [x + k] BHW at the offset X + k in the packet @@ -160,9 +160,9 @@ unsigned data structures: 8 #k,Lt Jump to Lt if predicate is true 9 a Accumulator A 10 extension BPF extension (see next table) - +.PP Extension (and alias) Description - +.PP #len, len, #pktlen, pktlen Length of packet (skb->len) #pto, pto, #proto, proto Ethernet type field (skb->protocol) #type, type Packet type (**) (skb->pkt_type) @@ -177,15 +177,15 @@ unsigned data structures: #cpu, cpu Current CPU (raw_smp_processor_id()) #vlant, vlant, #vlan_tci, vlan_tci VLAN TCI value (vlan_tx_tag_get(skb)) #vlanp, vlanp VLAN present (vlan_tx_tag_present(skb)) - +.PP Further extension details (**) Value - +.PP #type, type 0 - to us / host 1 - to all / broadcast 2 - to group / multicast 3 - to others (promiscuous mode) 4 - outgoing of any type - +.PP #hat, hat, #hatype, hatype 1 - Ethernet 10Mbps 8 - APPLEtalk 19 - ATM @@ -201,46 +201,46 @@ unsigned data structures: 803 - IEEE 802.11 + radiotap header 823 - GRE over IP6 [...] See include/uapi/linux/if_arp.h - +.PP Note that the majority of BPF extensions are available on Linux only. - +.PP There are two types of comments in bpfc source-files: - +.PP 1. Multi-line C-style comments: /* put comment here */ 2. Single-line ASM-style comments: ; put comment here - +.PP Used Abbreviations: - +.PP BHW: byte, half-word, or word - +.PP .SH SOURCE EXAMPLES - -In this section, we give a couple of examples for bpfc source-files, in other +.PP +In this section, we give a couple of examples of bpfc source files, in other words, some small example filter programs: - +.PP .SS Only return packet headers (truncate packets): - +.PP ld poff ret a - +.PP .SS Only allow ARP packets: - +.PP ldh [12] jne #0x806, drop ret #-1 drop: ret #0 - +.PP .SS Only allow IPv4 TCP packets: - +.PP ldh [12] jne #0x800, drop ldb [23] jneq #6, drop ret #-1 drop: ret #0 - -.SS Only allow IPv4 TCP, SSH traffic: - +.PP +.SS Only allow IPv4 TCP SSH traffic: +.PP ldh [12] jne #0x800, drop ldb [23] @@ -254,59 +254,59 @@ words, some small example filter programs: jne #0x16, drop pass: ret #-1 drop: ret #0 - +.PP .SS Allow any (hardware accelerated) VLAN: - +.PP ld vlanp jeq #0, drop ret #-1 drop: ret #0 - +.PP .SS Only allow traffic for (hardware accelerated) VLAN 10: - +.PP ld vlant jneq #10, drop ret #-1 drop: ret #0 - +.PP .SS More pedantic check for the above VLAN example: - +.PP ld vlanp jeq #0, drop ld vlant jneq #10, drop ret #-1 drop: ret #0 - +.PP .SH USAGE EXAMPLE - +.PP .SS bpfc fubar -Compile the source file ``fubar'' into BPF opcodes. Opcodes will be +Compile the source file ''fubar'' into BPF opcodes. Opcodes will be directed to stdout. - +.PP .SS bpfc -f xt_bpf -b -i fubar, resp. iptables -A INPUT -m bpf --bytecode "`bpfc -f xt_bpf -i fubar`" -j LOG -Compile the source file ``fubar'' into BPF opcodes, bypass basic filter +Compile the source file ''fubar'' into BPF opcodes, bypass basic filter validation and emit opcodes in netfilter's xt_bpf readable format. - +.PP .SS bpfc - Read bpfc instruction from stdin and emit opcodes to stdout. - +.PP .SS bpfc foo > bar, resp. netsniff-ng -f bar ... Compile filter instructions from file foo and redirect bpfc's output into the file bar, that can then be read by netsniff-ng(8) through option -f. - +.PP .SS bpfc -f tcpdump -i fubar -Output opcodes from source file fubar in the same behaviour as ``tcpdump -ddd''. - +Output opcodes from source file fubar in the same behavior as ''tcpdump -ddd''. +.PP .SH LEGAL bpfc is licensed under the GNU GPL version 2.0. - +.PP .SH HISTORY .B bpfc was originally written for the netsniff-ng toolkit by Daniel Borkmann. It is currently maintained by Tobias Klauser <tklauser@distanz.ch> and Daniel Borkmann <dborkma@tik.ee.ethz.ch>. - +.PP .SH SEE ALSO .BR netsniff-ng (8), .BR trafgen (8), @@ -315,6 +315,6 @@ Borkmann <dborkma@tik.ee.ethz.ch>. .BR flowtop (8), .BR astraceroute (8), .BR curvetun (8) - +.PP .SH AUTHOR Manpage was written by Daniel Borkmann. @@ -1,90 +1,90 @@ .\" netsniff-ng - the packet sniffing beast .\" Copyright 2013 Daniel Borkmann. .\" Subject to the GPL, version 2. - +.PP .TH CURVETUN 8 "03 March 2013" "Linux" "netsniff-ng toolkit" .SH NAME curvetun \- a lightweight Curve25519 IP tunnel - +.PP .SH SYNOPSIS - +.PP \fB curvetun\fR [\fIoptions\fR] - +.PP .SH DESCRIPTION curvetun is a lightweight, high-speed ECDH multiuser IP tunnel for Linux that is based on epoll(2). curvetun uses the Linux TUN/TAP interface and supports {IPv4, IPv6} over {IPv4, IPv6} with UDP or TCP as carrier protocols. - -It has an integrated packet forwarding trie, thus multiple users with +.PP +It has an integrated packet forwarding tree, thus multiple users with different IPs can be handled via a single tunnel device on the server side -and flows are scheduled for processing in a CPU affine way, at least in case -of TCP as a carrier protocol. - -As key management, public-key cryptography based on elliptic curves are being +and flows are scheduled for processing in a CPU efficient way, at least in the +case of TCP as the carrier protocol. +.PP +For key management, public-key cryptography based on elliptic curves are being used and packets are encrypted end-to-end by the symmetric stream cipher Salsa20 and authenticated by the MAC Poly1305, where keys have previously been computed with the ECDH key agreement protocol Curve25519. - +.PP Cryptography is based on Daniel J. Bernstein's networking and cryptography -library ``NaCl''. By design, curvetun does not provide any particular pattern +library \[lq]NaCl\[rq]. By design, curvetun does not provide any particular pattern or default port numbers that gives certainty that the connection from a particular flow is actually running curvetun. - -However, if you have further needs to bypass censorship, you can try using +.PP +However, if you have a further need to bypass censorship, you can try using curvetun in combination with Tor's obfsproxy or Telex. Furthermore, curvetun -also protects you against replay attacks and DH man in the middle. +also protects you against replay attacks and DH man-in-the-middle attacks. Additionally, server-side syslog event logging can also be disabled to not reveal any critical user connection data. - +.PP .IP " 1." 4 obfsproxy from the TOR project .RS 4 \%https://www.torproject.org/projects/obfsproxy.html.en .RE - +.PP .IP " 2." 4 -Telex, anticensorship in the network infrastructure +Telex, anti-censorship in the network infrastructure .RS 4 \%https://telex.cc/ .RE - +.PP .SH OPTIONS - -todo - +.PP +todo FIXME +.PP .SH CRYPTOGRAPHY -IP tunnels are usually used to create virtual private networks (VPN), where -parts of the network can only be reached via an unsecure or untrusted underlay -network like the Internet. Only few software exists to create such tunnels, +Encrypted IP tunnels are often used to create virtual private networks (VPN), +where parts of the network can only be reached via an insecure or untrusted medium +such as the Internet. Only a few software utilities exists to create such tunnels, or, VPNs. Two popular representatives of such software are OpenVPN and VTUN. - +.PP The latter also introduced the TUN/TAP interfaces into the Linux kernel. VTUN -only has a rather basic encryption module, that doesn't fit into todays -cryptographic needs. By default MD5 is used to create 128-Bit wide keys for +only has a rather basic encryption module, that does not fit todays +cryptographic needs. By default, MD5 is used to create 128-Bit wide keys for the symmetric BlowFish cipher in ECB mode [1]. - -Although OpenSSL is used in both, VTUN and OpenVPN, OpenVPN is much more +.PP +Although OpenSSL is used in both VTUN and OpenVPN, OpenVPN is much more feature rich regarding ciphers and user authentication. Nevertheless, letting -people choose ciphers or authentication methods does not necessarily mean a +people choose ciphers or authentication methods is not necessarily a good thing: administrators could either prefer speed over security and therefore choose weak ciphers, so that the communication system will be as good as without any cipher; they could choose weak passwords for symmetric encryption or they could misconfigure the communication system by having too -much choices of ciphers and too little experience for picking the right one. - +much choice of ciphers and too little experience for picking the right one. +.PP Next to the administration issues, there are also software development issues. Cryptographic libraries like OpenSSL are a huge mess and too low-level and -complex to probably fully understand or correctly apply, so that they form a +complex to properly fully understand or correctly apply, so that they form a further ground for vulnerabilities of such software. - +.PP In 2010, the cryptographers Tanja Lange and Daniel J. Bernstein have therefore created and published a cryptography library for networking, which is called -NaCl (pronounced ``salt''). NaCl challenges such addressed problems as in +NaCl (pronounced ''salt''). NaCl addresses such problems as mentioned in OpenSSL and, in contrast to the rather generic use of OpenSSL, was created with a strong focus on public-key authenticated encryption based on elliptic curve cryptography, which is used in curvetun. Partially quoting Daniel J. Bernstein: - +.PP RSA is somewhat older than elliptic-curve cryptography: RSA was introduced in 1977, while elliptic-curve cryptography was introduced in 1985. However, RSA has shown many more weaknesses than elliptic-curve cryptography. RSA's @@ -95,29 +95,29 @@ developed against some rare elliptic curves having special algebraic structures, and the amount of computer power available to attackers has predictably increased, but typical elliptic curves require just as much computer power to break today as they required twenty years ago. - +.PP IEEE P1363 standardized elliptic-curve cryptography in the late 1990s, including a stringent list of security criteria for elliptic curves. NIST used the IEEE P1363 criteria to select fifteen specific elliptic curves at -five different security levels. In 2005, NSA issued a new ``Suite B'' +five different security levels. In 2005, NSA issued a new ''Suite B'' standard, recommending the NIST elliptic curves (at two specific security levels) for all public-key cryptography and withdrawing previous recommendations of RSA. - +.PP curvetun uses a particular elliptic curve, Curve25519, introduced in the -following paper: Daniel J. Bernstein, ``Curve25519: new Diffie-Hellman speed +following paper: Daniel J. Bernstein, ''Curve25519: new Diffie-Hellman speed records,'' pages 207-228 in Proceedings of PKC 2006, edited by Moti Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, Lecture Notes in Computer Science 3958, Springer, 2006, ISBN 3-540-33851-9. - +.PP This elliptic curve follows all of the standard IEEE P1363 security criteria. -It also follows new recommendations that achieve ``side-channel immunity'' -and ``twist security'' while improving speed. What this means is that secure +It also follows new recommendations that achieve ''side-channel immunity'' +and ''twist security'' while improving speed. What this means is that secure implementations of Curve25519 are considerably simpler and faster than secure -implementations of (e.g.) NIST P-256; there are fewer opportunities for +implementations of, for example, NIST P-256; there are fewer opportunities for implementors to make mistakes that compromise security, and mistakes are more easily caught by reviewers. - +.PP An attacker who spends a billion dollars on special-purpose chips to attack Curve25519, using the best attacks available today, has about 1 chance in 1000000000000000000000000000 of breaking Curve25519 after a year of computation. @@ -125,64 +125,64 @@ One could achieve similar levels of security with 3000-bit RSA, but encryption and authentication with 3000-bit RSA are not nearly fast enough to handle tunnel traffic and would require much more space in network packets. - +.PP .IP " 1." 4 Security analysis of VTun .RS 4 \%http://www.off.net/~jme/vtun_secu.html .RE - +.PP .IP " 2." 4 NaCl: Networking and Cryptography library .RS 4 \%http://nacl.cr.yp.to/ .RE - +.PP .SH SETUP EXAMPLE If you've never run curvetun before, you need to do an initial setup once. - -At first, make sure that the servers and clients clocks are periodically -synced, for instance, by running a ntp daemon. This is necessary to protect -against replay attacks. Also, make sure if you have read and write access to -/dev/net/tun. You should not run curvetun as root! Then, after you assured -this, the first step is to generate keys and config files. On both, the client +.PP +First, make sure that the servers and clients clocks are periodically +synced, for example, by running an ntp daemon. This is necessary to protect +against replay attacks. Also, make sure you have read and write access to +/dev/net/tun. You should not run curvetun as root! Then, after you have assured +this, the first step is to generate keys and config files. On both the client and server do: - +.PP .B curvetun -k - -You are asked for a username. You can use an email address or whatever suits -you. Here, we assume, you've entered 'mysrv1' on the server and 'myclient1' +.PP +You are asked for a user name. You can use an email address or whatever suits +you. Here, we assume you have entered 'mysrv1' on the server and 'myclient1' on the client side. - -Now, all necessary file have been created under ~/.curvetun. Files include -``priv.key'', ``pub.key'', ``username', ``clients'' and ``servers''. - -``clients'' and ``servers'' are empty at the beginning and need to be filled. -The ``clients'' file is meant for the server, so that it knows what clients -are allowed to connect. The ``servers'' file is for the client, where it can +.PP +Now, all necessary files have been created under ~/.curvetun. Files include +\[lq]priv.key\[rq], \[lq]pub.key\[rq], \[lq]username\[rq], \[lq]clients\[rq] and \[lq]servers\[rq]. +.PP +\[lq]clients\[rq] and \[lq]servers\[rq] are empty at the beginning and need to be filled. +The \[lq]clients\[rq] file is meant for the server, so that it knows what clients +are allowed to connect. The \[lq]servers\[rq] file is for the client, where it can select curvetun servers to connect to. Both files are kept very simple, so that a single configuration line per client or server is sufficient. - -The client needs to export it's public key data for the server: - +.PP +The client needs to export its public key data for the server: +.PP .B curvetun -x - -todo - +.PP +todo FIXME +.PP .SH NOTE -This software is an experimental prototype intended for researchers. Likely, -it will mature over time, but it is currently not advised using this software +This software is an experimental prototype intended for researchers. It will most +likely mature over time, but it is currently not advised to use this software when life is put at risk. - +.PP .SH LEGAL curvetun is licensed under the GNU GPL version 2.0. - +.PP .SH HISTORY .B curvetun was originally written for the netsniff-ng toolkit by Daniel Borkmann. It is currently maintained by Tobias Klauser <tklauser@distanz.ch> and Daniel Borkmann <dborkma@tik.ee.ethz.ch>. - +.PP .SH SEE ALSO .BR netsniff-ng (8), .BR trafgen (8), @@ -191,6 +191,6 @@ Borkmann <dborkma@tik.ee.ethz.ch>. .BR ifpps (8), .BR flowtop (8), .BR astraceroute (8) - +.PP .SH AUTHOR Manpage was written by Daniel Borkmann. @@ -1,22 +1,22 @@ .\" netsniff-ng - the packet sniffing beast .\" Copyright 2013 Daniel Borkmann. .\" Subject to the GPL, version 2. - +.PP .TH IFPPS 8 "03 March 2013" "Linux" "netsniff-ng toolkit" .SH NAME ifpps \- top-like networking and system statistics - +.PP .SH SYNOPSIS - +.PP \fB ifpps\fR { [\fIoptions\fR] | [\fIdevice\fR] } - +.PP .SH DESCRIPTION - +.PP ifpps is a small utility which periodically provides top-like networking and system statistics from the kernel. ifpps gathers its data directly from procfs files and does not apply any user space monitoring libraries -which would falsify statistics on high load. - +which would falsify statistics under high load. +.PP For instance, consider the following scenario: two directly connected Linux machines with Intel Core 2 Quad Q6600 2.40GHz CPUs, 4 GB RAM, and an Intel 82566DC-2 Gigabit Ethernet NIC are used for performance evaluation. @@ -24,74 +24,73 @@ One machine generates 64 byte network packets by using the kernel space packet generator pktgen with a maximum possible packet rate. The other machine displays statistics about incoming network packets by using i) iptraf(8) and ii) ifpps. - -iptraf that incorporates pcap(3) shows an average packet rate of -246,000 pps while on the other hand ifpps shows an average packet rate of -1,378,000 pps. Hence, due to copying packets and deferring statistics -creation into user space, measurement error of approx. 460 per cent +.PP +iptraf which incorporates pcap(3) shows an average packet rate of +246,000 pps while on the other hand ifpps shows an average packet rate +of 1,378,000 pps. Hence, due to packet copies and deferring statistics +creation into user space, a measurement error of approximately 460 per cent occurs. Tools like iptraf might display much more information such as -TCP per flow statistics (therefore the use of the pcap library), which -is not implemented in ifpps, because overall networking statistics are -in our focus; statistics, which are also fairly reliable under high packet -load. - +TCP per flow statistics (hence the use of the pcap library), that is not +possible with ifpps, because overall networking statistics are our focus; +statistics, which are also fairly reliable under high packet load. +.PP .SH OPTIONS - +.PP .SS -d <netdev>, --dev <netdev> -Networking device to fetch statistics from, e.g. eth0, wlan0. - +Networking device to fetch statistics from, for example, eth0, wlan0. +.PP .SS -t <time>, --interval <time> -Statistics refresh interval in milliseconds, default is 1000 ms. - +Statistics refresh interval in milliseconds, default is 1000ms. +.PP .SS -p, --promisc Turn on promiscuous mode for the given networking device. - +.PP .SS -c, --csv Output (once) the ncurses data to the terminal as gnuplot(1)-ready data. - +.PP .SS -l, --loop Continuously output the terminal data after a refresh interval. This option -only is available, if option ``-c'' is given. For ``-l'' it is usually -recommended to redirect the output into a file that is later being processed -with gnuplot(1). - +is only available, if option \[lq]-c\[rq] is given. For \[lq]-l\[rq] it is usually +recommended to redirect the output into a file that is to be be processed +later with gnuplot(1). +.PP .SS -v, --version -Show versioning information. - +Show version information. +.PP .SS -h, --help Show user help. - +.PP .SH USAGE EXAMPLE - +.PP .SS ifpps eth0 Default ncurses output for the eth0 device. - +.PP .SS ifpps -pd eth0 Ncurses output for the eth0 device in promiscuous mode. - +.PP .SS ifpps -lpcd wlan0 > plot.dat Continuous terminal output for the wlan0 device in promiscuous mode. - +.PP .SH NOTE On 10Gbit/s cards or higher, receive and transmit statistics are usually -accumulated each > 1sec. Thus, it might be advised to alter the timing -option to a higher accumulation interval for such cards. - +accumulated at a higher duration interval than 1 second. Thus, it might +be advisable to alter the timing to a higher accumulation interval for such cards. +.PP .SH BUGS -Systems with a failry high number of cores (> 32) are currently not -supported. This should however not be a big deal to fix that. The only -challenge would be to display the presented information in a sane way, -probably by selectively hiding uninteresting statistics. - +Systems with greater than 32 cores are currently not supported. This +should, however, not be a big task to fix. The only challenge would +be to display the presented information in a sane way, probably by +selectively hiding uninteresting statistics. +.PP .SH LEGAL ifpps is licensed under the GNU GPL version 2.0. - +.PP .SH HISTORY .B ifpps was originally written for the netsniff-ng toolkit by Daniel Borkmann. It is currently maintained by Tobias Klauser <tklauser@distanz.ch> and Daniel Borkmann <dborkma@tik.ee.ethz.ch>. - +.PP .SH SEE ALSO .BR netsniff-ng (8), .BR trafgen (8), @@ -100,6 +99,6 @@ Borkmann <dborkma@tik.ee.ethz.ch>. .BR flowtop (8), .BR astraceroute (8), .BR curvetun (8) - +.PP .SH AUTHOR Manpage was written by Daniel Borkmann. diff --git a/netsniff-ng.8 b/netsniff-ng.8 index a8018ab..573a360 100644 --- a/netsniff-ng.8 +++ b/netsniff-ng.8 @@ -1,241 +1,241 @@ .\" netsniff-ng - the packet sniffing beast .\" Copyright 2013 Daniel Borkmann. .\" Subject to the GPL, version 2. - +.PP .TH NETSNIFF-NG 8 "03 March 2013" "Linux" "netsniff-ng toolkit" .SH NAME netsniff-ng \- the packet sniffing beast - +.PP .SH SYNOPSIS - +.PP \fB netsniff-ng\fR { [\fIoptions\fR] [\fIfilter-expression\fR] } - +.PP .SH DESCRIPTION - -netsniff-ng is a fast, minimal tool to i) analyze network packets, ii) capture -pcap files, iii) replay pcap files or iv) redirect traffic between interfaces -with the help of zero-copy packet(7) sockets. netsniff-ng uses both, Linux -specific RX_RING and TX_RING interfaces to perform zero-copy, that is, to avoid -copies and system call overhead between kernel and user address space. At the -time, we started hacking on netsniff-ng, the pcap(3) library did not use this +.PP +netsniff-ng is a fast, minimal tool to analyze network packets, capture +pcap files, replay pcap files, and redirect traffic between interfaces +with the help of zero-copy packet(7) sockets. netsniff-ng uses both Linux +specific RX_RING and TX_RING interfaces to perform zero-copy. This is to avoid +copy and system call overhead between kernel and user address space. When we +started working on netsniff-ng, the pcap(3) library did not use this zero-copy facility. - +.PP netsniff-ng is Linux specific only, meaning there is no support for other operating systems, thus we can keep the code footprint quite minimal and to -the point. Linux' packet(7) sockets and its RX_RING and TX_RING interfaces +the point. Linux packet(7) sockets and its RX_RING and TX_RING interfaces bypass the normal packet processing path through the networking stack. Thus, this is the fastest one can get out of the box in terms of capturing or transmission performance from user space, without having to load unsupported or non-mainline third-party kernel modules. We explicitly refuse to build netsniff-ng on top of ntop/PF_RING. Not because we do not like it (we do find it interesting), but because of the fact that it is not part of the mainline -kernel. Therefore, the ntop project has to maintain/sync out-of-tree drivers +kernel. Therefore, the ntop project has to maintain and sync out-of-tree drivers to adapt them to their DNA. Eventually, we went for untainted Linux kernel, -since its code has a higher rate of reviews, maintenance, security and bug +since its code has a higher rate of review, maintenance, security and bug fixes. - +.PP netsniff-ng also supports early packet filtering in the kernel. It has support for low-level and high-level packet filters that are translated into Berkeley Packet Filter instructions. - +.PP netsniff-ng can capture pcap files in several different pcap formats that are interoperable with other tools. It has different pcap I/O methods supported -(scatter-gather, mmap(2), read(2)/write(2)) for efficient to-disc capturing. +(scatter-gather, mmap(2), read(2), and write(2)) for efficient to-disc capturing. netsniff-ng is also able to rotate pcap files based on data size or time intervals, thus, making it a useful backend tool for subsequent traffic analysis. - +.PP netsniff-ng itself also supports analysis, dumping or replay of raw 802.11 frames. For online or offline analysis netsniff-ng has a built-in packet -dissector for currently 802.3 (Ethernet), 802.11* (WLAN), ARP, MPLS, 802.1Q +dissector for the current 802.3 (Ethernet), 802.11* (WLAN), ARP, MPLS, 802.1Q (VLAN), 802.1QinQ, LLDP, IPv4, IPv6, ICMPv4, ICMPv6, IGMP, TCP and UDP, including GeoIP location analysis. Since netsniff-ng does not establish any -state or reassembly during packet dissection, its memory footprint is quite +state or perform reassembly during packet dissection, its memory footprint is quite low, thus, making netsniff-ng quite efficient for offline analysis of large pcap files as well. - +.PP .SH OPTIONS - +.PP .SS -i <dev|pcap|->, -d <dev|pcap|->, --in <dev|pcap|->, --dev <dev|pcap|-> Defines an input device, that can either be a networking device, a pcap file -or stdin (``-''). In case of a pcap file, the pcap type (``-D'' option) is +or stdin (\[lq]-\[rq]). In case of a pcap file, the pcap type (\[lq]-D\[rq] option) is determined automatically by the pcap file magic. In case of stdin, it is assumed that the input stream is a pcap file. - +.PP .SS -o <dev|pcap|dir|cfg|->, --out <dev|pcap|dir|cfg|-> Defines the output device. This can either be a networking device, a pcap file, -a folder, a trafgen(8) configuration file or stdout (``-''). In case of a pcap -file, that should not have the default pcap type (0xa1b2c3d4), the additional -option ``-T'' must be provided. If a directory is given, then, instead of a +a folder, a trafgen(8) configuration file or stdout (\[lq]-\[rq]). In the case of a pcap +file that should not have the default pcap type (0xa1b2c3d4), the additional +option \[lq]-T\[rq] must be provided. If a directory is given, then, instead of a single pcap file, multiple pcap files are generated with rotation based on -maximum file size or a given interval (``-F'' option). A trafgen configuration +maximum file size or a given interval (\[lq]-F\[rq] option). A trafgen configuration file can currently only be specified if the input device is a pcap file. If stdout is given as a device, then a trafgen configuration will be written to stdout if the input device is a pcap file, or a pcap file if the input device is a networking device. - +.PP .SS -f, --filter <bpf-file|expr> Specifies to not dump all traffic, but to filter the network packet haystack. As a filter, either a bpfc(8) compiled file can be passed as a parameter or a tcpdump(1)-like filter expression in quotes. For details regarding the bpf-file have a look at bpfc(8), for details regarding a tcpdump(1)-like filter -have a look at section ``filter example'' or at pcap-filter(7). A filter -expression may also be passed to netsniff-ng without option ``-f'' in case +have a look at section \[lq]filter example\[rq] or at pcap-filter(7). A filter +expression may also be passed to netsniff-ng without option \[lq]-f\[rq] in case there is no subsequent option following after the command-line filter expression. - +.PP .SS -t, --type <type> This defines some sort of filtering mechanisms in terms of addressing. Possible -values for type are ``host'' (to us), ``broadcast'' (to all), ``multicast'' (to -group), ``others'' (promiscuous mode) or ``outgoing'' (from us). - +values for type are \[lq]host\[rq] (to us), \[lq]broadcast\[rq] (to all), \[lq]multicast\[rq] (to +group), \[lq]others\[rq] (promiscuous mode) or \[lq]outgoing\[rq] (from us). +.PP .SS -F, --interval <size|time> -If the output device is a folder, with ``-F'' it is possible to define the pcap +If the output device is a folder, with \[lq]-F\[rq] it is possible to define the pcap file rotation interval either in terms of size or time. Thus, when the interval limit has been reached, a new pcap file will be started. As size parameter, the -following values are possible ``<num>KiB/MiB/GiB'' while as a time parameter -it can be ``<num>s/sec/min/hrs''. - +following values are accepted \[lq]<num>KiB/MiB/GiB\[rq] while as a time parameter +it can be \[lq]<num>s/sec/min/hrs\[rq]. +.PP .SS -J, --jumbo-support -By default netsniff-ng's ring buffer frames are of a fixed size of 2048 bytes. -This means that if you're expecting jumbo frames or even super jumbo frames to -pass your line, then you need to enable support for that with the help of this -option. However, this has the disadvantage of a performance regression and a -bigger memory footprint for the ring buffer. - +By default, netsniff-ng's ring buffer frames are a fixed size of 2048 bytes. +This means that if you are expecting jumbo frames or even super jumbo frames to +pass through your network, then you need to enable support for that by using +this option. However, this has the disadvantage of performance degradation +and a bigger memory footprint for the ring buffer. +.PP .SS -R, --rfraw In case the input or output networking device is a wireless device, it is possible with netsniff-ng to turn this into monitor mode and create a mon<X> device that netsniff-ng will be listening on instead of wlan<X>, for instance. This enables netsniff-ng to analyze, dump, or even replay raw 802.11 frames. - +.PP .SS -n <0|uint>, --num <0|uint> Process a number of packets and then exit. If the number of packets is 0, then this is equivalent to infinite packets resp. processing until interrupted. Otherwise, a number given as an unsigned integer will limit processing. - +.PP .SS -P <name>, --prefix <name> When dumping pcap files into a folder, a file name prefix can be defined with -this option. If none is specified, the default prefix is ``dump-'' followed by a -unix timestamp. - +this option. If not otherwise specified, the default prefix is \[lq]dump-\[rq] +followed by a Unix timestamp. +.PP .SS -T <pcap-magic>, --magic <pcap-magic> Specify a pcap type for storage. Different pcap types with their various meta -data capabilities are shown with option ``-D''. If not otherwise specified, the +data capabilities are shown with option \[lq]-D\[rq]. If not otherwise specified, the pcap-magic 0xa1b2c3d4, also known as a standard tcpdump-capable pcap format, is used. Pcap files with swapped endianess are also supported. - +.PP .SS -D, --dump-pcap-types Dump all available pcap types with their capabilities and magic numbers that -can be used with option ``-T'' to stdout and exit. - +can be used with option \[lq]-T\[rq] to stdout and exit. +.PP .SS -B, --dump-bpf -If a Berkeley Packet Filter is given, e.g. via option ``-f'', then dump the BPF -disassembly to stdout during ring setup. This only serves for informative or -verification purposes. - +If a Berkeley Packet Filter is given, for example via option \[lq]-f\[rq], then +dump the BPF disassembly to stdout during ring setup. This only serves for informative +or verification purposes. +.PP .SS -r, --rand If the input and output device are both networking devices, then this option will randomize packet order in the output ring buffer. - +.PP .SS -M, --no-promisc The networking interface will not be put into promiscuous mode. By default, promiscuous mode is turned on. - +.PP .SS -A, --no-sock-mem -On startup (and shutdown), netsniff-ng is trying to increase socket read and +On startup and shutdown, netsniff-ng tries to increase socket read and write buffers if appropriate. This option will prevent netsniff-ng from doing that. - +.PP .SS -m, --mmap -Use mmap(2) as pcap file I/O. This is default in case of replaying pcap files. - +Use mmap(2) as pcap file I/O. This is the default when replaying pcap files. +.PP .SS -G, --sg -Use scatter-gather as pcap file I/O. This is default in case when capturing +Use scatter-gather as pcap file I/O. This is the default when capturing pcap files. - +.PP .SS -c, --clrw -Use slower read(2)/write(2) I/O. This is not the default case anywhere, but in +Use slower read(2) and write(2) I/O. This is not the default case anywhere, but in some situations it could be preferred as it has a lower latency on write-back to disc. - +.PP .SS -S <size>, --ring-size <size> -Manually define the RX_RING resp. TX_RING size in ``<num>KiB/MiB/GiB''. On -default the size is being determined based on the network connectivity rate. - +Manually define the RX_RING resp. TX_RING size in \[lq]<num>KiB/MiB/GiB\[rq]. By +default the size is determined based on the network connectivity rate. +.PP .SS -k <uint>, --kernel-pull <uint> Manually define the interval in micro-seconds where the kernel should be triggered to batch process the ring buffer frames. By default, it is every 10us, but it can manually be prolonged, for instance. - +.PP .SS -b <cpu>, --bind-cpu <cpu> Pin netsniff-ng to a specific CPU and also pin resp. migrate the NIC's IRQ CPU affinity to this CPU. This option should be preferred in combination with -``-s'' in case a middle till high packet rate is expected. - +\[lq]-s\[rq] in case a middle till high packet rate is expected. +.PP .SS -u <uid>, --user <uid> resp. -g <gid>, --group <gid> After ring setup drop privileges to a non-root user/group combination. - +.PP .SS -H, --prio-high Set this process as a high priority process in order to achieve a higher -scheduling rate resp. CPU time. This is however not default setting, since -it could lead to starvation of other processes, e.g. low priority kernel +scheduling rate resp. CPU time. This is however not the default setting, since +it could lead to starvation of other processes, for example low priority kernel threads. - +.PP .SS -Q, --notouch-irq Do not reassign the NIC's IRQ CPU affinity settings. - +.PP .SS -s, --silent Do not enter the packet dissector at all and do not print any packet information to the terminal. Just shut up and be silent. This option should be preferred in combination with pcap recording or replay, since it will not flood your terminal -which causes a significant performance regression. - +which causes a significant performance degradation. +.PP .SS -q, --less Print a less verbose one-line information for each packet to the terminal. - +.PP .SS -X, --hex Only dump packets in hex format to the terminal. - +.PP .SS -l, --ascii -Only display ASCII prinable characters. - +Only display ASCII printable characters. +.PP .SS -U, --update -If geographical IP locationing should be used, the built-in database update +If geographical IP location is used, the built-in database update mechanism will be invoked to get Maxmind's latest database. To configure search locations for databases, the file /etc/netsniff-ng/geoip.conf contains -possible addresses. Thus, to save bandwidth or for mirroring Maxmind's +possible addresses. Thus, to save bandwidth or for mirroring of Maxmind's databases (to bypass their traffic limit policy), different hosts or IP addresses can be placed into geoip.conf, separated by a newline. - +.PP .SS -V, --verbose -Be more verbose during startup, i.e. show detailled ring setup information. - +Be more verbose during startup, that is to say, show detailed ring setup information. +.PP .SS -v, --version -Show versioning information and exit. - +Show version information and exit. +.PP .SS -h, --help Show user help and exit. - +.PP .SH USAGE EXAMPLE - +.PP .SS netsniff-ng -The most simple command is to just run ``netsniff-ng''. This will start +The most simple command is to just run \[lq]netsniff-ng\[rq]. This will start listening on all available networking devices in promiscuous mode and dump the packet dissector output to the terminal. No files will be recorded. - +.PP .SS netsniff-ng --in eth0 --out dump.pcap -s -T 0xa1e2cb12 -b 0 tcp or udp Capture TCP or UDP traffic from the networking device eth0 into the pcap file named dump.pcap, which has netsniff-ng specific pcap extensions (see -``netsniff-ng -D'' for capabilities). Also, do not print the content to the +\[lq]netsniff-ng -D\[rq] for capabilities). Also, do not print the content to the terminal and pin the process and NIC IRQ affinity to CPU 0. The pcap write method is scatter-gather I/O. - +.PP .SS netsniff-ng --in wlan0 --rfraw --out dump.pcap --silent --bind-cpu 0 Put the wlan0 device into monitoring mode and capture all raw 802.11 frames into the file dump.pcap. Do not dissect and print the content to the terminal and pin the process and NIC IRQ affinity to CPU 0. The pcap write method is scatter-gather I/O. - +.PP .SS netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 0 Replay the pcap file dump.pcap which is read through mmap(2) I/O and send the packets out via the eth0 networking device. Do not dissect and print the @@ -243,164 +243,165 @@ content to the terminal and pin the process and NIC IRQ affinity to CPU 0. Also trigger the kernel every 1000us to traverse the TX_RING instead of every 10us. Note that the pcap magic type is detected automatically from the pcap file header. - +.PP .SS netsniff-ng --in eth0 --out eth1 --silent --bind-cpu 0 --type host -r Redirect network traffic from the networking device eth0 to eth1 for traffic that is destined for our host, thus ignore broadcast, multicast and promiscuous traffic. Randomize the order of packets for the outgoing device and do not print any packet contents to the terminal. Also, pin the process and NIC IRQ affinity to CPU 0. - +.PP .SS netsniff-ng --in team0 --out /opt/probe/ -s -m -J --interval 100MiB -b 0 Capture on an aggregated team0 networking device and dump packets into multiple pcap files that are split into 100MiB each. Use mmap(2) I/O as a pcap write method, enable support for super jumbo frames up to 64KB, and do not print -the captured data to the terminal. Pin netsniff-ng to and NIC IRQ affinity to +the captured data to the terminal. Pin netsniff-ng and NIC IRQ affinity to CPU 0. The default pcap magic type is 0xa1b2c3d4 (tcpdump-capable pcap). - +.PP .SS netsniff-ng --in vlan0 --out dump.pcap -c -u `id -u bob` -g `id -g bob` Capture network traffic on device wlan0 into a pcap file called dump.pcap by using normal read(2), write(2) I/O for the pcap file (slower but less latency). Also, after setting up the RX_RING for capture, drop privileges -from root to the user/group ``bob''. Invoke the packet dissector and print +from root to the user and group \[lq]bob\[rq]. Invoke the packet dissector and print packet contents to the terminal for further analysis. - +.PP .SS netsniff-ng --in any --filter http.bpf -B --jumbo-support --ascii -V Capture from all available networking interfaces and install a low-level filter that was previously compiled by bpfc(8) into http.bpf in order to filter HTTP traffic. Enable super jumbo frame support and only print human readable packet data to the terminal, and also be more verbose during setup phase. Moreover, dump a BPF disassembly of http.bpf. - +.PP .SS netsniff-ng --in dump.pcap --out dump.cfg --silent Convert the pcap file dump.pcap into a trafgen(8) configuration file dump.cfg. Do not print pcap contents to the terminal. - +.PP .SS netsniff-ng -i dump.pcap -f beacon.bpf -o - Convert the pcap file dump.pcap into a trafgen(8) configuration file and write it to stdout. However, do not dump all of its content, but only the one that passes the low-level filter for raw 802.11 from beacon.bpf. The BPF engine here is invoked in user space inside of netsniff-ng, so Linux extensions are not available. - +.PP .SS cat foo.pcap | netsniff-ng -i - -o - Read a pcap file from stdin and convert it into a trafgen(8) configuration file to stdout. - +.PP .SH CONFIG FILES - -Under /etc/netsniff-ng/ there are the following files stored that are used -by netsniff-ng and can be extended if wished: - +.PP +Under /etc/netsniff-ng/ there are stored the following files that are used +by netsniff-ng and can be extended if so wished: +.PP * oui.conf - OUI/MAC vendor database * ether.conf - Ethernet type descriptions * tcp.conf - TCP port/services map * udp.conf - UDP port/services map * geoip.conf - GeoIP database mirrors - +.PP .SH FILTER EXAMPLE - +.PP netsniff-ng supports both, low-level and high-level filters that are attached to its packet(7) socket. Low-level filters are described in the bpfc(8) man page. - +.PP Low-level filters can be used with netsniff-ng in the following way: - +.PP 1. bpfc foo > bar 2. netsniff-ng -f bar - +.PP Here, foo is the bpfc program that will be translated into a netsniff-ng -readable ``opcodes'' file and passed to netsniff-ng through the -f option. - +readable \[lq]opcodes\[rq] file and passed to netsniff-ng through the -f option. +.PP Similarly, high-level filter can be either passed through the -f option, -e.g. -f "tcp or udp" or at the end of all options without the ``-f''. - +e.g. -f "tcp or udp" or at the end of all options without the \[lq]-f\[rq]. +.PP The filter syntax is the same as in tcpdump(8), which is described in the man page pcap-filter(7). Just to quote some examples from pcap-filter(7): - +.PP .SS host sundown To select all packets arriving at or departing from sundown. - +.PP .SS host helios and \( hot or ace \) To select traffic between helios and either hot or ace. - +.PP .SS ip host ace and not helios To select all IP packets between ace and any host except helios. - +.PP .SS net ucb-ether To select all traffic between local hosts and hosts at Berkeley. - +.PP .SS gateway snup and (port ftp or ftp-data) -To select all ftp traffic through internet gateway snup. - +To select all FTP traffic through Internet gateway snup. +.PP .SS ip and not net localnet -To select traffic neither sourced from nor destined for local hosts (if you -gateway to one other net, this stuff should never make it onto your local net). - +To select traffic neither sourced from, nor destined for, local hosts. If you +have a gateway to another network, this traffic should never make it onto +your local network. +.PP .SS tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet To select the start and end packets (the SYN and FIN packets) of each TCP conversation that involve a non-local host. - +.PP .SS tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) -To select all IPv4 HTTP packets to and from port 80, i.e. print only packets +To select all IPv4 HTTP packets to and from port 80, that is to say, print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.) - +.PP .SS gateway snup and ip[2:2] > 576 To select IP packets longer than 576 bytes sent through gateway snup. - +.PP .SS ether[0] & 1 = 0 and ip[16] >= 224 To select IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast. - +.PP .SS icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply -To select all ICMP packets that are not echo requests/replies (i.e., not -ping packets). - +To select all ICMP packets that are not echo requests or replies +(that is to say, not "ping" packets). +.PP .SH PCAP FORMATS: - +.PP netsniff-ng supports a couple of pcap formats, visible through ``netsniff-ng -D'': - +.PP .SS tcpdump-capable pcap (default) Pcap magic number is encoded as 0xa1b2c3d4 resp. 0xd4c3b2a1. As packet meta data this format contains the timeval in microseconds, the original packet length and the captured packet length. - +.PP .SS tcpdump-capable pcap with ns resolution Pcap magic number is encoded as 0xa1b23c4d resp. 0x4d3cb2a1. As packet meta data this format contains the timeval in nanoseconds, the original packet length and the captured packet length. - +.PP .SS Alexey Kuznetzov's pcap Pcap magic number is encoded as 0xa1b2cd34 resp. 0x34cdb2a1. As packet meta data this format contains the timeval in microseconds, the original packet length, the captured packet length, the interface index (sll_ifindex), the packet's protocol (sll_protocol), and the packet type (sll_pkttype). - +.PP .SS netsniff-ng pcap Pcap magic number is encoded as 0xa1e2cb12 resp. 0x12cbe2a1. As packet meta data this format contains the timeval in nanoseconds, the original packet length, the captured packet length, the timestamp hw/sw source, the interface index (sll_ifindex), the packet's protocol (sll_protocol), the packet type (sll_pkttype) and the hardware type (sll_hatype). - +.PP For further implementation details or format support in your application, have a look at pcap_io.h. - +.PP .SH NOTE For introducing bit errors, delays with random variation and more while replaying pcaps, make use of tc(8) with its disciplines such as netem. - +.PP netsniff-ng does only some basic, architecture generic tuning on startup. If you are considering to do high performance capturing, -you need to carefully tune your machine, hardware and software-wise. +you need to carefully tune your machine, both hardware and software. Simply letting netsniff-ng run without thinking about your underlying system might not necessarily give you the desired performance. Note that tuning your system is always a tradeoff and fine-grained -balancing act (e.g. throughput vs. latency). You should know what -you're doing! - +balancing act (throughput versus latency). You should know what +you are doing! +.PP One recommendation for software-based tuning is tuned(8). Besides that, there are many other things to consider. Just to throw you a few things that you might want to look at: NAPI networking drivers, @@ -408,75 +409,79 @@ tickless kernel, I/OAT DMA engine, Direct Cache Access, RAM-based file systems, multi-queues, and many more things. Also, you might want to read the kernel's Documentation/networking/scaling.txt file regarding technologies such as RSS, RPS, RFS, aRFS and XPS. Also -check your ethtool(8) settings, e.g. regarding offloading or -Ethernet pause frames etc. - +check your ethtool(8) settings, for example regarding offloading or +Ethernet pause frames. +.PP Moreover, to get a deeper understanding of netsniff-ng internals and how it interacts with the Linux kernel, the kernel documentation under Documentation/networking/{packet_mmap.txt, filter.txt, multiqueue.txt} might be of interest. - +.PP How do you sniff in a switched environment? I rudely refer to dSniff's documentation that says: - +.PP The easiest route is simply to impersonate the local gateway, stealing client traffic en route to some remote destination. Of course, the traffic must be forwarded by your attacking machine, either by enabling kernel IP -forwarding or with a userland program that acccomplishes the same +forwarding or with a userland program that accomplishes the same (fragrouter -B1). - +.PP Several people have reportedly destroyed connectivity on their LAN to the -outside world by arpspoof'ing the gateway, and forgetting to enable IP -forwarding on the attacking machine. Don't do this. You have been warned. - +outside world by ARP spoofing the gateway, and forgetting to enable IP +forwarding on the attacking machine. Do not do this. You have been warned. +.PP +A safer option than ARP spoofing would be to use a "port mirror" function +if your switch hardware supports it and if you have access to the switch. +.PP If you do not need to dump all possible traffic, you have to consider running netsniff-ng with a BPF filter for the ingress path. For that purpose, read the bpfc(8) man page. - +.PP Also, to aggregate multiple NICs that you want to capture on, you should consider using team devices, further explained in libteam resp. teamd(8). - +.PP The following netsniff-ng pcap magic numbers are compatible with other tools, at least tcpdump or Wireshark: - +.PP 0xa1b2c3d4 (tcpdump-capable pcap) 0xa1b23c4d (tcpdump-capable pcap with ns resolution) 0xa1b2cd34 (Alexey Kuznetzov's pcap) - +.PP Pcap files with different meta data endianess are supported by netsniff-ng as well. - +.PP .SH BUGS - +.PP When replaying pcap files, the timing information from the pcap packet header is currently ignored. - +.PP Also, when replaying pcap files, demultiplexing traffic among multiple networking interfaces does not work. Currently, it is only sent via the interface that is given by the --out parameter. - +.PP When performing traffic capture on the Ethernet interface, the pcap file is created and packets are received but without a 802.1Q header. When one uses tshark, all headers are visible, but netsniff-ng removes 802.1Q headers. Is that normal behavior? - -Yes and no. The way how VLAN headers are handled in PF_PACKET sockets by the -kernel is somewhat ``problematic'' [1]. The problem in the Linux kernel is that -some drivers already handle VLAN, others not. Those who handle it can have -different implementations, i.e. hardware acceleration and so on. So in some +.PP +Yes and no. The way VLAN headers are handled in PF_PACKET sockets by the +kernel is somewhat \[lq]problematic\[rq] [1]. The problem in the Linux kernel is that +some drivers already handle VLANs, others not. Those who handle it can have +different implementations, such as hardware acceleration and so on. So in some cases the VLAN tag is even stripped before entering the protocol stack, in -some cases probably not. Bottom line is that a "hack" was introduced in +some cases probably not. The bottom line is that a "hack" was introduced in PF_PACKET so that a VLAN ID is visible in some helper data structure that is accessible from the RX_RING. - -And then it gets really messy in the user space to artificially put the VLAN -header back into the right place. Not mentioning about the resulting performance -implications on that of all libpcap(3) tools since parts of the packet need to +.PP +Then it gets really messy in the user space to artificially put the VLAN +header back into the right place. Not to mention the resulting performance +implications on all of libpcap(3) tools since parts of the packet need to be copied for reassembly via memmove(3). - +.PP A user reported the following, just to demonstrate this mess: some tests were -made with two machines, and it seems that results depends on the driver ... +made with two machines, and it seems that results depend on the driver ... +.PP AR8131: ethtool -k eth0 gives "rx-vlan-offload: on" - wireshark gets the vlan header @@ -484,6 +489,7 @@ made with two machines, and it seems that results depends on the driver ... ethtool -K eth0 rxvlan off - wireshark gets a QinQ header even though noone sent QinQ - netsniff-ng gets the vlan header +.PP RTL8111/8168B: ethtool -k eth0 gives "rx-vlan-offload: on" - wireshark gets the vlan header @@ -491,29 +497,30 @@ made with two machines, and it seems that results depends on the driver ... ethtool -K eth0 rxvlan off - wireshark gets the vlan header - netsniff-ng doesn't get the vlan header -Even if we would agree on doing the same workaround as libpcap, we still will +.PP +Even if we agreed on doing the same workaround as libpcap, we still will not be able to see QinQ, for instance, due to the fact that only one VLAN tag is stored in the kernel helper data structure. We think that there should be -a good consensus on the kernel space side about what gets transferred to the +a good consensus on the kernel space side about what gets transferred to userland first. - +.PP Update (28.11.2012): the Linux kernel and also bpfc(8) has built-in support for hardware accelerated VLAN filtering, even though tags might not be visible in the payload itself as reported here. However, the filtering for VLANs works reliable if your NIC supports it. See bpfc(8) for an example. - +.PP [1] http://lkml.indiana.edu/hypermail/linux/kernel/0710.3/3816.html - +.PP .SH LEGAL netsniff-ng is licensed under the GNU GPL version 2.0. - +.PP .SH HISTORY .B netsniff-ng was originally written for the netsniff-ng toolkit by Daniel Borkmann. Bigger contributions were made by Emmanuel Roullit, Markus Amend, Tobias Klauser and Christoph Jaeger. It is currently maintained by Tobias Klauser <tklauser@distanz.ch> and Daniel Borkmann <dborkma@tik.ee.ethz.ch>. - +.PP .SH SEE ALSO .BR trafgen (8), .BR mausezahn (8), @@ -522,6 +529,6 @@ Christoph Jaeger. It is currently maintained by Tobias Klauser .BR flowtop (8), .BR astraceroute (8), .BR curvetun (8) - +.PP .SH AUTHOR Manpage was written by Daniel Borkmann. |