summaryrefslogtreecommitdiff
path: root/man/netsniff-ng.8
diff options
context:
space:
mode:
Diffstat (limited to 'man/netsniff-ng.8')
-rw-r--r--man/netsniff-ng.8192
1 files changed, 163 insertions, 29 deletions
diff --git a/man/netsniff-ng.8 b/man/netsniff-ng.8
index 9e7fe0b..8bc6740 100644
--- a/man/netsniff-ng.8
+++ b/man/netsniff-ng.8
@@ -56,35 +56,146 @@ pcap files as well.
.SH OPTIONS
-.\" -i|-d|--dev|--in <dev|pcap|-> Input source as netdev, pcap or pcap stdin
-.\" -o|--out <dev|pcap|dir|cfg|-> Output sink as netdev, pcap, directory, trafgen, or stdout
-.\" -f|--filter <bpf-file|expr> Use BPF filter file from bpfc or tcpdump-like expression
-.\" -t|--type <type> Filter for: host|broadcast|multicast|others|outgoing
-.\" -F|--interval <size|time> Dump interval if -o is a dir: <num>KiB/MiB/GiB/s/sec/min/hrs
-.\" -J|--jumbo-support Support for 64KB Super Jumbo Frames (def: 2048B)
-.\" -R|--rfraw Capture or inject raw 802.11 frames
-.\" -n|--num <0|uint> Number of packets until exit (def: 0)
-.\" -P|--prefix <name> Prefix for pcaps stored in directory
-.\" -T|--magic <pcap-magic> Pcap magic number/pcap format to store, see -D
-.\" -D|--dump-pcap-types Dump pcap types and magic numbers and quit
-.\" -B|--dump-bpf Dump generated BPF assembly
-.\" -r|--rand Randomize packet forwarding order (dev->dev)
-.\" -M|--no-promisc No promiscuous mode for netdev
-.\" -A|--no-sock-mem Don't tune core socket memory
-.\" -m|--mmap Mmap(2) pcap file i.e., for replaying pcaps
-.\" -G|--sg Scatter/gather pcap file I/O
-.\" -c|--clrw Use slower read(2)/write(2) I/O
-.\" -S|--ring-size <size> Specify ring size to: <num>KiB/MiB/GiB
-.\" -k|--kernel-pull <uint> Kernel pull from user interval in us (def: 10us)
-.\" -b|--bind-cpu <cpu> Bind to specific CPU
-.\" -u|--user <userid> Drop privileges and change to userid
-.\" -g|--group <groupid> Drop privileges and change to groupid
-.\" -H|--prio-high Make this high priority process
-.\" -Q|--notouch-irq Do not touch IRQ CPU affinity of NIC
-.\" -s|--silent Do not print captured packets
-.\" -q|--less Print less-verbose packet information
-.\" -X|--hex Print packet data in hex format
-.\" -l|--ascii Print human-readable packet data
+.SS -i <dev|pcap|->, -d <dev|pcap|->, --in <dev|pcap|->, --dev <dev|pcap|->
+Defines an input device, that can either be a networking device, a pcap file
+or stdin (``-''). In case of a pcap file, the pcap type (``-D'' option) is
+determined automatically by the pcap file magic. In case of stdin, it is
+assumed that the input stream is a pcap file.
+
+.SS -o <dev|pcap|dir|cfg|->, --out <dev|pcap|dir|cfg|->
+Defines the output device, that can either be a networking device, a pcap file,
+a folder, a trafgen(8) configuration file or stdout (``-''). In case of a pcap
+file, that should not have the default pcap type (0xa1b2c3d4), the additional
+option ``-T'' must be provided. If a directory is given, then, instead of a
+single pcap file, multiple pcap files are generated with rotation based on
+maximum file size or a given interval (``-F'' option). A trafgen configuration
+file can currently only be specified if the input device is a pcap file. If
+stdout is given as a device, then a trafgen configuration will be written to
+stdout if the input device is a pcap file, or a pcap file if the input device
+is a networking device.
+
+.SS -f, --filter <bpf-file|expr>
+Specifies to not dump all traffic, but to filter the network packet haystack.
+As a filter, either a bpfc(8) compiled file can be passed as a parameter or
+a tcpdump(1)-like filter expression in quotes. For details regarding the
+bpf-file have a look at bpfc(8), for details regarding a tcpdump(1)-like filter
+have a look at section ``filter example'' or at pcap-filter(7). A filter
+expression may also be passed to netsniff-ng without option ``-f'' in case
+there is no subsequent option following after the command-line filter expression.
+
+.SS -t, --type <type>
+This defines some sort of filtering mechanisms in terms of addressing. Possible
+values for type are ``host'' (to us), ``broadcast'' (to all), ``multicast'' (to
+group), ``others'' (promiscuous mode) or ``outgoing'' (from us).
+
+.SS -F, --interval <size|time>
+If the output device is a folder, with ``-F'' it is possible to define the pcap
+file rotation interval either in terms of size or time. Thus, when the interval
+limit has been reached, a new pcap file will be started. As size parameter, the
+following values are possible ``<num>KiB/MiB/GiB'' while as a time parameter
+it can be ``<num>s/sec/min/hrs''.
+
+.SS -J, --jumbo-support
+On default netsniff-ng's ring buffer frames are of a fixed size of 2048 bytes.
+This means that if you're expecting jumbo frames or even super jumbo frames to
+pass your line, then you need to enable support for that with the help of this
+option. However, this has the disadvantage of a performance regression and a
+bigger memory footprint for the ring buffer.
+
+.SS -R, --rfraw
+In case the input or output networking device is a wireless device, it is
+possible with netsniff-ng to turn this into monitor mode and create a mon<X>
+device that netsniff-ng will be listening on instead of wlan<X>, for instance.
+This enables netsniff-ng to analyze, dump, or even replay raw 802.11 frames.
+
+.SS -n <0|uint>, --num <0|uint>
+Process a number of packets and then exit. If the number of packets is 0, then
+this is equivalent to infinite packets resp. processing until interrupted.
+Otherwise, a number given as an unsigned integer will limit processing.
+
+.SS -P <name>, --prefix <name>
+When dumping pcap files into a folder, a file name prefix can be defined with
+this option. If not otherwise specified, the default prefix is ``dump-'' followed
+by a unix timestamp.
+
+.SS -T <pcap-magic>, --magic <pcap-magic>
+Specify a pcap type for storage. Different pcap types with their various meta
+data capabilities are shown with option ``-D''. If not otherwise specified, the
+pcap-magic 0xa1b2c3d4, also known as a standard tcpdump-capable pcap format, is
+used. Pcap files with swapped endianess are also supported.
+
+.SS -D, --dump-pcap-types
+Dump all available pcap types with their capabilities and magic numbers that
+can be used with option ``-T'' and exit.
+
+.SS -B, --dump-bpf
+If a Berkeley Packet Filter is given, e.g. via option ``-f'', then dump the BPF
+disassembly to stdout during ring setup. This only serves for informative or
+verification purposes.
+
+.SS -r, --rand
+If the input and output device are both networking devices, then this option will
+randomize packet order in the output ring buffer.
+
+.SS -M, --no-promisc
+The networking interface will not be put into promiscuous mode. On default,
+promiscuous mode is turned on.
+
+.SS -A, --no-sock-mem
+On startup (and shutdown), netsniff-ng is trying to increase socket read and
+write buffers if appropriate. This option will prevent netsniff-ng from doing
+that.
+
+.SS -m, --mmap
+Use mmap(2) as pcap file I/O. This is default in case of replaying pcap files.
+
+.SS -G, --sg
+Use scatter-gather as pcap file I/O. This is default in case when capturing
+pcap files.
+
+.SS -c, --clrw
+Use slower read(2)/write(2) I/O. This is not the default case anywhere, but in
+some situations it could be preferred as it has a lower latency on write-back
+to disc.
+
+.SS -S <size>, --ring-size <size>
+Manually define the RX_RING resp. TX_RING size in ``<num>KiB/MiB/GiB''. On
+default the size is being determined based on the network connectivity rate.
+
+.SS -k <uint>, --kernel-pull <uint>
+Manually define
+
+.SS -b <cpu>, --bind-cpu <cpu>
+Pin netsniff-ng to a specific CPU and also pin resp. migrate the NIC's IRQ
+CPU affinity to this CPU. This option should be preferred in combination with
+``-s'' in case a middle till high packet rate is expected.
+
+.SS -u <uid>, --user <uid> resp. -g <gid>, --group <gid>
+After ring setup drop priviledges to a non-root user/group combination.
+
+.SS -H, --prio-high
+Set this process as a high priority process in order to achieve a higher
+scheduling rate resp. CPU time. This is however not default setting, since
+it could lead to starvation of other processes, e.g. low priority kernel
+threads.
+
+.SS -Q, --notouch-irq
+Do not reassign the NIC's IRQ CPU affinity settings.
+
+.SS -s, --silent
+Do not enter the packet dissector at all and do not print any packet information
+to the terminal. Just shut up and be silent. This option should be preferred in
+combination with pcap recording or replay, since it will not flood your terminal
+which causes a significant performance regression.
+
+.SS -q, --less
+Print a less verbose one-line information for each packet to the terminal.
+
+.SS -X, --hex
+Only dump packets in hex format to the terminal.
+
+.SS -l, --ascii
+Only display ASCII prinable characters.
.SS -U, --update
If geographical IP locationing should be used, the built-in database update
@@ -174,6 +285,16 @@ are not available.
Read a pcap file from stdin and convert it into a trafgen(8) configuration
file to stdout.
+.SH CONFIG FILES
+
+Under /etc/netsniff-ng/ there are the following files stored that are used
+by netsniff-ng and can be extended if wished:
+
+ * oui.conf - OUI/MAC vendor database
+ * ether.conf - Ethernet type descriptions
+ * tcp.conf - TCP port/services map
+ * udp.conf - UDP port/services map
+
.SH FILTER EXAMPLE
netsniff-ng supports both, low-level and high-level filters that are
@@ -261,6 +382,19 @@ and how it interacts with the Linux kernel, the kernel documentation
under Documentation/networking/{packet_mmap.txt, filter.txt,
multiqueue.txt} might be of interest.
+How do you sniff in a switched environment? I rudely refer to dSniff's
+documentation that says:
+
+The easiest route is simply to impersonate the local gateway, stealing
+client traffic en route to some remote destination. Of course, the traffic
+must be forwarded by your attacking machine, either by enabling kernel IP
+forwarding or with a userland program that acccomplishes the same
+(fragrouter -B1).
+
+Several people have reportedly destroyed connectivity on their LAN to the
+outside world by arpspoof'ing the gateway, and forgetting to enable IP
+forwarding on the attacking machine. Don't do this. You have been warned.
+
If you do not need to dump all possible traffic, you have to consider
running netsniff-ng with a BPF filter for the ingress path. For that
purpose, read the bpfc(8) man page.