summaryrefslogtreecommitdiff
path: root/netsniff-ng.8
diff options
context:
space:
mode:
Diffstat (limited to 'netsniff-ng.8')
-rw-r--r--netsniff-ng.8497
1 files changed, 497 insertions, 0 deletions
diff --git a/netsniff-ng.8 b/netsniff-ng.8
new file mode 100644
index 0000000..023f777
--- /dev/null
+++ b/netsniff-ng.8
@@ -0,0 +1,497 @@
+.\" netsniff-ng - the packet sniffing beast
+.\" Copyright 2013 Daniel Borkmann.
+.\" Subject to the GPL, version 2.
+
+.TH NETSNIFF-NG 8 "03 March 2013" "Linux" "netsniff-ng toolkit"
+.SH NAME
+netsniff-ng \- the packet sniffing beast
+
+.SH SYNOPSIS
+
+\fB netsniff-ng\fR { [\fIoptions\fR] [\fIfilter-expression\fR] }
+
+.SH DESCRIPTION
+
+netsniff-ng is a fast, minimal tool to i) analyze network packets, ii) capture
+pcap files, iii) replay pcap files or iv) redirect traffic between interfaces
+with the help of zero-copy packet(7) sockets. netsniff-ng uses both, Linux
+specific RX_RING and TX_RING interfaces to perform zero-copy, that is, to avoid
+copies and system call overhead between kernel and user address space. At the
+time, we started hacking on netsniff-ng, the pcap(3) library did not use this
+zero-copy facility.
+
+netsniff-ng is Linux specific only, meaning there is no support for other
+operating systems, thus we can keep the code footprint quite minimal and to
+the point. Linux' packet(7) sockets and its RX_RING and TX_RING interfaces
+bypass the normal packet processing path through the networking stack. Thus,
+this is the fastest one can get out of the box in terms of capturing or
+transmission performance from user space, without having to load unsupported
+or non-mainline third-party kernel modules. We explicitly refuse to build
+netsniff-ng on top of ntop/PF_RING. Not because we do not like it (we do find
+it interesting), but because of the fact that it is not part of the mainline
+kernel. Therefore, the ntop project has to maintain/sync out-of-tree drivers
+to adapt them to their DNA. Eventually, we went for untainted Linux kernel,
+since its code has a higher rate of reviews, maintenance, security and bug
+fixes.
+
+netsniff-ng also supports early packet filtering in the kernel. It has support
+for low-level and high-level packet filters that are translated into Berkeley
+Packet Filter instructions.
+
+netsniff-ng can capture pcap files in several different pcap formats that
+are interoperable with other tools. It has different pcap I/O methods supported
+(scatter-gather, mmap(2), read(2)/write(2)) for efficient to-disc capturing.
+netsniff-ng is also able to rotate pcap files based on data size or time
+intervals, thus, making it a useful backend tool for subsequent traffic
+analysis.
+
+netsniff-ng itself also supports analysis, dumping or replay of raw 802.11
+frames. For online or offline analysis netsniff-ng has a built-in packet
+dissector for currently 802.3 (Ethernet), 802.11* (WLAN), ARP, MPLS, 802.1Q
+(VLAN), 802.1QinQ, LLDP, IPv4, IPv6, ICMPv4, ICMPv6, IGMP, TCP and UDP,
+including GeoIP location analysis. Since netsniff-ng does not establish any
+state or reassembly during packet dissection, its memory footprint is quite
+low, thus, making netsniff-ng quite efficient for offline analysis of large
+pcap files as well.
+
+.SH OPTIONS
+
+.SS -i <dev|pcap|->, -d <dev|pcap|->, --in <dev|pcap|->, --dev <dev|pcap|->
+Defines an input device, that can either be a networking device, a pcap file
+or stdin (``-''). In case of a pcap file, the pcap type (``-D'' option) is
+determined automatically by the pcap file magic. In case of stdin, it is
+assumed that the input stream is a pcap file.
+
+.SS -o <dev|pcap|dir|cfg|->, --out <dev|pcap|dir|cfg|->
+Defines the output device, that can either be a networking device, a pcap file,
+a folder, a trafgen(8) configuration file or stdout (``-''). In case of a pcap
+file, that should not have the default pcap type (0xa1b2c3d4), the additional
+option ``-T'' must be provided. If a directory is given, then, instead of a
+single pcap file, multiple pcap files are generated with rotation based on
+maximum file size or a given interval (``-F'' option). A trafgen configuration
+file can currently only be specified if the input device is a pcap file. If
+stdout is given as a device, then a trafgen configuration will be written to
+stdout if the input device is a pcap file, or a pcap file if the input device
+is a networking device.
+
+.SS -f, --filter <bpf-file|expr>
+Specifies to not dump all traffic, but to filter the network packet haystack.
+As a filter, either a bpfc(8) compiled file can be passed as a parameter or
+a tcpdump(1)-like filter expression in quotes. For details regarding the
+bpf-file have a look at bpfc(8), for details regarding a tcpdump(1)-like filter
+have a look at section ``filter example'' or at pcap-filter(7). A filter
+expression may also be passed to netsniff-ng without option ``-f'' in case
+there is no subsequent option following after the command-line filter expression.
+
+.SS -t, --type <type>
+This defines some sort of filtering mechanisms in terms of addressing. Possible
+values for type are ``host'' (to us), ``broadcast'' (to all), ``multicast'' (to
+group), ``others'' (promiscuous mode) or ``outgoing'' (from us).
+
+.SS -F, --interval <size|time>
+If the output device is a folder, with ``-F'' it is possible to define the pcap
+file rotation interval either in terms of size or time. Thus, when the interval
+limit has been reached, a new pcap file will be started. As size parameter, the
+following values are possible ``<num>KiB/MiB/GiB'' while as a time parameter
+it can be ``<num>s/sec/min/hrs''.
+
+.SS -J, --jumbo-support
+On default netsniff-ng's ring buffer frames are of a fixed size of 2048 bytes.
+This means that if you're expecting jumbo frames or even super jumbo frames to
+pass your line, then you need to enable support for that with the help of this
+option. However, this has the disadvantage of a performance regression and a
+bigger memory footprint for the ring buffer.
+
+.SS -R, --rfraw
+In case the input or output networking device is a wireless device, it is
+possible with netsniff-ng to turn this into monitor mode and create a mon<X>
+device that netsniff-ng will be listening on instead of wlan<X>, for instance.
+This enables netsniff-ng to analyze, dump, or even replay raw 802.11 frames.
+
+.SS -n <0|uint>, --num <0|uint>
+Process a number of packets and then exit. If the number of packets is 0, then
+this is equivalent to infinite packets resp. processing until interrupted.
+Otherwise, a number given as an unsigned integer will limit processing.
+
+.SS -P <name>, --prefix <name>
+When dumping pcap files into a folder, a file name prefix can be defined with
+this option. If not otherwise specified, the default prefix is ``dump-'' followed
+by a unix timestamp.
+
+.SS -T <pcap-magic>, --magic <pcap-magic>
+Specify a pcap type for storage. Different pcap types with their various meta
+data capabilities are shown with option ``-D''. If not otherwise specified, the
+pcap-magic 0xa1b2c3d4, also known as a standard tcpdump-capable pcap format, is
+used. Pcap files with swapped endianess are also supported.
+
+.SS -D, --dump-pcap-types
+Dump all available pcap types with their capabilities and magic numbers that
+can be used with option ``-T'' and exit.
+
+.SS -B, --dump-bpf
+If a Berkeley Packet Filter is given, e.g. via option ``-f'', then dump the BPF
+disassembly to stdout during ring setup. This only serves for informative or
+verification purposes.
+
+.SS -r, --rand
+If the input and output device are both networking devices, then this option will
+randomize packet order in the output ring buffer.
+
+.SS -M, --no-promisc
+The networking interface will not be put into promiscuous mode. On default,
+promiscuous mode is turned on.
+
+.SS -A, --no-sock-mem
+On startup (and shutdown), netsniff-ng is trying to increase socket read and
+write buffers if appropriate. This option will prevent netsniff-ng from doing
+that.
+
+.SS -m, --mmap
+Use mmap(2) as pcap file I/O. This is default in case of replaying pcap files.
+
+.SS -G, --sg
+Use scatter-gather as pcap file I/O. This is default in case when capturing
+pcap files.
+
+.SS -c, --clrw
+Use slower read(2)/write(2) I/O. This is not the default case anywhere, but in
+some situations it could be preferred as it has a lower latency on write-back
+to disc.
+
+.SS -S <size>, --ring-size <size>
+Manually define the RX_RING resp. TX_RING size in ``<num>KiB/MiB/GiB''. On
+default the size is being determined based on the network connectivity rate.
+
+.SS -k <uint>, --kernel-pull <uint>
+Manually define the interval in micro-seconds where the kernel should be triggered
+to batch process the ring buffer frames. On default, it is every 10us, but it can
+manually be prolonged, for instance.
+
+.SS -b <cpu>, --bind-cpu <cpu>
+Pin netsniff-ng to a specific CPU and also pin resp. migrate the NIC's IRQ
+CPU affinity to this CPU. This option should be preferred in combination with
+``-s'' in case a middle till high packet rate is expected.
+
+.SS -u <uid>, --user <uid> resp. -g <gid>, --group <gid>
+After ring setup drop privileges to a non-root user/group combination.
+
+.SS -H, --prio-high
+Set this process as a high priority process in order to achieve a higher
+scheduling rate resp. CPU time. This is however not default setting, since
+it could lead to starvation of other processes, e.g. low priority kernel
+threads.
+
+.SS -Q, --notouch-irq
+Do not reassign the NIC's IRQ CPU affinity settings.
+
+.SS -s, --silent
+Do not enter the packet dissector at all and do not print any packet information
+to the terminal. Just shut up and be silent. This option should be preferred in
+combination with pcap recording or replay, since it will not flood your terminal
+which causes a significant performance regression.
+
+.SS -q, --less
+Print a less verbose one-line information for each packet to the terminal.
+
+.SS -X, --hex
+Only dump packets in hex format to the terminal.
+
+.SS -l, --ascii
+Only display ASCII prinable characters.
+
+.SS -U, --update
+If geographical IP locationing should be used, the built-in database update
+mechanism will be invoked to get Maxmind's latest database. To configure
+search locations for databases, the file /etc/netsniff-ng/geoip.conf contains
+possible addresses. Thus, to save bandwidth or for mirroring Maxmind's
+databases (to bypass their traffic limit policy), different hosts or IP
+addresses can be placed into geoip.conf, separated by a newline.
+
+.SS -V, --verbose
+Be more verbose during startup, i.e. show detailled ring setup information.
+
+.SS -v, --version
+Show versioning information.
+
+.SS -h, --help
+Show user help.
+
+.SH USAGE EXAMPLE
+
+.SS netsniff-ng
+The most simple command is to just run ``netsniff-ng''. This will start
+listening on all available networking devices in promiscuous mode and dump
+the packet dissector output to the terminal. No files will be recorded.
+
+.SS netsniff-ng --in eth0 --out dump.pcap -s -T 0xa1e2cb12 -b 0 tcp or udp
+Capture TCP or UDP traffic from the networking device eth0 into the pcap file
+named dump.pcap, which has netsniff-ng specific pcap extensions (see
+``netsniff-ng -D'' for capabilities). Also, do not print the content to the
+terminal and pin the process and NIC IRQ affinity to CPU 0. The pcap write
+method is scatter-gather I/O.
+
+.SS netsniff-ng --in wlan0 --rfraw --out dump.pcap --silent --bind-cpu 0
+Put the wlan0 device into monitoring mode and capture all raw 802.11 frames
+into the file dump.pcap. Do not dissect and print the content to the terminal
+and pin the process and NIC IRQ affinity to CPU 0. The pcap write method is
+scatter-gather I/O.
+
+.SS netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 0
+Replay the pcap file dump.pcap which is read through mmap(2) I/O and send
+the packets out via the eth0 networking device. Do not dissect and print the
+content to the terminal and pin the process and NIC IRQ affinity to CPU 0.
+Also trigger the kernel every 1000us to traverse the TX_RING instead of every
+10us. Note that the pcap magic type is detected automatically from the pcap
+file header.
+
+.SS netsniff-ng --in eth0 --out eth1 --silent --bind-cpu 0 --type host -r
+Redirect network traffic from the networking device eth0 to eth1 for traffic
+that is destined for our host, thus ignore broadcast, multicast and promiscuous
+traffic. Randomize the order of packets for the outgoing device and do not
+print any packet contents to the terminal. Also, pin the process and NIC IRQ
+affinity to CPU 0.
+
+.SS netsniff-ng --in team0 --out /opt/probe/ -s -m -J --interval 100MiB -b 0
+Capture on an aggregated team0 networking device and dump packets into multiple
+pcap files that are split into 100MiB each. Use mmap(2) I/O as a pcap write
+method, enable support for super jumbo frames up to 64KB, and do not print
+the captured data to the terminal. Pin netsniff-ng to and NIC IRQ affinity to
+CPU 0. The default pcap magic type is 0xa1b2c3d4 (tcpdump-capable pcap).
+
+.SS netsniff-ng --in vlan0 --out dump.pcap -c -u `id -u bob` -g `id -g bob`
+Capture network traffic on device wlan0 into a pcap file called dump.pcap
+by using normal read(2), write(2) I/O for the pcap file (slower but less
+latency). Also, after setting up the RX_RING for capture, drop privileges
+from root to the user/group ``bob''. Invoke the packet dissector and print
+packet contents to the terminal for further analysis.
+
+.SS netsniff-ng --in any --filter http.bpf -B --jumbo-support --ascii -V
+Capture from all available networking interfaces and install a low-level
+filter that was previously compiled by bpfc(8) into http.bpf in order to
+filter HTTP traffic. Enable super jumbo frame support and only print
+human readable packet data to the terminal, and also be more verbose during
+setup phase. Moreover, dump a BPF disassembly of http.bpf.
+
+.SS netsniff-ng --in dump.pcap --out dump.cfg --silent
+Convert the pcap file dump.pcap into a trafgen(8) configuration file dump.cfg.
+Do not print pcap contents to the terminal.
+
+.SS netsniff-ng -i dump.pcap -f beacon.bpf -o -
+Convert the pcap file dump.pcap into a trafgen(8) configuration file and write
+it to stdout. However, do not dump all of its content, but only the one that
+passes the low-level filter for raw 802.11 from beacon.bpf. The BPF engine
+here is invoked in user space inside of netsniff-ng, so Linux extensions
+are not available.
+
+.SS cat foo.pcap | netsniff-ng -i - -o -
+Read a pcap file from stdin and convert it into a trafgen(8) configuration
+file to stdout.
+
+.SH CONFIG FILES
+
+Under /etc/netsniff-ng/ there are the following files stored that are used
+by netsniff-ng and can be extended if wished:
+
+ * oui.conf - OUI/MAC vendor database
+ * ether.conf - Ethernet type descriptions
+ * tcp.conf - TCP port/services map
+ * udp.conf - UDP port/services map
+ * geoip.conf - GeoIP database mirrors
+
+.SH FILTER EXAMPLE
+
+netsniff-ng supports both, low-level and high-level filters that are
+attached to its packet(7) socket. Low-level filters are described in
+the bpfc(8) man page.
+
+Low-level filters can be used with netsniff-ng in the following way:
+
+ 1. bpfc foo > bar
+ 2. netsniff-ng -f bar
+
+Here, foo is the bpfc program that will be translated into a netsniff-ng
+readable ``opcodes'' file and passed to netsniff-ng through the -f option.
+
+Similarly, high-level filter can be either passed through the -f option,
+e.g. -f "tcp or udp" or at the end of all options without the ``-f''.
+
+The filter syntax is the same as in tcpdump(8), which is described in
+the man page pcap-filter(7). Just to quote some examples from pcap-filter(7):
+
+.SS host sundown
+To select all packets arriving at or departing from sundown.
+
+.SS host helios and \( hot or ace \)
+To select traffic between helios and either hot or ace.
+
+.SS ip host ace and not helios
+To select all IP packets between ace and any host except helios.
+
+.SS net ucb-ether
+To select all traffic between local hosts and hosts at Berkeley.
+
+.SS gateway snup and (port ftp or ftp-data)
+To select all ftp traffic through internet gateway snup.
+
+.SS ip and not net localnet
+To select traffic neither sourced from nor destined for local hosts (if you
+gateway to one other net, this stuff should never make it onto your local net).
+
+.SS tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet
+To select the start and end packets (the SYN and FIN packets) of each TCP
+conversation that involve a non-local host.
+
+.SS tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
+To select all IPv4 HTTP packets to and from port 80, i.e. print only packets
+that contain data, not, for example, SYN and FIN packets and ACK-only packets.
+(IPv6 is left as an exercise for the reader.)
+
+.SS gateway snup and ip[2:2] > 576
+To select IP packets longer than 576 bytes sent through gateway snup.
+
+.SS ether[0] & 1 = 0 and ip[16] >= 224
+To select IP broadcast or multicast packets that were not sent via Ethernet
+broadcast or multicast.
+
+.SS icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
+To select all ICMP packets that are not echo requests/replies (i.e., not
+ping packets).
+
+.SH NOTE
+For introducing bit errors, delays with random variation and more
+while replaying pcaps, make use of tc(8) with its disciplines such
+as netem.
+
+netsniff-ng does only some basic, architecture generic tuning on
+startup. If you are considering to do high performance capturing,
+you need to carefully tune your machine, hardware and software-wise.
+Simply letting netsniff-ng run without thinking about your underlying
+system might not necessarily give you the desired performance. Note
+that tuning your system is always a tradeoff and fine-grained
+balancing act (e.g. throughput vs. latency). You should know what
+you're doing!
+
+One recommendation for software-based tuning is tuned(8). Besides
+that, there are many other things to consider. Just to throw you
+a few things that you might want to look at: NAPI networking drivers,
+tickless kernel, I/OAT DMA engine, Direct Cache Access, RAM-based
+file systems, multi-queues, and many more things. Also, you might
+want to read the kernel's Documentation/networking/scaling.txt file
+regarding technologies such as RSS, RPS, RFS, aRFS and XPS. Also
+check your ethtool(8) settings, e.g. regarding offloading or
+Ethernet pause frames etc.
+
+Moreover, to get a deeper understanding of netsniff-ng internals
+and how it interacts with the Linux kernel, the kernel documentation
+under Documentation/networking/{packet_mmap.txt, filter.txt,
+multiqueue.txt} might be of interest.
+
+How do you sniff in a switched environment? I rudely refer to dSniff's
+documentation that says:
+
+The easiest route is simply to impersonate the local gateway, stealing
+client traffic en route to some remote destination. Of course, the traffic
+must be forwarded by your attacking machine, either by enabling kernel IP
+forwarding or with a userland program that acccomplishes the same
+(fragrouter -B1).
+
+Several people have reportedly destroyed connectivity on their LAN to the
+outside world by arpspoof'ing the gateway, and forgetting to enable IP
+forwarding on the attacking machine. Don't do this. You have been warned.
+
+If you do not need to dump all possible traffic, you have to consider
+running netsniff-ng with a BPF filter for the ingress path. For that
+purpose, read the bpfc(8) man page.
+
+Also, to aggregate multiple NICs that you want to capture on, you
+should consider using team devices, further explained in libteam resp.
+teamd(8).
+
+The following netsniff-ng pcap magic numbers are compatible with other
+tools, at least tcpdump or Wireshark:
+
+ 0xa1b2c3d4 (tcpdump-capable pcap)
+ 0xa1b23c4d (tcpdump-capable pcap with ns resolution)
+ 0xa1b2cd34 (Alexey Kuznetzov's pcap)
+
+Pcap files with different meta data endianess are supported by netsniff-ng
+as well.
+
+.SH BUGS
+
+When replaying pcap files, the timing information from the pcap packet
+header is currently ignored.
+
+Also, when replaying pcap files, demultiplexing traffic among multiple
+networking interfaces does not work. Currently, it is only sent via the
+interface that is given by the --out parameter.
+
+When performing traffic capture on the Ethernet interface, the pcap file
+is created and packets are received but without a 802.1Q header. When one
+uses tshark, all headers are visible, but netsniff-ng removes 802.1Q
+headers. Is that normal behavior?
+
+Yes and no. The way how VLAN headers are handled in PF_PACKET sockets by the
+kernel is somewhat ``problematic'' [1]. The problem in the Linux kernel is that
+some drivers already handle VLAN, others not. Those who handle it can have
+different implementations, i.e. hardware acceleration and so on. So in some
+cases the VLAN tag is even stripped before entering the protocol stack, in
+some cases probably not. Bottom line is that a "hack" was introduced in
+PF_PACKET so that a VLAN ID is visible in some helper data structure that is
+accessible from the RX_RING.
+
+And then it gets really messy in the user space to artificially put the VLAN
+header back into the right place. Not mentioning about the resulting performance
+implications on that of all libpcap(3) tools since parts of the packet need to
+be copied for reassembly via memmove(3).
+
+A user reported the following, just to demonstrate this mess: some tests were
+made with two machines, and it seems that results depends on the driver ...
+ AR8131:
+ ethtool -k eth0 gives "rx-vlan-offload: on"
+ - wireshark gets the vlan header
+ - netsniff-ng doesn't get the vlan header
+ ethtool -K eth0 rxvlan off
+ - wireshark gets a QinQ header even though noone sent QinQ
+ - netsniff-ng gets the vlan header
+ RTL8111/8168B:
+ ethtool -k eth0 gives "rx-vlan-offload: on"
+ - wireshark gets the vlan header
+ - netsniff-ng doesn't get the vlan header
+ ethtool -K eth0 rxvlan off
+ - wireshark gets the vlan header
+ - netsniff-ng doesn't get the vlan header
+Even if we would agree on doing the same workaround as libpcap, we still will
+not be able to see QinQ, for instance, due to the fact that only one VLAN tag
+is stored in the kernel helper data structure. We think that there should be
+a good consensus on the kernel space side about what gets transferred to the
+userland first.
+
+Update (28.11.2012): the Linux kernel and also bpfc(8) has built-in support
+for hardware accelerated VLAN filtering, even though tags might not be visible
+in the payload itself as reported here. However, the filtering for VLANs works
+reliable if your NIC supports it. See bpfc(8) for an example.
+
+ [1] http://lkml.indiana.edu/hypermail/linux/kernel/0710.3/3816.html
+
+.SH LEGAL
+netsniff-ng is licensed under the GNU GPL version 2.0.
+
+.SH HISTORY
+.B netsniff-ng
+was originally written for the netsniff-ng toolkit by Daniel Borkmann. Bigger
+contributions were made by Emmanuel Roullit, Markus Amend, Tobias Klauser and
+Christoph Jaeger. It is currently maintained by Tobias Klauser
+<tklauser@distanz.ch> and Daniel Borkmann <dborkma@tik.ee.ethz.ch>.
+
+.SH SEE ALSO
+.BR trafgen (8),
+.BR mausezahn (8),
+.BR ifpps (8),
+.BR bpfc (8),
+.BR flowtop (8),
+.BR astraceroute (8),
+.BR curvetun (8)
+
+.SH AUTHOR
+Manpage was written by Daniel Borkmann.