1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
|
.\" netsniff-ng - the packet sniffing beast
.\" Copyright 2013 Daniel Borkmann.
.\" Subject to the GPL, version 2.
.TH NETSNIFF-NG 8 "03 March 2013" "Linux" "netsniff-ng toolkit"
.SH NAME
netsniff-ng \- the packet sniffing beast
.SH SYNOPSIS
\fB netsniff-ng\fR { [\fIoptions\fR] [\fIfilter-expression\fR] }
.SH DESCRIPTION
netsniff-ng is a fast, minimal tool to i) analyze network packets, ii) capture
pcap files, iii) replay pcap files or iv) redirect traffic between interfaces
with the help of zero-copy packet(7) sockets. netsniff-ng uses both, Linux
specific RX_RING and TX_RING interfaces to perform zero-copy, that is, to avoid
copies and system call overhead between kernel and user address space. At the
time, we started hacking on netsniff-ng, the pcap(3) library did not use this
zero-copy facility.
netsniff-ng is Linux specific only, meaning there is no support for other
operating systems, thus we can keep the code footprint quite minimal and to
the point. Linux' packet(7) sockets and its RX_RING and TX_RING interfaces
bypass the normal packet processing path through the networking stack. Thus,
this is the fastest one can get out of the box in terms of capturing or
transmission performance from user space, without having to load unsupported
or non-mainline third-party kernel modules. We explicitly refuse to build
netsniff-ng on top of ntop/PF_RING. Not because we do not like it (we do find
it interesting), but because of the fact that it is not part of the mainline
kernel. Therefore, the ntop project has to maintain/sync out-of-tree drivers
to adapt them to their DNA. Eventually, we went for untainted Linux kernel,
since its code has a higher rate of reviews, maintenance, security and bug
fixes.
netsniff-ng also supports early packet filtering in the kernel. It has support
for low-level and high-level packet filters that are translated into Berkeley
Packet Filter instructions.
netsniff-ng can capture pcap files in several different pcap formats that
are interoperable with other tools. It has different pcap I/O methods supported
(scatter-gather, mmap(2), read(2)/write(2)) for efficient to-disc capturing.
netsniff-ng is also able to rotate pcap files based on data size or time
intervals, thus, making it a useful backend tool for subsequent traffic
analysis.
netsniff-ng itself also supports analysis, dumping or replay of raw 802.11
frames. For online or offline analysis netsniff-ng has a built-in packet
dissector for currently 802.3 (Ethernet), 802.11* (WLAN), ARP, MPLS, 802.1Q
(VLAN), 802.1QinQ, LLDP, IPv4, IPv6, ICMPv4, ICMPv6, IGMP, TCP and UDP,
including GeoIP location analysis. Since netsniff-ng does not establish any
state or reassembly during packet dissection, its memory footprint is quite
low, thus, making netsniff-ng quite efficient for offline analysis of large
pcap files as well.
.SH OPTIONS
.SS -i <dev|pcap|->, -d <dev|pcap|->, --in <dev|pcap|->, --dev <dev|pcap|->
Defines an input device, that can either be a networking device, a pcap file
or stdin (``-''). In case of a pcap file, the pcap type (``-D'' option) is
determined automatically by the pcap file magic. In case of stdin, it is
assumed that the input stream is a pcap file.
.SS -o <dev|pcap|dir|cfg|->, --out <dev|pcap|dir|cfg|->
Defines the output device, that can either be a networking device, a pcap file,
a folder, a trafgen(8) configuration file or stdout (``-''). In case of a pcap
file, that should not have the default pcap type (0xa1b2c3d4), the additional
option ``-T'' must be provided. If a directory is given, then, instead of a
single pcap file, multiple pcap files are generated with rotation based on
maximum file size or a given interval (``-F'' option). A trafgen configuration
file can currently only be specified if the input device is a pcap file. If
stdout is given as a device, then a trafgen configuration will be written to
stdout if the input device is a pcap file, or a pcap file if the input device
is a networking device.
.SS -f, --filter <bpf-file|expr>
Specifies to not dump all traffic, but to filter the network packet haystack.
As a filter, either a bpfc(8) compiled file can be passed as a parameter or
a tcpdump(1)-like filter expression in quotes. For details regarding the
bpf-file have a look at bpfc(8), for details regarding a tcpdump(1)-like filter
have a look at section ``filter example'' or at pcap-filter(7). A filter
expression may also be passed to netsniff-ng without option ``-f'' in case
there is no subsequent option following after the command-line filter expression.
.SS -t, --type <type>
This defines some sort of filtering mechanisms in terms of addressing. Possible
values for type are ``host'' (to us), ``broadcast'' (to all), ``multicast'' (to
group), ``others'' (promiscuous mode) or ``outgoing'' (from us).
.SS -F, --interval <size|time>
If the output device is a folder, with ``-F'' it is possible to define the pcap
file rotation interval either in terms of size or time. Thus, when the interval
limit has been reached, a new pcap file will be started. As size parameter, the
following values are possible ``<num>KiB/MiB/GiB'' while as a time parameter
it can be ``<num>s/sec/min/hrs''.
.SS -J, --jumbo-support
On default netsniff-ng's ring buffer frames are of a fixed size of 2048 bytes.
This means that if you're expecting jumbo frames or even super jumbo frames to
pass your line, then you need to enable support for that with the help of this
option. However, this has the disadvantage of a performance regression and a
bigger memory footprint for the ring buffer.
.SS -R, --rfraw
In case the input or output networking device is a wireless device, it is
possible with netsniff-ng to turn this into monitor mode and create a mon<X>
device that netsniff-ng will be listening on instead of wlan<X>, for instance.
This enables netsniff-ng to analyze, dump, or even replay raw 802.11 frames.
.SS -n <0|uint>, --num <0|uint>
Process a number of packets and then exit. If the number of packets is 0, then
this is equivalent to infinite packets resp. processing until interrupted.
Otherwise, a number given as an unsigned integer will limit processing.
.SS -P <name>, --prefix <name>
When dumping pcap files into a folder, a file name prefix can be defined with
this option. If not otherwise specified, the default prefix is ``dump-'' followed
by a unix timestamp.
.SS -T <pcap-magic>, --magic <pcap-magic>
Specify a pcap type for storage. Different pcap types with their various meta
data capabilities are shown with option ``-D''. If not otherwise specified, the
pcap-magic 0xa1b2c3d4, also known as a standard tcpdump-capable pcap format, is
used. Pcap files with swapped endianess are also supported.
.SS -D, --dump-pcap-types
Dump all available pcap types with their capabilities and magic numbers that
can be used with option ``-T'' and exit.
.SS -B, --dump-bpf
If a Berkeley Packet Filter is given, e.g. via option ``-f'', then dump the BPF
disassembly to stdout during ring setup. This only serves for informative or
verification purposes.
.SS -r, --rand
If the input and output device are both networking devices, then this option will
randomize packet order in the output ring buffer.
.SS -M, --no-promisc
The networking interface will not be put into promiscuous mode. On default,
promiscuous mode is turned on.
.SS -A, --no-sock-mem
On startup (and shutdown), netsniff-ng is trying to increase socket read and
write buffers if appropriate. This option will prevent netsniff-ng from doing
that.
.SS -m, --mmap
Use mmap(2) as pcap file I/O. This is default in case of replaying pcap files.
.SS -G, --sg
Use scatter-gather as pcap file I/O. This is default in case when capturing
pcap files.
.SS -c, --clrw
Use slower read(2)/write(2) I/O. This is not the default case anywhere, but in
some situations it could be preferred as it has a lower latency on write-back
to disc.
.SS -S <size>, --ring-size <size>
Manually define the RX_RING resp. TX_RING size in ``<num>KiB/MiB/GiB''. On
default the size is being determined based on the network connectivity rate.
.SS -k <uint>, --kernel-pull <uint>
Manually define
.SS -b <cpu>, --bind-cpu <cpu>
Pin netsniff-ng to a specific CPU and also pin resp. migrate the NIC's IRQ
CPU affinity to this CPU. This option should be preferred in combination with
``-s'' in case a middle till high packet rate is expected.
.SS -u <uid>, --user <uid> resp. -g <gid>, --group <gid>
After ring setup drop privileges to a non-root user/group combination.
.SS -H, --prio-high
Set this process as a high priority process in order to achieve a higher
scheduling rate resp. CPU time. This is however not default setting, since
it could lead to starvation of other processes, e.g. low priority kernel
threads.
.SS -Q, --notouch-irq
Do not reassign the NIC's IRQ CPU affinity settings.
.SS -s, --silent
Do not enter the packet dissector at all and do not print any packet information
to the terminal. Just shut up and be silent. This option should be preferred in
combination with pcap recording or replay, since it will not flood your terminal
which causes a significant performance regression.
.SS -q, --less
Print a less verbose one-line information for each packet to the terminal.
.SS -X, --hex
Only dump packets in hex format to the terminal.
.SS -l, --ascii
Only display ASCII prinable characters.
.SS -U, --update
If geographical IP locationing should be used, the built-in database update
mechanism will be invoked to get Maxmind's latest database. To configure
search locations for databases, the file /etc/netsniff-ng/geoip.conf contains
possible addresses. Thus, to save bandwidth or for mirroring Maxmind's
databases (to bypass their traffic limit policy), different hosts or IP
addresses can be placed into geoip.conf, separated by a newline.
.SS -V, --verbose
Be more verbose during startup, i.e. show detailled ring setup information.
.SS -v, --version
Show versioning information.
.SS -h, --help
Show user help.
.SH USAGE EXAMPLE
.SS netsniff-ng
The most simple command is to just run ``netsniff-ng''. This will start
listening on all available networking devices in promiscuous mode and dump
the packet dissector output to the terminal. No files will be recorded.
.SS netsniff-ng --in eth0 --out dump.pcap -s -T 0xa1e2cb12 -b 0 tcp or udp
Capture TCP or UDP traffic from the networking device eth0 into the pcap file
named dump.pcap, which has netsniff-ng specific pcap extensions (see
``netsniff-ng -D'' for capabilities). Also, do not print the content to the
terminal and pin the process and NIC IRQ affinity to CPU 0. The pcap write
method is scatter-gather I/O.
.SS netsniff-ng --in wlan0 --rfraw --out dump.pcap --silent --bind-cpu 0
Put the wlan0 device into monitoring mode and capture all raw 802.11 frames
into the file dump.pcap. Do not dissect and print the content to the terminal
and pin the process and NIC IRQ affinity to CPU 0. The pcap write method is
scatter-gather I/O.
.SS netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 0
Replay the pcap file dump.pcap which is read through mmap(2) I/O and send
the packets out via the eth0 networking device. Do not dissect and print the
content to the terminal and pin the process and NIC IRQ affinity to CPU 0.
Also trigger the kernel every 1000us to traverse the TX_RING instead of every
10us. Note that the pcap magic type is detected automatically from the pcap
file header.
.SS netsniff-ng --in eth0 --out eth1 --silent --bind-cpu 0 --type host -r
Redirect network traffic from the networking device eth0 to eth1 for traffic
that is destined for our host, thus ignore broadcast, multicast and promiscuous
traffic. Randomize the order of packets for the outgoing device and do not
print any packet contents to the terminal. Also, pin the process and NIC IRQ
affinity to CPU 0.
.SS netsniff-ng --in team0 --out /opt/probe/ -s -m -J --interval 100MiB -b 0
Capture on an aggregated team0 networking device and dump packets into multiple
pcap files that are split into 100MiB each. Use mmap(2) I/O as a pcap write
method, enable support for super jumbo frames up to 64KB, and do not print
the captured data to the terminal. Pin netsniff-ng to and NIC IRQ affinity to
CPU 0. The default pcap magic type is 0xa1b2c3d4 (tcpdump-capable pcap).
.SS netsniff-ng --in vlan0 --out dump.pcap -c -u `id -u bob` -g `id -g bob`
Capture network traffic on device wlan0 into a pcap file called dump.pcap
by using normal read(2), write(2) I/O for the pcap file (slower but less
latency). Also, after setting up the RX_RING for capture, drop privileges
from root to the user/group ``bob''. Invoke the packet dissector and print
packet contents to the terminal for further analysis.
.SS netsniff-ng --in any --filter http.bpf -B --jumbo-support --ascii -V
Capture from all available networking interfaces and install a low-level
filter that was previously compiled by bpfc(8) into http.bpf in order to
filter HTTP traffic. Enable super jumbo frame support and only print
human readable packet data to the terminal, and also be more verbose during
setup phase. Moreover, dump a BPF disassembly of http.bpf.
.SS netsniff-ng --in dump.pcap --out dump.cfg --silent
Convert the pcap file dump.pcap into a trafgen(8) configuration file dump.cfg.
Do not print pcap contents to the terminal.
.SS netsniff-ng -i dump.pcap -f beacon.bpf -o -
Convert the pcap file dump.pcap into a trafgen(8) configuration file and write
it to stdout. However, do not dump all of its content, but only the one that
passes the low-level filter for raw 802.11 from beacon.bpf. The BPF engine
here is invoked in user space inside of netsniff-ng, so Linux extensions
are not available.
.SS cat foo.pcap | netsniff-ng -i - -o -
Read a pcap file from stdin and convert it into a trafgen(8) configuration
file to stdout.
.SH CONFIG FILES
Under /etc/netsniff-ng/ there are the following files stored that are used
by netsniff-ng and can be extended if wished:
* oui.conf - OUI/MAC vendor database
* ether.conf - Ethernet type descriptions
* tcp.conf - TCP port/services map
* udp.conf - UDP port/services map
* geoip.conf - GeoIP database mirrors
.SH FILTER EXAMPLE
netsniff-ng supports both, low-level and high-level filters that are
attached to its packet(7) socket. Low-level filters are described in
the bpfc(8) man page.
Low-level filters can be used with netsniff-ng in the following way:
1. bpfc foo > bar
2. netsniff-ng -f bar
Here, foo is the bpfc program that will be translated into a netsniff-ng
readable ``opcodes'' file and passed to netsniff-ng through the -f option.
Similarly, high-level filter can be either passed through the -f option,
e.g. -f "tcp or udp" or at the end of all options without the ``-f''.
The filter syntax is the same as in tcpdump(8), which is described in
the man page pcap-filter(7). Just to quote some examples from pcap-filter(7):
.SS host sundown
To select all packets arriving at or departing from sundown.
.SS host helios and \( hot or ace \)
To select traffic between helios and either hot or ace.
.SS ip host ace and not helios
To select all IP packets between ace and any host except helios.
.SS net ucb-ether
To select all traffic between local hosts and hosts at Berkeley.
.SS gateway snup and (port ftp or ftp-data)
To select all ftp traffic through internet gateway snup.
.SS ip and not net localnet
To select traffic neither sourced from nor destined for local hosts (if you
gateway to one other net, this stuff should never make it onto your local net).
.SS tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet
To select the start and end packets (the SYN and FIN packets) of each TCP
conversation that involve a non-local host.
.SS tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
To select all IPv4 HTTP packets to and from port 80, i.e. print only packets
that contain data, not, for example, SYN and FIN packets and ACK-only packets.
(IPv6 is left as an exercise for the reader.)
.SS gateway snup and ip[2:2] > 576
To select IP packets longer than 576 bytes sent through gateway snup.
.SS ether[0] & 1 = 0 and ip[16] >= 224
To select IP broadcast or multicast packets that were not sent via Ethernet
broadcast or multicast.
.SS icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
To select all ICMP packets that are not echo requests/replies (i.e., not
ping packets).
.SH NOTE
For introducing bit errors, delays with random variation and more
while replaying pcaps, make use of tc(8) with its disciplines such
as netem.
netsniff-ng does only some basic, architecture generic tuning on
startup. If you are considering to do high performance capturing,
you need to carefully tune your machine, hardware and software-wise.
Simply letting netsniff-ng run without thinking about your underlying
system might not necessarily give you the desired performance. Note
that tuning your system is always a tradeoff and fine-grained
balancing act (e.g. throughput vs. latency). You should know what
you're doing!
One recommendation for software-based tuning is tuned(8). Besides
that, there are many other things to consider. Just to throw you
a few things that you might want to look at: NAPI networking drivers,
tickless kernel, I/OAT DMA engine, Direct Cache Access, RAM-based
file systems, multi-queues, and many more things. Also, you might
want to read the kernel's Documentation/networking/scaling.txt file
regarding technologies such as RSS, RPS, RFS, aRFS and XPS. Also
check your ethtool(8) settings, e.g. regarding offloading or
Ethernet pause frames etc.
Moreover, to get a deeper understanding of netsniff-ng internals
and how it interacts with the Linux kernel, the kernel documentation
under Documentation/networking/{packet_mmap.txt, filter.txt,
multiqueue.txt} might be of interest.
How do you sniff in a switched environment? I rudely refer to dSniff's
documentation that says:
The easiest route is simply to impersonate the local gateway, stealing
client traffic en route to some remote destination. Of course, the traffic
must be forwarded by your attacking machine, either by enabling kernel IP
forwarding or with a userland program that acccomplishes the same
(fragrouter -B1).
Several people have reportedly destroyed connectivity on their LAN to the
outside world by arpspoof'ing the gateway, and forgetting to enable IP
forwarding on the attacking machine. Don't do this. You have been warned.
If you do not need to dump all possible traffic, you have to consider
running netsniff-ng with a BPF filter for the ingress path. For that
purpose, read the bpfc(8) man page.
Also, to aggregate multiple NICs that you want to capture on, you
should consider using team devices, further explained in libteam resp.
teamd(8).
The following netsniff-ng pcap magic numbers are compatible with other
tools, at least tcpdump or Wireshark:
0xa1b2c3d4 (tcpdump-capable pcap)
0xa1b23c4d (tcpdump-capable pcap with ns resolution)
0xa1b2cd34 (Alexey Kuznetzov's pcap)
Pcap files with different meta data endianess are supported by netsniff-ng
as well.
.SH BUGS
When replaying pcap files, the timing information from the pcap packet
header is currently ignored.
Also, when replaying pcap files, demultiplexing traffic among multiple
networking interfaces does not work. Currently, it is only sent via the
interface that is given by the --out parameter.
When performing traffic capture on the Ethernet interface, the pcap file
is created and packets are received but without a 802.1Q header. When one
uses tshark, all headers are visible, but netsniff-ng removes 802.1Q
headers. Is that normal behavior?
Yes and no. The way how VLAN headers are handled in PF_PACKET sockets by the
kernel is somewhat ``problematic'' [1]. The problem in the Linux kernel is that
some drivers already handle VLAN, others not. Those who handle it can have
different implementations, i.e. hardware acceleration and so on. So in some
cases the VLAN tag is even stripped before entering the protocol stack, in
some cases probably not. Bottom line is that a "hack" was introduced in
PF_PACKET so that a VLAN ID is visible in some helper data structure that is
accessible from the RX_RING.
And then it gets really messy in the user space to artificially put the VLAN
header back into the right place. Not mentioning about the resulting performance
implications on that of all libpcap(3) tools since parts of the packet need to
be copied for reassembly via memmove(3).
A user reported the following, just to demonstrate this mess: some tests were
made with two machines, and it seems that results depends on the driver ...
AR8131:
ethtool -k eth0 gives "rx-vlan-offload: on"
- wireshark gets the vlan header
- netsniff-ng doesn't get the vlan header
ethtool -K eth0 rxvlan off
- wireshark gets a QinQ header even though noone sent QinQ
- netsniff-ng gets the vlan header
RTL8111/8168B:
ethtool -k eth0 gives "rx-vlan-offload: on"
- wireshark gets the vlan header
- netsniff-ng doesn't get the vlan header
ethtool -K eth0 rxvlan off
- wireshark gets the vlan header
- netsniff-ng doesn't get the vlan header
Even if we would agree on doing the same workaround as libpcap, we still will
not be able to see QinQ, for instance, due to the fact that only one VLAN tag
is stored in the kernel helper data structure. We think that there should be
a good consensus on the kernel space side about what gets transferred to the
userland first.
Update (28.11.2012): the Linux kernel and also bpfc(8) has built-in support
for hardware accelerated VLAN filtering, even though tags might not be visible
in the payload itself as reported here. However, the filtering for VLANs works
reliable if your NIC supports it. See bpfc(8) for an example.
[1] http://lkml.indiana.edu/hypermail/linux/kernel/0710.3/3816.html
.SH LEGAL
netsniff-ng is licensed under the GNU GPL version 2.0.
.SH HISTORY
.B netsniff-ng
was originally written for the netsniff-ng toolkit by Daniel Borkmann. Bigger
contributions were made by Emmanuel Roullit, Markus Amend, Tobias Klauser and
Christoph Jaeger. It is currently maintained by Tobias Klauser
<tklauser@distanz.ch> and Daniel Borkmann <dborkma@tik.ee.ethz.ch>.
.SH SEE ALSO
.BR trafgen (8),
.BR mausezahn (8),
.BR ifpps (8),
.BR bpfc (8),
.BR flowtop (8),
.BR astraceroute (8),
.BR curvetun (8)
.SH AUTHOR
Manpage was written by Daniel Borkmann.
|