Original author(s) | Daniel Borkmann |
---|---|
Developer(s) | Emmanuel Roullit, Daniel Borkmann and others |
Initial release | December, 2009 |
Stable release | 0.5.5.0 / March 17, 2011 |
Development status | Active |
Written in | C |
Operating system | Linux |
Available in | English |
Type | Computer security, Network management, Network engineering |
License | GNU General Public License v2 |
Website | netsniff-ng.org |
netsniff-ng is a free, high-performance Linux networking toolkit [1] originally written by Daniel Borkmann. Its performance gain comes from zero-copy mechanisms for network packets [2], so that the operating system does not need to copy packets from kernel space to user space via system calls [3].
netsniff-ng was initially created as a network sniffer with support for the Linux kernel's zero-copy interface for network packets; more tools were added later to make it a useful toolkit, similar to the iproute2 suite, for instance. Through the kernel's zero-copy interface, efficient packet processing can be achieved even on commodity hardware. For instance, Gigabit Ethernet wire speed has been reached with netsniff-ng's trafgen [4] [5]. The netsniff-ng toolkit does not depend on the libpcap library. Moreover, no special operating system patches are needed to run the toolkit. netsniff-ng is free software and has been released under the terms of the GNU General Public License version 2.
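The zero-copy receive path described above, as an added example (not netsniff-ng's own code): it assumes the kernel interface in question is the AF_PACKET `PACKET_RX_RING` memory-mapped ring with the default TPACKET_V1 frame layout. `FRAME_SIZE`, `ring_geometry` and `ring_drain` are names chosen for this example.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>

#define FRAME_SIZE 2048u /* assumed: power of two, so frames tile each block */

/* Geometry the kernel accepts: page-multiple blocks, frame_nr = frames per block * blocks. */
static struct tpacket_req ring_geometry(unsigned blocks) {
    struct tpacket_req r = { .tp_block_size = 4u * (unsigned)sysconf(_SC_PAGESIZE),
                             .tp_block_nr = blocks, .tp_frame_size = FRAME_SIZE };
    r.tp_frame_nr = r.tp_block_size / r.tp_frame_size * r.tp_block_nr;
    return r;
}

/* Consume frames the kernel marked TP_STATUS_USER, then hand each slot back. */
static unsigned ring_drain(uint8_t *ring, const struct tpacket_req *r,
                           unsigned *next, uint64_t *bytes) {
    for (unsigned seen = 0;; seen++) {
        struct tpacket_hdr *h = (void *)(ring + (size_t)*next * r->tp_frame_size);
        if (!(h->tp_status & TP_STATUS_USER))
            return seen;                 /* slot still owned by the kernel */
        *bytes += h->tp_len;             /* frame is readable in place at (uint8_t *)h + h->tp_mac */
        __sync_synchronize();            /* finish reads before releasing the slot */
        h->tp_status = TP_STATUS_KERNEL;
        *next = (*next + 1) % r->tp_frame_nr;
    }
}

int main(void) { /* needs CAP_NET_RAW; unbound socket sees all interfaces */
    struct tpacket_req r = ring_geometry(64);
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0 || setsockopt(fd, SOL_PACKET, PACKET_RX_RING, &r, sizeof(r)) < 0)
        return perror("PACKET_RX_RING"), 1;
    uint8_t *ring = mmap(NULL, (size_t)r.tp_block_size * r.tp_block_nr,
                         PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (ring == MAP_FAILED)
        return perror("mmap"), 1;
    unsigned next = 0, total = 0;
    uint64_t bytes = 0;
    struct pollfd p = { .fd = fd, .events = POLLIN };
    while (total < 100 && poll(&p, 1, -1) > 0)   /* stop after 100 frames */
        total += ring_drain(ring, &r, &next, &bytes);
    printf("%u frames, %llu bytes, no per-packet recv()\n", total, (unsigned long long)bytes);
    return 0;
}
```

The only system call in the steady state is `poll()`, which wakes the process when the kernel has filled at least one slot; frame data is never copied out of the shared ring.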
The toolkit currently consists of a network analyzer, packet capturer and replayer, a wire-rate traffic generator, an encrypted multiuser IP tunnel, a Berkeley Packet Filter compiler, networking statistics tools, an autonomous system traceroute and more [6]:
Distribution-specific packages are available for all major operating system distributions such as Debian or Fedora Linux [7], including its Security Spin [8]. It has also been added to Xplico's Network Forensic Toolkit [9], GRML Linux and the Network Security Toolkit [10]. The netsniff-ng toolkit is also used in academia [11] [12].
These examples assume that eth0 is the network interface in use.
ashunt -d eth0 -N -S -H <host i.e., netsniff-ng.org>
ifpps -d eth0 -p
trafgen -d eth0 -c trafgen.txf -b 0
bpfc -i fubar.bpf
curvetun -s -4 -u -p 6666 --stun stunserver.org
curvetun --client=bob-server
netsniff-ng -i eth0 -o dump.pcap -s -b 0
netsniff-ng -i dump.pcap -o eth0 -s -b 0
netsniff-ng -i eth0 -o eth1 -s -b 0
netsniff-ng -i any
The netsniff-ng toolkit currently runs only on Linux systems. Its developers have declined to port it to Microsoft Windows [13].