       netsniff-ng
              The simplest command is to just run 'netsniff-ng'. This
              will start listening on all available networking devices
              in promiscuous mode and dump the packet dissector output
              to the terminal. No files will be recorded.
       netsniff-ng --in eth0 --out dump.pcap -s -T 0xa1e2cb12 -b 0 tcp or udp
              Capture TCP or UDP traffic from the networking device eth0
              into the pcap file named dump.pcap, which has netsniff-ng
              specific pcap extensions (see 'netsniff-ng -D' for
              capabilities). Also, do not print the content to the
              terminal and pin the process and NIC IRQ affinity to CPU
              0. The pcap write method is scatter-gather I/O.
       netsniff-ng --in wlan0 --rfraw --out dump.pcap --silent --bind-cpu 0
              Put the wlan0 device into monitoring mode and capture all
              raw 802.11 frames into the file dump.pcap. Do not dissect
              and print the content to the terminal and pin the process
              and NIC IRQ affinity to CPU 0. The pcap write method is
              scatter-gather I/O.
       netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 0
              Replay the pcap file dump.pcap which is read through
              mmap(2) I/O and send the packets out via the eth0
              networking device. Do not dissect and print the content to
              the terminal and pin the process and NIC IRQ affinity to
              CPU 0.  Also, trigger the kernel every 1000us to traverse
              the TX_RING instead of every 10us. Note that the pcap
              magic type is detected automatically from the pcap file
              header.
       netsniff-ng --in eth0 --out eth1 --silent --bind-cpu 0 --type host -r
              Redirect network traffic from the networking device eth0
              to eth1 for traffic that is destined for our host, thus
              ignoring broadcast, multicast and promiscuous traffic.
              Randomize the order of packets for the outgoing device and
              do not print any packet contents to the terminal. Also,
              pin the process and NIC IRQ affinity to CPU 0.
       netsniff-ng --in team0 --out /opt/probe/ -s -m --interval 100MiB -b 0
              Capture on an aggregated team0 networking device and dump
              packets into multiple pcap files that are split into
              100MiB each. Use mmap(2) I/O as a pcap write method,
              support for super jumbo frames is built-in (does not need
              to be configured here), and do not print the captured data
              to the terminal.  Pin netsniff-ng and NIC IRQ affinity to
              CPU 0. The default pcap magic type is 0xa1b2c3d4 (tcpdump-
              capable pcap).
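
              The examples above name two pcap magic types, the default
              0xa1b2c3d4 and the netsniff-ng specific 0xa1e2cb12. The
              following script is an added example, not part of the
              netsniff-ng documentation; it classifies a capture file by
              its first four bytes, and its sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the netsniff-ng project): classify a capture
# file by the pcap magic stored in its first four bytes.

# Print the first four bytes of file $1 as lowercase hex digits.
pcap_magic_bytes() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# The magic is written in the byte order of the capturing host, so each
# type can appear on disk as two different byte sequences.
pcap_type() {
    case "$(pcap_magic_bytes "$1")" in
        d4c3b2a1) echo "default little-endian" ;;      # 0xa1b2c3d4
        a1b2c3d4) echo "default big-endian" ;;
        12cbe2a1) echo "netsniff-ng little-endian" ;;  # 0xa1e2cb12
        a1e2cb12) echo "netsniff-ng big-endian" ;;
        *)        echo "unknown"; return 1 ;;
    esac
}

# Constructed sample inputs: only the magic bytes, as octal escapes.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf '\324\303\262\241' > "$SAMPLES/default.pcap"   # d4 c3 b2 a1
printf '\022\313\342\241' > "$SAMPLES/nsng.pcap"      # 12 cb e2 a1
printf 'GET / HTTP/1.1'   > "$SAMPLES/not-a-pcap"

for f in "$SAMPLES"/*; do
    printf '%s: %s\n' "${f##*/}" "$(pcap_type "$f" || true)"
done
```

              A file reported as netsniff-ng type was written with -T
              0xa1e2cb12 and carries the netsniff-ng specific extensions
              rather than the default tcpdump-capable layout.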
       netsniff-ng --in vlan0 --out dump.pcap -c -u `id -u bob` -g `id -g bob`
              Capture network traffic on device vlan0 into a pcap file
              called dump.pcap by using normal read(2), write(2) I/O for
              the pcap file (slower but less latency). Also, after
              setting up the RX_RING for capture, drop privileges from
              root to the user and group 'bob'. Invoke the packet
              dissector and print packet contents to the terminal for
              further analysis.
       netsniff-ng --in any --filter http.bpf -B --ascii -V
              Capture from all available networking interfaces and
              install a low-level filter that was previously compiled by
              bpfc(8) into http.bpf in order to filter HTTP traffic.
              Super jumbo frame support is automatically enabled. Only
              print human-readable packet data to the terminal, and be
              more verbose during the setup phase. Moreover, dump a BPF
              disassembly of http.bpf.
       netsniff-ng --in dump.pcap --out dump.cfg --silent
              Convert the pcap file dump.pcap into a trafgen(8)
              configuration file dump.cfg. Do not print pcap contents to
              the terminal.
       netsniff-ng -i dump.pcap -f beacon.bpf -o -
              Convert the pcap file dump.pcap into a trafgen(8)
              configuration file and write it to stdout. However, do not
              dump all of its content, but only the one that passes the
              low-level filter for raw 802.11 from beacon.bpf. The BPF
              engine here is invoked in user space inside of
              netsniff-ng, so Linux extensions are not available.
       cat foo.pcap | netsniff-ng -i - -o -
              Read a pcap file from stdin and convert it into a
              trafgen(8) configuration file to stdout.
       netsniff-ng -i nlmon0 -o dump.pcap -s
              Capture netlink traffic to a pcap file. This command needs
              a netlink monitoring device to be set up beforehand with
              the following commands, using ip(1) from the iproute2
              utility collection:
                modprobe nlmon
                ip link add type nlmon
                ip link set nlmon0 up
              To tear down the nlmon0 device, use the following
              commands:
                ip link set nlmon0 down
                ip link del dev nlmon0
                rmmod nlmon
       netsniff-ng --fanout-group 1 --fanout-type cpu --fanout-opts defrag --bind-cpu 0 --notouch-irq --silent --in em1 --out /var/cap/cpu0/ --interval 120sec
              Start two netsniff-ng fanout instances. Both are assigned
              to the same fanout group and traffic is split among them
              by incoming CPU. Furthermore, the kernel is supposed to
              defragment possible incoming fragments. The first instance
              is assigned to CPU 0 and the second one to CPU 1. IRQ
              bindings are not altered, as they might have been adapted
              to this scenario by the user a priori. Traffic is captured
              on interface em1 and written out in 120 second intervals
              as pcap files into /var/cap/cpu0/. Tools like mergecap(1)
              will be able to merge the cpu0/1 split back together if
              needed.
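
              The description covers two instances, while the command
              line shown is the one pinned to CPU 0. The following script
              is an added example, not part of the netsniff-ng
              documentation; it builds one such command per CPU and
              assumes that the instance on CPU N writes to /var/cap/cpuN/.

```shell
#!/bin/sh
# Added example: one netsniff-ng fanout instance per CPU, same group.
# Interface, group and options are those of the man page example; the
# /var/cap/cpuN/ directory for N other than 0 is an assumption.
IFACE="${IFACE:-em1}"
GROUP="${GROUP:-1}"
CAP_ROOT="${CAP_ROOT:-/var/cap}"

# fanout_instance MODE CPU: MODE=print echoes the command line, MODE=run
# creates the output directory and starts the instance in the background.
fanout_instance() {
    set -- "$1" "$2" netsniff-ng --fanout-group "$GROUP" --fanout-type cpu \
        --fanout-opts defrag --bind-cpu "$2" --notouch-irq --silent \
        --in "$IFACE" --out "$CAP_ROOT/cpu$2/" --interval 120sec
    m=$1 c=$2; shift 2
    if [ "$m" = print ]; then
        echo "$*"
    else
        mkdir -p "$CAP_ROOT/cpu$c" && "$@" &
    fi
}

# start_fanout MODE CPU...: reject non-numeric CPU ids before anything
# is started, then handle each CPU and wait for running instances.
start_fanout() {
    mode=$1; shift
    for cpu in "$@"; do
        case "$cpu" in
            ''|*[!0-9]*) echo "bad CPU id: $cpu" >&2; return 1 ;;
        esac
    done
    for cpu in "$@"; do
        fanout_instance "$mode" "$cpu"
    done
    [ "$mode" = print ] || wait
}

# Dry run: print the two command lines without starting anything.
start_fanout print 0 1
```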