зверь, обнюхивающий пакеты (the packet sniffing beast)
Примечание (Note)
To avoid confusion, it should be noted that there is another
network analyzer with a similar name, called NetSniff, that is
unrelated to the netsniff-ng project.
For introducing bit errors, delays with random variation and more
while replaying pcaps, make use of tc(8) with its disciplines
such as netem.
netsniff-ng does only some basic, architecture generic tuning on
startup. If you are considering to do high performance capturing,
you need to carefully tune your machine, both hardware and
software. Simply letting netsniff-ng run without thinking about
your underlying system might not necessarily give you the desired
performance. Note that tuning your system is always a tradeoff
and fine-grained balancing act (throughput versus latency). You
should know what you are doing!
One recommendation for software-based tuning is tuned(8).
Besides that, there are many other things to consider. Just to
throw you a few things that you might want to look at: NAPI
networking drivers, tickless kernel, I/OAT DMA engine, Direct
Cache Access, RAM-based file systems, multi-queues, and many more
things. Also, you might want to read the kernel's
Documentation/networking/scaling.txt file regarding technologies
such as RSS, RPS, RFS, aRFS and XPS. Also check your ethtool(8)
settings, for example regarding offloading or Ethernet pause
frames.
Moreover, to get a deeper understanding of netsniff-ng internals
and how it interacts with the Linux kernel, the kernel
documentation under Documentation/networking/{packet_mmap.txt,
filter.txt, multiqueue.txt} might be of interest.
How do you sniff in a switched environment? I rudely refer to
dSniff's documentation that says:
The easiest route is simply to impersonate the local gateway,
stealing client traffic en route to some remote destination. Of
course, the traffic must be forwarded by your attacking machine,
either by enabling kernel IP forwarding or with a userland
program that accomplishes the same (fragrouter -B1).
Several people have reportedly destroyed connectivity on their
LAN to the outside world by ARP spoofing the gateway, and
forgetting to enable IP forwarding on the attacking machine. Do
not do this. You have been warned.
A safer option than ARP spoofing would be to use a "port mirror"
function if your switch hardware supports it and if you have
access to the switch.
If you do not need to dump all possible traffic, you have to
consider running netsniff-ng with a BPF filter for the ingress
path. For that purpose, read the bpfc(8) man page.
Also, to aggregate multiple NICs that you want to capture on, you
should consider using team devices, further explained in libteam
resp. teamd(8).
The following netsniff-ng pcap magic numbers are compatible with
other tools, at least tcpdump or Wireshark:
0xa1b2c3d4 (tcpdump-capable pcap)
0xa1b23c4d (tcpdump-capable pcap with ns resolution)
0xa1b2cd34 (Alexey Kuznetzov's pcap)
Pcap files with different meta data endianness are supported by
netsniff-ng as well.
