Guide to the Linux Manual




netsniff-ng(8)

the packet sniffing beast

Note

To avoid confusion, it should be noted that there is another network analyzer with a similar name, called NetSniff, that is unrelated to the netsniff-ng project.

For introducing bit errors, delays with random variation and more while replaying pcaps, make use of tc(8) with its disciplines such as netem.

netsniff-ng does only some basic, architecture-generic tuning on startup. If you are considering doing high-performance capturing, you need to carefully tune your machine, both hardware and software. Simply letting netsniff-ng run without thinking about your underlying system will not necessarily give you the desired performance. Note that tuning your system is always a tradeoff and a fine-grained balancing act (throughput versus latency). You should know what you are doing!

One recommendation for software-based tuning is tuned(8). Besides that, there are many other things to consider. To name a few things you might want to look at: NAPI networking drivers, tickless kernel, I/OAT DMA engine, Direct Cache Access, RAM-based file systems, multi-queues, and many more. Also, you might want to read the kernel's Documentation/networking/scaling.txt file regarding technologies such as RSS, RPS, RFS, aRFS and XPS. Also check your ethtool(8) settings, for example regarding offloading or Ethernet pause frames.

Moreover, to get a deeper understanding of netsniff-ng internals and how it interacts with the Linux kernel, the kernel documentation under Documentation/networking/{packet_mmap.txt, filter.txt, multiqueue.txt} might be of interest.

How do you sniff in a switched environment? I rudely refer to dSniff's documentation that says:

The easiest route is simply to impersonate the local gateway, stealing client traffic en route to some remote destination. Of course, the traffic must be forwarded by your attacking machine, either by enabling kernel IP forwarding or with a userland program that accomplishes the same (fragrouter -B1).

Several people have reportedly destroyed connectivity on their LAN to the outside world by ARP spoofing the gateway, and forgetting to enable IP forwarding on the attacking machine. Do not do this. You have been warned.

A safer option than ARP spoofing would be to use a "port mirror" function if your switch hardware supports it and if you have access to the switch.

If you do not need to dump all possible traffic, you should consider running netsniff-ng with a BPF filter for the ingress path. For that purpose, read the bpfc(8) man page.

Also, to aggregate multiple NICs that you want to capture on, you should consider using team devices, further explained in the libteam documentation and teamd(8).

The following netsniff-ng pcap magic numbers are compatible with other tools, at least with tcpdump and Wireshark:

   0xa1b2c3d4    tcpdump-capable pcap
   0xa1b23c4d    tcpdump-capable pcap with ns resolution
   0xa1b2cd34    Alexey Kuznetzov's pcap

Pcap files with different meta data endianness are supported by netsniff-ng as well.
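As an added example (not code from the netsniff-ng man page or its source), a small C parser for the 24-byte pcap global header that uses the three magic numbers above both to pick the timestamp resolution and to detect the file's endianness, as the last two paragraphs describe. The sample headers are constructed; the Kuznetzov variant is recognised by its magic only, its extended per-record layout is not handled here.

```c
#include <stdint.h>
#include <stdio.h>
/* Magic numbers as listed in the netsniff-ng man page. */
#define PCAP_MAGIC_USEC 0xa1b2c3d4u /* tcpdump-capable pcap, microsecond timestamps */
#define PCAP_MAGIC_NSEC 0xa1b23c4du /* tcpdump-capable pcap, nanosecond timestamps */
#define PCAP_MAGIC_KUZ  0xa1b2cd34u /* Alexey Kuznetzov's pcap */
#define PCAP_HDR_LEN    24          /* size of the pcap global header in bytes */

struct pcap_info {
    uint32_t magic;      /* magic as the writer intended it, after endianness detection */
    int big_endian;      /* 1 if the file's header fields are stored big-endian */
    int nsec;            /* 1 if record timestamps carry nanoseconds, 0 for microseconds */
    uint16_t version_major, version_minor;
    uint32_t snaplen, linktype;
};

/* Read 32/16-bit fields in the requested byte order, independent of the host's. */
static uint32_t rd32(const unsigned char *p, int be) {
    return be ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
              : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}
static uint16_t rd16(const unsigned char *p, int be) {
    return (uint16_t)(be ? (p[0] << 8 | p[1]) : (p[1] << 8 | p[0]));
}

/* Parse a pcap global header; the magic doubles as the endianness probe (a known magic
 * read LE means an LE file, read BE a BE file). Returns 0, or -1 on short/unknown input. */
int pcap_parse_header(const unsigned char *buf, size_t len, struct pcap_info *out) {
    if (len < PCAP_HDR_LEN) return -1;
    for (int be = 0; be <= 1; be++) {
        uint32_t magic = rd32(buf, be);
        if (magic != PCAP_MAGIC_USEC && magic != PCAP_MAGIC_NSEC && magic != PCAP_MAGIC_KUZ)
            continue;
        out->magic = magic; out->big_endian = be; out->nsec = (magic == PCAP_MAGIC_NSEC);
        out->version_major = rd16(buf + 4, be); out->version_minor = rd16(buf + 6, be);
        out->snaplen = rd32(buf + 16, be);       out->linktype = rd32(buf + 20, be);
        return 0;
    }
    return -1;
}

/* Convert a record timestamp to nanoseconds; the unit of ts_frac follows the magic. */
uint64_t pcap_ts_ns(uint32_t ts_sec, uint32_t ts_frac, int nsec) {
    return (uint64_t)ts_sec * 1000000000ull + (nsec ? ts_frac : (uint64_t)ts_frac * 1000ull);
}

/* Constructed sample headers (not taken from real captures): v2.4, LINKTYPE 1. */
const unsigned char sample_le_usec[PCAP_HDR_LEN] = { 0xd4,0xc3,0xb2,0xa1, 2,0, 4,0,
    0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0 };      /* LE, us, snaplen 65535 */
const unsigned char sample_be_nsec[PCAP_HDR_LEN] = { 0xa1,0xb2,0x3c,0x4d, 0,2, 0,4,
    0,0,0,0, 0,0,0,0, 0,4,0,0, 0,0,0,1 };            /* BE, ns, snaplen 262144 */
```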