NAME¶
netsniff-ng - the packet sniffing beast
SYNOPSIS¶
netsniff-ng -i|-d|--dev|--in <dev|pcap> -o|--out <dev|pcap|dir|txf>
[-f|--filter <bpf-file>][-t|--type <type>][-F|--interval
<uint>] [-s|--silent][-J|--jumbo-support][-n|--num
<uint>][-r|--rand] [-M|--no-promisc][-m|--mmap |
-c|--clrw][-S|--ring-size <size>] [-k|--kernel-pull
<uint>][-b|--bind-cpu <cpu> | -B|--unbind-cpu <cpu>]
[-H|--prio-high][-Q|--notouch-irq][-q|--less | -X|--hex | -l|--ascii]
[-v|--version][-h|--help]
DESCRIPTION¶
The first sniffer that invoked both, the zero-copy RX_RING as well as the
zero-copy TX_RING for high-performance network I/O and scatter/gather or
mmaped PCAP I/O.
EXAMPLES¶
- netsniff-ng --in eth0 --out dump.pcap
- Capture traffic from interface 'eth0' and save it pcap file
'dump.pcap'
- netsniff-ng --in any --filter http.bpf --payload
- Capture HTTP traffic from any interface and print its
payload on stdout
- netsniff-ng --in wlan0 --bind-cpu 0,1
- Capture all traffic from wlan0 interface. Schedule process
on CPU 0 and 1.
OPTIONS¶
- -i|-d|--dev|--in <dev|pcap>
- Input source. Can be a network device or pcap file.
- -o|--out <dev|pcap|dir|txf>
- Output sink. Can be a network device, pcap file, a trafgen
txf file or a directory. (There's only pcap to txf translation
possible.)
- -f|--filter <bpf-file>
- Use BPF filter file from bpfc.
- -t|--type <type>
- Only handle packets of defined type:
- - broadcast
- - multicast
- - others
- - outgoing
- -F|--interval <uint>
- Dump interval in seconds. if -o is a directory, a new pcap
will be created at each interval. The older files are left untouched.
(default value: 60 seconds)
- -s|--silent
- Do not print captured packets to stdout.
- -J|--jumbo-support
- Support for 64KB Super Jumbo Frames.
- -n|--num <uint>
- When zerp, capture/replay until SIGINT is received
(default). When non-zero, capture/replay the number of packets.
- -r|--rand
- Randomize packet forwarding order (replay mode only).
- -M|--no-promisc
- Do not place the interface in promiscuous mode.
- -m|--mmap
- Mmap pcap file i.e., for replaying. Default: scatter/gather
I/O.
- -c|--clrw
- Instead of using scatter/gather I/O use slower
read(2)/ write(2) I/O.
- -S|--ring-size <size>
- Manually set ring size in KB/MB/GB, e.g. '10MB'.
- -k|--kernel-pull <uint>
- Kernel pull from user interval in microseconds. Default is
10us. (replay mode only).
- -b|--bind-cpu <cpu>
- Bind to specific CPU (or CPU-range).
- -B|--unbind-cpu <cpu>
- Forbid to use specific CPU (or CPU-range).
- -H|--prio-high
- Run the process in high-priority mode.
- -Q|--notouch-irq
- Do not touch IRQ CPU affinity of NIC.
- -q|--less
- Print less-verbose packet information.
- -X|--hex
- Print packet data in hex format.
- -l|--ascii
- Print human-readable packet data.
- -v|--version
- Print version.
- -h|--help
- Print help text and lists all options.
AUTHOR¶
Written by Daniel Borkmann <daniel@netsniff-ng.org> and Emmanuel Roullit
<emmanuel@netsniff-ng.org>
DOCUMENTATION¶
Documentation by Emmanuel Roullit <emmanuel@netsniff-ng.org>
BUGS¶
Please report bugs to <bugs@netsniff-ng.org>
