netsniff-ng | Swiss army knife for Linux network plumbing

netsniff-ng is a free, performant Linux network analyzer and networking toolkit. If you will, the Swiss army knife for network packets.

The gain of performance is reached by built-in zero-copy mechanisms, so that on packet reception and transmission the kernel does not need to copy packets from kernel space to user space, and vice versa.

The netsniff-ng toolkit’s primary usage goal is to facilitate a network developer’s / hacker’s daily Linux plumbing. It can be used for network development, debugging, analysis, auditing or network reconnaissance.
It consists of the following fixed set of utilities:

* netsniff-ng: a zero-copy packet analyzer, pcap capturing/replaying tool
* trafgen: a multithreaded low-level zero-copy network packet generator
* mausezahn [*]: high-level packet generator for appliances with Cisco-CLI
* ifpps: a top-like kernel networking and system statistics tool
* curvetun [*]: a lightweight curve25519-based multiuser IP tunnel
* astraceroute: an autonomous system trace route and DPI testing utility
* flowtop: a top-like netfilter connection tracking tool
* bpfc: a [seccomp-]BPF (Berkeley packet filter) compiler, JIT disassembler

Each release can be verified with Git and GPG, here are the steps to do so:

1) Import the maintainers public keys:
git show maint-tklauser-pgp-pub | gpg –import
git show maint-dborkman-pgp-pub | gpg –import
2) Verify the Git tag:
git tag -v


netsniff-ng is a fast network analyzer based on packet mmap(2) mechanisms. It can record pcap files to disc, replay them and also do an offline and online analysis. Capturing, analysis or replay of raw 802.11 frames are supported as well. pcap files are also compatible with tcpdump or Wireshark traces. netsniff-ng processes those pcap traces either in scatter-gather I/O or by mmap(2) I/O.

trafgen is a multi-threaded network traffic generator based on packet mmap(2) mechanisms. It has its own flexible, macro-based low-level packet configuration language. Injection of raw 802.11 frames are supported as well. trafgen has a significantly higher speed than mausezahn and comes very close to pktgen, but runs from user space. pcap traces can also be converted into a trafgen packet configuration.

mausezahn is a high-level packet generator that can run on a hardware-software appliance and comes with a Cisco-like CLI. It can craft nearly every possible or impossible packet. Thus, it can be used, for example, to test network behaviour under strange circumstances (stress test, malformed packets) or to test hardware-software appliances for several kind of attacks.

bpfc is a Berkeley Packet Filter (BPF) compiler that understands the original BPF language developed by McCanne and Jacobson. It accepts BPF mnemonics and converts them into kernel/netsniff-ng readable BPF “opcodes”. It also supports undocumented Linux filter extensions. This can especially be useful for more complicated filters, that high-level filters fail to support.

ifpps is a tool which periodically provides top-like networking and system statistics from the Linux kernel. It gathers statistical data directly from procfs files and does not apply any user space traffic monitoring that would falsify statistics on high packet rates. For wireless, data about link connectivity is provided as well.

flowtop is a top-like connection tracking tool that can run on an end host or router. It is able to present TCP or UDP flows that have been collected by the kernel’s netfilter framework. GeoIP and TCP state machine information is displayed. Also, on end hosts flowtop can show PIDs and application names that flows relate to. No user space traffic monitoring is done, thus all data is gathered by the kernel.

curvetun is a lightweight, high-speed ECDH multiuser tunnel for Linux. curvetun uses the Linux TUN/TAP interface and supports {IPv4,IPv6} over {IPv4,IPv6} with UDP or TCP as carrier protocols. Packets are encrypted end-to-end by a symmetric stream cipher (Salsa20) and authenticated by a MAC (Poly1305), where keys have previously been computed with the ECDH key agreement protocol (Curve25519).

astraceroute is an autonomous system (AS) trace route utility. Unlike traceroute or tcptraceroute, it not only display hops, but also their AS information they belong to as well as GeoIP information and other interesting things. On default, it uses a TCP probe packet and falls back to ICMP probes in case no ICMP answer has been received.

Concluding, the toolkit is split into small, useful utilities that are or are not necessarily related to each other. Each program for itself fills a gap as a helper in your daily network debugging, development or audit.


git clone git://
cd netsniff-ng

More info, visit here.

The post netsniff-ng | Swiss army knife for Linux network plumbing appeared first on Penetration Testing in Linux.


Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do

Você está comentando utilizando sua conta Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s