netsniff-ng
Capture network traffic
SYNOPSIS
netsniff-ng [-i
PARAMETERS
-i
Specify the network interface to capture packets from (e.g., eth0, wlan0).
-o
Write captured packets to a PCAP formatted file for later analysis.
-s
Set the snapshot length (snaplen) for captured packets. Only capture the first
-f
Apply a Berkeley Packet Filter (BPF) expression to filter captured packets based on criteria like IP address, port, or protocol.
-N
Do not put the specified network interface into promiscuous mode, capturing only traffic destined for the host.
-X
Dump the PCAP index, showing offsets and timestamps of packets within the capture file.
-H
Dump packet headers only, rather than the entire packet payload.
-L
Dump link-layer information, such as MAC addresses.
-S
Set the ring buffer packet size in bytes (e.g., 2048) used for internal operations.
-t
Stop capturing packets after a specified timeout duration (in seconds).
-c
Stop capturing packets after a specified number of packets have been captured.
-b
Set the ring buffer size (e.g., 64MB), the amount of memory allocated for packet capture.
-P
Replay packets from a specified PCAP file onto a network interface.
-k
Show kernel statistics related to packet capture, such as dropped packets and errors.
-v
Enable verbose output, providing more detailed information during operation.
-h
Display the help message and exit.
DESCRIPTION
netsniff-ng is a free, high-performance, and versatile Linux network sniffer and packet analyzer. It is a core component of the `netsniff-ng` toolkit, engineered for zero-copy packet capturing, replaying, and analysis directly from kernel space.
Unlike traditional sniffers that often rely on libpcap, netsniff-ng leverages the `mmap()` interface and `PACKET_MMAP` ring buffers for enhanced efficiency and reduced CPU overhead. This design makes it exceptionally suitable for high-throughput network environments, minimizing dropped packets under heavy load.
It supports various output formats, including standard PCAP and PCAP-ng, and allows for powerful filtering using Berkeley Packet Filter (BPF) syntax. Beyond live capturing, netsniff-ng can also perform offline analysis and packet injection/replay, making it an indispensable tool for network security monitoring, performance testing, and deep protocol analysis.
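As an added example (not part of netsniff-ng or this man page), the following Python reader builds the kind of per-packet index described for -X from a classic PCAP file written with -o, and flags records that the -s snaplen cut short. It assumes the classic libpcap format only (not PCAP-ng) and uses a constructed in-memory capture instead of a real one.

```python
import struct

# Classic PCAP magic values as read little-endian from the first 4 bytes:
# (struct byte-order prefix, timestamp fraction divisor).
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),          # microseconds
    0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000),  # nanoseconds
}


def pcap_index(data):
    """Walk a classic PCAP byte string and return its header fields plus one
    entry per record: file offset, timestamp (seconds), captured length,
    original length, and whether the snaplen cut the packet short."""
    if len(data) < 24:
        raise ValueError("too short for a PCAP global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError("not a classic PCAP file (magic 0x%08x)" % magic)
    end, ts_div = _MAGICS[magic]
    # version major/minor, thiszone, sigfigs, snaplen, link type
    vmaj, vmin, _zone, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        # A caplen above the file's snaplen, or running past EOF, means a corrupt file.
        if caplen > snaplen or off + 16 + caplen > len(data):
            raise ValueError("corrupt record at offset %d" % off)
        records.append({"offset": off, "ts": ts_sec + ts_frac / ts_div,
                        "caplen": caplen, "origlen": origlen,
                        "truncated": caplen < origlen})
        off += 16 + caplen
    return {"version": (vmaj, vmin), "snaplen": snaplen,
            "linktype": linktype, "records": records}


def build_sample_pcap(endian="<", snaplen=96):
    """Constructed sample (not a real capture): two Ethernet frames written with
    snaplen 96; the second was 1514 bytes on the wire and is cut to 96."""
    hdr = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    rec1 = struct.pack(endian + "IIII", 1700000000, 250000, 60, 60) + b"\x00" * 60
    rec2 = struct.pack(endian + "IIII", 1700000001, 500, 96, 1514) + b"\x00" * 96
    return hdr + rec1 + rec2


if __name__ == "__main__":
    for r in pcap_index(build_sample_pcap())["records"]:
        print("offset=%(offset)d ts=%(ts).6f caplen=%(caplen)d orig=%(origlen)d truncated=%(truncated)s" % r)
```

A truncated record (caplen below origlen) means the payload beyond the snaplen is gone from the file, so protocol analysis on such captures must treat the missing tail as absent rather than empty.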
CAVEATS
Using netsniff-ng for most operations requires root privileges. Its reliance on Linux-specific kernel features like PACKET_MMAP means it is not portable to other operating systems. While highly efficient, large ring buffer sizes can consume significant system memory. Understanding Berkeley Packet Filter (BPF) syntax can be challenging for new users.
FILTERING CAPABILITIES
netsniff-ng utilizes the widely adopted Berkeley Packet Filter (BPF) syntax for packet filtering. This allows users to create highly precise rules to capture only packets matching specific criteria, such as source/destination IP addresses, port numbers, protocols (e.g., tcp, udp, icmp), or even packet sizes. This powerful filtering mechanism significantly reduces the amount of irrelevant data captured, making analysis more efficient.
ZERO-COPY MECHANISM
The core performance advantage of netsniff-ng is its implementation of a zero-copy mechanism, primarily through the use of PACKET_MMAP. Instead of copying packet data multiple times between the kernel and user space, `PACKET_MMAP` allows direct memory mapping. This direct access minimizes CPU cycles spent on data movement, enabling netsniff-ng to handle extremely high packet rates with significantly less overhead and fewer dropped packets compared to traditional methods.
PACKET REPLAY
Beyond its robust capturing capabilities, netsniff-ng also offers a valuable packet replay feature. Using the -P option, users can take a previously captured PCAP file and re-inject those packets onto a network interface. This is immensely useful for network device testing, simulating specific traffic conditions, reproducing security incidents, or benchmarking network performance in a controlled environment.
HISTORY
netsniff-ng is part of the `netsniff-ng` toolkit, primarily developed by Daniel Borkmann. Its inception was driven by the need for a high-performance packet sniffer that could overcome the limitations of traditional libpcap-based tools in high-speed network environments. Developed from the ground up, it leverages Linux-specific kernel features such as PACKET_MMAP ring buffers and zero-copy mechanisms to ensure maximum efficiency and minimal CPU overhead. This focus on kernel-level integration and performance makes it a modern and powerful alternative for demanding packet capture and analysis tasks.