netsniff-ng
high-performance packet sniffer
SYNOPSIS
netsniff-ng [options] [filter-expression]
DESCRIPTION
netsniff-ng is a high-performance, zero-copy network analyzer, packet capture and replay tool. It uses the Linux kernel's PACKET_MMAP RXRING/TXRING interface to move packets between kernel and user space without copying, allowing capture and transmission close to line rate.
It can capture live traffic to a pcap file, replay a pcap back onto an interface, and rotate captures into per-interval files for long-running collection. Filtering accepts both raw BPF and tcpdump-style expressions.
PARAMETERS
-i, -d, --in, --dev INPUT
Input source: a network device, a pcap file, or - for stdin.
-o, --out OUTPUT
Output sink: a network device, a pcap file, a directory (with --interval), or - for stdout.
-f, --filter EXPR
Apply a low-level (BPF) or high-level (tcpdump-style) packet filter. A bare filter expression on the command line is also accepted.
--ring-size SIZE
Set the mmap ring buffer size, e.g. 10MiB, 1GiB.
-F, --interval NUM
When writing to a directory, start a new pcap file every NUM packets, or by time/size (e.g. 60sec, 100MiB).
-s, --silent
Do not print captured packets to the console.
-V, --verbose
Print/dump each captured packet in verbose form.
-T, --magic PCAPMAGIC
Set the pcap file format magic (link-layer/timestamp variant).
-b, --bind-cpu CPU
Pin the capture process to the given CPU.
-H, --prio-high
Run the process with high scheduling priority.
-v, --version, -h, --help
Show version or help information.
CAVEATS
Requires root (or CAP_NET_RAW / CAP_NET_ADMIN). It is part of the netsniff-ng toolkit, which also includes trafgen, mausezahn, ifpps, flowtop, and astraceroute. Some link types and timestamp formats depend on driver and kernel support.
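The magic chosen with --magic decides how a reader must interpret every record timestamp in the resulting file. The following added example (not part of the netsniff-ng project) reads a capture, detects byte order and timestamp resolution from the two standard pcap magics, and yields each packet with a nanosecond timestamp; the function names and the sample capture are constructed for illustration, and any other magic is rejected rather than guessed.

```python
import struct

# The two standard pcap magics: microsecond and nanosecond timestamps.
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D


def parse_global_header(buf):
    """Return byte order, timestamp resolution, snaplen and link type."""
    if len(buf) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", buf[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        # Other variants exist; refuse rather than guess the record layout.
        raise ValueError("unsupported pcap magic %s" % buf[:4].hex())
    # Bytes 4..15 hold version, timezone and sigfigs; not needed here.
    snaplen, linktype = struct.unpack(endian + "II", buf[16:24])
    return {"endian": endian, "nsec": magic == MAGIC_NSEC,
            "snaplen": snaplen, "linktype": linktype}


def iter_packets(buf):
    """Yield (timestamp_in_ns, packet_bytes) for every record in the capture."""
    hdr = parse_global_header(buf)
    scale = 1 if hdr["nsec"] else 1000  # fraction field is ns or us
    off = 24
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, caplen, _wirelen = struct.unpack(
            hdr["endian"] + "IIII", buf[off:off + 16])
        off += 16
        if caplen > hdr["snaplen"] or off + caplen > len(buf):
            raise ValueError("bad captured length %d" % caplen)
        yield sec * 10**9 + frac * scale, buf[off:off + caplen]
        off += caplen


def build_sample(magic, endian, frac):
    """Constructed one-packet capture (link type 1 = Ethernet), for the demo."""
    pkt = bytes(14)  # constructed all-zero Ethernet header
    return (struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
            + struct.pack(endian + "IIII", 1700000000, frac, len(pkt), len(pkt))
            + pkt)
```

The same fraction value of 500 decodes to 500 microseconds under one magic and 500 nanoseconds under the other, which is why timeline correlation across captures should always start from the file's magic.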
HISTORY
netsniff-ng was created by Daniel Borkmann in 2009 as a free, Linux-native, zero-copy packet analyzer, and grew into the broader netsniff-ng networking toolkit. It is licensed under the GPLv2.
