Packages and Binaries:

netsniff-ng

netsniff-ng is a high performance Linux network sniffer for packet inspection. It can be used for protocol analysis, reverse engineering or network debugging. The gain of performance is reached by ‘zero-copy’ mechanisms, so that the kernel does not need to copy packets from kernelspace to userspace.

netsniff-ng toolkit currently consists of the following utilities:

  • netsniff-ng: a zero-copy packet analyzer, pcap capturing/replaying tool
  • trafgen: a multithreaded low-level zero-copy network packet generator
  • mausezahn: high-level packet generator for appliances with Cisco-CLI
  • ifpps: a top-like kernel networking and system statistics tool
  • curvetun: a lightweight curve25519-based multiuser IP tunnel
  • astraceroute: an autonomous system trace route and DPI testing utility
  • flowtop: a top-like netfilter connection tracking tool
  • bpfc: a [seccomp-]BPF (Berkeley packet filter) compiler, JIT disassembler

Installed size: 2.04 MB
How to install: sudo apt install netsniff-ng

Dependencies:
  • libc6
  • libcli1.10
  • libgeoip1
  • libncurses6
  • libnet1
  • libnetfilter-conntrack3
  • libnl-3-200
  • libnl-genl-3-200
  • libnl-route-3-200
  • libpcap0.8
  • libsodium23
  • libtinfo6
  • liburcu8
  • zlib1g
astraceroute

Autonomous system trace route utility

root@kali:~# astraceroute -h
astraceroute 0.6.8, autonomous system trace route utility
http://www.netsniff-ng.org

Usage: astraceroute [options]
Options:
 -H|--host <host>        Host/IPv4/IPv6 to lookup AS route to
 -p|--port <port>        Hosts port to lookup AS route to
 -i|-d|--dev <device>    Networking device, e.g. eth0
 -b|--bind <IP>          IP address to bind to, Must specify -6 for an IPv6 address
 -f|--init-ttl <ttl>     Set initial TTL
 -m|--max-ttl <ttl>      Set maximum TTL (def: 30)
 -q|--num-probes <num>   Number of max probes for each hop (def: 2)
 -x|--timeout <sec>      Probe response timeout in sec (def: 3)
 -X|--payload <string>   Specify a payload string to test DPIs
 -l|--totlen <len>       Specify total packet len
 -4|--ipv4               Use IPv4-only requests
 -6|--ipv6               Use IPv6-only requests
 -n|--numeric            Do not do reverse DNS lookup for hops
 -u|--update             Update GeoIP databases
 -L|--latitude           Show latitude and longitude
 -N|--dns                Do a reverse DNS lookup for hops
 -S|--syn                Set TCP SYN flag
 -A|--ack                Set TCP ACK flag
 -F|--fin                Set TCP FIN flag
 -P|--psh                Set TCP PSH flag
 -U|--urg                Set TCP URG flag
 -R|--rst                Set TCP RST flag
 -E|--ecn-syn            Send ECN SYN packets (RFC3168)
 -t|--tos <tos>          Set the IP TOS field
 -G|--nofrag             Set do not fragment bit
 -Z|--show-packet        Show returned packet on each hop
 -v|--version            Print version and exit
 -h|--help               Print this help and exit

Examples:
  IPv4 trace of AS with TCP SYN probe (this will most-likely pass):
    astraceroute -i eth0 -N -S -H netsniff-ng.org
  IPv4 trace of AS with TCP ECN SYN probe:
    astraceroute -i eth0 -N -E -H netsniff-ng.org
  IPv4 trace of AS with TCP FIN probe:
    astraceroute -i eth0 -N -F -H netsniff-ng.org
  IPv4 trace of AS with Xmas probe:
    astraceroute -i eth0 -N -FPU -H netsniff-ng.org
  IPv4 trace of AS with Null probe with ASCII payload:
    astraceroute -i eth0 -N -H netsniff-ng.org -X "censor-me" -Z
  IPv6 trace of AS up to www.6bone.net:
    astraceroute -6 -i eth0 -S -E -N -H www.6bone.net

Note:
  If the TCP probe did not give any results, then astraceroute will
  automatically probe for classic ICMP packets! To gather more
  information about astraceroute's fetched AS numbers, see e.g.
  http://bgp.he.net/AS<number>!

Please report bugs at https://github.com/netsniff-ng/netsniff-ng/issues
Copyright (C) 2011-2013 Daniel Borkmann <[email protected]>
Swiss federal institute of technology (ETH Zurich)
License: GNU GPL version 2.0
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

bpfc

A Berkeley Packet Filter assembler and compiler

root@kali:~# bpfc -h
bpfc 0.6.8, a tiny BPF compiler
http://www.netsniff-ng.org

Usage: bpfc [options] || bpfc <program>
Options:
  -i|--input <program/->  Berkeley Packet Filter file/stdin
  -p|--cpp                Run bpf program through C preprocessor
  -D|--define             Add macro/define for C preprocessor
  -f|--format <format>    Output format: C|netsniff-ng|xt_bpf|tcpdump
  -b|--bypass             Bypass filter validation (e.g. for bug testing)
  -V|--verbose            Be more verbose
  -d|--dump               Dump supported instruction table
  -v|--version            Print version and exit
  -h|--help               Print this help and exit

Examples:
  bpfc fubar
  bpfc fubar > foo (bpfc -f C -i fubar > foo) -->  netsniff-ng -f foo ...
  bpfc -f tcpdump -i fubar > foo -->  tcpdump -ddd like ...
  bpfc -f xt_bpf -b -p -i fubar
  iptables -A INPUT -m bpf --bytecode "`./bpfc -f xt_bpf -i fubar`" -j LOG
  bpfc -   (read from stdin)
Note:
  Generation of seccomp-BPF filters are fully supported as well.

Please report bugs at https://github.com/netsniff-ng/netsniff-ng/issues
Copyright (C) 2011-2013 Daniel Borkmann <[email protected]>,
Swiss federal institute of technology (ETH Zurich)
License: GNU GPL version 2.0
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

curvetun

A lightweight curve25519 ip4/6 tunnel

root@kali:~# curvetun -h
curvetun 0.6.8, lightweight curve25519-based IP tunnel
http://www.netsniff-ng.org

Usage: curvetun [options]
Options, general:
  -d|--dev <tun>          Networking tunnel device, e.g. tun0
  -p|--port <num>         Server port number (mandatory)
  -t|--stun <server>      Show public IP/Port mapping via STUN
  -c|--client[=alias]     Client mode, server alias optional
  -k|--keygen             Generate public/private keypair
  -x|--export             Export your public data for remote servers
  -C|--dumpc              Dump parsed clients
  -S|--dumps              Dump parsed servers
  -D|--nofork             Do not daemonize
  -s|--server             Server mode, options follow below
  -N|--no-logging         Disable server logging (for better anonymity)
  -u|--udp                Use UDP as carrier instead of TCP
  -4|--ipv4               Tunnel devices are IPv4
  -6|--ipv6               Tunnel devices are IPv6
  -v|--version            Print version and exit
  -h|--help               Print this help and exit

Example:
  See curvetun's man page for a configuration example.
  curvetun --server -4 -u -N --port 6666 --stun stunserver.org
  curvetun --client=ethz

  curvetun --keygen
  curvetun --export
Note:
  There is no default port specified, so that you are forced
  to select your own! For client/server status messages see syslog!
  This software is an experimental prototype intended for researchers.

Secret ingredient: 7647-14-5


Please report bugs at https://github.com/netsniff-ng/netsniff-ng/issues
Copyright (C) 2011-2013 Daniel Borkmann <[email protected]>,
Swiss federal institute of technology (ETH Zurich)
License: GNU GPL version 2.0
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

flowtop

Top-like netfilter TCP/UDP/SCTP/DCCP/ICMP(v6) flow tracking

root@kali:~# flowtop -h
flowtop 0.6.8, top-like netfilter TCP/UDP/SCTP/.. flow tracking
http://www.netsniff-ng.org

Usage: flowtop [options]
Options:
  -4|--ipv4              Show only IPv4 flows (default)
  -6|--ipv6              Show only IPv6 flows (default)
  -T|--tcp               Show only TCP flows (default)
  -U|--udp               Show only UDP flows
  -D|--dccp              Show only DCCP flows
  -I|--icmp              Show only ICMP/ICMPv6 flows
  -S|--sctp              Show only SCTP flows
  -n|--no-dns            Don't perform hostname lookup
  -G|--no-geoip          Don't perform GeoIP lookup
  -s|--show-src          Also show source, not only dest
  -b|--bits              Show rates in bits/s instead of bytes/s
  -u|--update            Update GeoIP databases
  -t|--interval <time>   Refresh time in seconds (default 1s)
  -v|--version           Print version and exit
  -h|--help              Print this help and exit

Examples:
  flowtop
  flowtop -46UTDISs

Note:
  If netfilter is not running, you can activate it with e.g.:
   iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
   iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT

Please report bugs at https://github.com/netsniff-ng/netsniff-ng/issues
Copyright (C) 2011-2013 Daniel Borkmann <[email protected]>
Copyright (C) 2011-2012 Emmanuel Roullit <[email protected]>
Swiss federal institute of technology (ETH Zurich)
License: GNU GPL version 2.0
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

ifpps

Top-like networking and system statistics

root@kali:~# ifpps -h
ifpps 0.6.8, top-like kernel networking and system statistics
http://www.netsniff-ng.org

Usage: ifpps [options] || ifpps <netdev>
Options:
  -d|--dev <netdev>      Device to fetch statistics for e.g., eth0
  -n|--num-cpus <num>    Number of top hitter CPUs in ncurses mode (def: 5)
  -t|--interval <time>   Refresh time in ms (default 1000 ms)
  -c|--csv               Output to terminal as Gnuplot-ready data
  -l|--loop              Continuous CSV output
  -m|--median            Display median values
  -o|--omit-header       Do not print the CSV header
  -p|--promisc           Promiscuous mode
  -P|--percentage        Show percentage of theoretical line rate
  -W|--no-warn           Suppress warnings
  -v|--version           Print version and exit
  -h|--help              Print this help and exit

Examples:
  ifpps eth0
  ifpps -pd eth0
  ifpps -lpcd wlan0 > plot.dat

Note:
  On 10G cards, RX/TX statistics are usually accumulated each > 1sec.
  Thus, in those situations, it's good to use a -t of 10sec.

Please report bugs at https://github.com/netsniff-ng/netsniff-ng/issues
Copyright (C) 2009-2013 Daniel Borkmann <[email protected]>
Swiss federal institute of technology (ETH Zurich)
Copyright (C) 2013 Tobias Klauser <[email protected]>
License: GNU GPL version 2.0
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

mausezahn

A fast versatile packet generator with Cisco-cli

root@kali:~# mausezahn -h

mausezahn 0.6.8, a fast versatile traffic generator
http://www.netsniff-ng.org

Usage: mausezahn [options] [interface] <keyword>|<arg-string>|<hex-string>
Options:
  -x <port>             Interactive mode with telnet CLI, default port: 25542
  -l <ip>               Listen address to bind to when in interactive mode, default: 0.0.0.0
  -4                    IPv4 mode (default)
  -6                    IPv6 mode
  -R <PRIO>             Set socket priority
  -c <count>            Send packet count times, default:1, infinite:0
  -d <delay>            Apply delay between transmissions. The delay value can be
                        specified in usec (default, no additional unit needed), or in
                        msec (e.g. 100m or 100msec), or in seconds (e.g. 100s or 100sec)
  -r                    Multiplies the specified delay with a random value
  -p <length>           Pad the raw frame to specified length (using random bytes)
  -a <srcmac|keyword>   Use specified source mac address, no matter what has
                        been specified with other arguments; keywords see below,
                        Default is own interface
  -b <dstmac|keyword>   Same with destination mac address; keywords:
     rand               Use a random MAC address
     bc                 Use a broadcast MAC address
     own                Use own interface MAC address (default for source MAC)
     stp                Use IEEE 802.1d STP multicast address
     cisco              Use Cisco multicast address as used for CDP, VTP, or PVST+
  -A <srcip>            Use specified source IP address (default is own interface IP)
  -B <dstip|dnsname>    Send packet to specified destination IP or domain name
  -P <ascii payload>    Use the specified ASCII payload
  -f <filename>         Read the ASCII payload from a file
  -F <filename>         Read the hexadecimal payload from a file
  -Q <[CoS:]vlan>       Specify 802.1Q VLAN tag and optional Class of Service, you can
                        specify multiple 802.1Q VLAN tags (QinQ...) by separating them
                        via a comma or a period (e.g. '5:10,20,2:30')
  -t <packet-type|help> Specify packet type for autobuild (you don't need to care for
                        encapsulations in lower layers, most packet types allow/require
                        additional packet-specific arguments in an <arg-string>;
                        Currently supported types: arp, bpdu, cdp, ip, icmp, udp, tcp,
                        dns, rtp, syslog, lldp and more;
                        For context-help use 'help' as <arg-string>!
  -T <packet-type>      Specify packet type for server mode, currently only rtp is supported;
                        Enter -T help or -T rtp help for further information
  -M <MPLS-label>       Insert a MPLS label, enter '-M help' for a syntax description
  -V|VV|...             Verbose and more verbose mode
  -q                    Quiet mode, even omit 'important' standard short messages
  -S                    Simulation mode: DOES NOT put anything on the wire, this is
                        typically combined with one of the verbose modes (v or V)
  -v                    Show version
  -h                    Print this help

Examples:
  mausezahn -x 99
  mausezahn -c 0 -d 2s -t bpdu conf
  mausezahn -t cdp change -c 0
  mausezahn -t syslog sev=3 -P "You have been mausezahned." -A 10.1.1.109 -B 192.168.7.7
  mausezahn eth0 -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"

Note:
  This tool is targeted for network developers! You should
  be aware of what you are doing and what these options above
  mean! Only use this tool in an isolated LAN that you own!

Please report bugs to <[email protected]>
Copyright (C) 2008-2010 Herbert Haas <[email protected]>,
Copyright (C) 2011 Daniel Borkmann <[email protected]>,
Swiss federal institute of technology (ETH Zurich)
License: GNU GPL version 2.0
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


netsniff-ng

The packet sniffing beast

root@kali:~# netsniff-ng -h
netsniff-ng 0.6.8, the packet sniffing beast
http://www.netsniff-ng.org

Usage: netsniff-ng [options] [filter-expression]
Options:
  -i|-d|--dev|--in <dev|pcap|->  Input source as netdev, pcap or pcap stdin
  -o|--out <dev|pcap|dir|cfg|->  Output sink as netdev, pcap, directory, trafgen, or stdout
  -C|--fanout-group <id>         Join packet fanout group
  -K|--fanout-type <type>        Apply fanout discipline: hash|lb|cpu|rnd|roll|qm
  -L|--fanout-opts <opts>        Additional fanout options: defrag|roll
  -f|--filter <bpf-file|-|expr>  Use BPF filter from bpfc file/stdin or tcpdump-like expression
  -t|--type <type>               Filter for: host|broadcast|multicast|others|outgoing
  -F|--interval <size|time>      Dump interval if -o is a dir: <num>KiB/MiB/GiB/s/sec/min/hrs
  -R|--rfraw                     Capture or inject raw 802.11 frames
  -n|--num <0|uint>              Number of packets until exit (def: 0)
  -P|--prefix <name>             Prefix for pcaps stored in directory
  -O|--overwrite <N>             Limit the number of pcaps to N (file names use numbers 0 to N-1)
  -T|--magic <pcap-magic>        Pcap magic number/pcap format to store, see -D
  -w|--cooked                    Use Linux "cooked" header instead of link header
  -D|--dump-pcap-types           Dump pcap types and magic numbers and quit
  -B|--dump-bpf                  Dump generated BPF assembly
  -r|--rand                      Randomize packet forwarding order (dev->dev)
  -M|--no-promisc                No promiscuous mode for netdev
  -A|--no-sock-mem               Don't tune core socket memory
  -N|--no-hwtimestamp            Disable hardware time stamping
  -m|--mmap                      Mmap(2) pcap file I/O, e.g. for replaying pcaps
  -G|--sg                        Scatter/gather pcap file I/O
  -c|--clrw                      Use slower read(2)/write(2) I/O
  -S|--ring-size <size>          Specify ring size to: <num>KiB/MiB/GiB
  -k|--kernel-pull <uint>        Kernel pull from user interval in us (def: 10us)
  -J|--jumbo-support             Support replay/fwd 64KB Super Jumbo Frames (def: 2048B)
  -b|--bind-cpu <cpu>            Bind to specific CPU
  -u|--user <userid>             Drop privileges and change to userid
  -g|--group <groupid>           Drop privileges and change to groupid
  -H|--prio-high                 Make this high priority process
  -Q|--notouch-irq               Do not touch IRQ CPU affinity of NIC
  -s|--silent                    Do not print captured packets
  -q|--less                      Print less-verbose packet information
  -X|--hex                       Print packet data in hex format
  -l|--ascii                     Print human-readable packet data
  -U|--update                    Update GeoIP databases
  -V|--verbose                   Be more verbose
  -v|--version                   Show version and exit
  -h|--help                      Guess what?!

Examples:
  netsniff-ng --in eth0 --out dump.pcap -s -T 0xa1b2c3d4 --bind-cpu 0 tcp or udp
  netsniff-ng --in wlan0 --rfraw --out dump.pcap --silent --bind-cpu 0
  netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 0
  netsniff-ng --in dump.pcap --out dump.cfg --silent --bind-cpu 0
  netsniff-ng --in dump.pcap --out dump2.pcap --silent tcp
  netsniff-ng --in eth0 --out eth1 --silent --bind-cpu 0 -J --type host
  netsniff-ng --in eth1 --out /opt/probe/ -s -m --interval 100MiB -b 0
  netsniff-ng --in vlan0 --out dump.pcap -c -u `id -u bob` -g `id -g bob`
  netsniff-ng --in any --filter http.bpf --jumbo-support --ascii -V

Note:
  For introducing bit errors, delays with random variation and more
  while replaying pcaps, make use of tc(8) with its disciplines (e.g. netem).

Please report bugs at https://github.com/netsniff-ng/netsniff-ng/issues
Copyright (C) 2009-2013 Daniel Borkmann <[email protected]>
Copyright (C) 2009-2012 Emmanuel Roullit <[email protected]>
Copyright (C) 2012 Markus Amend <[email protected]>
Swiss federal institute of technology (ETH Zurich)
License: GNU GPL version 2.0
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

trafgen

A fast, multithreaded network packet generator

root@kali:~# trafgen -h
trafgen 0.6.8, multithreaded zero-copy network packet generator
http://www.netsniff-ng.org

Usage: trafgen [options] [packet]
Options:
  -i|-c|--in|--conf <cfg/->             Packet configuration file/stdin
  -o|-d|--out|--dev <netdev|.cfg|.pcap> Networking device or configuration file i.e., eth0
  -p|--cpp                              Run packet config through C preprocessor
  -D|--define                           Add macro/define for C preprocessor
  -J|--jumbo-support                    Support 64KB super jumbo frames (def: 2048B)
  -R|--rfraw                            Inject raw 802.11 frames
  -s|--smoke-test <ipv4>                Probe if machine survived fuzz-tested packet
  -n|--num <uint>                       Number of packets until exit (def: 0)
  -r|--rand                             Randomize packet selection (def: round robin)
  -P|--cpus <uint>                      Specify number of forks(<= CPUs) (def: #CPUs)
  -t|--gap <time>                       Set approx. interpacket gap (s/ms/us/ns, def: us)
  -b|--rate <rate>                      Send traffic at specified rate (pps/B/kB/MB/GB/kbit/Mbit/Gbit/KiB/MiB/GiB)
  -S|--ring-size <size>                 Manually set mmap size (KiB/MiB/GiB)
  -E|--seed <uint>                      Manually set srand(3) seed
  -u|--user <userid>                    Drop privileges and change to userid
  -g|--group <groupid>                  Drop privileges and change to groupid
  -H|--prio-high                        Make this high priority process
  -A|--no-sock-mem                      Don't tune core socket memory
  -Q|--notouch-irq                      Do not touch IRQ CPU affinity of NIC
  -q|--qdisc-path                       Enable qdisc kernel path (default off since 3.14)
  -V|--verbose                          Be more verbose
  -C|--no-cpu-stats                     Do not print CPU time statistics on exit
  -v|--version                          Show version and exit
  -e|--example                          Show built-in packet config example
  -h|--help                             Guess what?!

Examples:
  trafgen --dev eth0 --conf trafgen.cfg
  trafgen -e | trafgen -i - -o eth0 --cpp -n 1
  trafgen --dev eth0 --conf fuzzing.cfg --smoke-test 10.0.0.1
  trafgen --dev wlan0 --rfraw --conf beacon-test.txf -V --cpus 2
  trafgen --dev eth0 --conf frag_dos.cfg --rand --gap 1000us
  trafgen --dev eth0 --conf icmp.cfg --rand --num 1400000 -k1000
  trafgen --dev eth0 --conf tcp_syn.cfg -u `id -u bob` -g `id -g bob`
  trafgen --dev eth0 '{ fill(0xff, 6), 0x00, 0x02, 0xb3, rnd(3), c16(0x0800), fill(0xca, 64) }'

Arbitrary packet config examples (e.g. trafgen -e > trafgen.cfg):
  Run packet on  all CPUs:              { fill(0xff, 64) csum16(0, 64) }
  Run packet only on CPU1:    cpu(1):   { rnd(64), 0b11001100, 0xaa }
  Run packet only on CPU1-2:  cpu(1-2): { drnd(64),'a',csum16(1, 8),'b',42 }

Generate config files from existing pcap using netsniff-ng:
  netsniff-ng --in dump.pcap --out dump.cfg

Note:
  Smoke/fuzz test example: machine A, 10.0.0.2 (trafgen) is directly
  connected to machine B (test kernel), 10.0.0.1. If ICMP reply fails
  we assume the kernel crashed, thus we print the packet and quit.
  In case you find a ping-of-death, please mention trafgen in your
  commit message of the fix!

  For introducing bit errors, delays with random variation and more,
  make use of tc(8) with its different disciplines, i.e. netem.

  For generating different package distributions, you can use scripting
  to generate a trafgen config file with packet ratios as:

     IMIX             64:7,  570:4,  1518:1
     Tolly            64:55,  78:5,   576:17, 1518:23
     Cisco            64:7,  594:4,  1518:1
     RPR Trimodal     64:60, 512:20, 1518:20
     RPR Quadrimodal  64:50, 512:15, 1518:15, 9218:20

Please report bugs at https://github.com/netsniff-ng/netsniff-ng/issues
Copyright (C) 2011-2013 Daniel Borkmann <[email protected]>,
Swiss federal institute of technology (ETH Zurich)
License: GNU GPL version 2.0
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Updated on: 2023-Mar-08