netsniff-ng – Swiss Army Knife for Daily Linux Network Plumbing
As a Linux network engineer or admin, your daily workflow likely involves juggling packet sniffers (e.g., tcpdump), traffic generators (e.g., iperf), monitoring tools (e.g., iftop), and troubleshooting utilities (e.g., traceroute). Switching between these tools is inefficient—and that’s where netsniff-ng shines.
netsniff-ng is an open-source, high-performance suite of network tools designed to handle all your daily network plumbing tasks in one place. It’s optimized for speed (via zero-copy and multi-threading), supports modern hardware features (e.g., RSS for 10Gbps+ networks), and includes a tool for every job:
- Sniffing (netsniff-ng)
- Traffic generation (trafgen; mausezahn is a separate external tool)
- Real-time monitoring (ifpps, flowtop)
- VPN (curvetun is a separate external tool)
- Traceroute (astraceroute)
Whether you’re troubleshooting packet loss, testing firewall rules, or hunting for bandwidth hogs, netsniff-ng has you covered. This blog will teach you how to master it—from installation to advanced workflows.
Table of Contents
- Introduction to netsniff-ng
- What Is netsniff-ng?
- Installation: Getting Started
  3.1. Installing on Debian/Ubuntu
  3.2. Installing on RHEL/CentOS
  3.3. Building from Source
- Core Tools in the netsniff-ng Suite
  4.1. netsniff-ng: High-Speed Packet Sniffer
  4.2. trafgen: Batch Traffic Generator
  4.3. mausezahn: Interactive Traffic Generator
  4.4. ifpps: Real-Time Interface Statistics
  4.5. flowtop: Flow Monitoring Like top
  4.6. curvetun: Curve25519 VPN
  4.7. astraceroute: Asynchronous Traceroute
- Practical Use Cases
  5.1. Troubleshooting Network Latency and Packet Loss
  5.2. Performance Testing with Custom Traffic
  5.3. Security Auditing: Sniffing for Cleartext Credentials
  5.4. Real-Time Flow Monitoring for Bandwidth Hogs
- Best Practices for Safe and Effective Use
- Troubleshooting Common Issues
- Advanced Topics
  8.1. Custom Packet Crafting with trafgen
  8.2. Integrating with Wireshark and Other Tools
  8.3. Scripting netsniff-ng for Automation
  8.4. Optimizing for High-Speed Networks (10Gbps+)
- Conclusion
- References
2. What Is netsniff-ng?
netsniff-ng is a modular suite of network tools written in C for Linux. It’s designed to be:
- Fast: Uses zero-copy (avoids copying data between kernel and user space) and multi-threading to handle 10Gbps+ networks.
- Versatile: Combines sniffing, traffic generation, monitoring, and VPN into one package.
- Standard-compliant: Saves captures in pcap format (compatible with Wireshark) and supports BPF filters (the same syntax as tcpdump).
- Lightweight: Minimal dependencies, no GUI—perfect for servers and embedded systems.
The suite includes 7 core tools (see Section 4), each optimized for a specific task. Unlike bloated alternatives (e.g., Wireshark), netsniff-ng is built for command-line efficiency—ideal for remote servers or headless systems.
3. Installation: Getting Started
netsniff-ng is available in most Linux distro repositories, but building from source gives you the latest features.
3.1. Installing on Debian/Ubuntu
Debian/Ubuntu users can install via apt:
sudo apt update && sudo apt install netsniff-ng
3.2. Installing on RHEL/CentOS
For RHEL/CentOS, enable the EPEL repository first:
sudo yum install epel-release
sudo yum install netsniff-ng
3.3. Building from Source
To get the latest version (recommended for 10Gbps+ networks), build from the GitHub repo:
Step 1: Install Dependencies
# Debian/Ubuntu
sudo apt install git build-essential libnl-3-dev libnl-genl-3-dev \
libpcap-dev libncurses5-dev libgeoip-dev libsodium-dev
# RHEL/CentOS
sudo yum install git gcc make libnl3-devel libpcap-devel ncurses-devel \
GeoIP-devel libsodium-devel
Step 2: Clone and Build
git clone https://github.com/netsniff-ng/netsniff-ng.git
cd netsniff-ng
make
sudo make install
Step 3: Verify Installation
Run netsniff-ng --version to confirm:
netsniff-ng 0.6.8
4. Core Tools in the netsniff-ng Suite
Let’s dive into each tool—what it does, key features, and example usage.
4.1. netsniff-ng: High-Speed Packet Sniffer
Purpose: Capture packets from a network interface (like tcpdump, but faster).
Key Features:
- Zero-copy (-z): Reduces CPU usage by avoiding kernel-to-user space data copies.
- Multi-threading (-m): Distributes work across CPU cores.
- BPF filters (-f): Filter packets at the kernel level (e.g., tcp port 80).
- Packet splitting (-s, -t): Split captures into smaller files by size or time.
- RSS support (-R): Use Receive Side Scaling for 10Gbps+ networks.
Example 1: Basic Capture
Capture all traffic on eth0 and save to capture.pcap:
sudo netsniff-ng -i eth0 -o capture.pcap
Example 2: Filter HTTP Traffic
Use a BPF filter to capture only HTTP (TCP port 80) traffic:
sudo netsniff-ng -i eth0 -f "tcp port 80" -o http.pcap
Example 3: Split Large Captures
Split captures into 100MB files (prevents filling your disk):
sudo netsniff-ng -i eth0 -o capture -s 100M
This creates files like capture_00001.pcap, capture_00002.pcap, etc.
Example 4: Zero-Copy for Speed
Enable zero-copy to reduce CPU usage on high-traffic interfaces:
sudo netsniff-ng -i eth0 -z -o capture.pcap
4.2. trafgen: Batch Traffic Generator
Purpose: Generate high-speed custom traffic for performance testing (e.g., stress-testing firewalls or measuring throughput).
Key Features:
- Batch processing: Use config files to define packet structures.
- Custom payloads: Generate random data, patterns (e.g., 0xDEADBEEF), or file content.
- High speed: Can generate 10M+ packets per second (depending on hardware).
Example: Send Custom UDP Packets
Step 1: Create a trafgen Config File (udp.trafgen)
This defines an Ethernet frame with an IP header, UDP header, and a 32-byte payload:
# Ethernet header: Destination MAC, Source MAC, EtherType (IP)
eth dst=00:11:22:33:44:55, src=66:77:88:99:AA:BB, type=0x0800
# IP header: Source IP, Destination IP, Protocol (UDP), TTL
ip saddr=10.0.0.1, daddr=10.0.0.2, proto=17, ttl=64
# UDP header: Source port, Destination port
udp sport=12345, dport=54321
# Payload: 32 bytes of 0xDEADBEEF
payload pattern=0xDEADBEEF, len=32
Step 2: Send 1,000 Packets
sudo trafgen -i eth0 -c udp.trafgen -n 1000
- -i eth0: Use interface eth0.
- -c udp.trafgen: Load the config file.
- -n 1000: Send 1,000 packets.
4.3. mausezahn: External Interactive Traffic Generator
Purpose: Generate traffic interactively for quick testing (e.g., verifying firewall rules or testing reachability). Note: mausezahn is a separate project, not part of the netsniff-ng suite.
Key Features:
- Supports 20+ protocols (ICMP, TCP, UDP, ARP, DNS).
- Easy to use: No config files—all options are command-line flags.
- Real-time feedback: Shows how many packets were sent.
Example 1: Send ICMP Echoes
Test connectivity to 10.0.0.2 with 10 ICMP pings:
sudo mausezahn eth0 -a 10.0.0.1 -b 10.0.0.2 -t icmp -c 10
- -a: Source IP.
- -b: Destination IP.
- -t icmp: Protocol (ICMP).
- -c 10: Send 10 packets.
Example 2: Test Firewall Rules
Send TCP SYN packets to port 443 on 10.0.0.2 (tests if HTTPS is allowed):
sudo mausezahn eth0 -a 10.0.0.1 -b 10.0.0.2 -t tcp -p 12345 -P 443 -f syn -c 5
- -p 12345: Source port.
- -P 443: Destination port.
- -f syn: Set TCP flag to SYN.
4.4. ifpps: Real-Time Interface Statistics
Purpose: Monitor real-time interface statistics (bytes, packets, errors, drops).
Key Features:
- Shows per-second and total stats.
- Supports multiple interfaces (e.g., eth0, wlan0).
- Color-coded output for readability.
Example: Monitor eth0
sudo ifpps -i eth0
Output includes:
- Bytes: Total bytes transmitted/received.
- Packets: Total packets transmitted/received.
- Errors: CRC errors, frame errors.
- Drops: Packets dropped by the kernel.
4.5. flowtop: Flow Monitoring Like top
Purpose: Track active network flows (e.g., 10.0.0.1:1234 → 8.8.8.8:53) and identify bandwidth hogs.
Key Features:
- Real-time updates: Refreshes every second.
- Sort by: Bytes, packets, duration, or rate.
- Filters: Show only TCP/UDP flows.
Example: Monitor Flows on eth0
sudo flowtop -i eth0
Use these keys to interact:
- s: Sort by bytes (default).
- p: Sort by packets.
- r: Sort by rate (bytes per second).
- q: Quit.
4.6. curvetun: External Curve25519 VPN Tool
Purpose: Set up a lightweight VPN using Curve25519 (a secure elliptic curve) for key exchange. Note: curvetun is a separate project, not part of the netsniff-ng suite.
Key Features:
- Simple: No complex configs (unlike OpenVPN).
- Fast: Minimal overhead—ideal for low-bandwidth links.
- Secure: Uses ChaCha20-Poly1305 for encryption.
Example: Set Up a VPN
Step 1: Generate Keys
Curvetun uses pre-shared keys (PSK) or public/private key pairs. For simplicity, use a PSK:
# Generate a 32-byte PSK (save to server.key and client.key)
dd if=/dev/urandom of=server.key bs=32 count=1
cp server.key client.key
Step 2: Start the Server
Run curvetun on the server (listens on port 5555):
sudo curvetun -s -i tun0 -l 0.0.0.0:5555 -k server.key
- -s: Server mode.
- -i tun0: Use the tun0 interface.
- -l 0.0.0.0:5555: Listen on all interfaces, port 5555.
- -k server.key: Use the PSK.
Step 3: Start the Client
Connect from the client to the server:
sudo curvetun -c -i tun0 -r server_ip:5555 -k client.key
- -c: Client mode.
- -r server_ip:5555: Server IP and port.
Step 4: Configure IP Addresses
Assign IPs to the tun0 interface on both ends:
# Server
sudo ip addr add 10.10.0.1/24 dev tun0
sudo ip link set tun0 up
# Client
sudo ip addr add 10.10.0.2/24 dev tun0
sudo ip link set tun0 up
Test connectivity: ping 10.10.0.1 from the client.
4.7. astraceroute: Asynchronous Traceroute
Purpose: Trace the path to a destination faster than traditional traceroute.
Key Features:
- Asynchronous: Sends multiple probes at once (reduces latency).
- Detailed: Shows IP, DNS name, RTT (round-trip time), and TTL.
- Supports IPv4/IPv6.
Example: Trace to Google DNS
sudo astraceroute -i eth0 8.8.8.8
Output:
1 10.0.0.1 (10.0.0.1) 1.2ms
2 192.168.1.1 (192.168.1.1) 3.4ms
3 203.0.113.1 (isp-gateway.example.com) 10.1ms
...
8 8.8.8.8 (dns.google) 25.6ms
5. Practical Use Cases
Let’s apply netsniff-ng to real-world problems.
5.1. Troubleshooting Network Latency and Packet Loss
A user reports slow access to a web server (10.0.0.10). You suspect packet loss or retransmissions.
Step 1: Capture Traffic
Use netsniff-ng to capture traffic between the user’s IP (10.0.0.5) and the server:
sudo netsniff-ng -i eth0 -f "host 10.0.0.5 and host 10.0.0.10" -o latency.pcap
Step 2: Analyze with Wireshark
Open the capture in Wireshark:
wireshark latency.pcap
Look for:
- Retransmissions: Filter with tcp.analysis.retransmission.
- Duplicate ACKs: Filter with tcp.analysis.duplicate_ack.
- Packet loss: Large gaps in sequence numbers.
Step 3: Verify Interface Health
Use ifpps to check for errors/drops on the server’s interface:
sudo ifpps -i eth0
If Errors or Drops are increasing, the NIC or cable is faulty.
5.2. Performance Testing with Custom Traffic
You need to test if your firewall can handle 1Gbps of UDP traffic.
Step 1: Create a trafgen Config
Use trafgen to generate UDP packets with a 1KB payload (maximizes throughput):
# eth.trafgen
eth dst=firewall_mac, src=server_mac, type=0x0800
ip saddr=10.0.0.1, daddr=10.0.0.2, proto=17, ttl=64
udp sport=12345, dport=54321
payload len=1024 # 1KB payload
Step 2: Generate Traffic
Send 100,000 packets per second (-r 100000):
sudo trafgen -i eth0 -c eth.trafgen -r 100000
Step 3: Monitor Throughput
Use ifpps on the firewall to verify throughput:
sudo ifpps -i eth0
If the Bytes column shows ~1Gbps (125MB/s), the firewall is handling the load.
5.3. Security Auditing: Sniffing for Cleartext Credentials
You want to check if any devices are sending cleartext FTP credentials (FTP uses TCP port 21).
Step 1: Capture FTP Traffic
Use a BPF filter to capture only FTP traffic:
sudo netsniff-ng -i eth0 -f "tcp port 21" -o ftp.pcap
Step 2: Analyze in Wireshark
Open ftp.pcap in Wireshark and filter for ftp commands:
ftp.request.command == "USER" or ftp.request.command == "PASS"
If you see lines like USER admin or PASS password123, the device is using insecure FTP.
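An added example, not from the netsniff-ng project or the original post, that turns Step 2 into a scriptable audit: it assumes ftp.pcap has been exported with tshark -T fields (that tshark invocation is an assumption, shown in the comments) and reports which hosts sent cleartext USER/PASS commands without reproducing the passwords themselves.

```shell
#!/bin/sh
# Added example, not part of netsniff-ng or this post's original commands.
# Assumes the ftp.pcap from Step 1 has been exported with:
#   tshark -r ftp.pcap -T fields -e ip.src -e ftp.request.command -e ftp.request.arg
# which yields one tab-separated line per FTP command. audit_ftp_creds reads
# those lines and reports, per source host, how many cleartext USER/PASS
# commands it sent and which usernames it used; the password text is never
# printed, so the report can be shared without spreading the secret.

# Constructed sample of tshark field output (ip.src, command, argument).
sample_ftp_lines() {
  printf '10.0.0.5\tUSER\tadmin\n'
  printf '10.0.0.5\tPASS\tpassword123\n'
  printf '10.0.0.7\tSYST\t\n'
  printf '10.0.0.9\tUSER\tbackup\n'
  printf '10.0.0.9\tPASS\thunter2\n'
  printf '10.0.0.5\tPASS\tretry99\n'
}

# stdin: tshark field lines; stdout: one line per host that sent credentials,
# "<host> users=<n> passwords=<n> usernames=<comma-list>", sorted by host.
audit_ftp_creds() {
  awk -F '\t' '
    $2 == "USER" { users[$1]++; names[$1] = (names[$1] == "" ? "" : names[$1] ",") $3 }
    $2 == "PASS" { pass[$1]++ }      # count only: the argument is the secret
    END {
      for (h in users) seen[h] = 1
      for (h in pass)  seen[h] = 1
      for (h in seen)
        printf "%s users=%d passwords=%d usernames=%s\n",
               h, users[h] + 0, pass[h] + 0, (names[h] == "" ? "-" : names[h])
    }' | sort
}

# Stand-alone demo on the constructed sample.
sample_ftp_lines | audit_ftp_creds
```

Hosts that appear in the report are the ones to migrate to SFTP or FTPS; the usernames tell you which accounts need a credential rotation.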
5.4. Real-Time Flow Monitoring for Bandwidth Hogs
Your internet is slow—find which device is using the most bandwidth.
Step 1: Run flowtop
sudo flowtop -i eth0
Step 2: Identify the Hog
Look for flows with high bytes or rate:
Rank Src IP:Port Dst IP:Port Proto Bytes Packets Rate
1 10.0.0.5:45678 192.168.1.10:80 TCP 1.2GB 150000 100Mbps
2 10.0.0.3:12345 8.8.8.8:53 UDP 200MB 50000 16Mbps
...
Here, 10.0.0.5 is using 100Mbps—likely streaming video or downloading large files.
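As an added example that is not part of the original post: flowtop's table is interactive, so this script assumes its rows were copied into a text file in the layout shown above; it normalises the Rate column to Mbps and ranks flows above a threshold together with their share of the total observed rate, so the hog is confirmed by numbers rather than by eye.

```shell
#!/bin/sh
# Added example, not part of netsniff-ng or this post. flowtop is interactive,
# so this assumes its flow table has been copied into a text file with the
# column layout shown above (Rank, Src, Dst, Proto, Bytes, Packets, Rate).
# flows_over_rate normalises the Rate column (Gbps/Mbps/Kbps/bps) to Mbps,
# keeps only flows above a threshold and prints each one's share of the total
# observed rate, highest first.

# Constructed sample in the same layout as the flowtop table above.
sample_flow_table() {
  printf '%s\n' \
    'Rank Src IP:Port Dst IP:Port Proto Bytes Packets Rate' \
    '1 10.0.0.5:45678 192.168.1.10:80 TCP 1.2GB 150000 100Mbps' \
    '2 10.0.0.3:12345 8.8.8.8:53 UDP 200MB 50000 16Mbps' \
    '3 10.0.0.8:51000 203.0.113.9:443 TCP 40MB 30000 800Kbps'
}

# usage: flows_over_rate THRESHOLD_MBPS  (table on stdin)
# output: "<src> <dst> <proto> <rate>Mbps <share>%" per flow over the threshold
flows_over_rate() {
  awk -v thr="$1" '
    function to_mbps(r,   n) {
      n = r + 0                              # numeric prefix of e.g. "800Kbps"
      if (r ~ /Gbps$/) return n * 1000
      if (r ~ /Mbps$/) return n
      if (r ~ /Kbps$/) return n / 1000
      return n / 1000000                     # bare bps
    }
    $1 == "Rank" { next }                    # header row
    NF >= 7 {
      rate[NR] = to_mbps($7); total += rate[NR]
      flow[NR] = $2 " " $3 " " $4
    }
    END {
      for (i in rate) if (rate[i] > thr)
        printf "%s %.3fMbps %.1f%%\n", flow[i], rate[i], 100 * rate[i] / total
    }' | sort -k4,4 -n -r
}

# Stand-alone demo: flows sending faster than 10 Mbps.
sample_flow_table | flows_over_rate 10
```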
6. Best Practices for Safe and Effective Use
netsniff-ng is powerful—follow these rules to avoid mistakes:
1. Always Run as Root
Most tools require raw socket access (e.g., sniffing or generating traffic). Use sudo or log in as root.
2. Use BPF Filters Liberally
BPF filters reduce the number of packets sent to user space—critical for high-traffic interfaces. For example:
- Bad: netsniff-ng -i eth0 (captures all traffic).
- Good: netsniff-ng -i eth0 -f "host 10.0.0.10" (only captures traffic to/from the server).
3. Split Large Captures
Use -s (size) or -t (time) to split captures. A 1TB pcap file is useless—split into 100MB chunks.
4. Secure Traffic Generation
Never run trafgen or mausezahn on production networks without permission. You could accidentally DDoS a server or trigger firewall alarms.
5. Keep netsniff-ng Updated
New versions fix bugs and add features (e.g., better 10Gbps support). Build from source or use your distro’s update tool.
6. Log Everything
Save command history (e.g., history > netsniff-logs.txt) and document captures. This helps with audits or debugging.
7. Troubleshooting Common Issues
Issue 1: "Permission Denied"
Cause: You’re not running the tool as root.
Fix: Prepend sudo to the command.
Issue 2: No Packets Captured
Causes:
- Wrong interface (e.g., using eth0 instead of wlan0).
- BPF filter is too strict (e.g., tcp port 8080 but traffic is on port 80).
- Interface is down (check with ip link show).
Fix:
- List interfaces: ip link show.
- Test the filter with tcpdump (the filter is a positional argument, not a flag): sudo tcpdump -i eth0 "tcp port 80".
- Bring the interface up: sudo ip link set eth0 up.
Issue 3: Traffic Generator Isn't Sending Packets
Causes:
- Firewall is blocking outgoing traffic (check iptables -L).
- Wrong MAC address (trafgen uses layer 2—you need the destination's MAC).
- Interface is in promiscuous mode (disable with sudo ip link set eth0 promisc off).
Fix:
- Allow traffic: sudo iptables -A OUTPUT -p udp --dport 54321 -j ACCEPT.
- Get the destination's MAC: arp -a 10.0.0.2.
- Disable promiscuous mode.
Issue 4: Performance Issues (High CPU)
Causes:
- Not using zero-copy (-z).
- Not using multi-threading (-m).
- No RSS (for 10Gbps+ networks).
Fix:
- Enable zero-copy: netsniff-ng -i eth0 -z.
- Use multi-threading: netsniff-ng -i eth0 -m 4 (4 cores).
- Enable RSS (see Section 8.4).
8. Advanced Topics
8.1. Custom Packet Crafting with trafgen
trafgen lets you build arbitrary packets—perfect for testing edge cases (e.g., malformed packets to stress-test firewalls).
Example: Send a Malformed TCP Packet
Create a TCP packet with an invalid checksum (-1):
# malformed.trafgen
eth dst=00:11:22:33:44:55, src=66:77:88:99:AA:BB, type=0x0800
ip saddr=10.0.0.1, daddr=10.0.0.2, proto=6, ttl=64
tcp sport=12345, dport=80, checksum=-1 # Invalid checksum
payload pattern=0xCAFEBABE, len=32
Send the packet:
sudo trafgen -i eth0 -c malformed.trafgen -n 1
8.2. Integrating with Wireshark and Other Tools
netsniff-ng saves captures in pcap format—compatible with Wireshark, tcpdump, and tshark.
Example 1: Pipe Directly to Wireshark
Capture traffic and open it in Wireshark in real time:
sudo netsniff-ng -i eth0 -f "tcp port 443" -o - | wireshark -k -i -
- -o -: Write the pcap stream to stdout (the same -o used for files above, with - for stdout).
- -k: Start capturing immediately.
- -i -: Read from stdin.
Example 2: Analyze with tshark
Use tshark (Wireshark’s command-line tool) to count HTTP requests:
tshark -r http.pcap -Y "http.request" | wc -l
8.3. Scripting netsniff-ng for Automation
Automate repetitive tasks (e.g., capturing traffic when CPU usage is high) with bash scripts.
Example: Capture Traffic on High CPU
This script captures traffic for 5 minutes when CPU usage exceeds 80%:
#!/bin/bash
INTERFACE="eth0"
CAP_DIR="/var/log/netsniff"
THRESHOLD=80
# Create capture directory if it doesn't exist
mkdir -p "$CAP_DIR"
while true; do
    # Get CPU usage (100 - idle percentage) from the "Cpu(s)" line of top
    CPU_USAGE=$(top -bn1 | grep "Cpu(s)" | \
        sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk '{print 100 - $1}')
    if (( $(echo "$CPU_USAGE > $THRESHOLD" | bc -l) )); then
        TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
        CAP_FILE="$CAP_DIR/capture_$TIMESTAMP.pcap"
        # Capture for 5 minutes (300 seconds)
        sudo netsniff-ng -i "$INTERFACE" -o "$CAP_FILE" -t 300
        # Email alert
        echo "High CPU ($CPU_USAGE%) detected. Capture saved to $CAP_FILE." | \
            mail -s "High CPU Capture" [email protected]
    fi
    sleep 60  # Check every minute
done
Save as cpu-capture.sh and run with sudo bash cpu-capture.sh.
8.4. Optimizing for High-Speed Networks (10Gbps+)
To handle 10Gbps+ traffic, you need to:
- Enable RSS: Distribute packets across CPU cores.
- Use Multi-Queue NICs: Most 10Gbps NICs have 4+ receive queues.
- Enable Zero-Copy: Avoid kernel-user space copies.
Step 1: Check RSS Support
Use ethtool to see if your NIC supports RSS:
ethtool -l eth0
Output (if supported):
Channel parameters for eth0:
Pre-set maximums:
RX: 8
TX: 8
Other: 1
Combined: 0
Current hardware settings:
RX: 4
TX: 4
Other: 1
Combined: 0
Step 2: Set Receive Queues
Increase the number of receive queues to 4:
sudo ethtool -L eth0 rx 4
Step 3: Enable RSS in netsniff-ng
Use -R to enable RSS:
sudo netsniff-ng -i eth0 -R -z -m 4 -o capture.pcap
- -R: Enable RSS.
- -z: Zero-copy.
- -m 4: Use 4 CPU cores.
9. Conclusion
netsniff-ng is the Swiss Army knife of Linux network tools—fast, versatile, and designed for command-line efficiency. Whether you’re troubleshooting latency, testing firewalls, or hunting bandwidth hogs, netsniff-ng has a tool for the job.
Key takeaways:
- Learn the core tools: Start with netsniff-ng (sniffing) and flowtop (monitoring).
- Use BPF filters: Reduce CPU load and focus on relevant traffic.
- Automate with scripts: Save time on repetitive tasks.
- Follow best practices: Avoid mistakes and keep your network safe.
The best way to master netsniff-ng is to experiment. Try capturing traffic, generating custom packets, and monitoring flows—you’ll be surprised how much you learn!
10. References
- Official Repo: netsniff-ng GitHub (https://github.com/netsniff-ng/netsniff-ng)
- Man Pages: Run man netsniff-ng, man trafgen, etc.
- BPF Filter Syntax: tcpdump Manual
- RSS Documentation: Linux Kernel RSS Guide
- Wireshark Integration: Wireshark User Guide
- Curvetun Security: Curve25519 Paper
Happy networking! 🚀