netsniff-ng is a high-performance Linux networking toolkit for packet capture, network analysis, and traffic generation, and it ships in Kali Linux alongside the rest of the penetration testing and network security tooling. Unlike Wireshark or tcpdump it does not go through libpcap: it opens AF_PACKET sockets directly and maps the kernel's RX/TX ring buffers into user space (zero-copy), which keeps per-packet overhead low on busy links.
What is netsniff-ng?
netsniff-ng is a suite of networking tools that includes:
- Packet capture and replay (netsniff-ng)
- Traffic generation from packet templates (trafgen)
- Flow-based monitoring on top of connection tracking (flowtop)
- Interface statistics (ifpps)
- BPF assembler/compiler (bpfc)
- Interactive packet crafting (mausezahn)
- Traceroute with AS lookup (astraceroute)
- Curve25519-based IP tunnel (curvetun)
It is designed for high-speed packet processing (gigabit and faster links) and uses BPF (Berkeley Packet Filter) programs, either tcpdump-style expressions or precompiled bytecode, so that filtering happens in the kernel before packets reach user space.
How Does netsniff-ng Work?
- Uses AF_PACKET with memory-mapped RX/TX rings (PACKET_MMAP), so packets are not copied between kernel and user space.
- Reads and writes pcap files in several magic-number variants (-D lists them); pcapng is not supported.
- Can replay pcap files onto an interface, convert them into trafgen configs, and (via trafgen) generate traffic from templates.
- Runs in user space, but pushes filtering (BPF) and load distribution (packet fanout) into the kernel for efficiency.
Installation in Kali Linux
Kali Linux ships netsniff-ng by default; verify it is present with:
netsniff-ng --version
If it is missing, install it via:
sudo apt update && sudo apt install netsniff-ng
Basic Usage Examples
1. Capture Packets to a File
sudo netsniff-ng -i eth0 -o capture.pcap
-i eth0: interface to capture from (long form --in).
-o capture.pcap: save packets to a pcap file (long form --out).
2. Live Packet Analysis
sudo netsniff-ng --in eth0 --ascii --verbose
--in eth0: read from the interface; --in is the long form of -i, not a separate flag.
--ascii (-l): print payloads as ASCII; --hex (-X) gives a hex dump instead.
--verbose (-V): print per-packet metadata. --silent (-s) suppresses per-packet output entirely, so it does not combine usefully with a live view.
3. Read from a PCAP File
netsniff-ng -i capture.pcap
With a pcap file as input and no -o, the packets are printed to the terminal.
Advanced Usage Examples
1. Filter Traffic with BPF
sudo netsniff-ng -i eth0 -o http-only.pcap "tcp port 80"
- Captures only traffic to or from TCP port 80. The trailing expression is a tcpdump-style filter; -f accepts the same expression or a file of compiled bytecode.
2. Replay Packets
sudo netsniff-ng -i capture.pcap -o eth0
- Replays the capture onto eth0. netsniff-ng has no --rate option; it transmits as fast as the TX ring allows. For a fixed rate, convert the capture into a trafgen config and let trafgen pace it, e.g. -b 1000pps (--rate) or -t 1ms (--gap).
3. Generate Traffic with trafgen
sudo trafgen -i traffic.cfg -o eth0 --cpp -n 1000
- Uses the packet templates in traffic.cfg to craft packets.
- --cpp (-p): run the config through the C preprocessor first, enabling #include and #define.
- -n 1000: send 1000 packets, then exit (0, the default, means run until interrupted).
Command-Line Options
I/O Configuration
| Option | Description |
|---|---|
| -i, --in | Input source: interface, pcap file, or - for stdin |
| -o, --out | Output destination: interface, pcap file, directory (rotated captures), trafgen config (*.cfg), or - for stdout |
| -n, --num | Number of packets to process before exiting (0 = unlimited) |
| -P, --prefix | File name prefix for pcaps written into an output directory |
| -T, --magic | Pcap magic number for the output file (-D lists the supported types) |
| -F, --interval | Rotation interval when -o is a directory, by size (e.g. 100MiB) or time (e.g. 30min) |
| -m, --mmap | Use mmap(2) for pcap file I/O, e.g. when replaying |
| -R, --rfraw | Capture or inject raw 802.11 frames through a monitor interface |
| -M, --no-promisc | Do not put the interface into promiscuous mode |
Performance Tuning
| Option | Description |
|---|---|
| -S, --ring-size | Ring buffer size (e.g. 64MiB) |
| -b, --bind-cpu | Pin the process to a specific CPU core |
| -J, --jumbo-support | Support 64KiB super jumbo frames |
| -H, --prio-high | Run as a high-priority process |
| -C, --fanout-group | Packet fanout group ID shared by cooperating capture processes |
| -K, --fanout-type | Fanout distribution: hash, lb, cpu, rnd, roll or qm |
| -k, --kernel-pull | Interval in microseconds at which the kernel pulls from the TX ring during replay; not a rate limit |
Filtering
| Option | Description |
|---|---|
| -f, --filter | BPF filter: a tcpdump-style expression or a file of compiled bytecode (bpfc output) |
| -t, --type | Only handle packets of one type: host, broadcast, multicast, others or outgoing |
| -B, --dump-bpf | Print the compiled BPF program so you can check what the expression actually matches |
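The -f and -B rows above both deal with compiled classic BPF programs, and the same bytecode is what bpfc (covered further down this page) produces from BPF assembly. As an added illustration (my code, not part of netsniff-ng or this page), the block below hand-assembles the filter "tcp port 80" into the kernel's (code, jt, jf, k) form, runs it through a minimal interpreter over constructed Ethernet/IPv4 frames, and prints it in the `{ code, jt, jf, k },` layout that netsniff-ng -f reads from a file. The opcode constants, the frames, and the choice to return 0 on an out-of-bounds load (mirroring the kernel's behaviour) are mine; nothing here touches a live socket.

```python
import struct

# Linux classic BPF opcodes (class | size | mode, or class | condition | source)
LD_H_ABS, LD_B_ABS, LD_H_IND, LDX_B_MSH = 0x28, 0x30, 0x48, 0xb1
JEQ_K, JSET_K, RET_K = 0x15, 0x45, 0x06

# "tcp port 80" in bpfc assembly, hand-assembled into (code, jt, jf, k) tuples.
# Jump offsets are relative to the next instruction, exactly as in the kernel.
TCP_PORT_80 = [
    (LD_H_ABS,  0,  0, 12),      # ldh [12]            A = EtherType
    (JEQ_K,     0, 10, 0x0800),  # jne #0x800, drop
    (LD_B_ABS,  0,  0, 23),      # ldb [23]            A = IP protocol
    (JEQ_K,     0,  8, 6),       # jne #6, drop        (6 = TCP)
    (LD_H_ABS,  0,  0, 20),      # ldh [20]            A = IP flags/fragment offset
    (JSET_K,    6,  0, 0x1fff),  # jset #0x1fff, drop  skip non-first fragments
    (LDX_B_MSH, 0,  0, 14),      # ldxb 4*([14]&0xf)   X = IP header length
    (LD_H_IND,  0,  0, 14),      # ldh [x + 14]        A = TCP source port
    (JEQ_K,     2,  0, 80),      # jeq #80, keep
    (LD_H_IND,  0,  0, 16),      # ldh [x + 16]        A = TCP destination port
    (JEQ_K,     0,  1, 80),      # jne #80, drop
    (RET_K,     0,  0, 0xffff),  # keep: ret #0xffff   accept up to 0xffff bytes
    (RET_K,     0,  0, 0),       # drop: ret #0        reject
]


def run_bpf(prog, pkt):
    """Interpret a classic BPF program over one frame; 0 means the packet is dropped."""
    a = x = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        try:
            if code == LD_H_ABS:
                a = struct.unpack_from("!H", pkt, k)[0]
            elif code == LD_B_ABS:
                a = pkt[k]
            elif code == LD_H_IND:
                a = struct.unpack_from("!H", pkt, x + k)[0]
            elif code == LDX_B_MSH:
                x = 4 * (pkt[k] & 0x0f)
            elif code == JEQ_K:
                pc += jt if a == k else jf
            elif code == JSET_K:
                pc += jt if a & k else jf
            elif code == RET_K:
                return k
            else:
                raise ValueError("opcode 0x%02x not handled by this interpreter" % code)
        except (IndexError, struct.error):
            return 0  # assumption mirroring the kernel: out-of-bounds load rejects the packet
    raise ValueError("program ran off the end without a ret")


def to_netsniff_format(prog):
    """Emit the program the way bpfc does, which netsniff-ng -f reads from a file."""
    return "".join("{ 0x%x, %d, %d, 0x%08x },\n" % ins for ins in prog)


def frame(proto, sport, dport, frag=0x4000):
    """Constructed Ethernet/IPv4 frame with an 8-byte L4 header stub; no checksums needed for BPF."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, frag, 64, proto, 0,
                     bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2]))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4


if __name__ == "__main__":
    print(to_netsniff_format(TCP_PORT_80), end="")
    for label, pkt in [("tcp dst 80", frame(6, 40000, 80)),
                       ("tcp dst 443", frame(6, 40000, 443)),
                       ("udp dst 80", frame(17, 40000, 80))]:
        print("%-12s -> %s" % (label, "accept" if run_bpf(TCP_PORT_80, pkt) else "drop"))
```

Redirecting the printed program into a file and passing it with -f gives the same filter as the expression "tcp port 80". The interpreter implements only the seven opcodes this program uses; the fragment check (jset #0x1fff) is the part most hand-written filters forget, and without it a non-first fragment carrying arbitrary bytes at the port offsets could be matched as port 80 traffic.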
Miscellaneous
| Option | Description |
|---|---|
| -s, --silent | Do not print packets; just capture or replay |
| -q, --less | Print less per-packet information |
| -X, --hex | Print packets as a hex dump |
| -l, --ascii | Print packets as ASCII |
| -V, --verbose | Print more per-packet detail |
| -u, --user / -g, --group | Drop privileges to this user/group once the sockets and rings are set up |
| -U, --update | Update the GeoIP databases |
Practical Examples
1. Basic Packet Capture
sudo netsniff-ng -i eth0 -o capture.pcap -s -b 0
- Captures from eth0 to capture.pcap
- Silent mode (-s), process bound to CPU 0 (-b 0)
2. Advanced Traffic Filtering
sudo netsniff-ng -i eth0 -f "tcp port 80" -l -V
- Filters HTTP traffic
- Shows ASCII output (-l) with verbose metadata (-V)
3. PCAP Replay
sudo netsniff-ng -i attack.pcap -o eth0 -k 1000 -s -b 1
- Replays attack.pcap onto eth0 silently, bound to CPU 1
- -k 1000 is the kernel pull interval for the TX ring in microseconds (--kernel-pull), not a packets-per-second limit; rate-limited replay is a trafgen job (--rate/--gap)
4. Distributed Capture (Fanout Groups)
# Terminal 1 (CPU 0):
sudo netsniff-ng -i eth0 -o /tmp/cap1.pcap -C 123 -K cpu -b 0
# Terminal 2 (CPU 1):
sudo netsniff-ng -i eth0 -o /tmp/cap2.pcap -C 123 -K cpu -b 1
- Both processes join fanout group 123; with -K cpu the kernel hands each packet to the socket on the CPU that received it, so the two captures hold disjoint shares of the traffic and must be merged afterwards (e.g. with mergecap) for a complete picture
5. Wireless Monitoring
sudo netsniff-ng -i wlan0 -R -o wlan_capture.pcap
- -R (--rfraw) captures raw 802.11 frames, including management and control frames; netsniff-ng creates the monitor interface for wlan0 itself
Advanced Use Cases
Capturing by Direction
sudo netsniff-ng -i eth0 -t outgoing -o outbound.pcap -f "not src host 192.168.1.100"
- -t outgoing keeps only packets leaving this host (the packet-type filter also knows host, broadcast, multicast and others); the BPF expression then drops the ones sourced from 192.168.1.100
Creating trafgen Configs
sudo netsniff-ng -i sample.pcap -o attack.cfg -s
- Converts the pcap into a trafgen config: an -o target with a .cfg suffix selects config output, one packet block per frame
Long-Running Capture with Privilege Dropping
sudo netsniff-ng -i eth0 -o /tmp/cap -F 100MiB -u nobody -g nogroup -s
- /tmp/cap must be a directory; a new pcap file is started every 100 MiB (-F)
- Once the sockets and ring are set up the process drops to nobody/nogroup (-u/-g), so that user needs write access to the output directory
Performance Optimization Guide
- CPU Binding: use -b to pin the process to the core that services the NIC's interrupts (netsniff-ng also adjusts the IRQ affinity unless -Q is given)
- Ring Buffers: increase with -S on high-speed links so bursts are absorbed instead of dropped
- Fanout Groups: use -C/-K to spread one interface across several processes and cores
- Memory-Mapped I/O: -m for faster pcap file reading and writing, e.g. during replay
- Priority: -H raises the scheduling priority, which reduces drops under load
Pro Tips
- Combining with trafgen:
netsniff-ng -i capture.pcap -o attack.cfg && sudo trafgen -i attack.cfg -o eth0
- Long-term Monitoring:
sudo netsniff-ng -i eth0 -o /var/log/pcaps/ -F 60min -P "network_cap"
- Debugging Complex Filters:
netsniff-ng -i eth0 -f "vlan and tcp" -B
-B prints the compiled filter, which is the quickest way to confirm that an expression matches what you intended before running a long capture with it.
Real-World Use Cases
- Network Troubleshooting
  - Capture and analyze traffic to diagnose connectivity issues.
  - Example:
    sudo netsniff-ng -i eth0 -o debug.pcap
- Security Analysis
  - Capture suspicious traffic (e.g., port scans, DDoS) for analysis; netsniff-ng records, the detection logic is yours.
  - Example:
    sudo netsniff-ng -i eth0 "tcp port 22"
- Traffic Replay for Testing
  - Simulate attacks by replaying captured attacks in an isolated lab network you control.
  - Example:
    sudo netsniff-ng -i attack.pcap --out eth0
- Custom Packet Crafting
  - Generate test traffic (e.g., TCP SYN floods for stress testing hosts you are authorized to test).
  - Example:
    sudo trafgen -i syn-flood.cfg -o eth0
Troubleshooting Tips
1. Permission Errors
- Run with sudo: opening AF_PACKET sockets requires root (CAP_NET_RAW).
- Ensure the interface is up:
sudo ip link set eth0 up
2. No Packets Captured
- Check the interface name:
ip link show
- netsniff-ng enables promiscuous mode itself unless you pass -M; to check or set it by hand:
sudo ip link set eth0 promisc on
- If you passed a filter, confirm it is not excluding everything by retrying without -f.
3. BPF Filter Not Working
- Test the expression with tcpdump first:
sudo tcpdump -i eth0 "tcp port 80"
- Ensure the syntax is correct, and remember that a file passed to -f must contain compiled bytecode, not an expression.
4. High CPU Usage
- Use --silent (-s): per-packet printing is the dominant cost.
- netsniff-ng has no --rate option for capture. Reduce the work instead: narrow the BPF filter, stop after a fixed count with -n, enlarge the ring with -S, or pin the process with -b.
netsniff-ng Toolkit: Packages & Binaries Breakdown
The netsniff-ng suite consists of multiple specialized networking tools, each serving a unique purpose in packet analysis, traffic generation, and network diagnostics. Below is a detailed breakdown of each component, including installation, usage, and practical examples.
netsniff-ng (Packet Sniffer & Analyzer)
Purpose: High-performance packet capture and analysis.
Key Features:
- Zero-copy packet processing for maximum efficiency.
- Supports BPF filtering.
- Can read/write PCAP files.
Installation (Kali Linux)
sudo apt update && sudo apt install netsniff-ng
Basic Usage
sudo netsniff-ng -i eth0 -o capture.pcap # Capture packets to file
sudo netsniff-ng -i capture.pcap # Print packets from a pcap file
Advanced Usage
# Capture only HTTP traffic
sudo netsniff-ng -i eth0 -o http.pcap "tcp port 80"
# Replay a capture (as fast as the TX ring allows; pace it with trafgen --rate if needed)
sudo netsniff-ng -i attack.pcap --out eth0
trafgen (Traffic Generator)
Purpose: Craft and inject custom packets at high speed.
Key Features:
- Supports custom packet templates.
- Useful for stress testing and DoS simulations.
Basic Usage
# Send 1000 packets, choosing templates from the config at random (-r) instead of round robin
sudo trafgen -i custom.cfg -o eth0 -n 1000 -r
# Craft packets from a config file, running it through the C preprocessor first
sudo trafgen -i custom.cfg -o eth0 --cpp
Example Config (custom.cfg)
/* SYN flood template: one Ethernet/IPv4/TCP SYN, 54 bytes on the wire.
 * trafgen fills in both checksums and draws fresh random fields per packet. */
{
  /* Ethernet header: the destination MAC comes first on the wire */
  0x00, 0x11, 0x22, 0x33, 0x44, 0x56,   /* Dest MAC */
  0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* Source MAC */
  c16(0x0800),                          /* EtherType (IPv4) */
  /* IPv4 header */
  0x45, 0x00,                           /* Version/IHL, TOS */
  c16(40),                              /* Total length: 20 IP + 20 TCP */
  drnd(2),                              /* ID, random per packet */
  0x40, 0x00,                           /* Flags (DF), fragment offset */
  64, 0x06,                             /* TTL, protocol (TCP) */
  csumip(14, 33),                       /* Header checksum over bytes 14..33 */
  0xc0, 0xa8, 0x01, 0x01,               /* Source IP (192.168.1.1) */
  0xc0, 0xa8, 0x01, 0x02,               /* Dest IP (192.168.1.2) */
  /* TCP header */
  drnd(2),                              /* Source port, random per packet */
  c16(80),                              /* Dest port */
  drnd(4),                              /* Sequence number */
  c32(0),                               /* Ack number */
  0x50, 0x02,                           /* Data offset 5, flags = SYN */
  c16(8192),                            /* Window size */
  csumtcp(14, 34),                      /* TCP checksum (IP header at 14, TCP at 34) */
  c16(0),                               /* Urgent pointer */
}
mausezahn (Packet Crafting & Traffic Generation)
Purpose: Advanced packet crafting with a one-shot command line and an interactive Cisco-like CLI.
Key Features:
- Supports ARP, TCP, UDP, ICMP, DNS, VLAN tagging and more.
- Can simulate complex network scenarios.
Basic Usage
# Send a single ICMP echo request to 192.168.1.1
sudo mausezahn eth0 -c 1 -t icmp -B 192.168.1.1
# Send 1000 UDP packets to port 80, each padded to 64 bytes
sudo mausezahn eth0 -B 192.168.1.1 -t udp "dp=80" -p 64 -c 1000
Advanced Usage
# Craft a TCP SYN with random MACs, a spoofed source IP and an ASCII payload
sudo mausezahn eth0 -a rand -b rand -A 192.168.1.1 -B 192.168.1.2 -t tcp "dp=80, flags=syn" -P "Hello World"
flowtop (Flow-Based Traffic Monitor)
Purpose: Real-time per-flow statistics (like iftop, but per connection, with process, AS and GeoIP details).
Key Features:
- Displays the active flows from the kernel's connection tracking table (nf_conntrack), so it sees the traffic this host terminates or forwards, not what passes by on a promiscuous interface.
- Shows per-flow byte and packet counters once conntrack accounting is enabled:
sudo sysctl -w net.netfilter.nf_conntrack_acct=1
Basic Usage
sudo flowtop
# IPv4 only, TCP and UDP flows
sudo flowtop -4 -T -U
Keybindings
s → sort by bandwidth. n → switch between numeric and hostname display.
ifpps (Interface Statistics)
Purpose: Displays real-time per-interface counters in a top-like curses view (the counters behind ip -s link, sampled every interval and broken down per CPU).
Key Features:
- Shows RX/TX bytes and packets per second, errors and drops, plus system load, IRQ rate and CPU usage per core.
- Can emit continuous CSV-style output (-l -c) for scripting or gnuplot.
Basic Usage
sudo ifpps -d eth0
# Sample every second and stream CSV to a file instead of drawing the screen
sudo ifpps -lcd eth0 -t 1000 > eth0.dat
Output Example
The screen has one block per counter: RX and TX bytes/s and packets/s, errors and drops, followed by per-CPU load, IRQ and softirq figures, refreshed every interval (-t, in milliseconds).
bpfc (BPF Compiler)
Purpose: Assembles classic BPF programs written in BPF assembly into bytecode for netsniff-ng, iptables (xt_bpf) or C code.
Key Features:
- Input is BPF assembly (ldh, jeq, jset, ret, ...), not tcpdump expressions; netsniff-ng compiles tcpdump expressions itself, so bpfc is for filters you write by hand.
- Output formats (-f): netsniff-ng (default), C, xt_bpf, tcpdump.
Basic Usage
# http.bpf holds the BPF assembly for "IPv4 TCP, source or destination port 80"
# (see the bpfc man page for the instruction set)
bpfc -i http.bpf > http.bpfo
sudo netsniff-ng -i eth0 -f http.bpfo
astraceroute (AS Path Traceroute)
Purpose: Traceroute that annotates each hop with its Autonomous System and GeoIP location.
Key Features:
- Shows the AS number and name of each hop from the GeoIP databases (refresh them with astraceroute -u).
- Probes with TCP (-S sends SYNs), which gets through networks that drop ICMP or UDP traceroute.
- Useful for network mapping.
Basic Usage
sudo astraceroute -i eth0 -H google.com
# SYN probes with reverse DNS lookups for each hop
sudo astraceroute -i eth0 -N -S -H google.com
Output Example
One line per hop: TTL, responding address, round-trip time, then the AS number, AS name and country/city from the GeoIP databases. Hops that do not answer within the timeout (-x) show as timeouts, and private addresses such as a home router carry no AS entry.
curvetun (Curve25519 IP Tunnel)
Purpose: Lightweight IP tunnel encrypted with NaCl's crypto_box (Curve25519 key agreement, Salsa20/Poly1305 for the traffic).
Key Features:
- Each side has a static Curve25519 key pair; peers are authenticated by public key, with no PKI.
- Runs over TCP by default or UDP with -u; one server can serve many clients.
- Treat it as experimental lab tooling rather than a production VPN; it has not had the scrutiny that WireGuard or IPsec implementations receive.
Basic Setup
# On both sides: generate a key pair under ~/.curvetun/ and print the public-key line for the peer
curvetun -k
curvetun -x
# Server: append each client's exported line to ~/.curvetun/clients, then listen on UDP 6170
sudo curvetun -s -p 6170 -u
# Client: add the server to ~/.curvetun/servers as
#   <alias>;<server ip>;6170;udp;<server public key>
# then connect by alias
sudo curvetun -c myserver