netsniff-ng in the latest Kali

description:

  Packet sniffing program.
  netsniff-ng is a fast, minimal tool that can analyze network packets, capture pcap files, replay pcap files, and redirect traffic between interfaces using zero-copy packet(7) sockets. It uses the Linux-specific RX_RING and TX_RING interfaces to perform zero-copy, which avoids copying and system call overhead between kernel and user address space. When we started to study netsniff-ng, the pcap(3) library did not use this zero-copy facility.
  netsniff-ng is Linux-specific, meaning other operating systems are not supported. This lets us keep the code footprint to a minimum. The Linux packet(7) socket and its RX_RING and TX_RING interfaces bypass the normal packet processing path through the network stack. This is the fastest capture or transmission performance that user space can get out of the box, without loading unsupported or non-mainline third-party kernel modules. We explicitly refuse to build netsniff-ng on top of ntop/PF_RING, not because we don't like it (we did find it interesting), but because it is not part of the mainline kernel. Therefore, the ntop project has to maintain and synchronize out-of-tree drivers to adapt them to their DNA. In the end, we chose an untainted Linux kernel because its code has a higher rate of review, maintenance, security and bug fixes.
  netsniff-ng also supports early packet filtering in the kernel. It can translate low-level and high-level packet filters into Berkeley Packet Filter instructions.
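
  The in-kernel filtering described above, as an added example that is not from the original page or from netsniff-ng's code: the filter "IPv4 and TCP" written as classic BPF instructions and evaluated over constructed frames by a small interpreter. The names insn, run_filter and filter_sample are illustrative, and the interpreter covers only the four opcodes this program uses.

```c
#include <stdint.h>
#include <stdio.h>
/* Classic BPF instruction: same fields as the kernel's struct sock_filter. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };

/* The filter "IPv4 and TCP" as classic BPF instructions. */
static const struct insn ipv4_tcp[] = {
    { LDH_ABS, 0, 0, 12 },      /* A = EtherType (frame bytes 12..13) */
    { JEQ_K,   0, 3, 0x0800 },  /* not IPv4: skip 3 insns to "drop"   */
    { LDB_ABS, 0, 0, 23 },      /* A = IPv4 protocol (frame byte 23)  */
    { JEQ_K,   0, 1, 6 },       /* not TCP: skip 1 insn to "drop"     */
    { RET_K,   0, 0, 262144 },  /* accept, keep up to 262144 bytes    */
    { RET_K,   0, 0, 0 },       /* drop                               */
};

/* Runs the four opcodes above; returns bytes to keep (0 = drop, also on bad loads). */
static uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;                       /* accumulator register */
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &p[pc];
        switch (i->code) {
        case LDH_ABS:                     /* 16-bit big-endian load, bounds-checked */
            if ((size_t)i->k + 2 > len) return 0;
            a = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1]; break;
        case LDB_ABS:                     /* 8-bit load, bounds-checked */
            if ((size_t)i->k + 1 > len) return 0;
            a = pkt[i->k]; break;
        case JEQ_K: pc += (a == i->k) ? i->jt : i->jf; break;
        case RET_K: return i->k;
        default:    return 0;             /* unknown opcode: drop */
        }
    }
    return 0;
}

/* Constructed sample frame: zeroed 64-byte buffer with only the tested fields set. */
static uint32_t filter_sample(uint16_t ethertype, uint8_t proto, size_t len)
{
    uint8_t f[64] = {0};
    f[12] = (uint8_t)(ethertype >> 8); f[13] = (uint8_t)ethertype; f[23] = proto;
    return run_filter(ipv4_tcp, sizeof ipv4_tcp / sizeof ipv4_tcp[0], f, len > 64 ? 64 : len);
}

int main(void)
{
    printf("tcp=%u udp=%u ipv6=%u\n", filter_sample(0x0800, 6, 64),
           filter_sample(0x0800, 17, 64), filter_sample(0x86dd, 6, 64));
    return 0;
}
```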
  netsniff-ng can capture several pcap files in pcap format that are interoperable with other tools. The following pcap I/O methods are supported for efficient capture to disk: scatter-gather, mmap(2), read(2) and write(2). netsniff


Origin blog.csdn.net/qq_40399982/article/details/112992400