netsniff usage


b...@coco.fr

Feb 23, 2013, 3:03:06 PM2/23/13
to netsn...@googlegroups.com
Hi everybody,

here is the command I use to capture packets
netsniff-ng --dev eth2 --ring-size 50MB -H

works great, but after the 50MB the console stops displaying new results.
I would like a way to capture infinitely, I mean having netsniff capture things night and day (I use an external program to capture the output).
How should I do this?
Regards,

Zack

Daniel Borkmann

Feb 23, 2013, 4:48:47 PM2/23/13
to netsn...@googlegroups.com
1. You should not let the output be printed, i.e. use netsniff-ng
in --silent mode

2. After X MiB/GiB, you should let netsniff-ng start a new pcap trace
that you can then analyze, e.g.

netsniff-ng --in eth0 --out /opt/dump/ -s -m --interval 1GiB -b 0

For more examples, have a look at, e.g.:

http://pub.netsniff-ng.org/paper/devconf_2013.pdf

b...@coco.fr

Feb 23, 2013, 5:05:10 PM2/23/13
to netsn...@googlegroups.com
Thank you Daniel,


but
1)
I use a java program which captures the output so I can't go in silent mode.
2)
I need the captured frames to last infinitely and cannot print all to a File.

What should I do then to benefit from the high speed of netsniff-ng through my java program 24/24?

Daniel Borkmann

Feb 24, 2013, 2:01:39 AM2/24/13
to netsn...@googlegroups.com
On 02/23/2013 11:05 PM, b...@coco.fr wrote:

> but
> 1)
> I use a java program which captures the output so I can't go in silent mode.

So what does this look like? You're analyzing what netsniff-ng is printing to the
terminal and redirecting into a Java program?

> 2)
> I need the captured frames to last infinitely and cannot print all to a File.
>
> What should I do then to benefit from the high speed of netsniff-ng through my java program 24/24?

If you are indeed doing what I think you are, then there is no high-speed
anymore. ;-) Simply because each and every packet has to enter the packet
dissectors, going through the dissector stack and printing code to the
terminal. This is overkill. You should rather analyse in your Java program
recorded pcap files, that were recorded with netsniff-ng in the way I sent
you before.

b...@coco.fr

Feb 28, 2013, 11:14:49 AM2/28/13
to netsn...@googlegroups.com
On Sunday, 24 February 2013 08:01:39 UTC+1, Daniel Borkmann wrote:
> On 02/23/2013 11:05 PM, b...@coco.fr wrote:
>
> > but
> > 1)
> > I use a java program which captures the output so I can't go in silent mode.
>
> So what does this look like? You're analyzing what netsniff-ng is printing to the
> terminal and redirecting into a Java program?
>

Yes that's it. I capture the output of the terminal in my Java Thread.

>
> > 2)
> > I need the captured frames to last infinitely and cannot print all to a File.
> >
> > What should I do then to benefit from the high speed of netsniff-ng through my java program 24/24?
>
> If you are indeed doing what I think you are, then there is no high-speed
> anymore. ;-) Simply because each and every packet has to enter the packet
> dissectors, going through the dissector stack and printing code to the
> terminal. This is overkill. You should rather analyse in your Java program
> recorded pcap files, that were recorded with netsniff-ng in the way I sent
> you before.

OK, so how do I not go through the packet dissector then, and get the data through the console?
How can I have infinite packet capture?

Thank you

Daniel Borkmann

Feb 28, 2013, 11:35:40 AM2/28/13
to netsn...@googlegroups.com
On 02/28/2013 05:14 PM, b...@coco.fr wrote:
> OK, so how do I not go through the packet dissector then, and get the data through the console?
> How can I have infinite packet capture?

What you could do is the following:

1) Run netsniff-ng with pcap output to stdout:

netsniff-ng -i eth0 -o - -b 0 | your_tool

2) netsniff-ng will write to stdout in pcap file format, so you need to have
a look if there are some java libs that can read this format.
Instead of opening a pcap file in your program, you would then
read an infinite stream from stdin.

b...@coco.fr

Mar 4, 2013, 1:26:21 PM3/4/13
to netsn...@googlegroups.com

>
> What you could do is the following:
>
> 1) Run netsniff-ng with pcap output to stdout:
>
> netsniff-ng -i eth0 -o - -b 0 | your_tool
>
> 2) netsniff-ng will write to stdout in pcap file format, so you need to have
> a look if there are some java libs that can read this format.
> Instead of opening a pcap file in your program, you would then
> read an infinite stream from stdin.


1) Will this bypass the packet dissector?
2) Will it be in zero-copy mode?
3) Will I be able to handle 5 M pps?

thanks

Daniel Borkmann

Mar 4, 2013, 1:36:20 PM3/4/13
to netsn...@googlegroups.com
On 03/04/2013 07:26 PM, b...@coco.fr wrote:
>
>> What you could do is the following:
>>
>> 1) Run netsniff-ng with pcap output to stdout:
>> netsniff-ng -i eth0 -o - -b 0 | your_tool
>>
>> 2) netsniff-ng will write to stdout in pcap file format, so you need to have
>> a look if there are some java libs that can read this format.
>> Instead of opening a pcap file in your program, you would then
>> read an infinite stream from stdin.
>
> 1) Will this bypass the packet dissector?

Yes. Because no possible dissector will cope with 5 Mio pps. Your console is
just too slow for this.

> 2) Will it be in zero-copy mode?

Yes. By zero-copy is always meant that it will not copy packets from the
kernel address space to the user address space in the initial receive path.

> 3) Will I be able to handle 5 M pps?

This all depends on your hardware, OS settings, OS/HW tuning etc. A simple
answer like "yes" or "no" is impossible to give.

b...@coco.fr

Mar 4, 2013, 1:50:40 PM3/4/13
to netsn...@googlegroups.com
Ok I will try that.

What is the "--ring-size 500MB" option?
Should I use it to increase capture speed?

What is "-o -" supposed to do?

thanks

Daniel Borkmann

Mar 4, 2013, 1:57:37 PM3/4/13
to netsn...@googlegroups.com
On 03/04/2013 07:50 PM, b...@coco.fr wrote:
> Ok I will try that.
>
> What is the "--ring-size 500MB" option?
> Should I use it to increase capture speed?

This might help, yes.

> What is "-o -" supposed to do?

It will dump the captured packets to stdout instead of to
a pcap file. However, the pcap file format is preserved.
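An added example, not from this thread or from netsniff-ng, of the consumer side of the `netsniff-ng -i eth0 -o - -b 0 | your_tool` pipeline suggested in the Feb 28 reply and explained again just above: a streaming pcap reader that works on an open-ended pipe rather than a finished file, written in Python instead of the poster's Java. All function names are mine and the sample bytes are constructed, not a real capture.

```python
import io
import struct
from typing import BinaryIO, Iterator, NamedTuple

# Magic read as a little-endian u32 -> (struct byte order of the stream, timestamp fraction units per second)
MAGICS = {0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),   # classic microsecond pcap
          0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9)}   # nanosecond pcap variant

class Packet(NamedTuple):
    ts: float       # seconds since the epoch
    linktype: int   # DLT of the capture (1 = Ethernet)
    origlen: int    # bytes on the wire; len(data) is the captured length (cut to the snaplen)
    data: bytes

def _read_exact(stream: BinaryIO, n: int) -> bytes:
    """Read n bytes, looping because a pipe may deliver short reads; a short result means EOF."""
    buf = b""
    while len(buf) < n and (chunk := stream.read(n - len(buf))):
        buf += chunk
    return buf

def read_pcap_stream(stream: BinaryIO) -> Iterator[Packet]:
    """Yield packets from an open-ended pcap byte stream such as sys.stdin.buffer."""
    hdr = _read_exact(stream, 24)                       # 24-byte pcap global header
    magic = struct.unpack("<I", hdr[:4])[0] if len(hdr) == 24 else None
    if magic not in MAGICS:
        raise ValueError("not a pcap stream, or stream ended inside the global header")
    endian, frac_per_sec = MAGICS[magic]
    linktype = struct.unpack(endian + "I", hdr[20:24])[0]
    rec = struct.Struct(endian + "IIII")                # ts_sec, ts_frac, caplen, origlen
    while True:
        rh = _read_exact(stream, rec.size)
        if not rh:
            return  # writer closed the pipe on a record boundary: clean end of stream
        if len(rh) < rec.size:
            raise ValueError("truncated packet record header")
        ts_sec, ts_frac, caplen, origlen = rec.unpack(rh)
        data = _read_exact(stream, caplen)
        if len(data) < caplen:
            raise ValueError("truncated packet data")
        yield Packet(ts_sec + ts_frac / frac_per_sec, linktype, origlen, data)

def parse_bytes(data: bytes) -> list:
    return list(read_pcap_stream(io.BytesIO(data)))  # in-memory helper; live use passes sys.stdin.buffer

def build_sample_pcap() -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # constructed LE header, snaplen 65535, DLT 1
    for ts_sec, ts_usec, frame in ((1361631786, 500, b"\x00" * 60), (1361631787, 0, b"\xff" * 14)):
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out
```

In the pipeline from the thread the call is `read_pcap_stream(sys.stdin.buffer)`; the reader never buffers more than one record, which matters because a consumer slower than the packet rate will eventually block netsniff-ng on the pipe.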