netsniff-ng output file for TCP session / UDP flow with maxsize defined by user


Roberto Martelloni

May 14, 2013, 6:25:23 AM
to netsn...@googlegroups.com
Hi,

I have some questions about netsniff-ng functionality:
  1. Is netsniff-ng multi-threaded, and if yes, does multi-threading improve the performance of the sniffer?
  2. Is netsniff-ng capable of dumping traffic into multiple files, creating files with a max size X defined by the user?
  3. Is netsniff-ng capable of tracking TCP sessions and UDP flows to allow dumping of pcap files without splitting a session/flow between multiple files?
  4. If question 3 is true, is netsniff-ng capable of handling corner cases like a TCP session without FIN or one closed by an RST packet?
  5. If question 3 is true, is netsniff-ng capable of tracking UDP flows using a time-based approach?

What I need is to continuously sniff network traffic and dump TCP sessions and UDP flows into PCAP files that have a MAX size defined by the user, without breaking a session or flow between multiple PCAP files.

Best Regards,

R.

Daniel Borkmann

May 14, 2013, 7:16:51 AM
to netsn...@googlegroups.com, Roberto Martelloni
On 05/14/2013 12:25 PM, Roberto Martelloni wrote:
> I have some questions about netsniff-ng functionality:
>
> 1. Is netsniff-ng multi-threaded, and if yes, does multi-threading
> improve the performance of the sniffer?

Currently not, unless you start multiple instances of it, bound to different
CPUs. Then yes, but this only makes sense if your hard drive will not become
a bottleneck and can keep up with the pace (otherwise use a ramfs or the like).

> 2. Is netsniff-ng capable of dumping traffic into multiple files, creating
> files with a max size X defined by the user?

Yes. Please see the man-page or --help of the current Git tree version [1].

[1] https://github.com/borkmann/netsniff-ng

> 3. Is netsniff-ng capable of tracking TCP sessions and UDP flows to allow
> dumping of pcap files without splitting a session/flow between multiple files?

No, for performance reasons we do not track TCP/UDP sessions, but I'm
almost sure there are tools that can perform this offline on pcap files.

The only thing you can do here that might help in this respect is to define a
tcpdump-like BPF filter that only lets a particular flow pass the
kernel filter.

Cheers,

Daniel
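The offline approach Daniel points to, as an added example that is not netsniff-ng's code or anything posted in this thread: a small Python script that reads a pcap, assigns each packet to a TCP session or UDP flow (a session closes on RST or after a FIN from each side, its 5-tuple is reused only when a fresh SYN arrives so that the trailing ACK of a close stays with the old session, and idle timeouts expire TCP sessions that never close as well as UDP flows), then packs whole flows into output pcaps bounded by a user-chosen size. It assumes Ethernet/IPv4 frames in a little-endian pcap; the addresses, packets and timeout values are constructed for the demo.

```python
import struct

TCP, UDP, FIN, SYN, RST, ACK = 6, 17, 0x01, 0x02, 0x04, 0x10   # IP protocol numbers, TCP flag bits
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, DLT_EN10MB

def read_pcap(blob):
    """Yield (timestamp, frame) from little-endian pcap bytes held in memory."""
    assert struct.unpack_from("<I", blob)[0] == 0xA1B2C3D4, "unsupported pcap magic"
    off = 24  # skip the global header
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", blob, off)
        yield sec + usec / 1e6, blob[off + 16:off + 16 + caplen]
        off += 16 + caplen

def write_pcap(records):
    """Serialise [(timestamp, frame)] into pcap bytes."""
    out = [PCAP_HDR]
    for ts, frame in records:
        out.append(struct.pack("<IIII", int(ts), round((ts - int(ts)) * 1e6), len(frame), len(frame)) + frame)
    return b"".join(out)

def parse_l4(frame):
    """Ethernet/IPv4 TCP|UDP frame -> (flow key with endpoints sorted, sender, tcp flags), else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4
    if proto not in (TCP, UDP) or len(frame) < l4 + (20 if proto == TCP else 8):
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    src, dst = (frame[26:30], sport), (frame[30:34], dport)
    return (proto,) + tuple(sorted((src, dst))), src, (frame[l4 + 13] if proto == TCP else 0)

class FlowSplitter:
    """Groups packets into TCP sessions and UDP flows. A session ends on RST or a FIN from each
    side, but its 5-tuple is reused only on a fresh SYN (so the close's trailing ACK stays put);
    idle timeouts (assumed values) cover sessions that never close and bound UDP flows."""
    def __init__(self, tcp_timeout=300.0, udp_timeout=30.0):
        self.timeouts = {TCP: tcp_timeout, UDP: udp_timeout}
        self.active = {}  # 5-tuple key -> state of the flow currently using it
        self.flows = {}   # flow id -> [(timestamp, frame)]

    def feed(self, ts, frame):
        parsed = parse_l4(frame)
        if parsed is None:
            return None
        key, sender, flags = parsed
        proto, st = key[0], self.active.get(key)
        if st is not None:
            fresh_syn = proto == TCP and flags & (SYN | ACK) == SYN
            if ts - st["last"] > self.timeouts[proto] or (st["closed"] and fresh_syn):
                st = None
        if st is None:
            st = self.active[key] = {"id": len(self.flows), "closed": False, "fins": set()}
        st["last"] = ts
        self.flows.setdefault(st["id"], []).append((ts, frame))
        if proto == TCP:
            if flags & FIN:
                st["fins"].add(sender)
            if flags & RST or len(st["fins"]) == 2:
                st["closed"] = True
        return st["id"]

def pack_flows(flows, max_bytes):
    """First-fit packing of whole flows into pcap files of at most max_bytes (an oversized flow gets its own file)."""
    files = []  # [bytes so far, records]
    for fid in sorted(flows):
        recs = flows[fid]
        size = sum(16 + len(f) for _, f in recs)
        target = next((f for f in files if f[0] + size <= max_bytes), None)
        if target is None:
            target = [len(PCAP_HDR), []]
            files.append(target)
        target[0] += size
        target[1].extend(recs)
    return [write_pcap(sorted(recs)) for _, recs in files]

def mk_frame(src, dst, proto, sport, dport, flags=0):
    """Constructed test data: minimal Ethernet/IPv4 + TCP or UDP frame, no payload."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0) if proto == TCP
          else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def demo(max_bytes=500):
    """Round-trip a constructed capture; returns (flow id per packet, size of each output file)."""
    A, B, C = "10.0.0.1", "10.0.0.2", "10.0.0.3"
    frames = [
        (1.0, mk_frame(A, B, TCP, 40000, 80, SYN)),
        (1.1, mk_frame(B, A, TCP, 80, 40000, SYN | ACK)),
        (2.0, mk_frame(A, B, TCP, 40000, 80, FIN | ACK)),
        (2.1, mk_frame(B, A, TCP, 80, 40000, FIN | ACK)),
        (2.2, mk_frame(A, B, TCP, 40000, 80, ACK)),   # trailing ACK stays with session 0
        (3.0, mk_frame(A, B, TCP, 40000, 80, SYN)),   # port reuse: session 1
        (3.5, mk_frame(B, A, TCP, 80, 40000, RST)),   # aborted by RST, no FIN ever seen
        (4.0, mk_frame(A, C, UDP, 5000, 53)),         # UDP flow 2
        (4.5, mk_frame(C, A, UDP, 53, 5000)),
        (60.0, mk_frame(A, C, UDP, 5000, 53)),        # idle longer than 30 s: flow 3
    ]
    splitter = FlowSplitter()
    ids = [splitter.feed(ts, f) for ts, f in read_pcap(write_pcap(frames))]
    return ids, [len(p) for p in pack_flows(splitter.flows, max_bytes)]
```

Because whole flows are placed first-fit, an output file can hold flows from different points in the capture, and a flow larger than the size limit still lands in one file rather than being cut. Everything is held in memory, so a capture of real size would need the flows flushed to disk as they close or time out instead of at the end.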