Re: [netsniff-ng] netsniff-ng output file name by date
On 02/19/2016 10:10 AM, Vadim Kochan wrote:
> Simply because netsniff-ng does not support custom date-time format for pcap file name. But as I said we can extend it in the similar way like tcpdump does.

Agreed, that might be useful.

Thanks,
Daniel

--
You received this message because you are subscribed to the Google Groups "netsniff-ng" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
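A workaround for the missing date-format support discussed in this thread, as an added example that is not from the thread or the netsniff-ng project: the shell expands `"$(date ...)"` once, before the sniffer starts, so the helper below renames finished captures after rotation instead. It assumes rotated files are named `<prefix><unix-time>.pcap` (as in the `NOR-1438876806.pcap` listing elsewhere on this page); `epoch_of`, `stamp_name`, `rename_rotated` and the `CAPTURE_TZ` variable are hypothetical names.

```shell
#!/bin/sh
# Added example, not netsniff-ng code. "$(date ...)" on the command line is
# expanded once by the shell, so the sniffer only ever sees one fixed name.
# Assumption: rotated files are named <prefix><unix-time>.pcap with a
# 10-digit Unix time. Requires a date(1) that accepts -d @SECONDS.

# epoch_of FILE -> prints the 10-digit Unix time embedded in FILE's name,
# or returns 1 (other files, or captures that were already renamed).
epoch_of() {
    eo_name=${1##*/}
    case $eo_name in
        *.pcap) eo_name=${eo_name%.pcap} ;;
        *) return 1 ;;
    esac
    eo_num=${eo_name##*[!0-9]}              # trailing run of digits
    if [ "${#eo_num}" -ne 10 ]; then return 1; fi
    printf '%s\n' "$eo_num"
}

# stamp_name FILE FORMAT -> prints FILE's path with the Unix time replaced
# by a strftime-style stamp. CAPTURE_TZ (hypothetical) picks the time zone;
# the default is UTC so names sort the same on every sensor.
stamp_name() {
    sn_epoch=$(epoch_of "$1") || return 1
    sn_head=${1%"$sn_epoch".pcap}           # directory + prefix
    sn_stamp=$(TZ=${CAPTURE_TZ:-UTC} date -d "@$sn_epoch" +"$2") || return 1
    printf '%s%s.pcap\n' "$sn_head" "$sn_stamp"
}

# rename_rotated DIR FORMAT -> renames every finished capture in DIR and
# prints how many files were renamed. The file with the highest Unix time
# is skipped because the sniffer may still be writing to it, and an
# existing target is never overwritten.
rename_rotated() {
    rr_newest=0
    rr_count=0
    for rr_f in "$1"/*.pcap; do
        rr_e=$(epoch_of "$rr_f") || continue
        if [ "$rr_e" -gt "$rr_newest" ]; then rr_newest=$rr_e; fi
    done
    for rr_f in "$1"/*.pcap; do
        rr_e=$(epoch_of "$rr_f") || continue
        if [ "$rr_e" -eq "$rr_newest" ]; then continue; fi
        rr_new=$(stamp_name "$rr_f" "$2") || continue
        if [ -e "$rr_new" ]; then continue; fi
        if mv "$rr_f" "$rr_new"; then rr_count=$((rr_count + 1)); fi
    done
    printf '%s\n' "$rr_count"
}

# Constructed demo: three empty files named like the captures in the thread.
demo_dir=$(mktemp -d)
touch "$demo_dir/NOR-1438876806.pcap" "$demo_dir/NOR-1438877706.pcap" \
      "$demo_dir/NOR-1438878606.pcap"
echo "renamed: $(rename_rotated "$demo_dir" '%Y%m%d_%H%M')"
ls "$demo_dir"
rm -rf "$demo_dir"
```

Run it from cron or a timer at the rotation interval; a second pass is harmless because renamed files no longer carry a 10-digit Unix time.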
Re: [netsniff-ng] netsniff-ng output file name by date
Simply because netsniff-ng does not support custom date-time format for pcap file name. But as I said we can extend it in the similar way like tcpdump does.

On Fri, Feb 19, 2016 at 8:56 AM, and <andri...@gmail.com> wrote:
> Sorry, I am beginner, so I am not sure about how to use "strftime".
> One strange thing, I can't understand: for tcpdump works command I early wrote and it gives results that I expect:
>
> tcpdump -i ethx -w /destination/tcpd_'%Y%m%d_%H%M'.pcap -n -G 3600
>
> (enough to use quotes) But for netsniff-ng that doesn't work and I can't get why?
>
> On Friday, February 19, 2016 at 01:36:41 UTC+2, Vadim Kochan wrote:
>>
>> Hm, well we can do similarly like tcpdump does - try to strftime output pcap file name if -F is specified.
>>
>> Let's see what Tobias or Daniel may suggest.
>>
>> Regards,
>> Vadim Kochan
>>
>> On Thu, Feb 18, 2016 at 10:51 PM, and <andr...@gmail.com> wrote:
>> > Yes, sort of that: I need that every pcap file get name, which should consist from date and time, when that file created.
>> > For example, with command:
>> > netsniff-ng -i ethx -o /destination/"$(date +'%Y%m%d_%H%M')".pcap -s -F 1hrs
>> >
>> > I expect to get (hourly) multiple files like:
>> >
>> > /destination/20160218_2015.pcap
>> > /destination/20160218_2115.pcap
>> > /destination/20160218_2215.pcap
>> > ...
>> >
>> > But I don't :(
>> >
>> > On Thursday, February 18, 2016 at 16:49:04 UTC+2, Vadim Kochan wrote:
>> >>
>> >> On Thu, Feb 18, 2016 at 2:13 PM, Andrius X <andr...@gmail.com> wrote:
>> >> > Thank you for fast respond.
>> >> > Sorry, I experimented a lot, but posted just part of information.
>> >> >
>> >> > Explanations:
>> >> > My goal is capture "endless" traffic and save it to pcaps. As it is endless traffic, I want to have multiple pcaps (for example, minutely or hourly saved).
>> >> >
>> >> > Yes you right "$(date +'%Y%m%d_%H%M')" works, however netsniff with it don't create multiple files with -F:
>> >> >
>> >> > sudo netsniff-ng -i ethx -o /destination/"$(date +'%Y%m%d_%H%M')".pcap -s -F 10s
>> >> >
>> >> > just one file, or multiple files (with prefix option) but without changing time variable:
>> >> >
>> >> > sudo netsniff-ng -i ethx -o /destination/ -P "$(date +'%Y%m%d_%H%M')"_ -s -F 10s
>> >> >
>> >> > For tcpdump works:
>> >> > tcpdump -i ethx -w /destination/tcpd_'%Y%m%d_%H%M'.pcap -n -G 3600
>> >> >
>> >> > On Thursday, February 18, 2016 at 12:58:10 UTC+2, Vadim Kochan wrote:
>> >> >>
>> >> >> Hi,
>> >> >>
>> >> >> On Wed, Feb 17, 2016 at 9:55 AM, <andr...@gmail.com> wrote:
>> >> >> > Hi everyone,
>> >> >> >
>> >> >> > I have a questions about netsniff-ng and maybe you could help me: is there any possibility to format output file name by date & time?
>> >> >> >
>> >> >> > I tried, but didn't work:
>> >> >> >
>> >> >> > netsniff-ng -i ethx -o /destination/"$(date +'%Y%m%d_%H%M')".pcap
>> >> >> >
>> >> >> > (I use netsniff-ng 0.5.7)
>> >> >> >
>> >> >> > PS. for tcpdump it works.
>> >> >> >
>> >> >> > Thanks.
>> >> >> >
>> >> >> > Best regards,
>> >> >> > and
Re: [netsniff-ng] netsniff-ng output file name by date
Sorry, I am beginner, so I am not sure about how to use "strftime".
One strange thing, I can't understand: for tcpdump works command I early wrote and it gives results that I expect:

tcpdump -i ethx -w /destination/tcpd_'%Y%m%d_%H%M'.pcap -n -G 3600

(enough to use quotes) But for netsniff-ng that doesn't work and I can't get why?

On Friday, February 19, 2016 at 01:36:41 UTC+2, Vadim Kochan wrote:
>
> Hm, well we can do similarly like tcpdump does - try to strftime output pcap file name if -F is specified.
>
> Let's see what Tobias or Daniel may suggest.
>
> Regards,
> Vadim Kochan
>
> On Thu, Feb 18, 2016 at 10:51 PM, and <andr...@gmail.com> wrote:
> > Yes, sort of that: I need that every pcap file get name, which should consist from date and time, when that file created.
> > For example, with command:
> > netsniff-ng -i ethx -o /destination/"$(date +'%Y%m%d_%H%M')".pcap -s -F 1hrs
> >
> > I expect to get (hourly) multiple files like:
> >
> > /destination/20160218_2015.pcap
> > /destination/20160218_2115.pcap
> > /destination/20160218_2215.pcap
> > ...
> >
> > But I don't :(
> >
> > On Thursday, February 18, 2016 at 16:49:04 UTC+2, Vadim Kochan wrote:
> >>
> >> On Thu, Feb 18, 2016 at 2:13 PM, Andrius X <andr...@gmail.com> wrote:
> >> > Thank you for fast respond.
> >> > Sorry, I experimented a lot, but posted just part of information.
> >> >
> >> > Explanations:
> >> > My goal is capture "endless" traffic and save it to pcaps. As it is endless traffic, I want to have multiple pcaps (for example, minutely or hourly saved).
> >> >
> >> > Yes you right "$(date +'%Y%m%d_%H%M')" works, however netsniff with it don't create multiple files with -F:
> >> >
> >> > sudo netsniff-ng -i ethx -o /destination/"$(date +'%Y%m%d_%H%M')".pcap -s -F 10s
> >> >
> >> > just one file, or multiple files (with prefix option) but without changing time variable:
> >> >
> >> > sudo netsniff-ng -i ethx -o /destination/ -P "$(date +'%Y%m%d_%H%M')"_ -s -F 10s
> >> >
> >> > For tcpdump works:
> >> > tcpdump -i ethx -w /destination/tcpd_'%Y%m%d_%H%M'.pcap -n -G 3600
> >> >
> >> > On Thursday, February 18, 2016 at 12:58:10 UTC+2, Vadim Kochan wrote:
> >> >>
> >> >> Hi,
> >> >>
> >> >> On Wed, Feb 17, 2016 at 9:55 AM, <andr...@gmail.com> wrote:
> >> >> > Hi everyone,
> >> >> >
> >> >> > I have a questions about netsniff-ng and maybe you could help me: is there any possibility to format output file name by date & time?
> >> >> >
> >> >> > I tried, but didn't work:
> >> >> >
> >> >> > netsniff-ng -i ethx -o /destination/"$(date +'%Y%m%d_%H%M')".pcap
> >> >> >
> >> >> > (I use netsniff-ng 0.5.7)
> >> >> >
> >> >> > PS. for tcpdump it works.
> >> >> >
> >> >> > Thanks.
> >> >> >
> >> >> > Best regards,
> >> >> > and
> >> >>
> >> >> I just tried it on Debian (in VBox) :
> >> >>
> >> >> sudo netsniff-ng/netsniff-ng -i enp0s3 -o /tmp/"$(date +'%Y%m%d_%H%M')".pcap -n 100
> >> >>
> >> >> And I got the pcap file under /tmp:
> >> >>
> >> >> /tmp/20160218_1251.pcap
> >> >>
> >> >> May be I did not understand your problem ?
> >> >>
> >> >> Regards,
> >> >> Vadim Kochan
> >>
> >> As I understand the problem - you can't specify custom date format via command line ?
[netsniff-ng] netsniff-ng: pcap to json
Hi,

What do you think if it is a good idea to convert pcap to json by netsniff-ng ? I mean to add such feature ...

Regards,
Re: [netsniff-ng] Netsniff-ng Packet Capture with Intervals
On 08/07/2015 12:01 AM, Stefano Pirrello wrote:
> I took another look at my server and saw the process is hung up again. See below on how many captures were successful but eventually they stopped generating.
>
> ~/captures$ ls -ltr
> total 3297540
> -rwxr--r-- 1 n3tus3r n3tus3r 6225 Aug 3 23:06 acloudshark-upload.py
> -rw-r--r-- 1 root root 151763085 Aug 6 11:59 NOR-1438829948.pcap
> -rw------- 1 n3tus3r n3tus3r 170 Aug 6 12:00 nohup.out
> -rw-r--r-- 1 root root 614790736 Aug 6 12:15 NOR-1438876806.pcap
> -rw-r--r-- 1 root root 531106907 Aug 6 12:30 NOR-1438877706.pcap
> -rw-r--r-- 1 root root 469131877 Aug 6 12:45 NOR-1438878606.pcap
> -rw-r--r-- 1 root root 447301234 Aug 6 13:00 NOR-1438879506.pcap
> -rw-r--r-- 1 root root 536482188 Aug 6 13:15 NOR-1438880406.pcap
> -rw-r--r-- 1 root root 502705750 Aug 6 13:30 NOR-1438881306.pcap
> -rw-r--r-- 1 root root 123361242 Aug 6 13:33 NOR-1438882206.pcap
>
> You can also see how the process is still running:
>
> $ sudo ps -ef | grep netsniff
> [sudo] password for n3tus3r:
> root 885 618 0 12:00 pts/0 00:00:00 sudo nohup netsniff-ng --in bond0 --out . --prefix NOR- --interval 15min -s -H -f net 10.10.192.0/18
> root 886 885 22 12:00 pts/0 01:22:08 netsniff-ng --in bond0 --out . --prefix NOR- --interval 15min -s -H -f net 10.10.192.0/18
> n3tus3r 1326 1297 0 18:00 pts/1 00:00:00 grep --color=auto netsniff

Hmm, is there any additional debugging information where it could be hung? Would strace give any details?
Re: [netsniff-ng] Netsniff-ng Packet Capture with Intervals
I'll run additional tests today with strace and will share the output.

On Fri, Aug 7, 2015 at 5:12 AM Daniel Borkmann borkm...@iogearbox.net wrote:
> On 08/07/2015 12:01 AM, Stefano Pirrello wrote:
> > I took another look at my server and saw the process is hung up again. See below on how many captures were successful but eventually they stopped generating.
> >
> > ~/captures$ ls -ltr
> > total 3297540
> > -rwxr--r-- 1 n3tus3r n3tus3r 6225 Aug 3 23:06 acloudshark-upload.py
> > -rw-r--r-- 1 root root 151763085 Aug 6 11:59 NOR-1438829948.pcap
> > -rw------- 1 n3tus3r n3tus3r 170 Aug 6 12:00 nohup.out
> > -rw-r--r-- 1 root root 614790736 Aug 6 12:15 NOR-1438876806.pcap
> > -rw-r--r-- 1 root root 531106907 Aug 6 12:30 NOR-1438877706.pcap
> > -rw-r--r-- 1 root root 469131877 Aug 6 12:45 NOR-1438878606.pcap
> > -rw-r--r-- 1 root root 447301234 Aug 6 13:00 NOR-1438879506.pcap
> > -rw-r--r-- 1 root root 536482188 Aug 6 13:15 NOR-1438880406.pcap
> > -rw-r--r-- 1 root root 502705750 Aug 6 13:30 NOR-1438881306.pcap
> > -rw-r--r-- 1 root root 123361242 Aug 6 13:33 NOR-1438882206.pcap
> >
> > You can also see how the process is still running:
> >
> > $ sudo ps -ef | grep netsniff
> > [sudo] password for n3tus3r:
> > root 885 618 0 12:00 pts/0 00:00:00 sudo nohup netsniff-ng --in bond0 --out . --prefix NOR- --interval 15min -s -H -f net 10.10.192.0/18
> > root 886 885 22 12:00 pts/0 01:22:08 netsniff-ng --in bond0 --out . --prefix NOR- --interval 15min -s -H -f net 10.10.192.0/18
> > n3tus3r 1326 1297 0 18:00 pts/1 00:00:00 grep --color=auto netsniff
>
> Hmm, is there any additional debugging information where it could be hung? Would strace give any details?
Re: [netsniff-ng] Netsniff-ng Packet Capture with Intervals
I took another look at my server and saw the process is hung up again. See below on how many captures were successful but eventually they stopped generating.

~/captures$ ls -ltr
total 3297540
-rwxr--r-- 1 n3tus3r n3tus3r 6225 Aug 3 23:06 acloudshark-upload.py
-rw-r--r-- 1 root root 151763085 Aug 6 11:59 NOR-1438829948.pcap
-rw------- 1 n3tus3r n3tus3r 170 Aug 6 12:00 nohup.out
-rw-r--r-- 1 root root 614790736 Aug 6 12:15 NOR-1438876806.pcap
-rw-r--r-- 1 root root 531106907 Aug 6 12:30 NOR-1438877706.pcap
-rw-r--r-- 1 root root 469131877 Aug 6 12:45 NOR-1438878606.pcap
-rw-r--r-- 1 root root 447301234 Aug 6 13:00 NOR-1438879506.pcap
-rw-r--r-- 1 root root 536482188 Aug 6 13:15 NOR-1438880406.pcap
-rw-r--r-- 1 root root 502705750 Aug 6 13:30 NOR-1438881306.pcap
-rw-r--r-- 1 root root 123361242 Aug 6 13:33 NOR-1438882206.pcap

You can also see how the process is still running:

$ sudo ps -ef | grep netsniff
[sudo] password for n3tus3r:
root 885 618 0 12:00 pts/0 00:00:00 sudo nohup netsniff-ng --in bond0 --out . --prefix NOR- --interval 15min -s -H -f net 10.10.192.0/18
root 886 885 22 12:00 pts/0 01:22:08 netsniff-ng --in bond0 --out . --prefix NOR- --interval 15min -s -H -f net 10.10.192.0/18
n3tus3r 1326 1297 0 18:00 pts/1 00:00:00 grep --color=auto netsniff

On Thu, Aug 6, 2015 at 11:41 AM, Stefano Pirrello spirre...@gmail.com wrote:
> Hi Vadim,
>
> Thanks for responding so quickly. The problem appears about after an hour of running. It will work a few times but the process seems to hang up. Here are the logs from nohup.out.
>
> cat nohup.out
> Can't set nice val to -20!
> Running! Hang up with ^C!
> Running! Hang up with ^C!
> Running! Hang up with ^C!
> Running! Hang up with ^C!
>
> On Thu, Aug 6, 2015 at 11:21 AM, Vadim Kochan vadi...@gmail.com wrote:
> > On Thu, Aug 06, 2015 at 08:52:09AM -0400, Stefano Pirrello wrote:
> > > Hi,
> > >
> > > I'm trying to use netsniff-ng to run packet captures and save the pcaps with either a timed interval or with a file size for long term packet analysis. Either way I try the process appears to be hanging or freezing up as the captures won't continue to roll over into a new file. It works for a duration but will then fail. Any ideas on how to achieve this?
> > >
> > > Here's the way I launch netsniff-ng:
> > > sudo nohup netsniff-ng --in bond0 --out . --prefix NOR- --interval 15min -s -H -f net 10.17.192.0/18
> > >
> > > System info:
> > > Ubuntu 14.04.2 LTS
> > >
> > > $sudo netsniff-ng -v
> > > netsniff-ng 0.5.9+ (Cilonen), Git id: v0.5.9-1-g75162e7
> > > the packet sniffing beast
> > > http://www.netsniff-ng.org
> >
> > Hi,
> >
> > I tried to test if at least 2 pcaps will be appeared in 1m-2m intervals, and they appeared and I watched them by:
> >
> > $ ls -hl
> >
> > and I checked that their sizes are changing and new files appeared.
> >
> > Would you please provide some logs from nohup ? It should generate some output from netsniff-ng to nohup.out file.
> >
> > If I understood correctly you said that netsniff-ng hanged after 1st 15 min ?
> >
> > Would you try it on different netsniff-ng versions ?
> > Does it work if do not use nohup and only in foreground mode ?
> >
> > Regards,
> > Vadim Kochan
Re: [netsniff-ng] Netsniff-ng Packet Capture with Intervals
On Thu, Aug 06, 2015 at 06:01:36PM -0400, Stefano Pirrello wrote:
> I took another look at my server and saw the process is hung up again. See below on how many captures were successful but eventually they stopped generating.
>
> ~/captures$ ls -ltr
> total 3297540
> -rwxr--r-- 1 n3tus3r n3tus3r 6225 Aug 3 23:06 acloudshark-upload.py
> -rw-r--r-- 1 root root 151763085 Aug 6 11:59 NOR-1438829948.pcap
> -rw------- 1 n3tus3r n3tus3r 170 Aug 6 12:00 nohup.out
> -rw-r--r-- 1 root root 614790736 Aug 6 12:15 NOR-1438876806.pcap
> -rw-r--r-- 1 root root 531106907 Aug 6 12:30 NOR-1438877706.pcap
> -rw-r--r-- 1 root root 469131877 Aug 6 12:45 NOR-1438878606.pcap
> -rw-r--r-- 1 root root 447301234 Aug 6 13:00 NOR-1438879506.pcap
> -rw-r--r-- 1 root root 536482188 Aug 6 13:15 NOR-1438880406.pcap
> -rw-r--r-- 1 root root 502705750 Aug 6 13:30 NOR-1438881306.pcap
> -rw-r--r-- 1 root root 123361242 Aug 6 13:33 NOR-1438882206.pcap
>
> You can also see how the process is still running:
>
> $ sudo ps -ef | grep netsniff
> [sudo] password for n3tus3r:
> root 885 618 0 12:00 pts/0 00:00:00 sudo nohup netsniff-ng --in bond0 --out . --prefix NOR- --interval 15min -s -H -f net 10.10.192.0/18
> root 886 885 22 12:00 pts/0 01:22:08 netsniff-ng --in bond0 --out . --prefix NOR- --interval 15min -s -H -f net 10.10.192.0/18
> n3tus3r 1326 1297 0 18:00 pts/1 00:00:00 grep --color=auto netsniff
>
> On Thu, Aug 6, 2015 at 11:41 AM, Stefano Pirrello spirre...@gmail.com wrote:
> > Hi Vadim,
> >
> > Thanks for responding so quickly. The problem appears about after an hour of running. It will work a few times but the process seems to hang up. Here are the logs from nohup.out.
> >
> > cat nohup.out
> > Can't set nice val to -20!
> > Running! Hang up with ^C!
> > Running! Hang up with ^C!
> > Running! Hang up with ^C!
> > Running! Hang up with ^C!
> >
> > On Thu, Aug 6, 2015 at 11:21 AM, Vadim Kochan vadi...@gmail.com wrote:
> > > On Thu, Aug 06, 2015 at 08:52:09AM -0400, Stefano Pirrello wrote:
> > > > Hi,
> > > >
> > > > I'm trying to use netsniff-ng to run packet captures and save the pcaps with either a timed interval or with a file size for long term packet analysis. Either way I try the process appears to be hanging or freezing up as the captures won't continue to roll over into a new file. It works for a duration but will then fail. Any ideas on how to achieve this?
> > > >
> > > > Here's the way I launch netsniff-ng:
> > > > sudo nohup netsniff-ng --in bond0 --out . --prefix NOR- --interval 15min -s -H -f net 10.17.192.0/18
> > > >
> > > > System info:
> > > > Ubuntu 14.04.2 LTS
> > > >
> > > > $sudo netsniff-ng -v
> > > > netsniff-ng 0.5.9+ (Cilonen), Git id: v0.5.9-1-g75162e7
> > > > the packet sniffing beast
> > > > http://www.netsniff-ng.org
> > >
> > > Hi,
> > >
> > > I tried to test if at least 2 pcaps will be appeared in 1m-2m intervals, and they appeared and I watched them by:
> > >
> > > $ ls -hl
> > >
> > > and I checked that their sizes are changing and new files appeared.
> > >
> > > Would you please provide some logs from nohup ? It should generate some output from netsniff-ng to nohup.out file.
> > >
> > > If I understood correctly you said that netsniff-ng hanged after 1st 15 min ?
> > >
> > > Would you try it on different netsniff-ng versions ?
> > > Does it work if do not use nohup and only in foreground mode ?
> > >
> > > Regards,
> > > Vadim Kochan

May be it can help if to print:

$ cat /proc/pid_of_netsniff-ng/wchan

?
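A rotation watchdog for the stall described in this thread, as an added example that is not from the thread or the netsniff-ng project: it reports when the newest `<prefix><unix-time>.pcap` file was opened more than one interval (plus slack) ago, and collects the `/proc/<pid>/wchan` value suggested above. The function names, the 30-second default slack, the assumption that the number in the file name is the time the file was opened, and the constructed "now" value used in the demo are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not netsniff-ng code. Assumes rotated files are named
# <prefix><unix-time>.pcap and the number is when the file was opened.

# newest_start DIR PREFIX -> prints the start time of the most recent
# capture file, or returns 1 when no matching file exists.
newest_start() {
    ns_best=
    for ns_f in "$1"/"$2"*.pcap; do
        ns_n=${ns_f##*/"$2"}
        ns_n=${ns_n%.pcap}
        case $ns_n in ''|*[!0-9]*) continue ;; esac   # skip non-epoch names
        if [ -z "$ns_best" ] || [ "$ns_n" -gt "$ns_best" ]; then
            ns_best=$ns_n
        fi
    done
    if [ -z "$ns_best" ]; then return 1; fi
    printf '%s\n' "$ns_best"
}

# rotation_status DIR PREFIX INTERVAL_SEC [NOW] [SLACK_SEC]
# Prints "ok AGE", "stalled AGE MISSED" or "empty" and returns 0, 1 or 2.
# AGE is seconds since the newest file was opened; MISSED is how many
# rotations should have happened since then.
rotation_status() {
    rs_now=${4:-$(date +%s)}
    rs_slack=${5:-30}
    rs_last=$(newest_start "$1" "$2") || { echo empty; return 2; }
    rs_age=$((rs_now - rs_last))
    if [ "$rs_age" -le $(( $3 + rs_slack )) ]; then
        echo "ok $rs_age"
        return 0
    fi
    echo "stalled $rs_age $((rs_age / $3))"
    return 1
}

# hang_snapshot PID -> kernel wait channel and process state of a sniffer
# that stopped rotating (Linux only; prints nothing if /proc is unreadable).
hang_snapshot() {
    if [ -r "/proc/$1/wchan" ]; then
        printf 'wchan=%s\n' "$(cat "/proc/$1/wchan")"
    fi
    if [ -r "/proc/$1/status" ]; then
        grep '^State:' "/proc/$1/status"
    fi
}

# Constructed demo: the last two file names from the listing in the thread,
# a 15 minute interval, and a constructed "now" several hours later.
demo_dir=$(mktemp -d)
touch "$demo_dir/NOR-1438881306.pcap" "$demo_dir/NOR-1438882206.pcap"
rotation_status "$demo_dir" NOR- 900 1438898400 || true
rm -rf "$demo_dir"
```

A gap in rotation is a gap in recorded traffic, so the non-zero return is meant to feed an alert rather than an automatic restart that would discard the state `hang_snapshot` captures.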
Re: [netsniff-ng] Netsniff-ng Packet Capture with Intervals
On Thu, Aug 06, 2015 at 08:52:09AM -0400, Stefano Pirrello wrote:
> Hi,
>
> I'm trying to use netsniff-ng to run packet captures and save the pcaps with either a timed interval or with a file size for long term packet analysis. Either way I try the process appears to be hanging or freezing up as the captures won't continue to roll over into a new file. It works for a duration but will then fail. Any ideas on how to achieve this?
>
> Here's the way I launch netsniff-ng:
> sudo nohup netsniff-ng --in bond0 --out . --prefix NOR- --interval 15min -s -H -f net 10.17.192.0/18
>
> System info:
> Ubuntu 14.04.2 LTS
>
> $sudo netsniff-ng -v
> netsniff-ng 0.5.9+ (Cilonen), Git id: v0.5.9-1-g75162e7
> the packet sniffing beast
> http://www.netsniff-ng.org

Hi,

I tried to test if at least 2 pcaps will be appeared in 1m-2m intervals, and they appeared and I watched them by:

$ ls -hl

and I checked that their sizes are changing and new files appeared.

Would you please provide some logs from nohup ? It should generate some output from netsniff-ng to nohup.out file.

If I understood correctly you said that netsniff-ng hanged after 1st 15 min ?

Would you try it on different netsniff-ng versions ?
Does it work if do not use nohup and only in foreground mode ?

Regards,
Vadim Kochan
Re: [netsniff-ng] netsniff-ng 100%CPU usgae
On Wed, Jul 22, 2015 at 09:11:56AM +, Unnikannan Nair, Jishnu wrote:
> Hi
>
> I'm trying to use netsniff-ng to sniff on 3 different UDP streams. As for testing I started with one instance of netsniff-ng bind to CPU 2 with tcpreplay sending packets at 100Mbps (max limit on our network)
>
> Netsniff-ng command :
> sudo netsniff-ng -i eth1 -out=/share/job1/ --prefix=job1_ --interval 2MiB -ring-size 10GiB -s -prio-high -f dst net 224.10.10 -b 2
>
> The sniffer is running on ESXi with 26GB of RAM allotted for this VM and 8 cores of CPU.
>
> TCP replay command :
> tcpreplay -i eth1 -M 100Mbps -loop 100 -preload-pcap -sleep-accel=1 /home/caps/*.pcap
>
> Sniffer starts normally but after creating around 268 files (each of 2MiB ) the process just takes 100% of CPU and locks. Why is this happening? Attached capture you can see the htop output
>
> I also have a question about using fanout, as I intend to have 3 instances of the application, but coming from different subnet (different filters will be used), which would be the best possible way to start those instances, should I use fanout option ?
>
> regards
> Jishnu

Hi,

Do you use Host - VM connection or you have 2 physical connections ?

Actually, may be I will try to follow your instructions but I have only one i7 ThinkPad, so I can only simulate your case on the same host ... will try at the end of day ...

So if you have some specific setup/notes, you can provide them.

Regards,
RE: [netsniff-ng] netsniff-ng 100%CPU usgae
Hi

The attached file shows the basic network connection of the virtual machines. The ESXi host has 32GB of RAM runs two VM both Ubuntu 14.04 LTS 64 bit OS Server.

Sniffer OS : 26GB of RAM allocated, 4 virtual sockets with 2 cores : 8 cores in total , In the end, need to run 3 sniffer application instances on eth1, eth2 and eth 3 simultaneously with filter as follows :

1) Job 1 , sniffing on eth1, filter : dst net 224.10 .10 or dst net 224.11.11
2) Job 2, sniffing on eth2, filter : portrange 3 to 38
3) Job 3 , sniffing on eth 1, filter : :dst net not 224.10.10 and dst net not 224.11.11 and portrange not 3-38000

Max data rate on network is 100Mbps

Tcpreplay has 8Gb of RAM allocated , pushes already available pcap files @100Mbps on loop

I hope this has all the information you require.

regards
Jishnu

-----Original Message-----
From: Vadim Kochan [mailto:vadi...@gmail.com]
Sent: 22 July 2015 11:45 AM
To: Unnikannan Nair, Jishnu
Cc: 'netsniff-ng@googlegroups.com'
Subject: Re: [netsniff-ng] netsniff-ng 100%CPU usgae

On Wed, Jul 22, 2015 at 09:11:56AM +, Unnikannan Nair, Jishnu wrote:
> Hi
>
> I'm trying to use netsniff-ng to sniff on 3 different UDP streams. As for testing I started with one instance of netsniff-ng bind to CPU 2 with tcpreplay sending packets at 100Mbps (max limit on our network)
>
> Netsniff-ng command :
> sudo netsniff-ng -i eth1 -out=/share/job1/ --prefix=job1_ --interval 2MiB -ring-size 10GiB -s -prio-high -f dst net 224.10.10 -b 2
>
> The sniffer is running on ESXi with 26GB of RAM allotted for this VM and 8 cores of CPU.
>
> TCP replay command :
> tcpreplay -i eth1 -M 100Mbps -loop 100 -preload-pcap -sleep-accel=1 /home/caps/*.pcap
>
> Sniffer starts normally but after creating around 268 files (each of 2MiB ) the process just takes 100% of CPU and locks. Why is this happening? Attached capture you can see the htop output
>
> I also have a question about using fanout, as I intend to have 3 instances of the application, but coming from different subnet (different filters will be used), which would be the best possible way to start those instances, should I use fanout option ?
>
> regards
> Jishnu

Hi,

Do you use Host - VM connection or you have 2 physical connections ?

Actually, may be I will try to follow your instructions but I have only one i7 ThinkPad, so I can only simulate your case on the same host ... will try at the end of day ...

So if you have some specific setup/notes, you can provide them.

Regards,
RE: [netsniff-ng] netsniff-ng dropping packets at 80Mbps
Hi

When I removed -u 1000 -g 1000 , Cannot set NIC flags is not displayed anymore, but no statistics are shown when the sniffer is stopped. I have run the application as root using sudo su - but it still doesn't show the statistics.

About using ifpps I think it shows how many packets are received by the kernel, I wanted to know how many packets are properly dumped by the sniffer into the pcap file (hoping that that's the information netsniff-ng gives).

Regards
Jishnu

-----Original Message-----
From: Vadim Kochan [mailto:vadi...@gmail.com]
Sent: 21 July 2015 11:17 AM
To: Unnikannan Nair, Jishnu
Cc: 'Daniel Borkmann'; netsniff-ng@googlegroups.com; vadi...@gmail.com
Subject: Re: [netsniff-ng] netsniff-ng dropping packets at 80Mbps

On Tue, Jul 21, 2015 at 07:56:45AM +, Unnikannan Nair, Jishnu wrote:
> Hi
>
> I have re-compiled the source from the GIT REPO and installed netsniff again. I got the same message when I close the application Cannot set NIC flags (operation not permitted). So I ran strace on a running instance of netsniff-ng and I have attached it. Hope you can find the reason for the error.
>
> Regards
> Jishnu

Hi,

I assume you do not have enough permissions probably because of -u 1000 -g 1000 ? Did you try use only super user ?

Also as I understand in silent mode you should get stats after you terminate sniffing by Ctr-C, so would you provide these values check if there is some drop rate ?

Also may be you can try sniff w/o pcap filter and check interface stats via ifpps or some other tool which you like ?

Regards,
Vadim Kochan
Re: [netsniff-ng] netsniff-ng dropping packets at 80Mbps
On Mon, Jul 20, 2015 at 02:58:21PM +, Unnikannan Nair, Jishnu wrote:
> Hi
>
> I have double checked, it seems if I run with -s option with the application saving files on to a folder --out /share/capture/job/ will not give any statistics up on stopping it using ^C. And it is giving a Cannot set NIC Flags message at the end. So I'm not able to check if the sniffer has captured all the packets.
>
> Could you please help me with this.

Daniel, I might be wrong but I looked into the code and see this condition in the netsniff-ng.c:

    if (!(ctx->dump_dir && ctx->print_mode == PRINT_NONE)) {
        sock_rx_net_stats(sock, frame_count);

which seems that really netsniff-ng will do not print stats in silent mode and if dump to the folder ?

Regards,
Vadim
Re: [netsniff-ng] netsniff-ng dropping packets at 80Mbps
On Tue, Jul 21, 2015 at 11:00:10AM +, Unnikannan Nair, Jishnu wrote:
> Hi
> When I removed -u 1000 -g 1000, Cannot set NIC flags is not displayed anymore, but no statistics are shown when the sniffer is stopped. I have run the application as root using sudo su - but it still doesn't show the statistics.
> About using ifpps, I think it shows how many packets are received by the kernel; I wanted to know how many packets are properly dumped by the sniffer into the pcap file (hoping that that's the information netsniff-ng gives).
> Regards
> Jishnu

At least you can try to dump each pcap file and netsniff-ng should print the amount of packets from pcap file?
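The check suggested in the reply above, counting the packets that actually reached each pcap file, written out as an added example (not code from netsniff-ng or from the thread). It walks classic pcap record headers and stops at the first record the file cannot back up; the function names and the 262144-byte sanity bound are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic pcap layout: 24-byte file header, then per packet a 16-byte record
 * header (ts_sec, ts_frac, incl_len, orig_len) followed by incl_len bytes. */
#define PCAP_MAGIC_USEC 0xa1b2c3d4u
#define PCAP_MAGIC_NSEC 0xa1b23c4du
#define MAX_RECORD_LEN  262144u /* assumed sanity bound for incl_len */

struct pcap_count {
	uint64_t packets; /* complete records */
	uint64_t bytes;   /* captured bytes in complete records */
	int damaged;      /* file ends inside a record, or a length is absurd */
};

/* Assemble a 32-bit field byte by byte, so host endianness does not matter. */
static uint32_t rd32(const unsigned char *p, int be)
{
	if (be)
		return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
	return (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Consume n payload bytes; fails if the file is shorter than the header says. */
static int skip_payload(FILE *f, uint32_t n)
{
	unsigned char buf[4096];
	while (n > 0) {
		size_t want = n < sizeof(buf) ? n : sizeof(buf);
		if (fread(buf, 1, want, f) != want)
			return -1;
		n -= (uint32_t)want;
	}
	return 0;
}

/* Returns 0 for a classic pcap stream, -1 otherwise. Other formats, such as
 * the 0xa1e2cb12 type mentioned elsewhere on this page, are rejected. */
int pcap_count_stream(FILE *f, struct pcap_count *out)
{
	unsigned char hdr[24], rec[16];
	uint32_t magic, incl;
	int be = 0; /* 0: little-endian file, 1: big-endian file */
	size_t n;
	memset(out, 0, sizeof(*out));
	if (fread(hdr, 1, sizeof(hdr), f) != sizeof(hdr))
		return -1;
	magic = rd32(hdr, 0);
	if (magic != PCAP_MAGIC_USEC && magic != PCAP_MAGIC_NSEC) {
		be = 1;
		magic = rd32(hdr, 1);
		if (magic != PCAP_MAGIC_USEC && magic != PCAP_MAGIC_NSEC)
			return -1;
	}
	while ((n = fread(rec, 1, sizeof(rec), f)) > 0) {
		if (n != sizeof(rec)) {
			out->damaged = 1;
			break;
		}
		incl = rd32(rec + 8, be);
		/* Never trust a length field: bound it, then prove the bytes exist. */
		if (incl > MAX_RECORD_LEN || skip_payload(f, incl) != 0) {
			out->damaged = 1;
			break;
		}
		out->packets++;
		out->bytes += incl;
	}
	return 0;
}

/* Share of sent packets that never reached the capture files, in percent. */
double loss_percent(uint64_t sent, uint64_t captured)
{
	if (sent == 0 || captured >= sent)
		return 0.0;
	return 100.0 * (double)(sent - captured) / (double)sent;
}

int main(int argc, char **argv)
{
	uint64_t total = 0, damaged = 0;
	for (int i = 1; i < argc; i++) {
		struct pcap_count c;
		FILE *f = fopen(argv[i], "rb");
		if (!f || pcap_count_stream(f, &c) != 0) {
			fprintf(stderr, "%s: not a classic pcap file\n", argv[i]);
		} else {
			total += c.packets;
			damaged += (uint64_t)c.damaged;
		}
		if (f)
			fclose(f);
	}
	printf("total: %llu packets, %llu damaged file(s)\n",
	       (unsigned long long)total, (unsigned long long)damaged);
	return 0;
}
```

Run it over every file in the dump directory and compare the total with tcpreplay's "Successful packets" figure through `loss_percent`; this measures what reached disk independently of the statistics the sniffer prints on exit.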
Re: [netsniff-ng] netsniff-ng dropping packets at 80Mbps
On Tue, Jul 21, 2015 at 07:56:45AM +, Unnikannan Nair, Jishnu wrote:
> Hi
> I have re-compiled the source from the GIT REPO and installed netsniff again. I got the same message when I close the application: Cannot set NIC flags (operation not permitted). So I ran strace on a running instance of netsniff-ng and I have attached it. Hope you can find the reason for the error.
> Regards
> Jishnu

Hi,

I assume you do not have enough permissions, probably because of -u 1000 -g 1000? Did you try to use only super user?

Also as I understand in silent mode you should get stats after you terminate sniffing by Ctrl-C, so would you provide these values to check if there is some drop rate?

Also maybe you can try to sniff w/o pcap filter and check interface stats via ifpps or some other tool which you like?

Regards,
Vadim Kochan
RE: [netsniff-ng] netsniff-ng dropping packets at 80Mbps
Hi

I didn't get what you meant, could you please explain a bit.

Regards
Jishnu

-Original Message-
From: Vadim Kochan [mailto:vadi...@gmail.com]
Sent: 21. juli 2015 01:21 PM
To: Unnikannan Nair, Jishnu
Cc: 'Vadim Kochan'; 'Daniel Borkmann'; netsniff-ng@googlegroups.com
Subject: Re: [netsniff-ng] netsniff-ng dropping packets at 80Mbps

On Tue, Jul 21, 2015 at 11:00:10AM +, Unnikannan Nair, Jishnu wrote:
> Hi
> When I removed -u 1000 -g 1000, Cannot set NIC flags is not displayed anymore, but no statistics are shown when the sniffer is stopped. I have run the application as root using sudo su - but it still doesn't show the statistics.
> About using ifpps, I think it shows how many packets are received by the kernel; I wanted to know how many packets are properly dumped by the sniffer into the pcap file (hoping that that's the information netsniff-ng gives).
> Regards
> Jishnu

At least you can try to dump each pcap file and netsniff-ng should print the amount of packets from pcap file?
Re: [netsniff-ng] netsniff-ng dropping packets at 80Mbps
On 07/20/2015 02:06 PM, Unnikannan Nair, Jishnu wrote:
> Hi
> I'm running the latest version 0.5.9, and I'm not running it in silent mode as of now just to see the dropped packets information when the capture is complete. I intend to run it as silent when all issues are solved :)

Well, dumping everything through the dissector code and expecting it to serve the packet as fast as possible and clear up the ring slot again certainly seems a false expectation.

Besides, even if you terminate in silent mode, it's giving you stats:

    netsniff-ng -i any -s
    Running! Hang up with ^C!

    35 packets incoming (0 unread on exit)
    35 packets passed filter
    0 packets failed filter (out of space)
    0.% packet droprate
    6 sec, 178111 usec in total

...

Cheers,
Daniel
Re: [netsniff-ng] netsniff-ng dropping packets at 80Mbps
On 07/20/2015 01:45 PM, Unnikannan Nair, Jishnu wrote:
> Hi
> I'm trying to build a network sniffer for UDP multicast streams using netsniff-ng. I have deployed two Linux systems (Ubuntu Server 14.04 LTS) on an ESXi; one has the sniffer and the other has tcpreplay sending packets at the needed Mbps. The configuration is:
>
> Sniffer:
> * Intel i7 3770 3.4GHz
> * 2 cores added to the sniffer VM
> * 16GB RAM
>
> The sniffer job is as follows:
> Sudo netsniff-ng -I eth1 -out=/share/job1/ --prefix=job1_ --interval 2MiB -ring-size 3GiB -prio-high -f dst net 224.10.10 -user 1000 -group 1000 -b 1

Hmm, what version do you use? Have you tried a more recent version? Also, I fail to see that you're invoking it in 'silent' mode (-s).

> The tcpreplay job is as follows:
> tcpreplay -i eth1 -M 80Mbps -loop 100 -preload-pcap -sleep-accel=1 /home/caps/*.pcap
>
> Tcpreplay sends 10 pcap files, 100 times, i.e. total packets sent is 10487400 @ 80.77Mbps, but netsniff-ng received only 504813.
>
> TCPREPLAY:
> Actual: 10487400 packets (5229757800 bytes) sent in 481.67 seconds.
> Rated: 10857554.0 bps, 82.84 Mbps, 21773.00 pps
> Statistics for network device: eth1
> Attempted packets: 10487400
> Successful packets: 10487400
> Failed packets: 0
> Retried packets (ENOBUFS): 0
> Retried packets (EAGAIN): 0
>
> NETSNIFF_NG:
> 504813 packets incoming (9982587 unread on exit)
> 5929469 packets passed filter
> 4557931 packets failed filter (out of space)
> 43.4610% packet droprate
> 559 sec, 715362 usec in total
> Cannot set NIC flags!
>
> I have increased the kernel RX Cache to 1GB in /etc/sysctl.conf, but it did not have any effect. Could someone give me some information as to how to fix this?? Also the last line, Cannot set NIC Flag, what does that mean?? Is that an error?? My target is to run two instances of netsniff on eth1 and eth2 with different filters and bind them on CPU 1 and CPU 2 later on.
>
> Regards
> Jishnu
>
> Jishnu Unnikannan Nair | Systems Engineer
> NOV Rig Systems Systems Controls | Drilling data Center
> Lagerveien 8 | 4033 Stavanger, Norway
> T +475.181.8181 M +473.819.4208 E jishnu.unnikannanna...@nov.com nov.com
RE: [netsniff-ng] netsniff-ng dropping packets at 80Mbps
Hi

I'm running the latest version 0.5.9, and I'm not running it in silent mode as of now just to see the dropped packets information when the capture is complete. I intend to run it as silent when all issues are solved :)

Jishnu Unnikannan Nair | Systems Engineer

-Original Message-
From: Daniel Borkmann [mailto:borkm...@iogearbox.net]
Sent: 20. juli 2015 02:03 PM
To: Unnikannan Nair, Jishnu
Cc: netsniff-ng@googlegroups.com
Subject: Re: [netsniff-ng] netsniff-ng dropping packets at 80Mbps

On 07/20/2015 01:45 PM, Unnikannan Nair, Jishnu wrote:
> Hi
> I'm trying to build a network sniffer for UDP multicast streams using netsniff-ng. I have deployed two Linux systems (Ubuntu Server 14.04 LTS) on an ESXi; one has the sniffer and the other has tcpreplay sending packets at the needed Mbps. The configuration is:
>
> Sniffer:
> * Intel i7 3770 3.4GHz
> * 2 cores added to the sniffer VM
> * 16GB RAM
>
> The sniffer job is as follows:
> Sudo netsniff-ng -I eth1 -out=/share/job1/ --prefix=job1_ --interval 2MiB -ring-size 3GiB -prio-high -f dst net 224.10.10 -user 1000 -group 1000 -b 1

Hmm, what version do you use? Have you tried a more recent version? Also, I fail to see that you're invoking it in 'silent' mode (-s).

> The tcpreplay job is as follows:
> tcpreplay -i eth1 -M 80Mbps -loop 100 -preload-pcap -sleep-accel=1 /home/caps/*.pcap
>
> Tcpreplay sends 10 pcap files, 100 times, i.e. total packets sent is 10487400 @ 80.77Mbps, but netsniff-ng received only 504813.
>
> TCPREPLAY:
> Actual: 10487400 packets (5229757800 bytes) sent in 481.67 seconds.
> Rated: 10857554.0 bps, 82.84 Mbps, 21773.00 pps
> Statistics for network device: eth1
> Attempted packets: 10487400
> Successful packets: 10487400
> Failed packets: 0
> Retried packets (ENOBUFS): 0
> Retried packets (EAGAIN): 0
>
> NETSNIFF_NG:
> 504813 packets incoming (9982587 unread on exit)
> 5929469 packets passed filter
> 4557931 packets failed filter (out of space)
> 43.4610% packet droprate
> 559 sec, 715362 usec in total
> Cannot set NIC flags!
>
> I have increased the kernel RX Cache to 1GB in /etc/sysctl.conf, but it did not have any effect. Could someone give me some information as to how to fix this?? Also the last line, Cannot set NIC Flag, what does that mean?? Is that an error?? My target is to run two instances of netsniff on eth1 and eth2 with different filters and bind them on CPU 1 and CPU 2 later on.
>
> Regards
> Jishnu
RE: [netsniff-ng] netsniff-ng dropping packets at 80Mbps
Hi

It's a bit confusing for me now. With -s option it gives me the following:

    Running! Hang up with ^C!
    ^C
    Cannot set NIC flags!

It doesn't give any statistics. Is this something wrong with the NICs?

regards
Jishnu Unnikannan Nair

-Original Message-
From: Daniel Borkmann [mailto:borkm...@iogearbox.net]
Sent: 20. juli 2015 02:26 PM
To: Unnikannan Nair, Jishnu
Cc: netsniff-ng@googlegroups.com
Subject: Re: [netsniff-ng] netsniff-ng dropping packets at 80Mbps

On 07/20/2015 02:21 PM, Unnikannan Nair, Jishnu wrote:
> So are you saying that it's impossible to dump pcap files at this rate??

Please, that's not what I wrote in my email. I wrote that you should use -s.
Re: [netsniff-ng] netsniff-ng dropping packets at 80Mbps
On 07/20/2015 02:21 PM, Unnikannan Nair, Jishnu wrote:
> So are you saying that it's impossible to dump pcap files at this rate??

Please, that's not what I wrote in my email. I wrote that you should use -s.
RE: [netsniff-ng] netsniff-ng dropping packets at 80Mbps
So are you saying that it's impossible to dump pcap files at this rate??

regards
Jishnu Unnikannan Nair | Systems Engineer

-Original Message-
From: Daniel Borkmann [mailto:borkm...@iogearbox.net]
Sent: 20. juli 2015 02:13 PM
To: Unnikannan Nair, Jishnu
Cc: netsniff-ng@googlegroups.com
Subject: Re: [netsniff-ng] netsniff-ng dropping packets at 80Mbps

On 07/20/2015 02:06 PM, Unnikannan Nair, Jishnu wrote:
> Hi
> I'm running the latest version 0.5.9, and I'm not running it in silent mode as of now just to see the dropped packets information when the capture is complete. I intend to run it as silent when all issues are solved :)

Well, dumping everything through the dissector code and expecting it to serve the packet as fast as possible and clear up the ring slot again certainly seems a false expectation.

Besides, even if you terminate in silent mode, it's giving you stats:

    netsniff-ng -i any -s
    Running! Hang up with ^C!

    35 packets incoming (0 unread on exit)
    35 packets passed filter
    0 packets failed filter (out of space)
    0.% packet droprate
    6 sec, 178111 usec in total

...

Cheers,
Daniel
RE: [netsniff-ng] netsniff-ng dropping packets at 80Mbps
Hi

I have double checked, it seems if I run with -s option with the application saving files on to a folder --out /share/capture/job/ will not give any statistics upon stopping it using ^C. And it is giving a Cannot set NIC Flags message at the end. So I'm not able to check if the sniffer has captured all the packets. Could you please help me with this.

-Original Message-
From: Daniel Borkmann [mailto:borkm...@iogearbox.net]
Sent: 20. juli 2015 02:26 PM
To: Unnikannan Nair, Jishnu
Cc: netsniff-ng@googlegroups.com
Subject: Re: [netsniff-ng] netsniff-ng dropping packets at 80Mbps

On 07/20/2015 02:21 PM, Unnikannan Nair, Jishnu wrote:
> So are you saying that it's impossible to dump pcap files at this rate??

Please, that's not what I wrote in my email. I wrote that you should use -s.
Re: [netsniff-ng] netsniff-ng dropping packets at 80Mbps
On 07/20/2015 04:58 PM, Unnikannan Nair, Jishnu wrote:
> Hi
> I have double checked, it seems if I run with -s option with the application saving files on to a folder --out /share/capture/job/ will not give any statistics upon stopping it using ^C. And it is giving a Cannot set NIC Flags message at the end. So I'm not able to check if the sniffer has captured all the packets. Could you please help me with this.

Could you pull/recompile the latest repo? We don't dump the actual error, which we should do to easier identify issues. If you cannot recompile, the alternative is to strace into it, so we can see what error you get that lets netsniff-ng bail out?

Thanks,
Daniel
[netsniff-ng] netsniff-ng: Incorrect packet count #73: May be closed ?
Hi,

Since the possible fix was committed there was no response from #jonship, maybe it can be closed?

https://github.com/netsniff-ng/netsniff-ng/issues/73

Regards,
Re: [netsniff-ng] netsniff-ng: Incorrect packet count #73: May be closed ?
[ Cc'ing Jon ]

On 06/29/2015 11:32 AM, Vadim Kochan wrote:
> Hi,
> Since the possible fix was committed there was no response from #jonship, maybe it can be closed?
> https://github.com/netsniff-ng/netsniff-ng/issues/73
> Regards,
[netsniff-ng] netsniff-ng: Is it needed to handle SIGSEGV when using sudo ?
Hi,

I was faced with a case when netsniff-ng was silently killed by SIGSEGV but w/o a message. I investigated that it was caused by 'sudo', which seems to me to somehow abort this signal, but registering the SIGSEGV handler (which printed the expected Segmentation fault message) in netsniff-ng fixed it.

So the question is: should netsniff-ng handle the SIGSEGV signal in that case, print a message and die, or is it not secure behaviour to let the user, who might have some limitations by sudo, know about the Segmentation fault?

Actually maybe this is only my special case when I'd like to see the Segmentation fault message to identify the problem in the code when using sudo.

Regards,
Re: [netsniff-ng] netsniff-ng: wireshark does not understand pcap file with Netlink frames
On Tue, May 05, 2015 at 01:13:04PM +0200, Daniel Borkmann wrote:
> On 05/05/2015 12:59 PM, Vadim Kochan wrote:
> > Wireshark does not understand netsniff-ng's pcap file with Netlink frames, I assume that's because W-shark expects that each Netlink frame should have an additional header on top, described here:
> > http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html
> > it shows this is a Netlink type link but can't dissect Netlink frames.
> > Meanwhile I do not have a fix for this yet. Don't know if it is important for this release.
>
> Well, tcpdump has that type (nlmon) registered so far, that's more important. ;)
>
> Cheers,
> Daniel

At least it is possible to identify Netlink family from pcap file by netsniff-ng if to save pcap file in netsniff-ng's pcap format type (magic: 0xa1e2cb12) which stores protocol number ...
[netsniff-ng] netsniff-ng: Regular user can't read pcap which was created by root
Hi,

If for example the captured file was created by sudo then the regular user can't open the file with netsniff-ng w/o sudo. It is caused by using the O_NOATIME flag when opening a file. I understand that it will increase the speed of opening the file, but is it really needed compared to not allowing to open the file w/o admin permissions?

Regards,
Vadim Kochan
Re: [netsniff-ng] netsniff-ng: wireshark does not understand pcap file with Netlink frames
On 05/05/2015 12:59 PM, Vadim Kochan wrote:
> Wireshark does not understand netsniff-ng's pcap file with Netlink frames, I assume that's because W-shark expects that each Netlink frame should have an additional header on top, described here:
> http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html
> it shows this is a Netlink type link but can't dissect Netlink frames.
> Meanwhile I do not have a fix for this yet. Don't know if it is important for this release.

Well, tcpdump has that type (nlmon) registered so far, that's more important. ;)

Cheers,
Daniel
Re: [netsniff-ng] netsniff-ng: mac80211: Better print layout for HT Capabilities element ?
On Thu, Apr 23, 2015 at 12:05:55AM +0200, Daniel Borkmann wrote:
> On 04/22/2015 11:50 PM, Vadim Kochan wrote:
> > ...
> > I think that HT Capabilities element info should be shown in a more structured view so it will be more readable, what do you think? Does someone have a better option?
>
> Yes, I'm fine with that.

OK, I have some working output example:

[ Radiotap Version (0), Length (26), Flags (0x482f) ] [ 802.11 Frame Control (0x0040)] [ Proto Version (0), Type (0, Management), Duration (0), Destination (ff:ff:ff:ff:ff:ff) Source (9c:4e:36:a5:38:98) = (Intel Corporate:a5:38:98) BSSID (ff:ff:ff:ff:ff:ff) Fragmentnr. (0), Seqnr. (1980). Subtype (4, Probe Request) ] [ Subtype Probe Request: Info Elements: SSID (0, Len (8)): blizzard Supp.
Rates (1, Len (8)): 1 2 5.5 11 6 9 12 18 Ext Support Rates (50, Len(4)): 24 36 48 54 HT Capabilities (45, Len(26)): Info: LDCP Cod Cap (0) Supp Ch Width Set (0) SM Pwr Save(0) HT-Greenfield (1) Short GI for 20/40 MHz (1/0) Tx/Rx STBC (0/1) HT-Delayed Block Ack (0) Max A-MSDU Len (1) DSSS/CCK Mode in 40 MHz (0) Res (0x0) Forty MHz Intol (0) L-SIG TXOP Protection Supp (0) A-MPDU Params: Max Len Exp (0) Min Start Spacing (2) Res (0x7) Supp MCS Set: Rx MCS Bitmask (0x) Res (0x0) Rx High Supp Data Rate (0) Res (0x0) Tx MCS Set Def (0) Tx Rx MCS Set Not Eq (0) Tx Max Number Spat Str Supp (0) Tx Uneq Mod Supp (0) Res (0x0) Ext Cap: PCO (0) PCO Trans Time (0) Res (0x0) MCS Feedb (0) +HTC Supp (0) RD Resp (0) Res (0x0) Transm Beamf: Impl Transm Beamf Rec Cap (0) Rec/Transm Stagg Sound Cap (0/0) Rec/Trans NDP Cap (0/0) Impl Transm Beamf Cap (0) Cal (0) Expl CSI Transm Beamf Cap (0) Expl Noncmpr/Compr Steering Cap (0/0) Expl Trans Beamf CSI Feedb (0) Expl Noncmpr/Cmpr Feedb Cap (0/0) Min Grpg (0) CSI Num Beamf Ant Supp (0) Noncmpr/Cmpr Steering Nr Beamf Ant Supp (0/0) CSI Max Nr Rows Beamf Supp (0) Ch Estim Cap (0) Res (0x0) ASEL: Ant Select Cap (0) Expl CSI Feedb Based Transm ASEL Cap (0) Ant Indic Feedb Based Transm ASEL Cap (0) Expl CSI Feedb Cap (0) Ant Indic Feedb Cap (0) Rec ASEL Cap (0) Transm Sound PPDUs Cap (0) Res (0x0) Reserved (21, Len (110)): Failed to dissect Subtype ] May be it would be good to add '(' and ')' around information elements to visually separate them ? [ Subtype Probe Request: Info Elements: (SSID (0, Len (8)): blizzard), (Supp. Rates (1, Len (8)): 1 2 5.5 11 6 9 12 18), (Ext Support Rates (50, Len(4)): 24 36 48 54), (HT Capabilities (45, Len(26)): Info: LDCP Cod Cap (0)
Re: [netsniff-ng] netsniff-ng: Do we need to set IO prio when do only read from pcap ?
On Wed, Apr 22, 2015 at 05:02:52PM +0200, Daniel Borkmann wrote:
> On 04/22/2015 05:00 PM, Vadim Kochan wrote:
> > Hi,
> > It is not possible to just read a pcap by netsniff-ng if user permissions do not allow to set the process's IO prio, so is it really needed to do it just to print a pcap file?
>
> Thanks for the report Vadim! No, it's not a requirement. Do you mind sending a patch?
>
> Thanks,
> Daniel

Sure, I will try to fix it, really I don't have a fix yet. The issue goes from pcap ops in init one function, where IO prio is set. The first thing which came up in my mind is to have separate pcap ops for read only where set IO prio will not be called ... but I am not sure if it is correct.

Regards,
Vadim Kochan
Re: [netsniff-ng] netsniff-ng: Do we need to set IO prio when do only read from pcap ?
On 04/22/2015 05:09 PM, Vadim Kochan wrote:
> ...
> Sure, I will try to fix it, really I don't have a fix yet. The issue goes from pcap ops in init one function, where IO prio is set. The first thing which came up in my mind is to have separate pcap ops for read only where set IO prio will not be called ... but I am not sure if it is correct.

I think we have two options:

1) Don't panic on error, but perhaps just throw a warning to the user instead in case of insufficient permissions.

2) Change init_once_pcap() into void (*init_once_pcap)(bool enforce_prio); and push down the enforcement into the various functions, and inside read_pcap(), you'd set __pcap_io->init_once_pcap(false). And in case the enforcement is not set, we just move on silently.

Perhaps 2nd option is cleaner?
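Both privilege problems raised on this page when only reading a capture, the I/O priority discussed in this thread and the O_NOATIME open from the "Regular user can't read pcap" message, can be handled the same way: treat the privileged step as an optimisation and continue without it. The following is an added example, not netsniff-ng's code; `init_once_pcap` here is a hypothetical stand-in for the hook named above, `open_pcap_ro` is an assumed helper name, and the real-time class with level 4 is an assumed choice.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef O_NOATIME
#define O_NOATIME 01000000 /* Linux asm-generic value, if the headers hid it */
#endif

/* Values from the Linux ioprio ABI; the call is made through syscall(2). */
#define IOPRIO_WHO_PROCESS 1
#define IOPRIO_CLASS_RT    1
#define IOPRIO_CLASS_SHIFT 13

/*
 * Hypothetical stand-in for init_once_pcap(bool enforce_prio). Raising the
 * I/O class to real-time needs privileges. A capture run may insist on it;
 * a plain read of an existing file must not fail because of it.
 * Returns 0 to continue, -1 only when the priority was required and refused.
 */
int init_once_pcap(bool enforce_prio)
{
	int prio = (IOPRIO_CLASS_RT << IOPRIO_CLASS_SHIFT) | 4;

	if (syscall(SYS_ioprio_set, IOPRIO_WHO_PROCESS, 0, prio) == 0)
		return 0;
	if (!enforce_prio)
		return 0; /* read path: move on silently */
	perror("ioprio_set");
	return -1;
}

/*
 * Open a capture file read-only. open(2) with O_NOATIME fails with EPERM
 * when the caller neither owns the file nor has CAP_FOWNER, which is what a
 * regular user hits on a file written under sudo. Retry without the flag
 * instead of demanding root. *noatime_used (optional) reports the path taken.
 */
int open_pcap_ro(const char *path, int *noatime_used)
{
	int fd = open(path, O_RDONLY | O_NOATIME | O_CLOEXEC);

	if (noatime_used)
		*noatime_used = (fd >= 0);
	if (fd < 0 && errno == EPERM)
		fd = open(path, O_RDONLY | O_CLOEXEC);
	return fd;
}

int main(int argc, char **argv)
{
	unsigned char magic[4];
	int fd, fast;

	if (argc < 2) {
		fprintf(stderr, "usage: %s file.pcap\n", argv[0]);
		return 2;
	}
	init_once_pcap(false); /* reading only: never fatal */
	fd = open_pcap_ro(argv[1], &fast);
	if (fd < 0) {
		perror(argv[1]);
		return 1;
	}
	if (read(fd, magic, sizeof(magic)) == (ssize_t)sizeof(magic))
		printf("magic bytes %02x %02x %02x %02x, O_NOATIME %s\n",
		       magic[0], magic[1], magic[2], magic[3],
		       fast ? "used" : "dropped");
	close(fd);
	return 0;
}
```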
[netsniff-ng] netsniff-ng: Do we need to set IO prio when do only read from pcap ?
Hi,

It is not possible to just read a pcap by netsniff-ng if user permissions do not allow to set the process's IO prio, so is it really needed to do it just to print a pcap file?

Thanks,
Vadim Kochan
Re: [netsniff-ng] netsniff-ng: Do we need to set IO prio when do only read from pcap ?
On Wed, Apr 22, 2015 at 05:37:42PM +0200, Daniel Borkmann wrote:
> On 04/22/2015 05:09 PM, Vadim Kochan wrote:
> > ...
> > Sure, I will try to fix it, really I don't have a fix yet. The issue goes from pcap ops in init one function, where IO prio is set. The first thing which came up in my mind is to have separate pcap ops for read only where set IO prio will not be called ... but I am not sure if it is correct.
>
> I think we have two options:
>
> 1) Don't panic on error, but perhaps just throw a warning to the user instead in case of insufficient permissions.
>
> 2) Change init_once_pcap() into void (*init_once_pcap)(bool enforce_prio); and push down the enforcement into the various functions, and inside read_pcap(), you'd set __pcap_io->init_once_pcap(false). And in case the enforcement is not set, we just move on silently.
>
> Perhaps 2nd option is cleaner?

OK, I've sent a fix but it also needs the patch with this title to be applied:

[PATCH] netsniff-ng: Seems typo in getting current group id
https://groups.google.com/forum/?hl=en#!topic/netsniff-ng/7vKdK3FesSU

Because of initializing a wrong ctx->gid the user could not change the group because of the permissions when reading a pcap file.

Regards,
[netsniff-ng] netsniff-ng: mac80211: Better print layout for HT Capabilities element ?
Hi, I think that HT Capabilities element info should be showed in more structured view so it will be more readable what do you think ? Does someone have a better option ? Current --- [ Radiotap Version (0), Length (26), Flags (0x482f) ] [ 802.11 Frame Control (0x0040)] [ Proto Version (0), Type (0, Management), Duration (0), Destination (ff:ff:ff:ff:ff:ff) Source (9c:4e:36:a5:38:98) = (Intel Corporate:a5:38:98) BSSID (ff:ff:ff:ff:ff:ff) Fragmentnr. (0), Seqnr. (1980). Subtype (4, Probe Request) ] [ Subtype Probe Request: Parameters: SSID (0, Len (8)): blizzard Supp. Rates (1, Len (8)): 1 2 5.5 11 6 9 12 18 Ext Support Rates (50, Len(4)): 24 36 48 54 HT Capabilities (45, Len(26)): Info (LDCP Cod Cap (0), Supp Ch Width Set (0), SM Pwr Save(0), HT-Greenfield (1), Short GI for 20/40 MHz (1/0), Tx/Rx STBC (0/1), HT-Delayed Block Ack (0), Max A-MSDU Len (1), DSSS/CCK Mode in 40 MHz (0), Res (0x0), Forty MHz Intol (0), L-SIG TXOP Protection Supp (0)), A-MPDU Params (Max L en Exp (0), Min Start Spacing (2), Res (0x7)), Supp MCS Set (Rx MCS Bitmask (0x), Res (0x0), Rx High Supp Data Rate (0), Res (0x0), Tx MCS Set Def ( 0), Tx Rx MCS Set Not Eq (0), Tx Max Number Spat Str Supp (0), Tx Uneq Mod Supp (0), Res (0x0)), Ext Cap (PCO (0), PCO Trans Time (0), Res (0x0), MCS Feedb (0), +HTC Supp (0), RD Resp (0), Res (0x0)), Transm Beamf (Impl Transm Beamf Rec Cap (0), Rec/Transm Stagg Sound Cap (0/0), Rec/Trans NDP Cap (0/0), Impl Transm Beam f Cap (0), Cal (0), Expl CSI Transm Beamf Cap (0), Expl Noncmpr/Compr Steering Cap (0/0), Expl Trans Beamf CSI Feedb (0), Expl Noncmpr/Cmpr Feedb Cap (0/0), Min Grpg (0), CSI Num Beamf Ant Supp (0), Noncmpr/Cmpr Steering Nr Beamf Ant Supp (0/0), CSI Max Nr Rows Beamf Supp (0), Ch Estim Cap (0), Res (0x0)), ASEL (Ant Sel ect Cap (0), Expl CSI Feedb Based Transm ASEL Cap (0), Ant Indic Feedb Based Transm ASEL Cap (0), Expl CSI Feedb Cap (0), Ant Indic Feedb Cap (0), Rec ASEL Cap (0), Transm Sound PPDUs Cap (0), Res (0x0)) Reserved (21, Len 
(110)): Failed to dissect Subtype ] New --- [ Radiotap Version (0), Length (26), Flags (0x482f) ] [ 802.11 Frame Control (0x0040)] [ Proto Version (0), Type (0, Management), Duration (0), Destination (ff:ff:ff:ff:ff:ff) Source (9c:4e:36:a5:38:98) = (Intel Corporate:a5:38:98) BSSID (ff:ff:ff:ff:ff:ff) Fragmentnr. (0), Seqnr. (1980). Subtype (4, Probe Request) ] [ Subtype Probe Request: Parameters: SSID (0, Len (8)): blizzard Supp. Rates (1, Len (8)): 1 2 5.5 11 6 9 12 18 Ext Support Rates (50, Len(4)): 24 36 48 54 HT Capabilities (45, Len(26)): Info LDCP Cod Cap (0), Supp Ch Width Set (0), SM Pwr Save(0), HT-Greenfield (1), Short GI for 20/40 MHz (1/0), Tx/Rx STBC (0/1), HT-Delayed Block Ack (0), Max A-MSDU Len (1), DSSS/CCK Mode in 40 MHz (0), Res (0x0), Forty MHz Intol (0), L-SIG TXOP Protection Supp (0) A-MPDU Params: Max Len Exp (0) Min Start Spacing (2) Res (0x7) Supp MCS Set: Rx MCS Bitmask (0x), Res (0x0), Rx High Supp Data Rate (0), Res (0x0), Tx MCS Set Def (0), Tx Rx MCS Set Not Eq (0), Tx Max Number Spat Str Supp (0), Tx Uneq Mod Supp (0), Res (0x0) Ext Cap: PCO (0), PCO Trans Time (0), Res (0x0), MCS Feedb (0), +HTC Supp (0), RD Resp (0), Res (0x0) Transm Beamf: Impl Transm Beamf Rec Cap (0), Rec/Transm Stagg Sound Cap (0/0), Rec/Trans NDP Cap (0/0), Impl Transm Beamf Cap (0), Cal (0), Expl CSI Transm Beamf Cap (0), Expl Noncmpr/Compr Steering Cap (0/0), Expl Trans Beamf CSI Feedb (0), Expl Noncmpr/Cmpr Feedb Cap (0/0), Min Grpg (0), CSI Num Beamf Ant Supp (0), Noncmpr/Cmpr Steering Nr Beamf Ant Supp (0/0), CSI Max Nr Rows Beamf Supp (0), Ch Estim Cap (0), Res (0x0) ASEL: Ant Select Cap (0), Expl CSI Feedb Based Transm ASEL Cap (0), Ant Indic Feedb Based Transm ASEL Cap (0), Expl CSI Feedb Cap (0), Ant Indic Feedb Cap (0), Rec ASEL Cap (0), Transm Sound PPDUs Cap (0), Res (0x0) Reserved (21, Len (110)):
Re: [netsniff-ng] netsniff-ng: mac80211: Better print layout for HT Capabilities element ?
On 04/22/2015 11:50 PM, Vadim Kochan wrote:
> ...
> I think that HT Capabilities element info should be showed in more structured view so it will be more readable what do you think ? Does someone have a better option ?

Yes, I'm fine with that.
[netsniff-ng] netsniff-ng 0.5.9-rc2
In the previous release candidate flowtop failed to build due to my netlink dissector changes. Thus here goes a second -rc containing the proper fix for this issue as well as some small cleanups. See the changelog below for the details. Sorry for any inconvenience this might have caused.

---

netsniff-ng 0.5.9-rc2 has been released to the public (http://netsniff-ng.org/).

It can be fetched via Git:

    git clone git://github.com/netsniff-ng/netsniff-ng.git
    git checkout v0.5.9-rc2

Or via HTTP from one of our mirrors:

    http://pub.netsniff-ng.org/netsniff-ng/netsniff-ng-0.5.9-rc2.tar.gz
    http://mirror.distanz.ch/netsniff-ng/netsniff-ng-0.5.9-rc2.tar.gz
    http://github.com/netsniff-ng/netsniff-ng/archive/v0.5.9-rc2.tar.gz

The release can be verified via Git (see README):

    git tag -v v0.5.9-rc2

Major high-level changes since the last release are:

1) Factor out TCP/UDP port and ethertype lookup from dissector into own module, thus making flowtop no longer depend on the dissector modules. This fixes flowtop build which was broken in v0.5.9-rc1. By Tobias Klauser.

Contributions since last release:

    8 Tobias Klauser

Git changelog since last release:

Tobias Klauser (8):
    flowtop: Include netlink dissector to fix build temporarily
    build: Mention the download mirrors in the release announcement
    lookup: Move UDP/TCP port and Ethernet type lookup into own module
    pkt_buff: Remove unnecessary void cast
    proto: Remove unnecessary include of hash.h
    dissector: Get rid of now unnecessary HAVE_DISSECTOR_PROTOS
    build: Fix formatting of mirror URLs in generated release announcement
    netsniff-ng 0.5.9-rc2
Re: [netsniff-ng] netsniff-ng 0.5.9-rc1
On 2014-06-12 at 16:46:42 +0200, Tobias Klauser tklau...@distanz.ch wrote:
> In the interest of getting back to more regular and more frequent releases, here goes the first release candidate for the netsniff-ng toolkit. It's nothing too spectacular, mostly bugfixes and cleanups - see the changelog below for details.

I just noticed that flowtop is no longer building due to some changes related to the netlink dissector. A bugfix is on the way, but the real solution for the future should be to make flowtop no longer link in the entire dissector stuff just for the port lookup feature.
[netsniff-ng] netsniff-ng 0.5.9-rc1
In the interest of getting back to more regular and more frequent releases, here goes the first release candidate for the netsniff-ng toolkit. It's nothing too spectacular, mostly bugfixes and cleanups - see the changelog below for details.

Have fun!

---

netsniff-ng 0.5.9-rc1 has been released to the public (http://netsniff-ng.org/).

It can be fetched via Git:

    git clone git://github.com/netsniff-ng/netsniff-ng.git
    git checkout v0.5.9-rc1

Or via HTTP:

    wget http://pub.netsniff-ng.org/netsniff-ng/netsniff-ng-0.5.9-rc1.tar.gz

The release can be verified via Git (see README):

    git tag -v v0.5.9-rc1

Major high-level changes since the last release are:

1) Add a rudimentary netlink message dissector to netsniff-ng, from Tobias Klauser.

2) Use printf/scanf format specifiers for fixed width types (fixing a crash of ifpps in 32 bit environments), from James McCoy

3) Fix integer overflow related to ring size, thus now actually allowing to use ring sizes larger than 4 GiB. However, there still exist some problems with larger ring sizes, see issue #128 [1]. By Tobias Klauser, with help from Michał Purzyński and Jon Schipp.

   [1] https://github.com/netsniff-ng/netsniff-ng/issues/128

4) Fix the build system to install configuration files to /etc instead of /usr/local/etc, by Kartik Mistry.

Contributions since last release:

    23 Tobias Klauser
     2 Kartik Mistry
     1 James McCoy

Git changelog since last release:

Tobias Klauser (23):
    trafgen: Use strtoul() instead of strtol() for unsigned long
    netsniff-ng: Fix whitespaces
    trafgen: Don't expose -k/--kernel-pull anymore and warn if it still used
    ring: Consistently use size_t to specify ring size
    netsniff-ng: Use while() instead of empty for
    netsniff-ng/ring: Make verbose flag bool
    netsniff-ng: Remove unnecessary initialization of struct ctx members
    netsniff-ng: Remove unnecessary memset of struct pollfd
    trafgen: Remove unnecessary initialization of ct.reserve_size
    netsniff-ng: Move function scope variables
    ring: Merge common ring_{rx,tx} initialization into own function
    bpf: Zero out socket filter in bpf_parse_rules()
    netsniff-nf: proto_ipv6: Remove unused #include csum.h
    flowtop: Constify function parameter in walk_process()
    geoip: Pass struct sockaddr_in{,6} as pointer instead of by value
    build: Remove unused CONFIG_LIBGEOIP
    build: Allow to build astraceroute and flowtop without GeoIP support
    netsniff-ng: Add netlink dissector
    netsniff-ng: Print process name of the netlink message origin
    mausezahn: Don't use ternary operator to decide which function to call
    dissector: Restore paket type if capturing from nlmon device
    netsniff-ng: proto_nlmsg: Add notice about nlmsg pid field
    netsniff-ng 0.5.9-rc1

Kartik Mistry (2):
    build: Do not add PREFIX to ETCDIR
    doc: Fix typos in mausezahn and trafgen manpages

James McCoy (1):
    all: Use macros for printf/scanf format specifiers
[netsniff-ng] netsniff-ng
Hi Hello,

I am rukanth. I am very happy to say i like your netsniff-ng toolkit and it is very useful to me. I have to ask question that is what are the compatible hardware for netsniff-ng.

Thank you very much.
Rukanth
Re: [netsniff-ng] netsniff-ng
On 03/17/2014 06:21 AM, rukanth sameera wrote:
> Hi Hello,
>
> I am rukanth. I am very happy to say i like your netsniff-ng toolkit and it is very useful to me. I have to ask question that is what are the compatible hardware for netsniff-ng.

Generally, you need a Linux box and the more recent your kernel, the better. So, the only requirement is that your hardware must be supported by Linux. In terms of what hardware is good, I can recommend you to go through the excellent article at [1][2] as an example, which applies to most capturing applications.

[1] http://www.ntop.org/pf_ring/not-all-servers-are-alike-with-dna/
[2] http://www.ntop.org/pf_ring/not-all-servers-are-alike-with-dna-part-2/

> Thank you very much.
> Rukanth
[netsniff-ng] netsniff-ng vs tshark
Hi guys

thanks a lot for this splendid toolkit. I got a strange (for me) behavior that I would like to share with you.

Platform Ubuntu 12.10

I have a WiFi interface named wlan5 and IP@ 192.168.1.5 that I ping from another machine. MAC@ of this interface is 60:67:20:b0:b5:48

I setup a monitor virtual interface mon5 (iw dev wlan5 interface mon5 mode monitor)

Then, I do not have the same results with netsniff-ng (0.5.8-rc5) and tshark 1.8.2 :

    # netsniff-ng --in wlan5 -f ether dst 60:67:20:b0:b5:48
    Running! Hang up with ^C!
    wlan5 98 1392136256s.25182523ns [ Eth MAC (b8:a3:86:96:a5:0d = 60:67:20:b0:b5:48), Proto (0x0800, IPv [snip]

but :

    # netsniff-ng --in mon5 -f ether dst 60:67:20:b0:b5:48
    Running! Hang up with ^C!
    (... nothing...)

while :

    # tshark -i mon5 -f ether dst 60:67:20:b0:b5:48
    Capturing on mon5
    0.00 192.168.1.1 - 192.168.1.5 ICMP 134 Echo (ping) request id=0x0b7c, seq=838/17923, ttl=64

Is there a reason why netsniff-ng does not capture packet on monitor virtual interface ?

Best regards
--
Olivier Marcé
Alcatel-Lucent Bell Labs France
Re: [netsniff-ng] netsniff-ng vs tshark
Hi Olivier,

On 02/11/2014 05:33 PM, Olivier Marce wrote:
> Hi guys
>
> thanks a lot for this splendid toolkit. I got a strange (for me) behavior that I would like to share with you.
>
> Platform Ubuntu 12.10
>
> I have a WiFi interface named wlan5 and IP@ 192.168.1.5 that I ping from another machine. MAC@ of this interface is 60:67:20:b0:b5:48
>
> I setup a monitor virtual interface mon5 (iw dev wlan5 interface mon5 mode monitor)
>
> Then, I do not have the same results with netsniff-ng (0.5.8-rc5) and tshark 1.8.2 :
>
> # netsniff-ng --in wlan5 -f ether dst 60:67:20:b0:b5:48

Would it work for you to use something like ...

    # netsniff-ng --in wlan5 --rfraw -f ether dst 60:67:20:b0:b5:48

? Usually --rfraw would be the option to enable monitor mode.

> Running! Hang up with ^C!
> wlan5 98 1392136256s.25182523ns [ Eth MAC (b8:a3:86:96:a5:0d = 60:67:20:b0:b5:48), Proto (0x0800, IPv [snip]
>
> but :
>
> # netsniff-ng --in mon5 -f ether dst 60:67:20:b0:b5:48
> Running! Hang up with ^C!
> (... nothing...)
>
> while :
>
> # tshark -i mon5 -f ether dst 60:67:20:b0:b5:48
> Capturing on mon5
> 0.00 192.168.1.1 - 192.168.1.5 ICMP 134 Echo (ping) request id=0x0b7c, seq=838/17923, ttl=64
>
> Is there a reason why netsniff-ng does not capture packet on monitor virtual interface ?
>
> Best regards

Thanks,
Daniel
[netsniff-ng] netsniff-ng
Hi all,

As we know, netsniff-ng is one high performance packet capturing tool, but how is its performance?

My case is: I need full-content packet capture for 2,3 network links with several GBs each.

My issue is Can netsniff-ng handle my case? And have any doc, reference about performance, benchmark or hardware configuration for netsniff-ng?

Any suggestion, comment will be highly appreciated! Thanks!

Regards,
John
[netsniff-ng] netsniff-ng takes a long time to start up?
Hi,

I'm trying to figure out why netsniff-ng takes a long time to start up on one of my machines. I'm running the latest git checkout on Debian unstable (running the Debian 3.11.6 kernel), and when I run:

    netsniff-ng --silent -i eth1 -o /dev/null

I see a delay of about 15 seconds before the Running! Hang up with ^C! message is printed. Looking at netsniff-ng with strace, I see the following:

    [...]
    1387508695.193460 setsockopt(3, SOL_PACKET, 0x11 /* PACKET_??? */, [64], 4) = 0
    1387508695.193526 setsockopt(3, SOL_PACKET, PACKET_VERSION, [2], 4) = 0
    1387508695.193587 getsockopt(3, SOL_PACKET, PACKET_VERSION, [2], [4]) = 0
    1387508695.193650 setsockopt(3, SOL_PACKET, PACKET_RX_RING, \0\0\1\0\346\16\0\0\0\0\1\0\346\16\0\0d\0\0\0\0\0\0\0\0\0\0\0, 28) = 0
    1387508709.738025 mmap(NULL, 249954304, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE|MAP_LOCKED, 3, 0) = 0x7f13cba7e000
    1387508709.747174 getsockopt(3, SOL_PACKET, PACKET_VERSION, [2], [4]) = 0
    1387508709.747347 bind(3, {sa_family=AF_PACKET, proto=0x03, if3, pkttype=PACKET_HOST, addr(0)={0, }, 20) = 0
    [...]

Note that the PACKET_RX_RING setsockopt() call takes about 15 seconds to complete.

During this time I see the netsniff-ng process consuming about 90% of a CPU, and according to a perf record / perf report run most of the time appears to be spent in these functions in the kernel:

    31.29% netsniff-ng [kernel.kallsyms] [k] get_pageblock_flags_group
    26.69% netsniff-ng [kernel.kallsyms] [k] isolate_freepages_block
    24.22% netsniff-ng [kernel.kallsyms] [k] isolate_migratepages_range
     2.41% netsniff-ng [kernel.kallsyms] [k] compaction_alloc
     0.99% netsniff-ng [kernel.kallsyms] [k] __wake_up_bit
     0.95% netsniff-ng [kernel.kallsyms] [k] __reset_isolation_suitable
     0.85% netsniff-ng [kernel.kallsyms] [k] free_pcppages_bulk
     0.80% netsniff-ng [kernel.kallsyms] [k] release_pages
     0.76% netsniff-ng [kernel.kallsyms] [k] __pagevec_lru_add_fn
     0.62% netsniff-ng [kernel.kallsyms] [k] page_waitqueue
     0.61% netsniff-ng [kernel.kallsyms] [k] migrate_pages
     0.58% netsniff-ng [kernel.kallsyms] [k] move_to_new_page
     0.54% netsniff-ng [kernel.kallsyms] [k] mutex_lock

Help? It seems to be related to the size of the RX ring buffer -- if I specify -S 1MiB to netsniff-ng it starts up quickly. But I also have another machine where netsniff-ng starts up quickly with the default ring buffer size.

I can send the full strace output and perf.data files if needed.

--
Robert Edmonds
Re: [netsniff-ng] netsniff-ng takes a long time to start up?
On 12/20/2013 04:21 AM, Robert Edmonds wrote:
> Hi,
>
> I'm trying to figure out why netsniff-ng takes a long time to start up on one of my machines. I'm running the latest git checkout on Debian unstable (running the Debian 3.11.6 kernel), and when I run:
>
> netsniff-ng --silent -i eth1 -o /dev/null
>
> I see a delay of about 15 seconds before the Running! Hang up with ^C! message is printed. Looking at netsniff-ng with strace, I see the following:
>
> [...]
> 1387508695.193460 setsockopt(3, SOL_PACKET, 0x11 /* PACKET_??? */, [64], 4) = 0
> 1387508695.193526 setsockopt(3, SOL_PACKET, PACKET_VERSION, [2], 4) = 0
> 1387508695.193587 getsockopt(3, SOL_PACKET, PACKET_VERSION, [2], [4]) = 0
> 1387508695.193650 setsockopt(3, SOL_PACKET, PACKET_RX_RING, \0\0\1\0\346\16\0\0\0\0\1\0\346\16\0\0d\0\0\0\0\0\0\0\0\0\0\0, 28) = 0
> 1387508709.738025 mmap(NULL, 249954304, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE|MAP_LOCKED, 3, 0) = 0x7f13cba7e000
> 1387508709.747174 getsockopt(3, SOL_PACKET, PACKET_VERSION, [2], [4]) = 0
> 1387508709.747347 bind(3, {sa_family=AF_PACKET, proto=0x03, if3, pkttype=PACKET_HOST, addr(0)={0, }, 20) = 0
> [...]
>
> Note that the PACKET_RX_RING setsockopt() call takes about 15 seconds to complete.
>
> During this time I see the netsniff-ng process consuming about 90% of a CPU, and according to a perf record / perf report run most of the time appears to be spent in these functions in the kernel:
>
> 31.29% netsniff-ng [kernel.kallsyms] [k] get_pageblock_flags_group
> 26.69% netsniff-ng [kernel.kallsyms] [k] isolate_freepages_block
> 24.22% netsniff-ng [kernel.kallsyms] [k] isolate_migratepages_range
> 2.41% netsniff-ng [kernel.kallsyms] [k] compaction_alloc
> 0.99% netsniff-ng [kernel.kallsyms] [k] __wake_up_bit
> 0.95% netsniff-ng [kernel.kallsyms] [k] __reset_isolation_suitable
> 0.85% netsniff-ng [kernel.kallsyms] [k] free_pcppages_bulk
> 0.80% netsniff-ng [kernel.kallsyms] [k] release_pages
> 0.76% netsniff-ng [kernel.kallsyms] [k] __pagevec_lru_add_fn
> 0.62% netsniff-ng [kernel.kallsyms] [k] page_waitqueue
> 0.61% netsniff-ng [kernel.kallsyms] [k] migrate_pages
> 0.58% netsniff-ng [kernel.kallsyms] [k] move_to_new_page
> 0.54% netsniff-ng [kernel.kallsyms] [k] mutex_lock
>
> Help? It seems to be related to the size of the RX ring buffer -- if I specify -S 1MiB to netsniff-ng it starts up quickly. But I also have another machine where netsniff-ng starts up quickly with the default ring buffer size.

Thanks for the report. On what kind of hardware are you trying to do that?

I think we need to adjust default buffer allocation anyway, probably you're perfectly fine with a ring buffer of around 2MB already.

> I can send the full strace output and perf.data files if needed.
Re: [netsniff-ng] netsniff-ng takes a long time to start up?
Daniel Borkmann wrote:
> Thanks for the report. On what kind of hardware are you trying to do that?

Kernel: Linux chase 3.11-1-amd64 #1 SMP Debian 3.11.6-1 (2013-10-27) x86_64 GNU/Linux
OS: Debian sid
CPU: Intel(R) Xeon(R) CPU E3-1245 v3 @ 3.40GHz
Memory: 32 GB
Ethernet: Intel Corporation I210 Gigabit Network Connection (rev 03)
Motherboard: Supermicro X10SAE

> I think we need to adjust default buffer allocation anyway, probably you're perfectly fine with a ring buffer of around 2MB already.

The funny thing is, I have a similar machine where netsniff-ng starts up instantly. It seems like a kernel issue, so I will try updating the problematic machine's kernel. I can also replicate the issue on the problematic machine with tcpdump by passing a large -B parameter to tcpdump.

This is the strace output from the good machine:

    1387556106.537430 setsockopt(3, SOL_PACKET, PACKET_RX_RING, \0\0\1\0\346\16\0\0\0\0\1\0\346\16\0\0d\0\0\0\0\0\0\0\0\0\0\0, 28) = 0
    1387556106.594919 mmap(NULL, 249954304, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE|MAP_LOCKED, 3, 0) = 0x7f5f3bae3000

Kernel: Linux bst 3.11-2-amd64 #1 SMP Debian 3.11.8-1 (2013-11-13) x86_64 GNU/Linux
OS: Debian wheezy
CPU: Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz
Memory: 16 GB
Ethernet: Intel Corporation I210 Gigabit Network Connection (rev 03)
Motherboard: Supermicro X10SLL-F

--
Robert Edmonds
Re: [netsniff-ng] netsniff-ng takes a long time to start up?
On 12/20/2013 07:08 PM, Robert Edmonds wrote:
Robert Edmonds wrote:

The funny thing is, I have a similar machine where netsniff-ng starts up instantly. It seems like a kernel issue, so I will try updating the problematic machine's kernel. I can also replicate the issue on the problematic machine with tcpdump by passing a large -B parameter to tcpdump.

Very interesting. I've updated my machine to this kernel:

    Linux chase 3.11-2-amd64 #1 SMP Debian 3.11.10-1 (2013-12-04) x86_64 GNU/Linux

And the problem has disappeared.

Seems like a bug in kernel's VM layer that probably didn't get into stable or so.
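The two strace excerpts in this thread can be compared mechanically. The following is an added example, not part of any message above and not netsniff-ng code: it decodes the PACKET_RX_RING option buffer as a struct tpacket_req3 (the thread shows PACKET_VERSION 2, i.e. TPACKET_V3), checks it against the mmap length, and measures the gap to the next syscall. The function names are hypothetical, and little-endian hosts are assumed, as with the x86_64 machines in the thread.

```python
import re
import struct
from decimal import Decimal

# strace -ttt lines copied from the thread: "chase" is the slow host, "bst" the fast one.
_RING = (r"setsockopt(3, SOL_PACKET, PACKET_RX_RING, "
         r"\0\0\1\0\346\16\0\0\0\0\1\0\346\16\0\0d\0\0\0\0\0\0\0\0\0\0\0, 28) = 0")
_MMAP = ("mmap(NULL, 249954304, PROT_READ|PROT_WRITE, "
         "MAP_SHARED|MAP_POPULATE|MAP_LOCKED, 3, 0) = ")
CHASE = ["1387508695.193650 " + _RING, "1387508709.738025 " + _MMAP + "0x7f13cba7e000"]
BST = ["1387556106.537430 " + _RING, "1387556106.594919 " + _MMAP + "0x7f5f3bae3000"]

# Field order of struct tpacket_req3 in <linux/if_packet.h>; every field is unsigned int.
REQ3_FIELDS = ("tp_block_size", "tp_block_nr", "tp_frame_size", "tp_frame_nr",
               "tp_retire_blk_tov", "tp_sizeof_priv", "tp_feature_req_word")
REQ3_FMT = "<7I"  # assumption: little-endian capture host

_SIMPLE = {"n": 10, "t": 9, "r": 13, "f": 12, "v": 11, "\\": 92, '"': 34}
_RING_RE = re.compile(
    r"^(\d+\.\d+) setsockopt\(\d+, SOL_PACKET, PACKET_RX_RING, (.*), (\d+)\) = 0$")
_MMAP_RE = re.compile(r"^(\d+\.\d+) mmap\(NULL, (\d+),")


def unescape_strace(text):
    """Turn strace's C-style escaped string (\\346, \\0, \\n, plain chars) into bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
            continue
        i += 1
        if i >= len(text):
            raise ValueError("dangling backslash")
        if text[i] in _SIMPLE:
            out.append(_SIMPLE[text[i]])
            i += 1
            continue
        # strace pads an octal escape to three digits when a digit follows it,
        # so taking up to three octal digits greedily is unambiguous.
        digits = re.match(r"[0-7]{1,3}", text[i:])
        if not digits:
            raise ValueError("unsupported escape at offset %d" % i)
        out.append(int(digits.group(), 8) & 0xFF)
        i += len(digits.group())
    return bytes(out)


def analyse(lines):
    """Decode the ring request and time it against the syscall that follows."""
    for idx, line in enumerate(lines):
        m = _RING_RE.match(line)
        if not m:
            continue
        arg = m.group(2)
        if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
            arg = arg[1:-1]  # unmodified strace output quotes the buffer
        raw = unescape_strace(arg)
        if len(raw) != int(m.group(3)) or len(raw) != struct.calcsize(REQ3_FMT):
            raise ValueError("option buffer is not a complete tpacket_req3")
        req = dict(zip(REQ3_FIELDS, struct.unpack(REQ3_FMT, raw)))
        per_block = (req["tp_block_size"] // req["tp_frame_size"]
                     if req["tp_frame_size"] else 0)
        result = {
            "req": req,
            "ring_bytes": req["tp_block_size"] * req["tp_block_nr"],
            # The kernel rejects rings where frames_per_block * block_nr != frame_nr.
            "frames_consistent": per_block * req["tp_block_nr"] == req["tp_frame_nr"],
            "setup_seconds": None,
            "mmap_len": None,
        }
        if idx + 1 < len(lines):
            nxt = lines[idx + 1]
            # -ttt stamps syscall entry, so the gap bounds the setsockopt() duration.
            result["setup_seconds"] = Decimal(nxt.split()[0]) - Decimal(m.group(1))
            mm = _MMAP_RE.match(nxt)
            result["mmap_len"] = int(mm.group(2)) if mm else None
        return result
    raise ValueError("no successful PACKET_RX_RING setsockopt found")


if __name__ == "__main__":
    for host, lines in (("chase", CHASE), ("bst", BST)):
        r = analyse(lines)
        print(host, r["req"], r["ring_bytes"], r["setup_seconds"])
```

Both hosts request the same ring, so the difference in setup time comes from the allocation on the host rather than from the request itself.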
[netsniff-ng] Netsniff-NG in Applied NSM Book
FYI: The Applied NSM book was released today [1]. From the table of contents there's a section on netsniff-ng for full content packet capture. [2]

[1] http://www.appliednsm.com/applied-nsm-released/
[2] http://www.amazon.com/Applied-Network-Security-Monitoring-Collection/dp/0124172083/

Thanks
--
Jon Schipp, jonschipp.com, sickbits.net
Re: [netsniff-ng] netsniff-ng and ERSPAN
On 10/22/2013 11:36 AM, Doug Burks wrote:
> Hi Daniel,
>
> I'm referring to running netsniff-ng, having it accept ERSPAN data, and write the decapsulated data to a pcap file.

So far there are no such plans, as we do not treat what we get from the kernel differently. We can certainly open a ticket to not forget about this idea.

> Thanks,
> Doug
>
> On Tue, Oct 22, 2013 at 4:23 AM, Daniel Borkmann dbork...@redhat.com wrote:
>> On 10/21/2013 05:00 PM, Doug Burks wrote:
>>> Hello all,
>>>
>>> Have you considered implementing support for decoding ERSPAN? Looks like gulp and snort currently support this:
>>
>> Are you referring to the packet dissector or to store the decapsulated data to a pcap file?
>>
>>> http://staff.washington.edu/corey/gulp/
>>> http://blog.snort.org/2013/07/snort-295-is-now-available.html
>>>
>>> Thanks for your consideration!
Re: [netsniff-ng] netsniff-ng and ERSPAN
On 10/21/2013 05:00 PM, Doug Burks wrote:
> Hello all,
>
> Have you considered implementing support for decoding ERSPAN? Looks like gulp and snort currently support this:

Are you referring to the packet dissector or to store the decapsulated data to a pcap file?

> http://staff.washington.edu/corey/gulp/
> http://blog.snort.org/2013/07/snort-295-is-now-available.html
>
> Thanks for your consideration!
Re: [netsniff-ng] netsniff-ng and ERSPAN
Hi Daniel,

I'm referring to running netsniff-ng, having it accept ERSPAN data, and write the decapsulated data to a pcap file.

Thanks,
Doug

On Tue, Oct 22, 2013 at 4:23 AM, Daniel Borkmann dbork...@redhat.com wrote:
> On 10/21/2013 05:00 PM, Doug Burks wrote:
>> Hello all,
>>
>> Have you considered implementing support for decoding ERSPAN? Looks like gulp and snort currently support this:
>
> Are you referring to the packet dissector or to store the decapsulated data to a pcap file?
>
>> http://staff.washington.edu/corey/gulp/
>> http://blog.snort.org/2013/07/snort-295-is-now-available.html
>>
>> Thanks for your consideration!

--
Doug Burks
http://securityonion.blogspot.com
[netsniff-ng] netsniff-ng and ERSPAN
Hello all,

Have you considered implementing support for decoding ERSPAN? Looks like gulp and snort currently support this:

http://staff.washington.edu/corey/gulp/
http://blog.snort.org/2013/07/snort-295-is-now-available.html

Thanks for your consideration!

--
Doug Burks
http://securityonion.blogspot.com
[netsniff-ng] netsniff-ng 0.5.8-rc2
About 2 weeks have passed and we have pushed out yet another snapshot -rc tag. This time mostly some fixes and cleanups all over the place. One thing that still needs to be done is a complete curvetun rework. So expect one or two more follow-up -rc tags before a final stable snapshot. Other than that, please go ahead and run it!

Thanks !

---

netsniff-ng 0.5.8-rc2 has been released to the public (http://netsniff-ng.org/).

It can be fetched via Git:

    git clone git://github.com/borkmann/netsniff-ng.git
    git checkout 0.5.8-rc2

Or via HTTP:

    wget http://pub.netsniff-ng.org/netsniff-ng/netsniff-ng-0.5.8-rc2.tar.gz

The release can be verified via Git (see README):

    git tag -v 0.5.8-rc2

Major high-level changes since the last release are:

1) Build system fixes and cleanups all over the place. From Tobias Klauser and Daniel Borkmann.

2) Mausezahn man-pages improvements from Jon Schipp.

3) Support replaying/reading pcap capture files from/to tunnel devices from Daniel Borkmann.

4) Fix various compiler warnings from Tobias Klauser.

Contributions since last release:

    13 Daniel Borkmann
     7 Tobias Klauser
     2 Jon Schipp

Git changelog since last release:

Daniel Borkmann (13):
    configure: silent complaint if not built on git repository
    built_in: fix build if ARPHRD_IEEE802154_MONITOR is undefined
    pcap_io: tun: support captures from wireshark/tcpdump via tun devices
    build: move trafgen_stddef.h to stddef.h
    build: split build system into smaller manageable pieces
    build: add + version appendix automatically during build
    build: minor: align 'bold' cmd to the same column as 'normal'
    build: use VERSION_SHORT instead of VERSION_STRING
    build: tag: add 'v' prefix for tag name
    build: fix up GIT_PEOPLE and GIT_LOG macros
    build: fix up announce message in announce target
    build: reduce Extra contents to bare minimum
    netsniff-ng 0.5.8-rc2

Tobias Klauser (7):
    build: Use NACL_{INC,LIB}_DIR set by configure
    flowtop: Fix compiler warnings
    man: Align synopsis with other sections
    build: Don't uninstall configuration files
    build: Use -n option to head command
    dev: Constify `ifname' parameter to device_up_and_running()
    ioops: Constify `name' parameter to tun_open_or_die()

Jon Schipp (2):
    man: mausezahn: change cisco-like short commands to long form
    mausezahn: man: note use of short hand commands
Re: [netsniff-ng] Netsniff-NG Book Mention: Practice Of Network Security Monitoring
On 07/23/2013 12:32 AM, Jon Schipp wrote:
> FYI: New book, Practice Of Network Security Monitoring, PDF is available upon purchase. I believe physical book ships next week if you've pre-ordered. Mentions Netsniff-NG in context of SecurityOnion. Found netsniff-ng on 23 pages.

That's awesome! Thanks for reporting this Jon!

> I will be reading very soon.
>
> [1] http://nostarch.com/nsm
[netsniff-ng] Netsniff-NG Book Mention: Practice Of Network Security Monitoring
FYI: New book, Practice Of Network Security Monitoring, PDF is available upon purchase. I believe physical book ships next week if you've pre-ordered. Mentions Netsniff-NG in context of SecurityOnion. Found netsniff-ng on 23 pages.

I will be reading very soon.

[1] http://nostarch.com/nsm
[netsniff-ng] netsniff-ng 0.5.8-rc1
It has been almost a year now since our last release, we realize this is quite some time, but it has paid off. As most development on netsniff-ng happened during spare time, we really haven't been lazy. ;-) Furthermore, Tobias Klauser has joined as a new maintainer for netsniff-ng. It is now maintained by Tobias Klauser and Daniel Borkmann together.

So here's a rc1 release that we throw at you with more than 1,000 changes. During that time, netsniff-ng has matured quite a lot. Expect a few smaller follow-up rc releases in the near future before the final 0.5.8 will be released. There's still some work on curvetun that we need to do. In case you don't need curvetun, feel free to use this one already. We hope we haven't forgotten some of the highlights to mention. In any case, just go ahead and try it out.

Thanks !

--

netsniff-ng 0.5.8-rc1 has been released to the public (http://netsniff-ng.org/).

It can be fetched via Git:

    git clone git://github.com/borkmann/netsniff-ng.git
    git checkout v0.5.8-rc1

Or via HTTP:

    wget http://pub.netsniff-ng.org/netsniff-ng/netsniff-ng-0.5.8-rc1.tar.gz

The release can be verified via Git (see README):

    git tag -v v0.5.8-rc1

Major high-level changes since the last release are:

1) Introduction of a new build system based on classical make and a customized configure file, which eventually removes the previous cmake system once and for all and avoids using autotools. Support for cross-compilation and various other options such as debug, distribution or hardening builds. From Tobias Klauser and Daniel Borkmann.

2) Inclusion of the mausezahn high-level traffic generator. This one is unmaintained, so we decided to take up maintainer-ship and continue development on it. It's currently in our staging area as the code is not yet in a quality that we accept, but that will change over the next releases. From Tobias Klauser and Daniel Borkmann.

3) Complete rewrite of all man-pages and removal of Documentation section. All important things that need to be said can now be found in our man-pages. Written by Daniel Borkmann, many many improvements by Tobias Klauser, Jon Schipp, Kartik Mistry and Stephen Wadeley.

4) Initial zsh autocompletion support for all tools. From Hideo Hattori.

5) PF_PACKET TPACKET_V3 conversion of netsniff-ng pcap capturing handler. This results in a better capturing throughout as zero-copy data is stored linear instead of slot-wise, which will result in fewer page cache misses. From Daniel Borkmann.

6) ifpps now can handle an arbitrary number of CPUs and no longer fails on systems with more than 32 CPUs. By default now only the data for the 5 most-used CPUs is displayed, as well as the least-used CPU and average values (median can optionally be displayed). From Tobias Klauser and Daniel Borkmann.

7) Support for different pcap types (tcpdump-capable, tcpdump-capable with ns resolution, Alexey Kuznetzov's pcap format, netsniff-ng's pcap format), introduction of a netsniff-ng internal pcap format with the following features: timeval in nanoseconds, the original packet length, the captured packet length, the timestamp hw/sw source, the interface index (sll_ifindex), the packet's protocol (sll_protocol), the packet type (sll_pkttype) and the hardware type (sll_hatype) and support for multiple link-types, from Daniel Borkmann.

8) Add support for raw 802.11 in netsniff-ng and in trafgen, which also allows injection, from Daniel Borkmann. Next to that we have added a packet dissector for raw 802.11 frames. It is currently in an initial stage and will be further developed, from Markus Amend.

9) Add a new dissector for the Link Layer Discovery protocol, from Tobias Klauser.

10) Make astraceroute independent of active geoip lookups to Team CYMRU and rather use geoip library in order to not leak any traffic, from Daniel Borkmann.

11) Geoip database update mechanism for astraceroute, flowtop and netsniff-ng, from Daniel Borkmann.

12) Let netsniff-ng's dissector use geoip library, from Daniel Borkmann.

13) Added several Linux extensions for bpfc and the possibility to use cpp as a preprocessor like in trafgen. Moreover, added support for different output formats (e.g. for usage with xt_bpf). From Daniel Borkmann.

14) Minimal stand-alone BPF JIT image disassembler, from Daniel Borkmann.

15) Support for tcpdump-like high-level filter expressions next to bpfc filters in netsniff-ng, from Daniel Borkmann.

16) trafgen got a new, powerful configuration language, its configs can be passed through cpp, and it is now multithreaded. Moreover, trafgen also got a built-in protocol fuzzer. From Daniel Borkmann.

17) Last but not least, numerous code cleanups and code simplifications all over the place as well as smaller features not mentioned here, from Tobias Klauser and Daniel Borkmann, and smaller fixes by Stefan Seering
[netsniff-ng] netsniff-ng drops packets
Hi All,

I have a strange situation and I'm looking for help. I have two systems. One with RHEL 6.3:

2.6.32-279.9.1.el6.x86_64 #1 SMP Fri Aug 31 09:04:24 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux

with netsniff from the centos/epel repositories: netsniff-ng 0.5.5.0, netsniff-ng-0.5.5.0-2.el6.src.rpm

The second one is Grml Live Linux, version grml32-full_2013.02.iso:

Linux 3.7-1-grml-486 #1 Debian 3.7.9-1+grml.1 i686 GNU/Linux
netsniff-ng 0.5.7

On the grml linux server everything is working fine, no drops, but on the RHEL I got drops.

/usr/sbin/netsniff\-ng -d eth0 -p .pcap -s
netsniff-ng 0.5.5.0 -- pid (20971)
nice (0), scheduler (0 prio 0)
8 of 8 CPUs online, affinity bitstring (1000)
No filter applied. Switching to `all traffic`.
100.00 MB allocated for receive ring
[ 6400 blocks, 51200 frames ]
[ 8 frames per block ]
[ framesize: 2048 bytes, blocksize: 16384 bytes ]
--- Listening ---
Receive ring dumping ... |^Ccaught SIGINT!
Got SIGINT here!
67134 frames incoming
51201 frames passed filter
15933 frames failed filter (due to out of space)

The capture file gets size:

52910017 May 27 11:23 .pcap

On each try the size differs but still stays at about 60M.

I connected with gdb to the netsniff-ng process to see what it hangs on and I see:

#1 0x004063a0 in fetch_packets (sd=0x7fff845f44a0, sock=4, rb=0x1259050) at rx_ring.c:300
300 while ((ret = poll(pfd, 1, sd->blocking_mode)) = 0) {
(gdb) s
Single stepping until exit from function poll, which has no line number information.

The traffic I sniff in this test is an ftp session (~ 90Mbits).

Maybe you can help me with finding the root of this issue? Is any system tuning needed to avoid such an issue?

Thanks and Regards.
Irek
Re: [netsniff-ng] netsniff-ng drops packets
Hi Irek,

On 05/27/2013 01:17 PM, Irek Wlizlo wrote:
> I have a strange situation and I'm looking for help. I have two systems. One with RHEL 6.3:
> 2.6.32-279.9.1.el6.x86_64 #1 SMP Fri Aug 31 09:04:24 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
> with netsniff from the centos/epel repositories: netsniff-ng 0.5.5.0, netsniff-ng-0.5.5.0-2.el6.src.rpm
> The second one is Grml Live Linux, version grml32-full_2013.02.iso:
> Linux 3.7-1-grml-486 #1 Debian 3.7.9-1+grml.1 i686 GNU/Linux
> netsniff-ng 0.5.7
> On the grml linux server everything is working fine, no drops, but on the RHEL I got drops.

Can you try getting the latest version via

git clone git://github.com/borkmann/netsniff-ng.git

and see if it can be reproduced? Also, the upstream netsniff-ng has *a lot* more features than what you currently use. A lot has happened since then and a new release will appear in less than a month.

Let me know.

Thanks,
Daniel
[netsniff-ng] netsniff-ng problem
Hi,

I downloaded and installed the following netsniff-ng, then used it to capture packets. But I found the packet size was very small (like 8 or 9M), and many packets failed filter (due to out of space), while other tools (such as tcpdump, wireshark) had no such problem. So I wonder why this problem occurred, could you please help me out? Thanks.

BR,
Li Tianmei
Re: [netsniff-ng] netsniff-ng problem
On 05/22/2013 04:46 AM, Li Tianmei-BPF364 wrote:
> Hi,
> I downloaded and installed the following netsniff-ng, then used it to capture packets. But I found the packet size was very small (like 8 or 9M), and many packets failed filter (due to out of space), while other tools (such as tcpdump, wireshark) had no such problem.

Could you elaborate on that? I assume instead of packet size you rather mean pcap file size, right? What command did you use to capture packets? What kind of packets do you expect to capture? All or only packets of particular type?

Cheers,
Daniel
[netsniff-ng] netsniff-ng output file for TCP session / UDP flow with maxsize defined by user
Hi,

I've some questions about netsniff-ng functionality:

1. is netsniff-ng multi-thread and if yes, does multi-thread development improve the performance of the sniffer?
2. is netsniff-ng capable to dump traffic in multiple files creating files with a max size X defined by user?
3. is netsniff-ng capable to track tcp session and udp flow to allow dump of pcap files without splitting a session/flow between multiple files?
4. if question 3 is true, is netsniff-ng capable to handle corner side situation like tcp session without FIN or closed by RST pkt?
5. if question 3 is true, is netsniff-ng capable to track UDP flow using a time based approach to follow UDP flow?

What I need is to continuously sniff network traffic, dump TCP session and UDP flow in PCAP files that have a MAX size defined by user without breaking session or flow between multiple PCAP files.

Best Regards,
R.
Re: [netsniff-ng] netsniff-ng output file for TCP session / UDP flow with maxsize defined by user
On 05/14/2013 12:25 PM, Roberto Martelloni wrote:
> I've some questions about netsniff-ng functionality:
> 1. is netsniff-ng multi-thread and if yes, does multi-thread development improve the performance of the sniffer?

Currently not, except you start multiple instances of it, bound to different CPUs. Then yes, but this only makes sense if your hard drive will not become a bottleneck and can keep up with the pace (otherwise use a ramfs or the like).

> 2. is netsniff-ng capable to dump traffic in multiple files creating files with a max size X defined by user?

Yes. Please see the man-page or --help of the current Git tree version [1].

[1] https://github.com/borkmann/netsniff-ng

> 3. is netsniff-ng capable to track tcp session and udp flow to allow dump of pcap files without splitting a session/flow between multiple files?

No, for performance reasons, we do not track tcp/udp sessions, but I'm almost sure there are tools that can perform this offline on pcap files. The only thing you can do here that might help in that term is to define a tcpdump-like BPF filter that only allows to let a particular flow pass the kernel filter.

Cheers,
Daniel
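The offline approach mentioned in the reply above, as an added example (not netsniff-ng code and not from any poster): it reads size-rotated capture files and regroups packets by direction-independent 5-tuple, so a session split across two files comes back together. It assumes classic pcap files with Ethernet link type and IPv4 TCP/UDP only; the sample captures are constructed and all function names are hypothetical.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # tcpdump microsecond and nanosecond formats

def read_pcap(blob):
    """Yield (ts_sec, ts_frac, frame) from a classic pcap file held in memory."""
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", blob[:4])[0] in PCAP_MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", blob[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(blob):
        sec, frac, caplen, _origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        yield sec, frac, blob[off + 16:off + 16 + caplen]
        off += 16 + caplen

def flow_key(frame):
    """Direction-independent 5-tuple for IPv4 TCP/UDP over Ethernet, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return None  # non-first IP fragment: no L4 header to read
    proto = frame[23]
    l4 = 14 + (frame[14] & 0x0F) * 4
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    a = (socket.inet_ntoa(frame[26:30]), sport)
    b = (socket.inet_ntoa(frame[30:34]), dport)
    return (proto,) + tuple(sorted((a, b)))

def group_flows(pcap_blobs):
    """Map each flow key to its packets as (file_index, ts_sec, ts_frac, frame)."""
    flows = defaultdict(list)
    for idx, blob in enumerate(pcap_blobs):
        for sec, frac, frame in read_pcap(blob):
            key = flow_key(frame)
            if key is not None:
                flows[key].append((idx, sec, frac, frame))
    return dict(flows)

# --- constructed sample input: two rotated files, one TCP session split across both ---
def make_frame(src, dst, proto, sport, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHI", sport, dport, 0)

def make_pcap(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, frame in records:
        out += struct.pack("<IIII", sec, 0, len(frame), len(frame)) + frame
    return out

FILE_A = make_pcap([(100, make_frame("10.0.0.1", "10.0.0.2", 6, 40000, 80)),
                    (101, make_frame("10.0.0.3", "10.0.0.2", 17, 5353, 53))])
FILE_B = make_pcap([(102, make_frame("10.0.0.2", "10.0.0.1", 6, 80, 40000))])

if __name__ == "__main__":
    for key, pkts in group_flows([FILE_A, FILE_B]).items():
        print(key, "files:", sorted({p[0] for p in pkts}), "packets:", len(pkts))
```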
[netsniff-ng] netsniff-ng 0.5.8
It's about time for me to build a new netsniff-ng package (mostly so that we can begin using the new --user and --group options). Is there an ETA for the official release of 0.5.8 or is the current git master considered stable enough that I should go ahead and package it?

Thanks,
--
Doug Burks
http://securityonion.blogspot.com
[netsniff-ng] netsniff-ng packet lost
Hi all,

Currently I'm testing the packet loss of netsniff-ng under the background of 10Mbps to 100Mbps. The statistics shown by netsniff-ng are as follows (just an example):

7 packets incoming
7 packets passed filter
0 packets failed filter (out of space)
0.% packet droprate
5 sec, 278139 usec in total

There are no packets being dropped (0.% packet droprate). However, I believed that the amount of packets I sent and which netsniff-ng sniffed is more than the packets that netsniff-ng received (7 packets incoming). So my question is: is there any possibility that netsniff-ng lost packets but this is not shown by the statistics?
[netsniff-ng] Netsniff-ng packet lost
Hi all,

I'm testing the packet loss performance of netsniff-ng under the background of 1Mbps ~ 100Mbps. The statistics shown by netsniff-ng are as follows (just an example, not the real case):

7 packets incoming
7 packets passed filter
0 packets failed filter (out of space)
0.% packet droprate
5 sec, 278139 usec in total

My situation is that the statistics show that no packet is being dropped (0.% packet droprate), however the amount of packets I sent and which netsniff-ng sniffed is more than the packets netsniff-ng received (7 packets incoming). So is there any possibility that netsniff-ng lost packets but this is not shown by the statistics?
Re: [netsniff-ng] Netsniff-ng packet lost
On 03/12/2013 02:54 AM, teddy lin wrote:
> I'm testing the packet loss performance of netsniff-ng under the background of 1Mbps ~ 100Mbps.

So, can I assume netsniff-ng runs on an embedded system?

> The statistics shown by netsniff-ng are as follows (just an example, not the real case):
> 7 packets incoming
> 7 packets passed filter
> 0 packets failed filter (out of space)
> 0.% packet droprate
> 5 sec, 278139 usec in total
> My situation is that the statistics show that no packet is being dropped (0.% packet droprate), however the amount of packets I sent and which netsniff-ng sniffed is more than the packets netsniff-ng received (7 packets incoming). So is there any possibility that netsniff-ng lost packets but this is not shown by the statistics?

From the socket point of view, nothing got lost. But e.g. assuming you're using an embedded system and it couldn't cope with such a load then, it could also be the case that packets got dropped earlier, at the driver layer. Are drop counts increasing for your networking device in /proc/net/dev?
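The two layers of loss discussed in the reply above, as an added example (not netsniff-ng code and not from any poster): it reads the capture summary for drops at the packet socket and compares two /proc/net/dev snapshots for drops below it. The summary strings are the ones quoted on this page; the /proc/net/dev snapshots are constructed sample data and the function names are hypothetical.

```python
import re

RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "frame",
             "compressed", "multicast")
SUMMARY_RE = re.compile(
    r"(\d+)\s+(?:frames|packets)\s+(incoming|passed filter|failed filter)")

# Capture summaries as quoted on this page (older and newer wording).
SUMMARY_RING = ("67134 frames incoming 51201 frames passed filter "
                "15933 frames failed filter (due to out of space)")
SUMMARY_CLEAN = ("7 packets incoming 7 packets passed filter "
                 "0 packets failed filter (out of space)")

# Constructed /proc/net/dev snapshots, taken before and after a capture run.
HEADER = ("Inter-|   Receive                            |  Transmit\n"
          " face |bytes packets errs drop fifo frame compressed multicast|"
          "bytes packets errs drop fifo colls carrier compressed\n")
BEFORE = HEADER + "  eth0: 9000000 70000 0 12 0 0 0 0 500000 4000 0 0 0 0 0 0\n"
AFTER = HEADER + "  eth0: 9000700 70010 0 15 0 0 0 0 500000 4000 0 0 0 0 0 0\n"

def parse_proc_net_dev(text):
    """Return {iface: {rx_field: int}} from the contents of /proc/net/dev."""
    stats = {}
    for line in text.splitlines()[2:]:        # skip the two header lines
        if ":" not in line:
            continue
        iface, counters = line.split(":", 1)  # old kernels omit the space after ':'
        values = [int(v) for v in counters.split()]
        stats[iface.strip()] = dict(zip(RX_FIELDS, values[:8]))
    return stats

def rx_delta(before, after, iface):
    """Growth of the receive-side loss counters between two snapshots."""
    b = parse_proc_net_dev(before)[iface]
    a = parse_proc_net_dev(after)[iface]
    return {k: a[k] - b[k] for k in ("packets", "errs", "drop", "fifo")}

def parse_summary(text):
    """Extract the three counters from a netsniff-ng capture summary."""
    return {label: int(n) for n, label in SUMMARY_RE.findall(text)}

def assess(summary, before, after, iface):
    """Say at which layer, if any, the capture lost packets."""
    sock = parse_summary(summary)
    drv = rx_delta(before, after, iface)
    ring_lost = sock.get("failed filter", 0)
    driver_lost = drv["errs"] + drv["drop"] + drv["fifo"]
    if ring_lost:
        verdict = "ring overflow"       # the socket saw the frames, the ring was full
    elif driver_lost:
        verdict = "driver-level loss"   # lost before the packet socket could count them
    else:
        verdict = "no loss observed"
    incoming = sock.get("incoming", 0)
    return {"ring_lost": ring_lost,
            "ring_drop_rate": ring_lost / incoming if incoming else 0.0,
            "driver_lost": driver_lost,
            "verdict": verdict}

if __name__ == "__main__":
    print(assess(SUMMARY_RING, BEFORE, BEFORE, "eth0"))
    print(assess(SUMMARY_CLEAN, BEFORE, AFTER, "eth0"))
```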
[netsniff-ng] netsniff-ng howto
If someone is looking for a tutorial in Japanese language: http://www.ainoniwa.net/ssp/?p=950 ;-)
Re: [netsniff-ng] netsniff-ng covered in AppliedNSM book
On Sat, Feb 16, 2013 at 5:18 PM, Daniel Borkmann <borkm...@iogearbox.net> wrote:
> Good news: http://www.appliednsm.com/about-the-book/

\0/

--
Kartik Mistry | IRC: kart_
{0x1f1f, kartikm}.wordpress.com
[netsniff-ng] netsniff-ng compilation - error mac80211.c.o
$ wget http://pub.netsniff-ng.org/netsniff-ng/netsniff-ng-0.5.7.tar.gz
$ uname -a
Linux nms 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:52:48 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
...
...
[ 37%] Building C object netsniff-ng/CMakeFiles/netsniff-ng.dir/__/mac80211.c.o
/root/netsniff-ng-0.5.7/src/mac80211.c:40:33: error: conflicting types for ‘nl_socket_alloc’
/usr/include/netlink/socket.h:22:25: note: previous declaration of ‘nl_socket_alloc’ was here
/root/netsniff-ng-0.5.7/src/mac80211.c: In function ‘nl_socket_alloc’:
/root/netsniff-ng-0.5.7/src/mac80211.c:42:2: error: implicit declaration of function ‘nl_handle_alloc’ [-Werror=implicit-function-declaration]
/root/netsniff-ng-0.5.7/src/mac80211.c:42:2: warning: nested extern declaration of ‘nl_handle_alloc’ [-Wnested-externs]
/root/netsniff-ng-0.5.7/src/mac80211.c:42:2: warning: return makes pointer from integer without a cast [enabled by default]
/root/netsniff-ng-0.5.7/src/mac80211.c: At top level:
/root/netsniff-ng-0.5.7/src/mac80211.c:45:20: error: conflicting types for ‘nl_socket_free’
/usr/include/netlink/socket.h:24:14: note: previous declaration of ‘nl_socket_free’ was here
/root/netsniff-ng-0.5.7/src/mac80211.c: In function ‘nl_socket_free’:
/root/netsniff-ng-0.5.7/src/mac80211.c:47:2: error: implicit declaration of function ‘nl_handle_destroy’ [-Werror=implicit-function-declaration]
/root/netsniff-ng-0.5.7/src/mac80211.c:47:2: warning: nested extern declaration of ‘nl_handle_destroy’ [-Wnested-externs]
/root/netsniff-ng-0.5.7/src/mac80211.c: In function ‘__genl_ctrl_alloc_cache’:
/root/netsniff-ng-0.5.7/src/mac80211.c:55:9: warning: passing argument 1 of ‘genl_ctrl_alloc_cache’ from incompatible pointer type [enabled by default]
/usr/include/netlink/genl/ctrl.h:25:14: note: expected ‘struct nl_sock *’ but argument is of type ‘struct nl_handle *’
/root/netsniff-ng-0.5.7/src/mac80211.c:55:9: error: too few arguments to function ‘genl_ctrl_alloc_cache’
/usr/include/netlink/genl/ctrl.h:25:14: note: declared here
/root/netsniff-ng-0.5.7/src/mac80211.c: In function ‘nl80211_init’:
/root/netsniff-ng-0.5.7/src/mac80211.c:115:2: warning: passing argument 1 of ‘genl_connect’ from incompatible pointer type [enabled by default]
/usr/include/netlink/genl/genl.h:23:13: note: expected ‘struct nl_sock *’ but argument is of type ‘struct nl_handle *’
/root/netsniff-ng-0.5.7/src/mac80211.c: In function ‘nl80211_add_mon_if’:
/root/netsniff-ng-0.5.7/src/mac80211.c:154:2: warning: passing argument 1 of ‘nl_send_auto_complete’ from incompatible pointer type [enabled by default]
/usr/include/netlink/netlink.h:57:14: note: expected ‘struct nl_sock *’ but argument is of type ‘struct nl_handle *’
/root/netsniff-ng-0.5.7/src/mac80211.c:164:2: warning: passing argument 1 of ‘nl_wait_for_ack’ from incompatible pointer type [enabled by default]
/usr/include/netlink/netlink.h:71:14: note: expected ‘struct nl_sock *’ but argument is of type ‘struct nl_handle *’
/root/netsniff-ng-0.5.7/src/mac80211.c: In function ‘nl80211_del_mon_if’:
/root/netsniff-ng-0.5.7/src/mac80211.c:197:2: warning: passing argument 1 of ‘nl_send_auto_complete’ from incompatible pointer type [enabled by default]
/usr/include/netlink/netlink.h:57:14: note: expected ‘struct nl_sock *’ but argument is of type ‘struct nl_handle *’
/root/netsniff-ng-0.5.7/src/mac80211.c:201:2: warning: passing argument 1 of ‘nl_wait_for_ack’ from incompatible pointer type [enabled by default]
/usr/include/netlink/netlink.h:71:14: note: expected ‘struct nl_sock *’ but argument is of type ‘struct nl_handle *’
cc1: some warnings being treated as errors
make[2]: *** [netsniff-ng/CMakeFiles/netsniff-ng.dir/__/mac80211.c.o] Error 1
make[1]: *** [netsniff-ng/CMakeFiles/netsniff-ng.dir/all] Error 2
make: *** [all] Error 2

Same thing with
$ git clone https://github.com/gnumaniacs/netsniff-ng.git

Any ideas on what could be wrong?

Thanks
Jon
Re: [netsniff-ng] netsniff-ng compilation - error mac80211.c.o
On Mon, Sep 17, 2012 at 8:33 PM, Jon Schipp <jonsch...@gmail.com> wrote:
> $ wget http://pub.netsniff-ng.org/netsniff-ng/netsniff-ng-0.5.7.tar.gz
> $ uname -a
> Linux nms 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:52:48 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
> ...
> ...
> [ 37%] Building C object netsniff-ng/CMakeFiles/netsniff-ng.dir/__/mac80211.c.o
> /root/netsniff-ng-0.5.7/src/mac80211.c:40:33: error: conflicting types for ‘nl_socket_alloc’
> /usr/include/netlink/socket.h:22:25: note: previous declaration of ‘nl_socket_alloc’ was here
> /root/netsniff-ng-0.5.7/src/mac80211.c: In function ‘nl_socket_alloc’:
> /root/netsniff-ng-0.5.7/src/mac80211.c:42:2: error: implicit declaration of function ‘nl_handle_alloc’ [-Werror=implicit-function-declaration]
> /root/netsniff-ng-0.5.7/src/mac80211.c:42:2: warning: nested extern declaration of ‘nl_handle_alloc’ [-Wnested-externs]
> /root/netsniff-ng-0.5.7/src/mac80211.c:42:2: warning: return makes pointer from integer without a cast [enabled by default]
> /root/netsniff-ng-0.5.7/src/mac80211.c: At top level:
> /root/netsniff-ng-0.5.7/src/mac80211.c:45:20: error: conflicting types for ‘nl_socket_free’
> /usr/include/netlink/socket.h:24:14: note: previous declaration of ‘nl_socket_free’ was here
> /root/netsniff-ng-0.5.7/src/mac80211.c: In function ‘nl_socket_free’:
> /root/netsniff-ng-0.5.7/src/mac80211.c:47:2: error: implicit declaration of function ‘nl_handle_destroy’ [-Werror=implicit-function-declaration]
> /root/netsniff-ng-0.5.7/src/mac80211.c:47:2: warning: nested extern declaration of ‘nl_handle_destroy’ [-Wnested-externs]
> /root/netsniff-ng-0.5.7/src/mac80211.c: In function ‘__genl_ctrl_alloc_cache’:
> /root/netsniff-ng-0.5.7/src/mac80211.c:55:9: warning: passing argument 1 of ‘genl_ctrl_alloc_cache’ from incompatible pointer type [enabled by default]
> /usr/include/netlink/genl/ctrl.h:25:14: note: expected ‘struct nl_sock *’ but argument is of type ‘struct nl_handle *’
> /root/netsniff-ng-0.5.7/src/mac80211.c:55:9: error: too few arguments to function ‘genl_ctrl_alloc_cache’
> /usr/include/netlink/genl/ctrl.h:25:14: note: declared here
> /root/netsniff-ng-0.5.7/src/mac80211.c: In function ‘nl80211_init’:
> /root/netsniff-ng-0.5.7/src/mac80211.c:115:2: warning: passing argument 1 of ‘genl_connect’ from incompatible pointer type [enabled by default]
> /usr/include/netlink/genl/genl.h:23:13: note: expected ‘struct nl_sock *’ but argument is of type ‘struct nl_handle *’
> /root/netsniff-ng-0.5.7/src/mac80211.c: In function ‘nl80211_add_mon_if’:
> /root/netsniff-ng-0.5.7/src/mac80211.c:154:2: warning: passing argument 1 of ‘nl_send_auto_complete’ from incompatible pointer type [enabled by default]
> /usr/include/netlink/netlink.h:57:14: note: expected ‘struct nl_sock *’ but argument is of type ‘struct nl_handle *’
> /root/netsniff-ng-0.5.7/src/mac80211.c:164:2: warning: passing argument 1 of ‘nl_wait_for_ack’ from incompatible pointer type [enabled by default]
> /usr/include/netlink/netlink.h:71:14: note: expected ‘struct nl_sock *’ but argument is of type ‘struct nl_handle *’
> /root/netsniff-ng-0.5.7/src/mac80211.c: In function ‘nl80211_del_mon_if’:
> /root/netsniff-ng-0.5.7/src/mac80211.c:197:2: warning: passing argument 1 of ‘nl_send_auto_complete’ from incompatible pointer type [enabled by default]
> /usr/include/netlink/netlink.h:57:14: note: expected ‘struct nl_sock *’ but argument is of type ‘struct nl_handle *’
> /root/netsniff-ng-0.5.7/src/mac80211.c:201:2: warning: passing argument 1 of ‘nl_wait_for_ack’ from incompatible pointer type [enabled by default]
> /usr/include/netlink/netlink.h:71:14: note: expected ‘struct nl_sock *’ but argument is of type ‘struct nl_handle *’
> cc1: some warnings being treated as errors
> make[2]: *** [netsniff-ng/CMakeFiles/netsniff-ng.dir/__/mac80211.c.o] Error 1
> make[1]: *** [netsniff-ng/CMakeFiles/netsniff-ng.dir/all] Error 2
> make: *** [all] Error 2
>
> Same thing with
> $ git clone https://github.com/gnumaniacs/netsniff-ng.git
>
> Any ideas on what could be wrong?

What is your libnl version? = 1.1?