NetSniff

Introduction

NetSniff is a multi-layered real-time traffic capture and analysis tool developed as part of the ICE3 project run out of the Centre for Advanced Internet Architectures (CAIA). NetSniff uses the PCAP library to capture network traffic from a network interface or from a tcpdump-formatted file. NetSniff then parses the captured traffic at multiple network layers and produces a detailed set of statistics.

NetSniff also offers data anonymisation facilities as well as the capability for continuous running using rolling logs. This is the mode in which NetSniff is used for the ICE3 project. From this site you can download and use the NetSniff project, subject to the licensing terms listed below.

Features

NetSniff is a multi-layered network traffic capture and analysis tool that provides the following features:
  • Decoding of multiple layers of the Protocol Stack.
  • Real-time parsing and decoding.
  • Anonymisation support for maintaining privacy.
  • Correlation across related network applications, even when anonymising collected data.
  • TCP Stream reconstruction.
  • Collection of TCP Stream properties (RTT, Jitter, Packet Loss Rate, Hop Count).
  • Running RTT and Jitter estimations for the duration of a TCP Stream - sampled at configurable time intervals.
  • Simple text output files for each decoded protocol.
  • Easily configured for continuous logging operation: a running process can be signalled to roll its logs over.
  • All un-parsed traffic dumped to a separate log file in tcpdump format.
  • IP Address anonymisation also applied to unparsed traffic in tcpdump format.
  • Modular C++ Object Oriented design allows for easy extensibility to support new protocols at any layer.
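The three anonymisation bullets above describe one property: the same real host must map to the same pseudonym in every output file, and in the un-parsed tcpdump dump, or correlation across applications is lost. The following is an added example (not NetSniff's own code) showing that idea in C++, the project's language. The class name AddressAnonymiser, the sequential pseudonyms drawn from 10.0.0.0/8, and the sample header are all assumptions made for the illustration; the checksum recalculation shows the step that is easy to forget when rewriting raw packets.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>

// Consistent pseudonymisation of IPv4 addresses (added example, not
// NetSniff's code). The first time a real address is seen it is assigned the
// next unused pseudonym; every later lookup returns that same pseudonym, so
// the anonymised HTTP, DNS and TCP logs still agree on which host is which
// even though no real address reaches disk.
class AddressAnonymiser {
public:
    uint32_t pseudonymise(uint32_t real) {
        auto it = table_.find(real);
        if (it != table_.end()) return it->second;
        // Assumed scheme: pseudonyms are handed out sequentially from
        // 10.0.0.1 upwards, so they cannot be mistaken for real public hosts.
        uint32_t pseudo = kBase + next_++;
        table_[real] = pseudo;
        return pseudo;
    }
    size_t distinct() const { return table_.size(); }
private:
    static constexpr uint32_t kBase = 0x0A000001u;  // 10.0.0.1
    uint32_t next_ = 0;
    std::map<uint32_t, uint32_t> table_;
};

// Big-endian access to the 32-bit address fields of an IPv4 header.
uint32_t rd32(const std::vector<uint8_t>& p, size_t o) {
    return (uint32_t)p[o] << 24 | (uint32_t)p[o + 1] << 16 |
           (uint32_t)p[o + 2] << 8 | (uint32_t)p[o + 3];
}
void wr32(std::vector<uint8_t>& p, size_t o, uint32_t v) {
    p[o] = v >> 24; p[o + 1] = v >> 16; p[o + 2] = v >> 8; p[o + 3] = v;
}

// One's-complement sum of the first `ihl` header bytes; a correct IPv4
// header (checksum field included) sums to 0xFFFF.
uint16_t ipv4HeaderSum(const std::vector<uint8_t>& p, size_t ihl) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < ihl; i += 2) sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}
bool ipv4ChecksumValid(const std::vector<uint8_t>& p) {
    if (p.size() < 20) return false;
    size_t ihl = (p[0] & 0x0F) * 4;
    return ihl >= 20 && ihl <= p.size() && ipv4HeaderSum(p, ihl) == 0xFFFF;
}

// Rewrites source and destination of a raw IPv4 packet in place, which is
// what un-parsed traffic needs before it is written back out in tcpdump
// format. Returns false, leaving the buffer untouched, if the buffer does
// not hold a complete IPv4 header.
bool anonymiseIpv4Header(std::vector<uint8_t>& p, AddressAnonymiser& an) {
    if (p.size() < 20 || (p[0] >> 4) != 4) return false;
    size_t ihl = (p[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > p.size()) return false;
    wr32(p, 12, an.pseudonymise(rd32(p, 12)));
    wr32(p, 16, an.pseudonymise(rd32(p, 16)));
    // The header checksum covers both address fields, so it has to be
    // recomputed: zero the field, sum the header, store the complement.
    p[10] = p[11] = 0;
    uint16_t cs = (uint16_t)~ipv4HeaderSum(p, ihl);
    p[10] = cs >> 8; p[11] = cs & 0xFF;
    return true;
}

// Constructed sample: a plain 20-byte IPv4/TCP header, 192.168.0.1 -> 8.8.8.8,
// with its correct checksum (0xAA16) already filled in.
std::vector<uint8_t> sampleHeader() {
    return {0x45, 0, 0, 40,  0, 1, 0, 0,  64, 6, 0xAA, 0x16,
            192, 168, 0, 1,  8, 8, 8, 8};
}
```

Feeding two packets from the same host through one AddressAnonymiser yields the same pseudonym both times, which is what lets a DNS record and the HTTP transaction that followed it still be tied together after anonymisation. The mapping table itself is the sensitive artefact here: it must live only in the running process and never be written alongside the logs.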

Protocols Decoded

NetSniff has been developed in C++ using an object-oriented approach, so new protocols can be decoded by adding new classes to the source code. A further advantage is that existing decoders can be reused to parse and analyse protocols encapsulated within a newly supported one. TCP is an example: at present TCP is only decoded when it is found within an IPv4 packet, but the existing TCP and application-layer parsers could be reused by new code, written to support IPv6 for instance, to decode TCP streams and the applications they carry.

The current protocols decoded and analysed by NetSniff are:

  • Ethernet - An Ethernet frame.
  • PPPoE - PPP over Ethernet Session Packets contained within an Ethernet Frame.
  • ARP - ARP Packets contained within an Ethernet Frame.
  • IP - IPv4 Packets contained within either an Ethernet Frame or a PPPoE Session Packet.
  • ICMP - ICMP Packets contained within an IP Packet.
  • UDP - UDP Packets contained within an IP Packet.
  • DNS - DNS Packets contained within a UDP Packet.
  • TCP - TCP Streams delivered using IP Packets. The TCP Streams are reconstructed and the payload bitstream is parsed by different application parsers.
  • HTTP - HTTP web transactions contained within a TCP Stream.
  • FTP - FTP transactions contained within a TCP Stream.
  • SMTP - SMTP mail transactions contained within a TCP Stream.
  • POP3 - POP3 mail transactions contained within a TCP Stream.
  • IMAP - IMAP mail transactions contained within a TCP Stream.
  • TLS - Secure TLS transactions contained within a TCP Stream.
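The decoder-per-protocol design described above, where each layer hands its payload to whichever decoder is registered for the encapsulated protocol and anything unclaimed falls through to the un-parsed dump, is sketched below as an added C++ example. It is not NetSniff's own class hierarchy; the Decoder/Next types, the addChild() wiring, the sample frame and the `keep` truncation parameter are assumptions made for the illustration. It covers Ethernet, IPv4, UDP and TCP headers only, with no application parsers attached.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Layered decoders (added example sketching the design described above; not
// NetSniff's own class hierarchy). Each decoder parses only its own header,
// records what it found, and hands the payload to whichever decoder is
// registered for the encapsulated protocol. A new protocol is one more
// class plus one addChild() call; nothing above or below it changes.
struct Layer { std::string name; std::string detail; };
struct Next  { size_t offset; size_t length; int key; };  // payload position, and who decodes it

class Decoder {
public:
    virtual ~Decoder() = default;
    // Parses one header in b[0..n); returns false if it is truncated or malformed.
    virtual bool parse(const uint8_t* b, size_t n, std::vector<Layer>& out, Next& nx) const = 0;
    void addChild(int key, const Decoder* d) { children_[key] = d; }
    // Walks down the stack until no registered decoder claims the payload.
    void decode(const uint8_t* b, size_t n, std::vector<Layer>& out) const {
        Next nx{0, 0, -1};
        if (!parse(b, n, out, nx)) return;
        auto it = children_.find(nx.key);
        if (it != children_.end()) it->second->decode(b + nx.offset, nx.length, out);
        else if (nx.length > 0)  // nobody claims it: this is what goes to the un-parsed dump
            out.push_back({"Unparsed", std::to_string(nx.length) + " bytes"});
    }
private:
    std::map<int, const Decoder*> children_;
};

static uint16_t be16(const uint8_t* p) { return (uint16_t)(p[0] << 8 | p[1]); }
static std::string ip4(const uint8_t* p) {
    return std::to_string(p[0]) + "." + std::to_string(p[1]) + "." + std::to_string(p[2]) + "." + std::to_string(p[3]);
}

class Ethernet : public Decoder {
    bool parse(const uint8_t* b, size_t n, std::vector<Layer>& out, Next& nx) const override {
        if (n < 14) return false;
        char d[16]; std::snprintf(d, sizeof d, "type=0x%04x", (unsigned)be16(b + 12));
        out.push_back({"Ethernet", d});
        nx = {14, n - 14, be16(b + 12)};  // the EtherType selects the network-layer decoder
        return true;
    }
};
class IPv4 : public Decoder {
    bool parse(const uint8_t* b, size_t n, std::vector<Layer>& out, Next& nx) const override {
        if (n < 20 || (b[0] >> 4) != 4) return false;
        size_t ihl = (b[0] & 0x0F) * 4, total = be16(b + 2);
        if (ihl < 20 || total < ihl || total > n) return false;  // inconsistent lengths
        out.push_back({"IP", ip4(b + 12) + " -> " + ip4(b + 16) + " proto=" + std::to_string(b[9])});
        nx = {ihl, total - ihl, b[9]};  // Ethernet padding beyond `total` is not passed on
        return true;
    }
};
class UDP : public Decoder {
    bool parse(const uint8_t* b, size_t n, std::vector<Layer>& out, Next& nx) const override {
        if (n < 8) return false;
        out.push_back({"UDP", std::to_string(be16(b)) + " -> " + std::to_string(be16(b + 2))});
        nx = {8, n - 8, be16(b + 2)};  // the destination port would select an application parser
        return true;
    }
};
class TCP : public Decoder {
    bool parse(const uint8_t* b, size_t n, std::vector<Layer>& out, Next& nx) const override {
        if (n < 20) return false;
        size_t off = (b[12] >> 4) * 4;  // data offset, given in 32-bit words
        if (off < 20 || off > n) return false;
        out.push_back({"TCP", std::to_string(be16(b)) + " -> " + std::to_string(be16(b + 2))});
        nx = {off, n - off, be16(b + 2)};
        return true;
    }
};

// One stack, wired once: Ethernet -> IPv4 (EtherType 0x0800) -> UDP (17) or TCP (6).
const Decoder& protocolStack() {
    static Ethernet eth; static IPv4 ip; static UDP udp; static TCP tcp;
    static bool wired = false;
    if (!wired) { eth.addChild(0x0800, &ip); ip.addChild(17, &udp); ip.addChild(6, &tcp); wired = true; }
    return eth;
}
std::vector<Layer> decodeFrame(const std::vector<uint8_t>& f) {
    std::vector<Layer> out;
    protocolStack().decode(f.data(), f.size(), out);
    return out;
}

// Constructed sample: Ethernet / IPv4 192.168.1.10 -> 192.168.1.1 / UDP 49152 -> 53 / 4 payload
// bytes. `keep` truncates the frame so a cut-off capture can be fed through the same stack.
std::vector<uint8_t> sampleFrame(size_t keep = 46) {
    std::vector<uint8_t> f = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x00,0xaa,0xbb,0xcc,0xdd,0xee, 0x08,0x00,  // Ethernet header
        0x45,0x00,0x00,0x20, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,           // IPv4: total length 32, proto 17
        192,168,1,10, 192,168,1,1,                                               // src, dst
        0xc0,0x00, 0x00,0x35, 0x00,0x0c, 0x00,0x00,                              // UDP: 49152 -> 53, length 12
        0xde,0xad,0xbe,0xef};                                                    // payload (unparsed here)
    if (keep < f.size()) f.resize(keep);
    return f;
}
```

Because no decoder is registered under UDP port 53, the four payload bytes of the sample frame surface as an "Unparsed" layer, the same fate the page describes for traffic NetSniff cannot decode. A frame cut off at 20 bytes stops at the Ethernet layer: the IPv4 decoder refuses the six remaining bytes instead of reading past the buffer, which is the check every such parser needs when it is fed live capture rather than a tidy file.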

Licensing and Terms of Use

The NetSniff source code is made publicly available under the terms and conditions of the GNU General Public License. It can be downloaded here.
Last Updated: Tuesday 26-Jun-2007 13:44:59 EST | Maintained by: Jason But (jbut@swin.edu.au) | Authorised by: Grenville Armitage (garmitage@swin.edu.au)