NetSniff
Introduction
NetSniff is a real-time traffic capture and analysis tool that works across
multiple network layers. It was developed as part of the ICE3 project being
run out of the Centre for Advanced Internet Architectures (CAIA). NetSniff uses the
PCAP library to capture network traffic
on a network interface or from a tcpdump
formatted file. NetSniff then parses the captured traffic at multiple
network layers and produces a detailed set of statistics.
NetSniff also offers data anonymisation
facilities as well as the capability for continuous running using rolling
logs. This is the mode in which NetSniff is used for the
ICE3 project.
From this site you can download and use the NetSniff project, subject to
the licensing terms listed below.
Features
NetSniff is a multi-layered network traffic capture and analysis tool that
provides the following features:
- Decoding of multiple layers of the Protocol Stack.
- Real-time parsing and decoding.
- Anonymisation support for maintaining privacy.
- Correlation across related network applications, even when anonymising
collected data.
- TCP Stream reconstruction.
- Collection of TCP Stream properties (RTT, Jitter, Packet Loss Rate,
Hop Count).
- Running RTT and Jitter estimations for the duration of a TCP Stream -
sampled at configurable time intervals.
- Simple text output files for each decoded protocol.
- Easily configured for continuous logging operation; a running process
can be signalled to roll its logs over.
- All un-parsed traffic dumped to a separate log file in
tcpdump format.
- IP Address anonymisation also applied to unparsed traffic in
tcpdump format.
- Modular C++ Object Oriented design allows
for easy extensibility to support new protocols at any layer.
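The anonymisation, correlation and tcpdump-format bullets above describe what the tool does but not how its address mapping works. The following is an added C++ example, not NetSniff's own code, showing one way those three properties fit together: a keyed, per-run table that always maps the same real IPv4 address to the same pseudonym (so records from the HTTP, DNS and mail decoders can still be correlated after anonymisation), plus a routine that rewrites the addresses inside a raw Ethernet/IPv4 frame and repairs the IPv4 header checksum before the frame is written out unparsed. The class and function names, the splitmix64-based scrambler and the sample frame are all assumptions made for this illustration.

```cpp
// Added example, not NetSniff source: consistent, keyed pseudonymisation of
// IPv4 addresses, applied both to decoded addresses and to raw frames that are
// written out unparsed. The same real address always gets the same pseudonym
// within a run, which keeps records from different decoders correlatable.
#include <cstddef>
#include <cstdint>
#include <unordered_map>
#include <unordered_set>
#include <vector>
using Bytes = std::vector<uint8_t>;

class IpAnonymiser {
    uint64_t key_;                                  // per-run secret; never written to the logs
    std::unordered_map<uint32_t, uint32_t> table_;  // real address -> pseudonym
    std::unordered_set<uint32_t> used_;             // pseudonyms already handed out
    static uint64_t mix(uint64_t x) {               // splitmix64 finaliser used as a keyed scrambler
        x += 0x9E3779B97F4A7C15ULL;
        x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
        x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
        return x ^ (x >> 31);
    }
public:
    explicit IpAnonymiser(uint64_t key) : key_(key) {}
    // Pseudonym for `real`, allocated on first sight. Distinct real addresses
    // always get distinct pseudonyms: a collision bumps to the next free value.
    uint32_t map(uint32_t real) {
        auto it = table_.find(real);
        if (it != table_.end()) return it->second;
        uint32_t pseudo = (uint32_t)mix(key_ ^ real);
        while (!used_.insert(pseudo).second) ++pseudo;
        table_[real] = pseudo;
        return pseudo;
    }
    size_t hosts() const { return table_.size(); }
};

static uint32_t rd32(const Bytes& b, size_t o) {
    return ((uint32_t)b[o] << 24) | ((uint32_t)b[o + 1] << 16) | ((uint32_t)b[o + 2] << 8) | b[o + 3];
}
static void wr32(Bytes& b, size_t o, uint32_t v) {
    b[o] = v >> 24; b[o + 1] = v >> 16; b[o + 2] = v >> 8; b[o + 3] = v;
}
// RFC 1071 one's-complement checksum over `len` bytes; yields 0 when run over a
// header whose checksum field is already correct.
uint16_t ipChecksum(const Bytes& b, size_t off, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint16_t)((b[off + i] << 8) | b[off + i + 1]);
    if (len & 1) sum += (uint16_t)(b[off + len - 1] << 8);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

// Rewrite source and destination of an Ethernet/IPv4 frame in place and repair
// the IPv4 header checksum, as a tcpdump-format writer would before storing the
// frame. Returns false (frame untouched) for anything that is not a complete IPv4 header.
bool anonymiseFrame(IpAnonymiser& a, Bytes& f) {
    if (f.size() < 34 || f[12] != 0x08 || f[13] != 0x00 || (f[14] >> 4) != 4) return false;
    const size_t ip = 14, ihl = (f[ip] & 0x0F) * 4;
    if (ihl < 20 || f.size() < ip + ihl) return false;
    wr32(f, ip + 12, a.map(rd32(f, ip + 12)));      // source address
    wr32(f, ip + 16, a.map(rd32(f, ip + 16)));      // destination address
    f[ip + 10] = f[ip + 11] = 0;                    // checksum field is zero while computing
    const uint16_t c = ipChecksum(f, ip, ihl);
    f[ip + 10] = c >> 8; f[ip + 11] = c & 0xFF;
    return true;
}

// Constructed sample (not captured traffic): Ethernet/IPv4 header for
// 10.0.0.1 -> 192.0.2.7, protocol TCP, no options, no payload, valid checksum.
Bytes sampleIpv4Frame() {
    Bytes f(14, 0);
    f[12] = 0x08;  // EtherType 0x0800 = IPv4
    Bytes ip = {0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 192, 0, 2, 7};
    uint16_t c = ipChecksum(ip, 0, 20);
    ip[10] = c >> 8; ip[11] = c & 0xFF;
    f.insert(f.end(), ip.begin(), ip.end());
    return f;
}
```

Two points a practitioner would check before relying on something like this. First, only the IPv4 header checksum is repaired here; TCP and UDP checksums also cover the addresses through the pseudo-header, so a dump that must pass transport-checksum validation needs those recomputed as well. Second, correlation across rolled logs only holds for as long as the same key (or the same table) stays in use, and neither should ever be written into the anonymised output.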
Protocols Decoded
NetSniff has been developed in C++ using an object-oriented approach.
This means that new protocols can be decoded by adding new classes to the
source code. Another advantage is that the existing decoders can be reused
to parse and analyse protocols that are encapsulated within a newly
supported protocol. TCP is an example: at present TCP is only decoded when
it is discovered within an IPv4 packet, but new code written to support, for
example, the IPv6 protocol could hand its payload to the existing TCP and
application-layer parsers, reusing them to reconstruct TCP streams and
decode the applications they carry.
The current protocols decoded and analysed by NetSniff are:
- Ethernet - An Ethernet frame.
- PPPoE - PPP over Ethernet Session Packets contained within an
Ethernet Frame.
- ARP - ARP Packets contained within an Ethernet Frame.
- IP - IPv4 Packets contained within either an Ethernet Frame or
a PPPoE Session Packet.
- ICMP - ICMP Packets contained within an IP Packet.
- UDP - UDP Packets contained within an IP Packet.
- DNS - DNS Packets contained within a UDP Packet.
- TCP - TCP Streams delivered using IP Packets. The TCP Streams
are reconstructed and the payload bitstream is parsed by different
application parsers.
- HTTP - HTTP web transactions contained within a TCP Stream.
- FTP - FTP transactions contained within a TCP Stream.
- SMTP - SMTP mail transactions contained within a TCP Stream.
- POP3 - POP3 mail transactions contained within a TCP Stream.
- IMAP - IMAP mail transactions contained within a TCP Stream.
- TLS - Secure TLS transactions contained within a TCP Stream.
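The layered, class-per-protocol design described above, as an added C++ example that is not NetSniff's own code. Each protocol is a decoder class; a network-layer decoder keeps a table of transport decoders keyed by protocol number and hands its payload to one of them, so a hypothetical new IPv6 class reuses the existing TCP decoder without touching it. Anything no decoder claims is flagged as unparsed, which is where NetSniff's tcpdump-format dump of un-parsed traffic would take over. The class names (Decoder, NetworkDecoder, Ipv4Decoder, Ipv6Decoder, EthernetDecoder), the functions decodeFrame and sampleFrame, and the sample frames are assumptions for illustration; the frames are constructed, not captured.

```cpp
// Added example, not NetSniff source: a miniature layered decoder in the style
// the page describes. Each protocol is a class, and a network-layer class hands
// its payload to a registered transport decoder, so the hypothetical
// Ipv6Decoder below reuses TcpDecoder unchanged.
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;
static uint16_t be16(const Bytes& b, size_t o) { return (uint16_t)((b[o] << 8) | b[o + 1]); }

struct DecodeResult {
    std::vector<std::string> layers;  // protocol names, outermost first
    uint16_t srcPort = 0, dstPort = 0;
    bool unparsed = false;  // no decoder claimed a layer (NetSniff logs such traffic in tcpdump format)
};
class Decoder {
public:
    virtual ~Decoder() = default;
    // Decode the protocol starting at byte `off`; return false if it does not fit.
    virtual bool decode(const Bytes& b, size_t off, DecodeResult& r) = 0;
};
// Transport layer: knows nothing about the network layer that carried it.
class TcpDecoder : public Decoder {
public:
    bool decode(const Bytes& b, size_t off, DecodeResult& r) override {
        if (b.size() < off + 20) return false;  // minimum TCP header
        r.layers.push_back("TCP");
        r.srcPort = be16(b, off); r.dstPort = be16(b, off + 2);
        return true;
    }
};

// Base for network-layer decoders: transport decoders keyed by protocol number.
class NetworkDecoder : public Decoder {
    std::map<uint8_t, Decoder*> transports_;
public:
    void registerTransport(uint8_t proto, Decoder* d) { transports_[proto] = d; }
    bool dispatch(uint8_t proto, const Bytes& b, size_t off, DecodeResult& r) {
        auto it = transports_.find(proto);
        if (it == transports_.end()) { r.unparsed = true; return false; }
        return it->second->decode(b, off, r);
    }
};
class Ipv4Decoder : public NetworkDecoder {
public:
    bool decode(const Bytes& b, size_t off, DecodeResult& r) override {
        if (b.size() < off + 20 || (b[off] >> 4) != 4) return false;
        size_t ihl = (b[off] & 0x0F) * 4;  // header length including options
        if (ihl < 20 || b.size() < off + ihl) return false;
        r.layers.push_back("IP");
        return dispatch(b[off + 9], b, off + ihl, r);  // Protocol field
    }
};
// Hypothetical new class: fixed 40-byte header, Next Header field at byte 6.
class Ipv6Decoder : public NetworkDecoder {
public:
    bool decode(const Bytes& b, size_t off, DecodeResult& r) override {
        if (b.size() < off + 40 || (b[off] >> 4) != 6) return false;
        r.layers.push_back("IPv6");
        return dispatch(b[off + 6], b, off + 40, r);
    }
};
class EthernetDecoder : public Decoder {
    std::map<uint16_t, Decoder*> byEtherType_;
public:
    void registerEtherType(uint16_t t, Decoder* d) { byEtherType_[t] = d; }
    bool decode(const Bytes& b, size_t off, DecodeResult& r) override {
        if (b.size() < off + 14) return false;
        r.layers.push_back("Ethernet");
        auto it = byEtherType_.find(be16(b, off + 12));
        if (it == byEtherType_.end()) { r.unparsed = true; return false; }
        return it->second->decode(b, off + 14, r);
    }
};

struct DecoderStack {  // wired once; a single TcpDecoder instance serves both network layers
    TcpDecoder tcp; Ipv4Decoder ip4; Ipv6Decoder ip6; EthernetDecoder eth;
    DecoderStack() {
        ip4.registerTransport(6, &tcp); ip6.registerTransport(6, &tcp);  // same instance, no TCP code touched
        eth.registerEtherType(0x0800, &ip4); eth.registerEtherType(0x86DD, &ip6);
    }
};
DecodeResult decodeFrame(const Bytes& frame) {
    static DecoderStack stack;
    DecodeResult r; stack.eth.decode(frame, 0, r); return r;
}

// Constructed sample frame (not captured traffic): zero MACs and addresses, an
// IPv4 or IPv6 header carrying protocol 6, then a TCP header with ports 1234 -> 80.
Bytes sampleFrame(bool v6) {
    Bytes f(14, 0), net(v6 ? 40 : 20, 0), tcp(20, 0);
    f[12] = v6 ? 0x86 : 0x08; f[13] = v6 ? 0xDD : 0x00;  // EtherType
    net[0] = v6 ? 0x60 : 0x45; net[v6 ? 6 : 9] = 6;      // version (+IHL); Next Header / Protocol = TCP
    tcp[0] = 0x04; tcp[1] = 0xD2; tcp[3] = 0x50;         // source port 1234, destination port 80
    f.insert(f.end(), net.begin(), net.end()); f.insert(f.end(), tcp.begin(), tcp.end());
    return f;
}
```

The point to notice is that adding IPv6 touched only two places: a new NetworkDecoder subclass and one registration line in DecoderStack. Every length check happens before a byte is read, which is what keeps a decoder chain like this safe to run on a live interface where truncated and malformed frames are routine.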
Licensing and Terms of Use
The netsniff source code is made publicly available under the terms and
conditions of the GNU General Public License. It can be downloaded here.