NetSniff
NetSniff Usage
NetSniff is executed from the command line with the following options:
./netsniff [-agv] [-i device] [-r file] [-p pid_file] [-d out_dir]
[-m type] [-k keyfile] [-s rate] [filter]
Command Line Parameters
[-v] - CVS version
Output the current CVS dated version of the NetSniff executable.
[-a] - Anonymise Data
Anonymise all captured data. IP addresses will be anonymised using the
algorithm selected with the -m option (described on the anonymisation
subpage). User identifiable strings will be hashed to hide their contents.
[-m type] - IP Address Anonymisation Type
Specifies the type of IP address anonymisation to use. Valid values for
type are:
- cryptopan - Use the Crypto-PAn algorithm, which is prefix-preserving and
makes IP address mappings consistent across multiple execution runs as long
as the same key is used. Use the -k option to specify the file holding the
key. More information is available on the anonymisation subpage.
- nullip - All IP addresses are replaced with 0.0.0.0.
- tcpdriv - This is the default value. IP addresses are anonymised using an
algorithm similar to the -A50 option of tcpdpriv. Note that, unlike
cryptopan, the mapping is not guaranteed to be consistent across separate
execution runs.
[-k keyfile] - Anonymisation Keyfile
Specifies the file from which the keys used to initialise the anonymisation
algorithms are taken. This affects the string anonymisation and, if the
cryptopan mode is specified, the IP address anonymisation. Since the key
determines the mapping, the keyfile should be protected like any other
secret: anyone holding it can reproduce (and hence reverse, by
brute-forcing candidate addresses) the anonymised values.
[-g] - Capture device is a gateway
This option decrements all Hop Count estimates by one to remove the extra
network hop introduced by the presence of the gateway device. It is intended
to be used when the gateway/capturing device is an addition to an existing
network.
[-i device] - Packet Source Device
Specify which network interface to use to capture and analyse network traffic
in real time. This option CANNOT be used with the -r option.
[-r file] - Packet Trace File
Process and analyse captured data from a tcpdump
formatted dump file instead of directly from the network interface. This
option CANNOT be used with the -i option.
[-p pid_file] - NetSniff Process ID Output
Store the process ID of the running NetSniff process in the specified file.
This is particularly useful in a continuous analysing environment. The PID
information can be used to kill or send signals to the running NetSniff
process.
[-d out_dir] - Output Directory
All generated output data files will be created in the specified directory
instead of the current working directory.
[-s rate] - RTT and Jitter Estimation Generation Rate
RTT and Jitter estimation for TCP Streams is calculated using the estimation
algorithm described on the RTT estimation subpage; the algorithm generates an
RTT and Jitter sample for every packet seen in the TCP Stream. The value of
rate is the interval, in milliseconds, over which these per-packet estimates
are averaged before one averaged value is logged for each TCP Stream. A value
of 0 indicates that every estimate will be logged individually. The default
value for this parameter causes an averaged RTT and Jitter estimate to be
logged every 10 milliseconds.
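The following is an added illustration of the -s rate semantics described above; it is not NetSniff's own code and the per-packet samples are constructed. It assumes that an interval with no packets produces no log record and that averaging is a plain arithmetic mean, both of which are assumptions about NetSniff rather than facts stated on this page.

```python
from collections import defaultdict
from statistics import mean

# Constructed per-packet estimates for a single TCP Stream, as the estimation
# algorithm would produce them: (timestamp_ms, rtt_ms, jitter_ms).
SAMPLES = [
    (0.0, 20.0, 1.0),
    (3.0, 22.0, 2.0),
    (9.5, 24.0, 3.0),
    (10.0, 30.0, 1.5),
    (15.0, 28.0, 2.5),
    (31.0, 40.0, 4.0),
]


def log_estimates(samples, rate_ms=10):
    """Return the (interval_start_ms, avg_rtt_ms, avg_jitter_ms) records that
    would be logged for this stream at the given rate.

    rate_ms == 0 logs every per-packet estimate unchanged (the -s 0 case).
    Otherwise estimates are bucketed into consecutive rate_ms-wide intervals
    and one averaged record is emitted per non-empty interval (assumption:
    empty intervals produce no record).
    """
    if rate_ms < 0:
        raise ValueError("rate must be a non-negative number of milliseconds")
    if rate_ms == 0:
        return [(t, rtt, jit) for t, rtt, jit in samples]

    buckets = defaultdict(list)
    for t, rtt, jit in samples:
        buckets[int(t // rate_ms)].append((rtt, jit))

    records = []
    for idx in sorted(buckets):
        rtts = [rtt for rtt, _ in buckets[idx]]
        jits = [jit for _, jit in buckets[idx]]
        records.append((idx * rate_ms, mean(rtts), mean(jits)))
    return records


if __name__ == "__main__":
    print("-s 0 :", log_estimates(SAMPLES, 0))
    print("-s 10:", log_estimates(SAMPLES, 10))
```

With the constructed samples, a rate of 10 collapses six per-packet estimates into three records (intervals starting at 0, 10 and 30 ms; the 20 to 30 ms interval had no packets), while a rate of 0 logs all six. The log volume therefore scales with packet rate at -s 0 but with stream lifetime at any positive rate, which is what makes the positive setting the safer default on a busy link.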
[filter] - Packet Capture Filter
The libpcap filter to apply to all
captured packets. Only packets passed through the filter will be analysed
by NetSniff. The format of this filter is the same as the format for a
tcpdump filter.
Output Files
NetSniff will generate all output files in the specified output directory.
Except for the notparsed.dump file, all output files are in text format.
The generated output files are:
- arp.log - Contains information on all captured ARP Packets.
- icmp.log - All captured ICMP Packets.
- dns.log - All DNS over UDP packets are logged here.
- http.log - All HTTP transactions are logged in this file.
- ftp.log - All FTP transfers are logged in this file.
- smtp.log - All SMTP email transfers are logged here.
- pop3.log - All POP3 email downloads are logged here.
- imap.log - All IMAP email downloads are logged here.
- tlstreams.log - .
- tlssessions.log - .
- tcpstreams.log - TCP Stream information for all TCP Streams that
do not fall into any of the network application categories listed above.
- notparsed.dump - A packet capture dump file in
tcpdump format. This dump file:
- Contains only packets that are not logged as one of the supported
networked applications listed above.
- If NetSniff was run with anonymisation enabled (-a), then
all IP addresses in the logged packets will be anonymised. Note that
packet payloads are not otherwise rewritten, so the snapshot may still
contain identifying data beyond the IP header.
- Only the first 68 bytes of each captured packet are stored.
Note that anonymisation is consistent across all protocols and logged data.
This means (for example) that anonymised IP addresses in a DNS Query/Response
can be matched to anonymised IP address in a subsequent HTTP or FTP transaction.
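The next block is an added example, not NetSniff's code, showing why the cryptopan mode (-m cryptopan with a -k keyfile, described above) gives the cross-protocol consistency this paragraph relies on, and how nullip and string hashing under -a differ from it. It implements the prefix-preserving Crypto-PAn construction (output bit i = input bit i XOR a keyed pseudorandom function of the first i input bits) with HMAC-SHA256 standing in for Crypto-PAn's AES-based PRF; the key material, the log line formats and the addresses are all constructed for the example, and the real keyfile format is not assumed.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed key material standing in for the contents of the -k keyfile.
IP_KEY = b"example-cryptopan-key"
STRING_KEY = b"example-string-hash-key"

# Constructed log lines in the style of dns.log and http.log (the real
# formats are not documented on this page).
DNS_LINE = "dns 192.168.1.10 -> 10.0.0.53 query www.example.com A"
HTTP_LINE = "http 192.168.1.10 -> 93.184.216.34 GET /index.html user=alice"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _prf_bit(key: bytes, prefix_bits: str) -> int:
    """One pseudorandom bit derived from the key and an input prefix.
    HMAC-SHA256 replaces Crypto-PAn's AES PRF here (assumption)."""
    digest = hmac.new(key, prefix_bits.encode(), hashlib.sha256).digest()
    return digest[0] & 1


def anonymise_ip(addr: str, mode: str = "cryptopan", key: bytes = IP_KEY) -> str:
    """Anonymise one IPv4 address in the given -m mode.

    cryptopan: prefix-preserving and deterministic for a fixed key, so the
    same real address maps to the same anonymised address in every log.
    nullip: every address becomes 0.0.0.0, destroying all correlation.
    """
    if mode == "nullip":
        return "0.0.0.0"
    if mode != "cryptopan":
        raise ValueError(f"unsupported anonymisation mode: {mode}")
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    out = []
    for i in range(32):
        # The flip for bit i depends only on bits 0..i-1, which is what
        # preserves shared prefixes between related addresses.
        out.append(str(int(bits[i]) ^ _prf_bit(key, bits[:i])))
    return str(ipaddress.IPv4Address(int("".join(out), 2)))


def hash_string(value: str, key: bytes = STRING_KEY) -> str:
    """Keyed hash for user-identifiable strings; truncated for readability."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def anonymise_line(line: str, mode: str = "cryptopan") -> str:
    """Rewrite every IPv4 address in a log line in the chosen mode."""
    return IPV4_RE.sub(lambda m: anonymise_ip(m.group(0), mode), line)


def common_prefix_bits(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses share."""
    x = format(int(ipaddress.IPv4Address(a)), "032b")
    y = format(int(ipaddress.IPv4Address(b)), "032b")
    n = 0
    while n < 32 and x[n] == y[n]:
        n += 1
    return n


if __name__ == "__main__":
    print(anonymise_line(DNS_LINE))
    print(anonymise_line(HTTP_LINE))
    print(anonymise_line(HTTP_LINE, "nullip"))
    print("user=" + hash_string("alice"))
```

Run as shown, the client address 192.168.1.10 is replaced by the same anonymised address in both the DNS and the HTTP line, so the query can still be matched to the later transaction, and two hosts on the same /24 keep a shared /24 in the output. That consistency is the property the operator wants for analysis, but it is also the property an adversary holding the keyfile (or able to inject traffic to known addresses and observe the mapping) exploits to de-anonymise the trace; nullip gives up the correlation for stronger privacy.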