-
Notifications
You must be signed in to change notification settings - Fork 50
/
related.html
1288 lines (1186 loc) · 75.9 KB
/
related.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!DOCTYPE html>
<html lang="en">
<!-- HEAD -->
<head>
<meta charset="utf-8">
<title>See also | TCPDUMP & LIBPCAP</title>
<meta name="description" content="Web site of Tcpdump and Libpcap">
<link href="style.css" rel="stylesheet" type="text/css" media="screen">
<link href="images/T-32x32.png" rel="shortcut icon" type="image/png">
</head>
<!-- END OF HTML HEAD -->
<!-- BODY -->
<body>
<!-- TOP MENU -->
<div id="menu">
<ul>
<li><a href="index.html">Home</a></li>
<li><a href="security.html">Security</a></li>
<li><a href="faq.html">FAQ</a></li>
<li><a href="manpages/">Man Pages</a></li>
<li><a href="ci.html">CI</a></li>
<li><a href="linktypes.html">Link-Layer Header Types</a></li>
<li><a href="bpfexam/">BPF Exam</a></li>
<li class="current_page_item"><a href="related.html">See Also</a></li>
<li><a href="old_releases.html">Old Releases</a></li>
</ul>
</div>
<!-- END OF TOP MENU -->
<!-- PAGE HEADER -->
<div id="splash">
<br><img src="images/logo.png" alt="">
</div>
<div id="logo">
<hr>
</div>
<!-- END OF PAGE HEADER -->
<!-- PAGE CONTENTS -->
<div id="page">
<!-- Start of RELATED DOCUMENTS section -->
<div class="post">
<h2 class="title">
Related Documents and Resources
</h2>
<div class="entry">
<dl>
<dt>
<a href="papers/sigcomm99bpf+.ps.gz">
BPF+: Exploiting Global Data-flow Optimization in
a Generalized Packet Filter Architecture</a>
[<a href="papers/sigcomm99bpf+.pdf">PDF version</a>]
</dt>
<dd>
By Andrew Begel, Steven McCanne, and Susan Graham.
</dd>
<dt>
<a class=away href="https://pdos.csail.mit.edu/~engler/dpf.html">DPF</a>
</dt>
<dd>
A paper presented at SIGCOMM '96 on an enhanced version of BPF.
</dd>
<dt>
<a href="wpcap.html">Win32 info</a>
</dt>
<dd>
An extract of a message from Guy Harris on state of WinPcap and WinDump.
</dd>
<dt>
<a href="libpcap-module-HOWTO.html">How to write a libpcap module</a>
</dt>
<dd>
A draft HOWTO by Guy Harris.
</dd>
<dt>
<a class=away href="https://caesar0301.github.io/awesome-pcaptools/">Awesome PCAP Tools</a>
</dt>
<dd>
A list of various projects related to network traffic research.
It currently includes the following groups: Linux commands, traffic
capture, traffic analysis/inspection, DNS utilities, file
extraction and related projects.
</dd>
<dt>
<a class=away href="https://www.netresec.com/?page=PcapFiles">Publicly available PCAP files</a>
</dt>
<dd>
This is a list of public packet capture repositories, which
are freely available on the Internet. Most of the sites
listed below share Full Packet Capture (FPC) files, but some
do unfortunately only have truncated frames.
</dd>
</dl>
<p>
Below you can find a few projects that are related to tcpdump or libpcap
in some way. If you think some project should be in this list, please
either open a pull request as explained
<a href="https://github.com/the-tcpdump-group/tcpdump-htdocs/blob/master/README.md">here</a> or
subscribe to the <a href="index.html#mailing-lists">mailing list</a> and
make your input there. The new entry should include the name of the
project, a brief (between 200 and 500 characters) description and a link
to the project page.
</p>
</div>
</div>
<!-- End of RELATED DOCUMENTS section -->
<!-- Start of RELATED SOFTWARE (LIBRARIES) section -->
<div class="post">
<h2 class="title">
Related Software (Libraries)
</h2>
<div class="entry">
<dl>
<dt>
<a class=away href="https://github.com/libnet/libnet">LibNet</a>
</dt>
<dd>
Libnet is a collection of routines to help with the construction and
handling of network packets. It provides a portable framework for
low-level network packet shaping, handling and injection. Libnet
features portable packet creation interfaces at the IP layer and link
layer, as well as a host of supplementary and complementary
functionality. Using libnet, quick and simple packet assembly
applications can be whipped up with little effort.
</dd>
<dt>
<a class=away href="https://scapy.net/">Scapy</A>
</dt>
<dd>
Scapy is a powerful interactive packet manipulation program.
It is able to forge or decode packets
of a wide number of protocols, send
them on the wire, capture them, match
requests and replies, and much
more. It can easily handle most
classical tasks like scanning,
tracerouting, probing, unit tests,
attacks or network discovery (it can
replace hping, 85% of nmap, arpspoof,
arp-sk, arping, tcpdump, tethereal,
p0f, etc.). It also performs very well
at a lot of other specific tasks that
most other tools can't handle, like
sending invalid frames, injecting your
own 802.11 frames, combining techniques
(VLAN hopping+ARP cache poisoning,
VoIP decoding on WEP encrypted
channel, …), etc.
</dd>
<dt>
<a class=away href="https://code.google.com/archive/p/libcrafter">libcrafter</a>
</dt>
<dd>
Libcrafter is a high level library for
C++ designed to make easier the creation
and decoding of network packets. It is
able to craft or decode packets of most
common network protocols, send them on
the wire, capture them and match requests
and replies.
</dd>
<dt>
<a class=away href="https://pcapplusplus.github.io">PcapPlusPlus</a>
</dt>
<dd>
A multiplatform C++ network sniffing, packet parsing and crafting framework.
It provides a lightweight, easy-to-use and efficient C++ wrapper for
libpcap and WinPcap.
</dd>
<dt>
<a class=away href="https://npcap.com/">Npcap</a>
</dt>
<dd>
Npcap is the Nmap Project's packet capture (and sending) library
for Microsoft Windows. Npcap began in 2013 as some improvements
to the (now discontinued) WinPcap library, but has been largely
rewritten since then with hundreds of releases improving Npcap's
speed, portability, security, and efficiency.
</dd>
<dt>
<a class=away href="https://github.com/dotpcap/sharppcap">SharpPcap</a>
</dt>
<dd>
A fully managed, cross platform (Windows, Mac, Linux) .NET library
for capturing packets from live and file based devices.
</dd>
<dt>
<a class=away href="https://github.com/google/gopacket/">GoPacket</a>
</dt>
<dd>
This library provides packet decoding capabilities for
Go. It contains many sub-packages with additional
functionality, including C bindings to use
libpcap/<code>PF_RING</code>/<code>AF_PACKET</code> to
read packets off the wire. Originally forked from the
gopcap project written by Andreas Krennmair.
</dd>
<dt>
<a class=away href="https://github.com/kisom/pypcapfile">pypcapfile</a>
</dt>
<dd>
pypcapfile is a pure Python library for handling libpcap savefiles.
</dd>
<dt>
<a class=away href="http://libtins.github.io/">libtins</a>
</dt>
<dd>
libtins is a high-level, multiplatform C++ network packet sniffing
and crafting library. Its main purpose is to provide the C++
developer an easy, efficient, platform and endianness-independent
way to create tools which need to send, receive and manipulate
network packets.
</dd>
<dt>
<a class=away href="https://github.com/vitoshalabs/ruby-pcap">ruby-pcap</a>
</dt>
<dd>
ruby-pcap is a ruby extension to libpcap. This library also
includes classes to access TCP/IP header.
</dd>
<dt>
<a class=away href="https://www.pcap4j.org/">Pcap4J</a>
</dt>
<dd>
Pcap4J is a Java library for capturing, crafting and sending packets.
Pcap4J wraps a native packet capture library (libpcap, WinPcap, or
Npcap) via JNA and provides you Java-oriented APIs.
</dd>
<dt>
<a class=away href="https://lib.rs/crates/pcap">rust-pcap</a>
</dt>
<dd>
This is a Rust language crate for accessing the packet sniffing
capabilities of libpcap (or Npcap on Windows). It implements
the following features:
<ul>
<li>list devices</li>
<li>open capture handle on a device or savefiles</li>
<li>get packets from the capture handle</li>
<li>filter packets using BPF programs</li>
<li>list/set/get datalink link types</li>
<li>configure some parameters like promiscuity and buffer length</li>
<li>write packets to savefiles</li>
<li>inject packets into an interface</li>
</ul>
</dd>
<dt>
<a class=away href="https://netdude.sourceforge.net/doco/libpcapnav/">libpcapnav</a>
</dt>
<dd>
libpcapnav is a libpcap wrapper library that allows navigation
to arbitrary locations in a tcpdump trace file between reads.
The API is intentionally much like that of the pcap library. You
can navigate in trace files both in time and space: you can jump
to a packet which is at appr. 2/3 of the trace, or you can jump
as closely as possible to a packet with a given timestamp, and
then read packets from there. In addition, the API provides
convenience functions for manipulating <code>timeval</code>
structures.
</dd>
<dt>
<a class=away href="https://pcap.ardikars.com/">Pcap Project</a>
</dt>
<dd>
Pcap Project provides a packet processing library for rapid
development on top of JVM languages (Java, Kotlin, Scala, Groovy,
Clojure, JRuby and Jython).
</dd>
<dt>
<a class=away href="https://github.com/pcaprub/pcaprub">pcaprub</a>
</dt>
<dd>
This goal of this project is to provide a consistent Ruby
interface to the libpcap packet capture library.
</dd>
<dt>
<a class=away href="https://metacpan.org/dist/Net-Pcap">Net::Pcap</a>
</dt>
<dd>
The Net::Pcap module is a Perl binding to libpcap.
</dd>
<dt>
<a class=away href="https://github.com/helpsystems/pcapy">Pcapy</a>
</dt>
<dd>
Pcapy is a Python extension module that enables software
written in Python to access the routines from the pcap packet
capture library. Pcapy works with Python threads, works both
on Unix-like OSes and Windows, provides a simple object
oriented API.
</dd>
</dl>
</div>
</div>
<!-- End of RELATED SOFTWARE (LIBRARIES) section -->
<!-- Start of RELATED SOFTWARE (FILE PROCESSING) section -->
<div class="post">
<h2 class="title">
Related Software (File Processing)
</h2>
<div class="entry">
<dl>
<dt>
<a href="https://github.com/the-tcpdump-group/tcpslice">TCPslice</a>
</dt>
<dd>
TCPslice is a tool for extracting portions of packet
trace files generated using tcpdump's <code>-w</code> flag. It
can combine multiple trace files, and/or extract
portions of one or more traces based on time.
TCPslice originally comes from LBL and now is
maintained by The Tcpdump Group.
</dd>
<dt>
<a class=away href="https://sourceforge.net/projects/open-tcptrace/">TCPTrace</a>
</dt>
<dd>
TCPTrace analyzes the behavior of captured TCP streams, and accepts
many trace file formats (including pcap). It provides connection
statistics and several types of graphs, including the widely-used
time-sequence graphs.
</dd>
<dt>
<a class=away href="http://netdude.sourceforge.net/">NetDude</a>
</dt>
<dd>
netdude (NETwork DUmp data Displayer and Editor).
From their webpage, "it is a GUI-based tool that
allows you to make detailed changes to packets in
tcpdump tracefiles."
</dd>
<dt>
<a class=away href="http://www.xplot.org/">Xplot</a>
</dt>
<dd>
The program xplot was written in the late 1980s to support the analysis of TCP packet traces.
</dd>
<dt>
<a class=away href="https://www.vanheusden.com/multitail/">Multitail</a>
</dt>
<dd>
MultiTail now has a colorscheme included for monitoring the tcpdump
output. It can also filter, convert timestamps to timestrings and much
more.
</dd>
<dt>
<a class=away href="http://f00l.de/pcapfix/">pcapfix</a>
</dt>
<dd>
pcapfix is a repair tool for corrupted pcap and pcapng files. It checks
for an intact pcap global header and packet block and repairs it if there
are any corrupted bytes. If a header is not present, one is created and
added to the beginning of the file. It then tries to find pcap packet
headers or packet blocks, and checks and repairs them.
</dd>
<dt>
<a class=away href="https://www.radare.org/">Radare2</a>
</dt>
<dd>
A free/libre toolchain for easing several low level
tasks like forensics, software reverse engineering,
exploiting, debugging… Radare2 can process
compiled BPF bytecode.
</dd>
<dt>
<a class=away href="https://www.read.seas.harvard.edu/~kohler/ipsumdump/">ipsumdump</a>
</dt>
<dd>
The ipsumdump program summarizes TCP/IP dump files into
a self-describing ASCII format easily readable by
humans and programs. Ipsumdump can read packets from
network interfaces, from .pcap files, and from existing
ipsumdump files. It will transparently uncompress
.pcap or ipsumdump files when necessary. It can
randomly sample traffic, filter traffic based on its
contents, anonymize IP addresses, and sort packets from
multiple dumps by timestamp. Also, it can optionally
create a .pcap file containing actual packet data.
</dd>
<dt>
<a class=away href="https://f00l.de/netmate/">netmate</a>
</dt>
<dd>
Netmate is a GTK+ program that shows network protocols
headers in 32-bit aligned fields, identical as they are
represented in Request for Comments (RFCs). It can be
used to learn and teach about network protocols and to
understand their functionality and collaboration. This
tool supports input files in pcap(ng) format as they
are created by tcpdump, wireshark or other code based
on libpcap.
</dd>
<dt>
<a class=away href="https://github.com/edmonds/pcaputils">pcaputils</a>
</dt>
<dd>
pcaputils includes the following libpcap-based utilities:
<ul>
<li>pcapip: filters an input pcap file based on a file containing IP addresses</li>
<li>pcappick: picks specific frames out of a pcap by number</li>
<li>pcapuc: prints unique src IPs, dst IPs, or {src, dst} IP pairs witnessed</li>
<li>pcapdump: a dedicated packet capture utility similar to dumpcap, but with
additional features</li>
</ul>
</dd>
<dt>
<a class=away href="https://www.netresec.com/?page=TrimPCAP">TrimPCAP</a>
</dt>
<dd>
TrimPCAP is a free open source tool that reduces the
size of capture files in an intelligent way. With
reduced storage needs comes longer retention periods.
TrimPCAP has been shown to reduce most PCAP datasets
by over 90 percent!
</dd>
<dt>
<a class=away href="https://www.icir.org/mallman/software/tcpsplit/">tcpsplit</a>
</dt>
<dd>
The tcpsplit utility breaks a single libpcap packet trace into
some number of sub-traces, breaking the trace along TCP
connection boundaries so that a TCP connection doesn't end up
split across two sub-traces. This is useful for making large
trace files tractable for in-depth analysis and for subsetting
a trace for developing analysis on only part of a trace.
</dd>
<dt>
<a class=away href="https://www.dns-oarc.net/tools/packetq">PacketQ</a>
</dt>
<dd>
packetq is a command line tool to run SQL queries directly on
PCAP files, the results can be outputted as JSON (default),
formatted/compact CSV and XML. It also contains a very
simplistic web-server in order to inspect PCAP files remotely.
</dd>
<dt>
<a class=away href="https://github.com/Cisco-Talos/file2pcap">file2pcap</a>
</dt>
<dd>
file2pcap creates a pcap file from any input file, simulating
this file in transit, using various protocols and encodings.
The resulting pcap file can then be used to create or test Snort
rules. Supported protocols: HTTP, HTTP/2, HTTP POST,
SMTP/POP3/IMAP, FTP, IPv6.
</dd>
</dl>
</div>
</div>
<!-- End of RELATED SOFTWARE (FILE PROCESSING) section -->
<!-- Start of RELATED SOFTWARE (INTRUSION DETECTION) section -->
<div class="post">
<h2 class="title">
Related Software (Intrusion Detection)
</h2>
<div class="entry">
<dl>
<dt>
<a class=away href="https://code.google.com/archive/p/socket-sentry">Socket Sentry</a>
</dt>
<dd>
Socket Sentry is a real-time network traffic
monitor for KDE Plasma in the same spirit as
tools like iftop and netstat.
</dd>
<dt>
<a class=away href="https://www.snort.org/">snort</a>
</dt>
<dd>
Snort is an open source network intrusion prevention
and detection system (IDS/IPS) developed by Sourcefire.
Combining the benefits of signature, protocol and
anomaly-based inspection, Snort is the most widely
deployed IDS/IPS technology worldwide. With millions
of downloads and approximately 300,000 registered
users, Snort has become the de facto standard for
IPS.
</dd>
<dt>
<a class=away href="https://zeek.org/">Zeek</a>
</dt>
<dd>
Zeek (formerly Bro) is an open-source, Unix-based Network Intrusion
Detection System (NIDS) that passively monitors
network traffic and looks for suspicious activity.
Zeek detects intrusions by first parsing network
traffic to extract its application-level semantics
and then executing event-oriented analyzers that
compare the activity with patterns deemed
troublesome. Its analysis includes detection of
specific attacks (including those defined by
signatures, but also those defined in terms of
events) and unusual activities (e.g., certain
hosts connecting to certain services, or patterns
of failed connection attempts).
</dd>
<dt>
<a class=away href="https://suricata.io/">Suricata</a>
</dt>
<dd>
Suricata is a high performance Network IDS, IPS and Network
Security Monitoring engine.
</dd>
<dt>
<a class=away href="https://arpon.sourceforge.io/">ArpON</a>
</dt>
<dd>
ArpON (ARP handler inspection) is a host-based solution that makes
the ARP standardized protocol secure in order to avoid
man-in-the-middle (MITM) attacks through ARP spoofing, ARP cache
poisoning or ARP poison routing.
</dd>
</dl>
</div>
</div>
<!-- End of RELATED SOFTWARE (INTRUSION DETECTION) section -->
<!-- Start of RELATED SOFTWARE (PACKET CAPTURE AND ANALYSIS) section -->
<div class="post">
<h2 class="title">
Related Software (Packet Capture and Analysis)
</h2>
<div class="entry">
<dl>
<dt>
<a class=away href="https://etherape.sourceforge.io/">EtherApe</a>
</dt>
<dd>
EtherApe is a graphical network monitor for Unix modeled after
etherman. Featuring link layer, ip and TCP modes, it displays
network activity graphically. Hosts and links change in size
with traffic. Color coded protocols display. It supports
Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can
filter traffic to be shown, and can read traffic from a file as
well as live from the network.
</dd>
<dt>
<a class=away href="https://github.com/simsong/tcpflow">tcpflow</a>
</dt>
<dd>
tcpflow is a program that captures data transmitted as part of TCP
connections (flows), and stores the data in a way that is convenient for
protocol analysis or debugging. A program like 'tcpdump' shows a
summary of packets seen on the wire, but usually doesn't store the data
that's actually being transmitted. In contrast, tcpflow reconstructs
the actual data streams and stores each flow in a separate file for
later analysis.
</dd>
<dt>
<a class=away href="https://www.ntop.org/">Network Top</a>
</dt>
<dd>
ntop is a network traffic probe that shows the
network usage, similar to what the popular top
Unix command does. ntop is based on libpcap and
it has been written in a portable way in order
to virtually run on every Unix platform and on
Win32 as well.
</dd>
<dt>
<a class=away href="https://www.wireshark.org">Wireshark</a>
</dt>
<dd>
A free network protocol analyzer for Unix and Windows. It allows
you to examine data from a live network or from a capture file on
disk. You can interactively browse the capture data, viewing summary
and detail information for each packet. Wireshark has several powerful
features, including a rich display filter language and the ability
to view the reconstructed stream of a TCP session.
</dd>
<dt>
<a class=away href="https://www.caida.org/tools/measurement/coralreef/">CoralReef</a>
</dt>
<dd>
CoralReef is a software suite developed by
<a class=away href="https://www.caida.org/">CAIDA</a> to analyze data collected
by passive Internet traffic monitors. It provides a programming
library libcoral, similar to libpcap with extensions for ATM and
other network types, which is available from both C and Perl. The
software presently supports dedicated PC boxes using OC3mon and
OC12mon cards that collect traffic data in real time, as well as
reading from pcap tracefiles. CoralReef
supports listening via BPF-enabled devices. CoralReef includes
drivers, analysis, web report generation, examples, and capture
software. This package is maintained by CAIDA developers with the
support and collaboration of the Internet measurement community.
</dd>
<dt>
<a class=away href="https://frenchfries.net/paul/tcpstat/">TCPstat</a>
</dt>
<dd>
tcpstat reports certain network interface statistics much like vmstat
does for system statistics. tcpstat gets its information by either
monitoring a specific interface, or by reading previously saved tcpdump
data from a file.
</dd>
<dt>
<a class=away href="https://github.com/six-ddc/httpflow">httpflow</a>
</dt>
<dd>
Packet capture and analysis utility similar to tcpdump for HTTP.
</dd>
<dt>
<a class=away href="https://github.com/adulau/ssldump">ssldump</a>
</dt>
<dd>
ssldump is an SSLv3/TLS network protocol analyzer. It
identifies TCP connections on the chosen network
interface and attempts to interpret them as SSLv3/TLS
traffic. When it identifies SSLv3/TLS traffic, it
decodes the records and displays them in a textual form
to stdout. If provided with the appropriate keying
material, it will also decrypt the connections and
display the application data traffic. It also includes
a JSON output option, supports JA3 and IPv6.
</dd>
<dt>
<a class=away href="https://www.ex-parrot.com/pdw/iftop/">iftop</a>
</dt>
<dd>
iftop does for network usage what <b>top</b>(1) does for CPU usage. It
listens to network traffic on a named interface and displays a table
of current bandwidth usage by pairs of hosts. Handy for answering
the question "why is our ADSL link so slow?".
</dd>
<dt>
<a class=away href="https://biot.com/capstats/">capstats by Bert Vermeulen</a>
</dt>
<dd>
Capstats generates byte and packet counters based on a Berkeley
Packet Filter (BPF) expression. The basic model is that you run
capstats as a daemon (as root), and it will then take commands from
a client. Using a client, you can create new capture sessions,
modify them, pull up stats on running sessions, and so on.
</dd>
<dt>
<a class=away href="https://github.com/zeek/capstats">capstats by Zeek Project</a>
</dt>
<dd>
capstats is a small tool to collect statistics on the current load
of a network interface, using either libpcap or the native interface
for Endace hardware. It reports statistics per time interval and/or
for the tool's total run-time.
</dd>
<dt>
<a class=away href="http://www.pmacct.net/">pmacct</a>
</dt>
<dd>
pmacct is a small set of multi-purpose passive network monitoring tools.
It can account, classify, aggregate, replicate and export forwarding-plane
data, i.e. IPv4 and IPv6 traffic; collect and correlate control-plane data
via BGP and BMP; collect and correlate RPKI data; collect infrastructure
data via Streaming Telemetry. Each component works both as a standalone
daemon and as a thread of execution for correlation purposes (i.e. enrich
NetFlow with BGP data).
</dd>
<dt>
<a class=away href="https://github.com/jpr5/ngrep">ngrep</a>
</dt>
<dd>
ngrep is like GNU grep applied to the network layer.
It's a PCAP-based tool that allows you to specify an
extended regular or hexadecimal expression to match
against data payloads of packets. It understands many
kinds of protocols, including IPv4/6, TCP, UDP,
ICMPv4/6, IGMP and Raw, across a wide variety of
interface types, and understands BPF filter logic in
the same fashion as more common packet sniffing tools,
such as tcpdump and snoop.
</dd>
<dt>
<a class=away href="https://www.voipmonitor.org/">VoIPmonitor</a>
</dt>
<dd>
VoIPmonitor is an open source network packet sniffer
with commercial frontend for SIP, RTP, RTCP, SKINNY
(SCCP), MGCP and WebRTC VoIP protocols running on
Linux. VoIPmonitor is designed to analyze quality of
VoIP calls based on network parameters—delay
variation and packet loss according to ITU-T G.107
E-model, which predicts quality on MOS scale. Calls
with all relevant statistics are saved to a MySQL
database. Optionally each call can be saved to a .pcap
file with either only SIP protocol or
SIP/RTP/RTCP/T.38/udptl protocols.
</dd>
<dt>
<a class=away href="https://github.com/eldadru/ksniff">ksniff</a>
</dt>
<dd>
A kubectl plugin that utilizes tcpdump and Wireshark to start a
remote capture on any pod in your Kubernetes cluster. You get the
full power of Wireshark with minimal impact on your running pods.
</dd>
<dt>
<a class=away href="https://pcapsipdump.sourceforge.net/">pcapsipdump</a>
</dt>
<dd>
An open-source libpcap-based SIP sniffer. Listens on a network
interface and saves SIP/RTP sessions to files. Each session goes
in a separate, fancy-named .pcap file. Those could be opened with
tcpdump, wireshark and friends.
</dd>
<dt>
<a class=away href="https://arkime.com/">Arkime</a>
</dt>
<dd>
Arkime augments your current security infrastructure to store and
index network traffic in standard PCAP format, providing fast,
indexed access. An intuitive and simple web interface is provided
for PCAP browsing, searching, and exporting. Arkime exposes APIs
which allow for PCAP data and JSON formatted session data to be
downloaded and consumed directly.
</dd>
<dt>
<a class=away href="https://github.com/mainini/vlandump">vlandump</a>
</dt>
<dd>
vlandump is a small utility for capturing network traffic and
aggregating found VLAN-tags (if any). Found tags can then be
sorted and displayed.
</dd>
<dt>
<a class=away href="http://dns.measurement-factory.com/tools/dnstop/">dnstop</a>
</dt>
<dd>
dnstop is a libpcap application (like tcpdump) that displays various
tables of DNS traffic on your network. dnstop supports both IPv4
and IPv6 addresses. To help find especially undesirable DNS
queries, dnstop provides a number of filters. dnstop can either read
packets from the live capture device, or from a pcap savefile.
</dd>
<dt>
<a class=away href="https://github.com/irino/softflowd">softflowd</a>
</dt>
<dd>
softflowd is a flow-based network monitor. It listens promiscuously
on a network interface and semi-statefully tracks network flows.
These flows can be reported using NetFlow version 1, 5 or 9 datagrams.
softflowd is fully IPv6 capable: it can track IPv6 flows and export
to IPv6 hosts.
</dd>
<dt>
<a class=away href="https://ee.lbl.gov/downloads/arpwatch/">arpwatch</a>
</dt>
<dd>
arpwatch is a computer software tool for monitoring Address
Resolution Protocol traffic on a computer network. It generates
a log of observed pairing of IP addresses with MAC addresses
along with a timestamp when the pairing appeared on the network.
It also has the option of sending an e-mail to an administrator
when a pairing changes or is added.
</dd>
<dt>
<a class=away href="https://github.com/fln/addrwatch">addrwatch</a>
</dt>
<dd>
Addrwatch is a tool similar to arpwatch. It main purpose is to
monitor network and log discovered Ethernet/IP address pairings.
Addrwatch is extremely useful in networks with IPv6
autoconfiguration (RFC 4862) enabled. It allows to track IPv6
addresses of hosts using IPv6 privacy extensions (RFC 4941).
The main difference between arpwatch and addrwatch is the format
of output files.
</dd>
<dt>
<a class=away href="https://github.com/mwarning/device-observatory/">Device Observatory</a>
</dt>
<dd>
Device Observatory shows the activities of WiFi devices on
a network on a local website. It is meant to raise the
awareness for private data leaking from devices such as
smartphones. Features:
<ul>
<li>Devices accessing the info page only see own data
(except for the local host).</li>
<li>Shows MAC address, DHCP device host name, device
manufacturer.</li>
<li>Shows accessed domains, IP addresses and ports.</li>
<li>Shows first/last time a website was accessed.</li>
<li>Show SSIDs from active scanning.</li>
<li>Show traffic by destination.</li>
</ul>
</dd>
<dt>
<a class=away href="https://github.com/lemoer/bpfcountd">bpfcountd</a>
</dt>
<dd>
This daemon was created to obtain packet statistics in larger
networks without stressing the CPU resources. bpfcountd will
count the amount of packets and bytes over time (for each
defined rule). The rules are defined using the libpcap filter
syntax (BPF). The collected data is provided on Unix socket
in plaintext.
</dd>
<dt>
<a class=away href="https://bitbucket.org/caia-swin/spp/">SPP</a>
</dt>
<dd>
This software is a flexible, standalone packet processor that
implements the SPP algorithm. RTT calculations can be generated
from saved PCAP format files or local or remote interfaces in
real time.
</dd>
<dt>
<a class=away href="https://www.dns-oarc.net/tools/dnscap">dnscap</a>
</dt>
<dd>
dnscap is a network capture utility designed specifically for DNS
traffic. It produces binary data in pcap format. This utility
is similar to tcpdump, but has a number of features tailored to
DNS transactions and protocol options. Some of its features
include:
<ul>
<li>Understands both IPv4 and IPv6.</li>
<li>Captures UDP, TCP, and IP fragments.</li>
<li>Collects only queries, responses, or both.</li>
<li>Collects for only certain source/destination addresses.</li>
<li>Periodically creates new pcap files.</li>
<li>Spawns an upload script after closing a pcap file.</li>
<li>Will start and stop collecting at specific times.</li>
</ul>
</dd>
<dt>
<a class=away href="https://github.com/resurrecting-open-source-projects/sniffit">sniffit</a>
</dt>
<dd>
sniffit is a packet sniffer for TCP/UDP/ICMP packets over IPv4.
It is able to give you a very detailed technical info on these
packets, as SEQ, ACK, TTL, Window, etc. The packet contents also
can be viewed, in different formats (hex or plain text, etc.).
</dd>
<dt>
<a class=away href="https://cybermaggedon.github.io/cyberprobe-docs/">Cyberprobe</a>
</dt>
<dd>
Cyberprobe is a network [deep] packet inspection toolkit for
real-time monitoring of networks. This has applications in
network monitoring, intrusion detection, forensic analysis, and as
a defensive platform. Cyberprobe packet inspection works on
physical networks, and also in cloud VPCs. There are features
that allow cloud-scale deployments. This is not a single,
monolithic intrusion detection toolkit which does everything you
want straight out of the box. Instead, Cyberprobe is a set of
flexible components which can be combined in many ways to manage a
wide variety of packet inspection tasks.
</dd>
<dt>
<a class=away href="https://github.com/raboof/nethogs">NetHogs</a>
</dt>
<dd>
NetHogs is a small "net top" tool. Instead of breaking the traffic
down per protocol or per subnet, like most tools do, it groups
bandwidth by process. NetHogs does not rely on a special kernel
module to be loaded. If there's suddenly a lot of network traffic,
you can fire up NetHogs and immediately see which PID is causing
this. This makes it easy to identify programs that have gone wild
and are suddenly taking up your bandwidth. Since NetHogs heavily
relies on <code>/proc</code>, most features are only available on
Linux. NetHogs can be built on Mac OS X and FreeBSD, but it will
only show connections, not processes.
</dd>
<dt>
<a class=away href="https://github.com/kpcyrd/sniffglue">sniffglue</a>
</dt>
<dd>
sniffglue is a network sniffer written in Rust. Network packets
are parsed concurrently using a thread pool to utilize all CPU
cores. Project goals are that you can run sniffglue securely on
untrusted networks and that it must not crash when processing
packets. The output should be as useful as possible by default.
</dd>
<dt>
radsniff (part of <a class=away href="https://www.freeradius.org/">FreeRADIUS</a>)
</dt>
<dd>
radsniff is a simple wrapper around libpcap. It can also print
out the contents of RADIUS packets using the FreeRADIUS
dictionaries.
</dd>
</dl>
</div>
</div>
<!-- End of RELATED SOFTWARE (PACKET CAPTURE AND ANALYSIS) section -->
<!-- Start of RELATED SOFTWARE (VARIOUS) section -->
<div class="post">
<h2 class="title">
Related Software (Various)
</h2>
<div class="entry">
<dl>
<dt>
<a class=away href="https://bittwist.sourceforge.io/">Bit-Twist</a>
</dt>
<dd>
Bit-Twist is a powerful libpcap-based Ethernet packet generator
and editor, written in POSIX-compliant C, designed to complement
tcpdump by replaying captured traffic from pcap files onto live
networks. It supports Windows (using Npcap), Linux, BSD, and macOS,
allowing the editing of key fields in Ethernet, ARP, IPv4, IPv6,
ICMP, and TCP/UDP headers. It can also generate pcap files from
its built-in templates, enabling packet creation without existing
capture files, along with payload generation from uniformly
distributed random bytes or fixed bytes, such as hex streams from
Wireshark. Ideal for testing firewalls, IDS, IPS, routers,
switches, load balancers, and other network equipment, it delivers
performance that matches the line rate of your NIC, up to 10Gbps.
</dd>
<dt>
<a class=away href="https://tcpreplay.appneta.com/">tcpreplay</a>
</dt>
<dd>
Tcpreplay is a suite of free Open Source utilities for editing
and replaying previously captured network traffic. Originally
designed to replay malicious traffic patterns to Intrusion
Detection/Prevention Systems, it has seen many evolutions including
capabilities to replay to web servers. Tcpreplay includes
tcpcapinfo, a tool for decoding the structure of a pcap file with
a focus on finding broken pcap files and determining how two
related pcap files might differ.
</dd>
<dt>
<a class=away href="http://netsniff-ng.org/">netsniff-ng</a>