netsniff-ng
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/netsniff-ng.
From http://netsniff-ng.org:
netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing if you will. Its gain of performance is reached by zero-copy mechanisms, so that on packet reception and transmission the kernel does not need to copy packets from kernel space to user space and vice versa.
Security Onion uses netsniff-ng to collect full packet capture in the form of pcap files.
netsniff-ng writes full packet capture in the form of pcap files to:
/nsm/sensor_data/HOSTNAME-INTERFACE/dailylogs/YYYY-MM-DD/
where:
- HOSTNAME is your actual hostname
- INTERFACE is your actual sniffing interface
- YYYY-MM-DD is the year, month, and date the pcap was recorded
Besides accessing the pcaps in the directory shown above, you can also pivot to full packet capture from Sguil and CapMe.
Check the netsniff-ng.log file in:
/var/log/nsm/HOSTNAME-INTERFACE/netsniff-ng.log
(where HOSTNAME is your actual hostname and INTERFACE is your actual sniffing interface)
If sostat reports packet loss in netsniff-ng, you may want to consider one or more of the following options in /etc/nsm/HOSTNAME-INTERFACE/sensor.conf:
- increase PCAP_RING_SIZE
- set PCAP_OPTIONS to "--mmap" to enable memory-mapped IO
Please note that both of these options will cause netsniff-ng to consume more RAM.
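The following script is an added example, not part of the Security Onion wiki or the netsniff-ng project. It builds the dailylogs path from the hostname, interface and date variables described above, and reads the two loss-related settings (PCAP_RING_SIZE and PCAP_OPTIONS) out of a sensor.conf-style file to report whether memory-mapped IO is enabled. It assumes sensor.conf uses shell-style KEY=value assignments, and the sample configuration it writes to a temp file is constructed for illustration, not a recommended setting.

```shell
#!/bin/sh
# Added example (not Security Onion's own tooling): locate the daily pcap
# directory and inspect the netsniff-ng tuning knobs in sensor.conf.

# Build the dailylogs path netsniff-ng writes to, from the three variables
# the wiki names: hostname, sniffing interface, and YYYY-MM-DD date.
pcap_dir() {
    # $1 = hostname, $2 = sniffing interface, $3 = YYYY-MM-DD
    printf '/nsm/sensor_data/%s-%s/dailylogs/%s/\n' "$1" "$2" "$3"
}

# Read a KEY=value setting from a sensor.conf-style file, stripping any
# surrounding quotes. Assumes shell-style assignments (an assumption here).
conf_get() {
    # $1 = file, $2 = key; last assignment wins, as it would when sourced
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Report whether memory-mapped IO is enabled; prints "mmap" or "no-mmap".
mmap_status() {
    case "$(conf_get "$1" PCAP_OPTIONS)" in
        *--mmap*) echo mmap ;;
        *)        echo no-mmap ;;
    esac
}

# Summarise the two loss-related settings and restate the wiki's remedies
# (both of which cost RAM).
ring_advice() {
    size=$(conf_get "$1" PCAP_RING_SIZE)
    opts=$(conf_get "$1" PCAP_OPTIONS)
    echo "PCAP_RING_SIZE=${size:-unset} PCAP_OPTIONS=\"$opts\""
    [ "$(mmap_status "$1")" = mmap ] || \
        echo "hint: set PCAP_OPTIONS to \"--mmap\" for memory-mapped IO (uses more RAM)"
    echo "hint: if sostat still shows loss, increase PCAP_RING_SIZE (uses more RAM)"
}

# Constructed sample sensor.conf, written to a temp file so the script runs
# offline; the values are illustrative, not a recommended configuration.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real /etc/nsm/HOSTNAME-INTERFACE/sensor.conf
PCAP_RING_SIZE=64
PCAP_OPTIONS=""
EOF

pcap_dir sensor1 eth1 2018-05-01
ring_advice "$SAMPLE_CONF"
```

Point `ring_advice` at the real /etc/nsm/HOSTNAME-INTERFACE/sensor.conf to see the current values; the script only reads the file and never edits it, so applying either change remains a deliberate step followed by a restart of the sensor processes.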
For more information about netsniff-ng, please see:
http://netsniff-ng.org/
Full packet capture obviously requires lots of disk space. Trimming your pcaps can allow you to store pcap for longer periods of time. For example, please see: https://www.netresec.com/?page=Blog&month=2017-12&post=Don%27t-Delete-PCAP-Files---Trim-Them