sniffer

A modern alternative network traffic sniffer inspired by bandwhich(Rust) and nethogs(C++).

Introduction

中文介绍

sniffer is designed for network troubleshooting. It can be started at any time to analyze the processes or connections causing increases in network traffic without loading any kernel modules. In addition, the GUI of it is responsive that can fit with terminals of all sizes automatically.

sniffer manipulates gopacket to sniff the interfaces and record packets' info. gopacket wraps the Golang port of libpacp library, and provides some additional features. One of the projects that inspired the sniffer is bandwhich, which has a sophisticated interface and multiple ways to display data, but it does not support BPF filters. Another one is nethlogs, which supports BPF filters, but can only view data by process, without connections or remote address perspective. sniffer combines the advantages of those two projects also adhering a new Plot mode.

Connections and Process Matching

On Linux, sniffer refers to the ways in which the ss tool used, obtaining the connections of the ESTABLISHED state by netlink socket. Since that approach is more efficient than reading the /proc/net/* files directly. But both need to aggregate and calculate the network traffic of the process by matching the inode information under /proc/${pid}/fd.

On macOS, the lsof command is invoked, which relies on capturing the command output for analyzing process connections information. And sniffer manipulates the API provided by gopsutil directly on Windows.

Installation

sniffer relies on the libpcap library to capture user-level packets hence you need to have it installed first.

Debian/Ubuntu

sudo apt-get install libpcap-dev

CentOS/Fedora

sudo yum install libpcap libpcap-devel

MacOS

brew install libpcap

Windows

Windows need to have npcap installed for capturing packets.

after that, install sniffer

go get github.com/chenjiandongx/sniffer

Usages

❯ sniffer -h
# A modern alternative network traffic sniffer.

Usage:
  sniffer [flags]

Examples:
  # processes mode for pid 1024,2048 in MB unit
  $ sniffer -p 1024 -p 2048 -m 2 -u MB

  # only capture the TCP protocol packets with lo,eth prefixed devices
  $ sniffer -b tcp -d lo -d eth

Flags:
  -b, --bpf string                   specify string pcap filter with the BPF syntax (default "tcp or udp")
  -d, --devices-prefix stringArray   prefixed devices to monitor (default [en,lo,eth,em,bond])
  -h, --help                         help for sniffer
  -i, --interval int                 interval for refresh rate in seconds (default 1)
  -l, --list                         list all devices name
  -m, --mode int                     view mode of sniffer (0: bytes 1: packets 2: processes)
  -n, --no-dns-resolve               disable the DNS resolution
  -p, --pids ints                    pids to watch in processes mode (default all processes)
  -u, --unit string                  unit of traffic stats in processes mode, optional: B, KB, MB, GB (default "KB")
  -v, --version                      version for sniffer

View Mode

Bytes Mode: display traffic stats in bytes by the Table widget.

Packets Mode: display traffic stats in packets by the Table widget.

Processes Mode: display traffic stats groups by process using Plot widget.

License

MIT ©chenjiandongx