Application to analyze and filter your network traffic.
Multithreaded, cross-platform, reliable.
The application binary can be installed with cargo install sniffnet
The application can then be run using sniffnet [OPTIONS]
In order to build and run Sniffnet on Windows systems you need to:
Install Npcap.
Download the Npcap SDK.
Add the SDK's /Lib or /Lib/x64 folder to your LIB environment variable.
In order to build and run Sniffnet on Linux systems, install the libraries and header files for the libpcap library. For example:
On Debian based Linux: install libpcap-dev.
On Fedora Linux: install libpcap-devel.
Note that if you are not running as root, you need to set capabilities like so: sudo setcap cap_net_raw,cap_net_admin=eip path/to/bin.
MacOS natively has all the dependencies you need to build and run Sniffnet!
-a, --adapter: specifies the name of the network adapter to be inspected; if omitted the default adapter is chosen.
--app: filters packets on the basis of the provided application layer protocol.
-d, --device-list: prints list of the available network interfaces. Immediately terminates the program.
-h, --highest-port: specifies the maximum port value to be considered; if omitted there is no ports higher bound.
-i, --interval: sets the interval of time between report updates (value in seconds).
-l, --lowest-port: specifies the minimum port value to be considered; if omitted there is no ports lower bound.
-o, --output-folder:
specifies the name of the output folder to contain textual and graphical reports; if omitted the folder name is sniffnet_report
The graphical report consists of a svg file, constantly updated while Sniffnet is running. It is suggested to open this file with a web browser, in order to be able to comfortably refresh it.
It reports the amount of sent (outgoing) and received (incoming) bits and packets per second.
Note that the number of bits and packets in the graph refers to one single second even if the update frequency is different.
The default update frequency is set to 5 seconds, but you can change it launching the application with the -i option.
Note that the default interval of 5 seconds is more suitable if the network traffic is constant and steady (e.g., large file download);
in case of intermittent traffic, you can consider using a lower time interval.
This file contains details and statistics about the sniffing process.
First, it specifies the name of the network adapter analyzed.
Then there is a detail about the initial timestamp of the sniffing process and the last timestamp in which the report was updated.
It also describes the status of the possible filters applicable by the user through the command line: IP address version, transport layer protocol, port minimum and maximum number, and application layer protocol.
Finally, it reports some statistics about the observed traffic: the number of [address:port] pairs considered, the total number of sniffed packets, the number (and percentage) of packets selected according to the active filters and a list of the observed application layer protocols with the respective packets count.
This file contains a detailed analysis of the packets stream for each [address:port] pair.
This analysis results in a table in which each row represents an [address:port] pair with the relative statistics.
For each [address:port] pair it is reported the amount of exchanged data measured in number of packets and in number of bytes between the source and the destination.
For each [address:port] pair are reported the first and the last timestamp in which a packet was transmitted between that [address:port] pair.
Level 4 and level 7 carried protocols are also described (respectively transport layer and application layer protocols); please note that application level protocols are just inferred from the transport port numbers.
-d option to print on the standard output a list of the available devices.
sniffnet -d prints a list of all the available network adapters names and addresses, as in the example that follows. 
Invalid application layer protocol filter:
if an invalid string is provided the application raises an error and terminates.
The list of the supported application layer protocols is available in this section.
Note that not including the --app option is equal to provide --app "no filter".
Invalid highest port number:
if the provided highest port number is not an integer in the range 0..=65535 the program raises an error and terminates.
If also the lowest port number is specified and highest_port < lowest_port == true the program raises an error and terminates.
Invalid interval value:
if the provided interval value is not an integer in the range 1..=u64::MAX the program raises an error and terminates.
Invalid lowest port number:
if the provided lowest port number is not an integer in the range 0..=65535 the program raises an error and terminates.
If also the highest port number is specified and highest_port < lowest_port == true the program raises an error and terminates.
Invalid network layer protocol filter:
if a string different from "IPv4", "IPv6" or "no filter" is provided (not case-sensitive), the application raises an error and terminates.
Note that not including the -n option is equal to provide -n "no filter".
Already existing output folder: there is no particular limitation on the output folder name. However, if the provided name corresponds to an already existing directory of your PC, keep in mind that the directory will be deleted and overwritten.
Invalid transport layer protocol filter:
if a string different from "TCP", "UDP" or "no filter" is provided (not case-sensitive), the application raises an error and terminates.
Note that not including the -t option is equal to provide -t "no filter".
You may incur in this error if you have not the privilege to open a network adapter. Full error is reported below.
To solve this error you can execute the following command:
sudo chown username /dev/bp*
Where username can be retrieved with the command whoami
Alternatively, you can run the application as root: sudo sniffnet [OPTIONS]
In both cases you will be requested to insert your system password.
If the textual output is not reporting packets statistics, make sure you are sniffing the correct network adapter (use the -d
option to see the full list of your network adapters' names and addresses).
To inspect a network adapter of your choice, remember to specify the -a option followed by the name of the adapter to be analyzed.
If you don't include such option a default adapter is chosen by the application, but it may not be the one you expected to sniff.
Note that to see report updates while Sniffnet is running you may have to close and re-open the report file.
If you are still not able to see any packet statistic, then it probably means that you are just not receiving packets from the network: surf the web to receive some packets.
Do you want to improve Sniffnet? Check here