These tools are interesting to play with but I'd prefer to leverage netflows, which are designed for this purpose.
Netflow gives you protocol types, src/dst ip & port, packet & byte counts, qos/tos, and more - much more cheaply than pcapping an interface. All SME and up gear support them, even Unifi USG's will eject NetFlows.
I'm a bit jaded about some of the free tooling these days though. Weirdly it feels like we've taken a step back the past several years - but for anything beyond 'I wonder who this one computer is talking to' they're a much better approach.
Sure, just gotta spin up an elastic stack and find the right netflow parser! I know you know. Netflow to me is like snmp, supposedly easy but really not. Maybe I'm just lazy now.
I played with Elastiflow extensively some years ago - it was excellent, if a little hungry on memory, but I suspect most of that was the logstash & elasticsearch overhead.
Rob did a big rewrite about 4 years ago, I think, licensing the new codebase in a way that led us to look elsewhere.
There's some alternatives that aren't elastic under the hood, of course. The hard-to-type Akvorado looks very promising, especially given its heritage:
Because we're moving to opentel / prometheus, this project (seems quite active) is especially interesting, with the promise of integrating OS & app metrics, tracing, and netflow insights:
Besides the obvious advantages (you don't need to control the network & have the feature support in hw & have the energy to configure netflow stuff) - host local viewpoint has a lot of advantages vs monitoring from an on-path network element. You can associate stuff to local processes, you don't have the post-NAT warped view of traffic, you can see traffic that doesn't cross routers, you can see the actual traffic contents instead of just metadata, etc.
But the high bit is of course that it's a self-contained normal app and just works.
(And it actually exists unlike the hypothetical netflow version.)
Some good points, and I appreciate there are two semi-disparate domains here. Local interface monitoring addresses a different problem than network monitoring.
I'd argue your advantages perhaps - you do need local root, or at least net_admin / net_raw (I haven't looked to see if TFA drops all but these - perhaps you have?) which raises some security questions. In Linux you may also hit some challenges with promiscuous mode, or capturing on wireless interfaces.
The 'energy' to configure netflow is probably comparable to that required to install and configure this tool. If you don't have the feature on your network hardware, then, yeah, sure, it's moot.
I accept that this, and other existing tools, that let you correlate local processes with local network interface activity can be useful. In my experience it's rare to have to dive into that level, but definitely handy.
In a previous life I would frequently be flipping between Wireshark and Riverbed's Packet Analyzer (nee Pilot) which gives a higher level view than Wireshark. It feels like Sniffnet is aiming to be more in this category, so it's great to have a free software alternative.
For traffic that doesn't traverse routers, you may not know that switches can send netflow. Also, your favourite GNU/Linux distro can send flows.
> (And it actually exists unlike the hypothetical netflow version.)
I don't get this bit.
Are you asserting that netflow monitoring tools don't exist?
Nowadays? The protocols haven't changed, but you may mean that pipes are getting bigger while compute/storage aren't keeping up, so network admins are more likely to opt for sampling over raw/full.
If you want to see every connection you certainly can use netflow, just means you need to spec out your solution properly - and if you've got a lot of chatty traffic it may get expensive.
Obviously much less expensive than interface capture approaches like TFA - plus netflows will typically come from your routing infrastructure.
EDIT: Apologies, I had not really processed the implications of 'if you want to see every packet'. Yes, you're right, but netflow was never about seeing every packet; it's about tracking every flow (which IIRC is usually defined as src/dst addr+port + protocol) - which will include a running total of bytes/packets over time, so it's counting every packet, but certainly not inspecting every packet, at least not in a DPI sense.
Netflow will inspect every connection as it's established, and then track it until it's torn down. This is one of the reasons netflow, and especially sampled netflow, can report really skewed results against long-lived connections - think Citrix, f.e.
sFlow is the packet sampled version, NetFlow/IPFIX will give you details on every flow. There was a period when high speed devices (>10G) started dropping full sampling but it seems to have come back for even 100G devices. Limits around the total number of tracked flows still exist of course, you can't just flood a trillion tcp syns on a 100G port and expect the switch to report on all of them. Theoretically you could do that with a pcap based solution but realistically it's the same problem the switch runs into.
Now if you actually care about per packet statistics rather than per flow statistics you'd want pcap. The more the world becomes encrypted the less interesting the actual packets become.
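The flow tracking described in the posts above (flows keyed by src/dst address, port and protocol with running byte/packet totals, and the way 1-in-N packet sampling distorts per-flow counts), as an added Python example that is not part of this thread or of Sniffnet; all addresses, ports and packet sizes are constructed for the illustration.

```python
"""Aggregate a packet log into NetFlow-style 5-tuple flow records and compare
unsampled counting with 1-in-N packet sampling (as sFlow / sampled NetFlow do)."""
from collections import defaultdict

LONG = ("10.0.0.5", "203.0.113.10", 51000, 443, "tcp")   # hypothetical long-lived TLS session
RESOLVER = "192.0.2.53"                                   # hypothetical DNS server


def build_traffic():
    """Constructed packet log, not captured traffic: a 200-packet long-lived
    session interleaved with ten short DNS query/response pairs."""
    pkts = []
    for i in range(200):
        pkts.append(LONG + (1200,))
        if i % 20 == 0:
            sport = 40000 + i
            pkts.append(("10.0.0.5", RESOLVER, sport, 53, "udp", 70))
            pkts.append((RESOLVER, "10.0.0.5", 53, sport, "udp", 140))
    return pkts


def aggregate_flows(packets, sample_rate=1):
    """Group packets by (src, dst, sport, dport, proto) and total packets/bytes.

    sample_rate=1 models an unsampled exporter that counts every packet.
    sample_rate=N models 1-in-N sampling: only every Nth packet is seen and
    each observed packet is scaled by N to estimate the true totals."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for idx, pkt in enumerate(packets):
        if idx % sample_rate:
            continue
        key, size = pkt[:5], pkt[5]
        flows[key]["packets"] += sample_rate
        flows[key]["bytes"] += size * sample_rate
    return dict(flows)


def compare(full, sampled):
    """Per flow: (true packets, estimated packets); flows never sampled estimate 0."""
    return {k: (v["packets"], sampled.get(k, {"packets": 0})["packets"])
            for k, v in full.items()}


if __name__ == "__main__":
    pkts = build_traffic()
    full, sampled = aggregate_flows(pkts), aggregate_flows(pkts, sample_rate=10)
    for key, (true_pkts, est_pkts) in compare(full, sampled).items():
        print(f"{key[0]:>12} -> {key[1]:<14} {key[4]}/{key[3]:<5} "
              f"true={true_pkts:4d} est={est_pkts:4d}")
```

With 1-in-10 sampling the 200-packet session is estimated exactly, while most of the two-packet DNS flows vanish and the two that happen to be sampled are reported at ten times their real size.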
Hey, you greybeard. I couldn't find a manual either on first glance but, hey, we know about GitHub stars and see many colorful emoji and symbols on the frontpage.
No, irony left aside. I also miss the clean, boring but highly useful landing pages of old-school utility programs. A short description and a well written man page was all we needed, plus some screenshots for TUI/GUI programs.
My feeling is that especially Rust enthusiasts like emoji, colors and banners a lot. But maybe I am also just getting old...
Any time I see an emoji, I just want to turn away. I don’t know why I’m so resistant to them. Possibly because I feel I can’t take anyone seriously who would bother to pull up an on-screen keyboard just to add a little rocket ship to a line for almost no reason.
A couple years ago I had them always at the ready, right there on my Touch Bar! I mean, what's the point of having a Touch Bar if you can't even type a :Rocket: on it?
That's your personal preference, of course, but expressing emotion in text has been around since the dawn of the internet. Emojis are just a more expressive form of emoticons, and I <3 them, but I agree that they can be annoying if overused. :-)
That and they attempt to communicate complex ideas with a series of faces that one might make when encountering the subject. Like should we interpret a person's vomit emoji as a distaste for a particular concept, or just for big words in general? Who knows?
I have a hotkey that launches a bash script that pipes all emojis & their descriptors into fzf (terminal fuzzy search utility), which pipes out the selection into the clipboard :)
Have you tried finding a way to get your OS to supply you with the total list of emojis? That's the only thing I'd try to improve after I took a quick look.
Personally, I'm on Mojave, so my OS doesn't even have the latest Unicode table. However, the full tables are available from various sources, including Unicode's official site: https://unicode.org/emoji/charts/emoji-list.html
Not affiliated with the project, but just took a look at their readme. It literally lists how to install it on every single platform, how to launch it, what features it has, keyboard shortcuts and troubleshooting steps.
I thought it was a great readme. It is weird how you guys dismissed the whole thing just because the readme has emojis.
I learned Perl as a first programming language, and to this day I maintain that their documentation is better than that of any other language I've tried. Putting a synopsis with example syntax at the very beginning is, IMO, the ideal.
Example at [1]. I can take this and run with it, after reading for less than 15 seconds I know enough to start working.
Oh, dear dinosaur friend, user manuals are so last millennium! Who needs them when you have the power of exploration and experimentation at your fingertips? Embrace the digital age and dive right in. You’ll figure it out in no time!
They say that on Windows you need to install Npcap first as a dependency [0].
However Npcap's free edition is limited to 5 installations, with unlimited installations only allowed when used with Nmap, Wireshark, and/or Microsoft Defender for Identity [1]. Anything beyond that requires a license.
I'm not sure if that's problematic. Sniffnet doesn't distribute Npcap themselves so they're ok, I guess, but they do require their users to install it on Windows. So I guess this means that for private use someone can install Sniffnet + Npcap on up to 5 computers, but organizations with Windows systems cannot use Sniffnet + Npcap unless they buy Npcap's license.
I don't see any way to open an individual packet and inspect the payload. Maybe I'm missing something. If Sniffnet doesn't do that, perhaps it's a bit inappropriate to say it's "like Wireshark."
Not to take anything away from Sniffnet, but if people are interested in real-time network monitoring for their personal computer with a nice GUI, and if someone can suggest a nice GUI portable and usable ultimately from C, I would consider adding a GUI to an old free software tool that was developed years ago for the telco industry and that has many more features.
The screenshot shows traffic volume per destination. I don't see a feature that would require traffic decryption nor any mention of how to install a cert, so I assume no. What would you want traffic decryption for?
The title is misleading, this seems like a toy and not at all like Wireshark since it doesn't do dissection.
ntopng (https://www.ntop.org/products/traffic-analysis/ntop/) is much more featureful than sniffnet, works also with netflow and has seen multiple production deployments, monitoring 100Gbps flows at full rate.
Despite the title there is really not much relation beyond the fact that both tools monitor traffic. In general though, I'd say Wireshark is geared towards inspecting specific things while this is geared towards being a dashboard and filter of your overall network's internet traffic.
In the past I was looking for a network sniffer software to detect DDoS attacks that works on Windows. To manually monitor a game server I was running, Sniffnet worked well even during DDoS attacks.