

Related Documents and Resources

BPF+: Exploiting Global Data-flow Optimization in a Generalized Packet Filter Architecture [PDF version]
By Andrew Begel, Steven McCanne, and Susan Graham.
DPF
A paper presented at SIGCOMM '96 on an enhanced version of BPF.
Win32 info
An extract of a message from Guy Harris on state of WinPcap and WinDump.
How to write a libpcap module
A draft HOWTO by Guy Harris.
Awesome PCAP Tools
A list of various projects related to network traffic research. It currently includes the following groups: Linux commands, traffic capture, traffic analysis/inspection, DNS utilities, file extraction and related projects.
Publicly available PCAP files
This is a list of public packet capture repositories that are freely available on the Internet. Most of the sites listed share Full Packet Capture (FPC) files, but some unfortunately contain only truncated frames.

Below you can find a few projects that are related to tcpdump or libpcap in some way. If you think some project should be in this list, please either open a pull request as explained here or subscribe to the mailing list and make your input there. The new entry should include the name of the project, a brief (between 200 and 500 characters) description and a link to the project page.

Related Software (Libraries)

LibNet
Libnet is a collection of routines to help with the construction and handling of network packets. It provides a portable framework for low-level network packet shaping, handling and injection. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and complementary functionality. Using libnet, quick and simple packet assembly applications can be whipped up with little effort.
Scapy
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VoIP decoding on WEP encrypted channel, …), etc.
libcrafter
Libcrafter is a high-level C++ library designed to make the creation and decoding of network packets easier. It is able to craft or decode packets of most common network protocols, send them on the wire, capture them and match requests and replies.
PcapPlusPlus
A multiplatform C++ network sniffing, packet parsing and crafting framework. It provides a lightweight, easy-to-use and efficient C++ wrapper for libpcap and WinPcap.
Npcap
Npcap is the Nmap Project's packet capture (and sending) library for Microsoft Windows. Npcap began in 2013 as some improvements to the (now discontinued) WinPcap library, but has been largely rewritten since then with hundreds of releases improving Npcap's speed, portability, security, and efficiency.
SharpPcap
A fully managed, cross platform (Windows, Mac, Linux) .NET library for capturing packets from live and file based devices.
GoPacket
This library provides packet decoding capabilities for Go. It contains many sub-packages with additional functionality, including C bindings to use libpcap/PF_RING/AF_PACKET to read packets off the wire. Originally forked from the gopcap project written by Andreas Krennmair.
pypcapfile
pypcapfile is a pure Python library for handling libpcap savefiles.
libtins
libtins is a high-level, multiplatform C++ network packet sniffing and crafting library. Its main purpose is to provide the C++ developer an easy, efficient, platform and endianness-independent way to create tools which need to send, receive and manipulate network packets.
ruby-pcap
ruby-pcap is a Ruby extension to libpcap. This library also includes classes to access TCP/IP headers.
Pcap4J
Pcap4J is a Java library for capturing, crafting and sending packets. Pcap4J wraps a native packet capture library (libpcap, WinPcap, or Npcap) via JNA and provides you Java-oriented APIs.
rust-pcap
This is a Rust language crate for accessing the packet sniffing capabilities of libpcap (or Npcap on Windows). It implements the following features:
  • list devices
  • open capture handle on a device or savefiles
  • get packets from the capture handle
  • filter packets using BPF programs
  • list/set/get datalink link types
  • configure some parameters like promiscuity and buffer length
  • write packets to savefiles
  • inject packets into an interface
libpcapnav
libpcapnav is a libpcap wrapper library that allows navigation to arbitrary locations in a tcpdump trace file between reads. The API is intentionally much like that of the pcap library. You can navigate in trace files both in time and space: you can jump to a packet which is at approximately 2/3 of the trace, or you can jump as closely as possible to a packet with a given timestamp, and then read packets from there. In addition, the API provides convenience functions for manipulating timeval structures.
Pcap Project
Pcap Project provides a packet processing library for rapid development on top of JVM languages (Java, Kotlin, Scala, Groovy, Clojure, JRuby and Jython).
pcaprub
The goal of this project is to provide a consistent Ruby interface to the libpcap packet capture library.
Net::Pcap
The Net::Pcap module is a Perl binding to libpcap.
Pcapy
Pcapy is a Python extension module that enables software written in Python to access the routines of the pcap packet capture library. Pcapy works with Python threads, runs on both Unix-like OSes and Windows, and provides a simple object-oriented API.
libtrace
libtrace is a userspace library for processing network traffic captured from live interfaces or read from offline traces. libtrace was primarily designed for use with the real-time interface to the Waikato DAG Capture Point software running at The University of Waikato, and has since been extended to a range of other trace and interface formats.
LibDAQ: The Data AcQuisition Library
LibDAQ is a pluggable abstraction layer for interacting with a data source (traditionally a network interface or network data plane). Applications using LibDAQ use the library API defined in daq.h to load, configure, and interact with pluggable DAQ modules.
epcap
epcap is an Erlang port interface to libpcap; it includes a small example program called "sniff".

Related Software (File Processing)

TCPslice
TCPslice is a tool for extracting portions of packet trace files generated using tcpdump's -w flag. It can combine multiple trace files, and/or extract portions of one or more traces based on time. TCPslice originally comes from LBL and now is maintained by The Tcpdump Group.
TCPTrace
TCPTrace analyzes the behavior of captured TCP streams, and accepts many trace file formats (including pcap). It provides connection statistics and several types of graphs, including the widely-used time-sequence graphs.
NetDude
netdude (NETwork DUmp data Displayer and Editor). From their webpage, "it is a GUI-based tool that allows you to make detailed changes to packets in tcpdump tracefiles."
Xplot
The program xplot was written in the late 1980s to support the analysis of TCP packet traces.
Multitail
MultiTail now has a colorscheme included for monitoring the tcpdump output. It can also filter, convert timestamps to timestrings and much more.
pcapfix
pcapfix is a repair tool for corrupted pcap and pcapng files. It checks for an intact pcap global header and packet block and repairs it if there are any corrupted bytes. If a header is not present, one is created and added to the beginning of the file. It then tries to find pcap packet headers or packet blocks, and checks and repairs them.
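As an added illustration of the savefile layout that pypcapfile reads and pcapfix repairs (example code written for this page, not part of either project): a minimal classic-pcap reader in pure Python that detects byte order and timestamp resolution from the magic number, walks the 16-byte record headers, and stops at the first record whose length fields are implausible or whose data runs past the end of the file. The sample file it parses is constructed inline; the two Ethernet frames in it are placeholders, not a real capture.

```python
import struct
from typing import Iterator, List, NamedTuple, Tuple

# Classic (non-pcapng) savefile constants. The magic number doubles as a
# byte-order mark and tells us the timestamp resolution.
MAGIC_MICROS = 0xA1B2C3D4
MAGIC_NANOS = 0xA1B23C4D
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
LINKTYPE_ETHERNET = 1


class GlobalHeader(NamedTuple):
    byteorder: str            # struct prefix: '<' little-endian or '>' big-endian
    nanos: bool               # timestamps in nanoseconds rather than microseconds
    version: Tuple[int, int]
    snaplen: int
    linktype: int


class Record(NamedTuple):
    ts: float                 # seconds since the epoch
    caplen: int               # bytes actually stored in the file
    origlen: int              # bytes that were on the wire
    data: bytes


def parse_global_header(buf: bytes) -> GlobalHeader:
    """Decode the 24-byte global header, detecting byte order from the magic."""
    if len(buf) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    for bo in ("<", ">"):
        magic = struct.unpack(bo + "I", buf[:4])[0]
        if magic in (MAGIC_MICROS, MAGIC_NANOS):
            break
    else:
        raise ValueError("unknown magic number %r" % buf[:4])
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        bo + "HHiIII", buf[4:GLOBAL_HDR_LEN])
    return GlobalHeader(bo, magic == MAGIC_NANOS, (major, minor), snaplen, linktype)


def iter_records(buf: bytes) -> Iterator[Record]:
    """Yield packet records; raise ValueError at the first inconsistent header."""
    hdr = parse_global_header(buf)
    scale = 1e-9 if hdr.nanos else 1e-6
    off = GLOBAL_HDR_LEN
    while off < len(buf):
        if len(buf) - off < RECORD_HDR_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, caplen, origlen = struct.unpack(
            hdr.byteorder + "IIII", buf[off:off + RECORD_HDR_LEN])
        # Sanity checks in the spirit of pcapfix: a sane record never stores
        # more than snaplen bytes or more than were on the wire.
        if caplen > hdr.snaplen or caplen > origlen:
            raise ValueError("implausible record header at offset %d" % off)
        start = off + RECORD_HDR_LEN
        if len(buf) - start < caplen:
            raise ValueError("truncated packet data at offset %d" % start)
        yield Record(sec + frac * scale, caplen, origlen, buf[start:start + caplen])
        off = start + caplen


def validate(buf: bytes) -> Tuple[int, str]:
    """Return (number of intact records, '' or the first error message)."""
    n = 0
    try:
        for _ in iter_records(buf):
            n += 1
    except ValueError as e:
        return n, str(e)
    return n, ""


def build_pcap(frames: List[Tuple[int, int, bytes]], snaplen: int = 65535,
               nanos: bool = False, byteorder: str = "<") -> bytes:
    """Serialise (sec, frac, frame) tuples into a classic savefile (test fixture)."""
    magic = MAGIC_NANOS if nanos else MAGIC_MICROS
    out = struct.pack(byteorder + "IHHiIII", magic, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for sec, frac, frame in frames:
        out += struct.pack(byteorder + "IIII", sec, frac, len(frame), len(frame)) + frame
    return out


# Constructed fixture: two minimal placeholder Ethernet frames, not a real capture.
FRAME = bytes.fromhex("ffffffffffff0011223344550800") + b"\x00" * 14
SAMPLE = build_pcap([(1700000000, 250000, FRAME), (1700000001, 0, FRAME)])
# Chop the last record short to mimic a capture cut off by a crash or a full disk.
TRUNCATED = SAMPLE[:-5]

if __name__ == "__main__":
    print(parse_global_header(SAMPLE))
    print(validate(SAMPLE), validate(TRUNCATED))
```

Running the block prints the parsed header, then a (records, error) pair for the intact file and for the truncated one. A repair tool such as pcapfix goes further than this reader: where this stops, it resynchronises by scanning forward for the next plausible record header. pcapng files use a different, block-based layout and are not handled here.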
Radare2
A free/libre toolchain for easing several low level tasks like forensics, software reverse engineering, exploiting, debugging… Radare2 can process compiled BPF bytecode.
ipsumdump
The ipsumdump program summarizes TCP/IP dump files into a self-describing ASCII format easily readable by humans and programs. Ipsumdump can read packets from network interfaces, from .pcap files, and from existing ipsumdump files. It will transparently uncompress .pcap or ipsumdump files when necessary. It can randomly sample traffic, filter traffic based on its contents, anonymize IP addresses, and sort packets from multiple dumps by timestamp. Also, it can optionally create a .pcap file containing actual packet data.
netmate
Netmate is a GTK+ program that shows network protocol headers in 32-bit aligned fields, exactly as they are represented in Requests for Comments (RFCs). It can be used to learn and teach about network protocols and to understand their functionality and collaboration. This tool supports input files in pcap(ng) format as they are created by tcpdump, wireshark or other code based on libpcap.
pcaputils
pcaputils includes the following libpcap-based utilities:
  • pcapip: filters an input pcap file based on a file containing IP addresses
  • pcappick: picks specific frames out of a pcap by number
  • pcapuc: prints unique src IPs, dst IPs, or {src, dst} IP pairs witnessed
  • pcapdump: a dedicated packet capture utility similar to dumpcap, but with additional features
TrimPCAP
TrimPCAP is a free open source tool that reduces the size of capture files in an intelligent way. With reduced storage needs comes longer retention periods. TrimPCAP has been shown to reduce most PCAP datasets by over 90 percent!
tcpsplit
The tcpsplit utility breaks a single libpcap packet trace into some number of sub-traces, breaking the trace along TCP connection boundaries so that a TCP connection doesn't end up split across two sub-traces. This is useful for making large trace files tractable for in-depth analysis and for subsetting a trace for developing analysis on only part of a trace.
PacketQ
packetq is a command line tool to run SQL queries directly on PCAP files; the results can be output as JSON (default), formatted/compact CSV, or XML. It also contains a very simplistic web server for inspecting PCAP files remotely.
file2pcap
file2pcap creates a pcap file from any input file, simulating this file in transit, using various protocols and encodings. The resulting pcap file can then be used to create or test Snort rules. Supported protocols: HTTP, HTTP/2, HTTP POST, SMTP/POP3/IMAP, FTP, IPv6.
pCraft
pCraft is a PCAP Crafter, which creates a PCAP from an AMI scenario. Generating realistic test captures by hand is hard for the following reasons:
  • lack of consistency between clients and servers,
  • making sure no personal data leaks,
  • consistency across different services,
  • keeping timing right,
  • etc.
pCraft addresses this: one simply writes a scenario in AMI and the program outputs a PCAP.

Related Software (Intrusion Detection)

Socket Sentry
Socket Sentry is a real-time network traffic monitor for KDE Plasma in the same spirit as tools like iftop and netstat.
snort
Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and approximately 300,000 registered users, Snort has become the de facto standard for IPS.
Zeek
Zeek (formerly Bro) is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity. Zeek detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (e.g., certain hosts connecting to certain services, or patterns of failed connection attempts).
Suricata
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine.
ArpON
ArpON (ARP handler inspection) is a host-based solution that makes the ARP standardized protocol secure in order to avoid man-in-the-middle (MITM) attacks through ARP spoofing, ARP cache poisoning or ARP poison routing.
scanlogd
scanlogd is a TCP port scan detection tool, originally designed to illustrate various attacks an IDS developer has to deal with, for a Phrack Magazine article. Thus, unlike some of the other port scan detection tools out there, scanlogd is designed to be totally safe to use. scanlogd can be built with support for one of several packet capture interfaces. In addition to the raw socket interface on Linux (which does not require any libraries), scanlogd is now aware of libnids and libpcap.

Related Software (Packet Capture and Analysis)

EtherApe
EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.
tcpflow
tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
Network Top
ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntop is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform and on Win32 as well.
Wireshark
A free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
CoralReef
CoralReef is a software suite developed by CAIDA to analyze data collected by passive Internet traffic monitors. It provides a programming library libcoral, similar to libpcap with extensions for ATM and other network types, which is available from both C and Perl. The software presently supports dedicated PC boxes using OC3mon and OC12mon cards that collect traffic data in real time, as well as reading from pcap tracefiles. CoralReef supports listening via BPF-enabled devices. CoralReef includes drivers, analysis, web report generation, examples, and capture software. This package is maintained by CAIDA developers with the support and collaboration of the Internet measurement community.
TCPstat
tcpstat reports certain network interface statistics much like vmstat does for system statistics. tcpstat gets its information by either monitoring a specific interface, or by reading previously saved tcpdump data from a file.
httpflow
Packet capture and analysis utility similar to tcpdump for HTTP.
ssldump
ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic. It also includes a JSON output option and supports JA3 and IPv6.
iftop
iftop does for network usage what top(1) does for CPU usage. It listens to network traffic on a named interface and displays a table of current bandwidth usage by pairs of hosts. Handy for answering the question "why is our ADSL link so slow?".
capstats by Bert Vermeulen
Capstats generates byte and packet counters based on a Berkeley Packet Filter (BPF) expression. The basic model is that you run capstats as a daemon (as root), and it will then take commands from a client. Using a client, you can create new capture sessions, modify them, pull up stats on running sessions, and so on.
capstats by Zeek Project
capstats is a small tool to collect statistics on the current load of a network interface, using either libpcap or the native interface for Endace hardware. It reports statistics per time interval and/or for the tool's total run-time.
pmacct
pmacct is a small set of multi-purpose passive network monitoring tools. It can account, classify, aggregate, replicate and export forwarding-plane data, i.e. IPv4 and IPv6 traffic; collect and correlate control-plane data via BGP and BMP; collect and correlate RPKI data; collect infrastructure data via Streaming Telemetry. Each component works both as a standalone daemon and as a thread of execution for correlation purposes (i.e. enrich NetFlow with BGP data).
ngrep
ngrep is like GNU grep applied to the network layer. It's a PCAP-based tool that allows you to specify an extended regular or hexadecimal expression to match against data payloads of packets. It understands many kinds of protocols, including IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw, across a wide variety of interface types, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
VoIPmonitor
VoIPmonitor is an open source network packet sniffer with commercial frontend for SIP, RTP, RTCP, SKINNY (SCCP), MGCP and WebRTC VoIP protocols running on Linux. VoIPmonitor is designed to analyze quality of VoIP calls based on network parameters—delay variation and packet loss according to ITU-T G.107 E-model, which predicts quality on MOS scale. Calls with all relevant statistics are saved to a MySQL database. Optionally each call can be saved to a .pcap file with either only SIP protocol or SIP/RTP/RTCP/T.38/udptl protocols.
ksniff
A kubectl plugin that utilizes tcpdump and Wireshark to start a remote capture on any pod in your Kubernetes cluster. You get the full power of Wireshark with minimal impact on your running pods.
pcapsipdump
An open-source libpcap-based SIP sniffer. Listens on a network interface and saves SIP/RTP sessions to files. Each session goes in a separate, fancy-named .pcap file. Those could be opened with tcpdump, wireshark and friends.
Arkime
Arkime augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access. An intuitive and simple web interface is provided for PCAP browsing, searching, and exporting. Arkime exposes APIs which allow for PCAP data and JSON formatted session data to be downloaded and consumed directly.
vlandump
vlandump is a small utility for capturing network traffic and aggregating found VLAN-tags (if any). Found tags can then be sorted and displayed.
dnstop
dnstop is a libpcap application (like tcpdump) that displays various tables of DNS traffic on your network. dnstop supports both IPv4 and IPv6 addresses. To help find especially undesirable DNS queries, dnstop provides a number of filters. dnstop can either read packets from the live capture device, or from a pcap savefile.
softflowd
softflowd is a flow-based network monitor. It listens promiscuously on a network interface and semi-statefully tracks network flows. These flows can be reported using NetFlow version 1, 5 or 9 datagrams. softflowd is fully IPv6 capable: it can track IPv6 flows and export to IPv6 hosts.
arpwatch
arpwatch is a computer software tool for monitoring Address Resolution Protocol traffic on a computer network. It generates a log of observed pairing of IP addresses with MAC addresses along with a timestamp when the pairing appeared on the network. It also has the option of sending an e-mail to an administrator when a pairing changes or is added.
addrwatch
Addrwatch is a tool similar to arpwatch. Its main purpose is to monitor the network and log discovered Ethernet/IP address pairings. Addrwatch is extremely useful in networks with IPv6 autoconfiguration (RFC 4862) enabled: it allows tracking the IPv6 addresses of hosts that use IPv6 privacy extensions (RFC 4941). The main difference between arpwatch and addrwatch is the format of the output files.
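To make the reporting model of arpwatch and addrwatch concrete, here is an added example (written for this page, not code from either project) that keeps the IP-to-MAC table in memory, feeds it ARP replies parsed from constructed log lines in the style of `tcpdump -tt -nn arp`, and classifies each change the way arpwatch's reports do: a new station, a changed Ethernet address, or a flip flop back to the previously seen address. The addresses and timestamps are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The "is-at" part of an ARP reply as printed by `tcpdump -tt -nn arp`.
ARP_REPLY = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) ARP, Reply (?P<ip>[\d.]+) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


@dataclass
class Station:
    mac: str
    first_seen: float
    last_seen: float
    previous_mac: Optional[str] = None


@dataclass
class ArpWatcher:
    """Tracks IP->MAC pairings and reports changes, arpwatch style (simplified)."""
    table: Dict[str, Station] = field(default_factory=dict)
    events: List[Tuple[float, str, str, str]] = field(default_factory=list)

    def observe(self, ts: float, ip: str, mac: str) -> Optional[str]:
        mac = mac.lower()
        st = self.table.get(ip)
        if st is None:
            self.table[ip] = Station(mac, ts, ts)
            return self._event(ts, "new station", ip, mac)
        if st.mac == mac:
            st.last_seen = ts
            return None
        # The address moved. Going back to the MAC we saw before is what
        # arpwatch calls a flip flop; on a gateway IP that is the classic
        # symptom of ARP cache poisoning.
        kind = "flip flop" if mac == st.previous_mac else "changed ethernet address"
        st.previous_mac, st.mac, st.last_seen = st.mac, mac, ts
        return self._event(ts, kind, ip, mac)

    def feed_line(self, line: str) -> Optional[str]:
        """Feed one tcpdump-style line; requests and non-ARP lines are ignored."""
        m = ARP_REPLY.match(line)
        if not m:
            return None
        return self.observe(float(m["ts"]), m["ip"], m["mac"])

    def _event(self, ts: float, kind: str, ip: str, mac: str) -> str:
        self.events.append((ts, kind, ip, mac))
        return kind

    def flip_flops(self) -> List[str]:
        return sorted({ip for _, kind, ip, _ in self.events if kind == "flip flop"})


# Constructed log: a host, then the gateway 192.0.2.1 changing MAC and changing back.
SAMPLE_LOG = """\
1700000001.10 ARP, Reply 192.0.2.10 is-at 00:11:22:33:44:55, length 28
1700000002.20 ARP, Reply 192.0.2.10 is-at 00:11:22:33:44:55, length 28
1700000003.30 ARP, Reply 192.0.2.1 is-at 00:aa:bb:cc:dd:01, length 28
1700000004.40 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
1700000005.50 ARP, Reply 192.0.2.1 is-at de:ad:be:ef:00:01, length 28
1700000006.60 ARP, Reply 192.0.2.1 is-at 00:aa:bb:cc:dd:01, length 28
"""


def run(log: str = SAMPLE_LOG) -> ArpWatcher:
    w = ArpWatcher()
    for line in log.splitlines():
        w.feed_line(line)
    return w


if __name__ == "__main__":
    w = run()
    for ts, kind, ip, mac in w.events:
        print("%.2f %-24s %-12s %s" % (ts, kind, ip, mac))
    print("flip flops:", w.flip_flops())
```

A flip flop on the default gateway's IP (192.0.2.1 above) is what an ARP poisoning attack looks like from the victim segment, so that is the event a detection rule would page on; a single changed ethernet address is often just a replaced NIC or a DHCP lease moving between hosts, which is why arpwatch reports both but with different names.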
Device Observatory
Device Observatory shows the activities of WiFi devices on a network on a local website. It is meant to raise the awareness for private data leaking from devices such as smartphones. Features:
  • Devices accessing the info page only see own data (except for the local host).
  • Shows MAC address, DHCP device host name, device manufacturer.
  • Shows accessed domains, IP addresses and ports.
  • Shows first/last time a website was accessed.
  • Shows SSIDs from active scanning.
  • Shows traffic by destination.
bpfcountd
This daemon was created to obtain packet statistics in larger networks without stressing CPU resources. bpfcountd counts the number of packets and bytes over time for each defined rule. The rules are defined using the libpcap filter syntax (BPF). The collected data is provided on a Unix socket in plaintext.
SPP
This software is a flexible, standalone packet processor that implements the SPP algorithm. RTT calculations can be generated from saved PCAP format files or local or remote interfaces in real time.
dnscap
dnscap is a network capture utility designed specifically for DNS traffic. It produces binary data in pcap format. This utility is similar to tcpdump, but has a number of features tailored to DNS transactions and protocol options. Some of its features include:
  • Understands both IPv4 and IPv6.
  • Captures UDP, TCP, and IP fragments.
  • Collects only queries, responses, or both.
  • Collects for only certain source/destination addresses.
  • Periodically creates new pcap files.
  • Spawns an upload script after closing a pcap file.
  • Will start and stop collecting at specific times.
sniffit
sniffit is a packet sniffer for TCP/UDP/ICMP packets over IPv4. It can give you very detailed technical information on these packets, such as SEQ, ACK, TTL, Window, etc. The packet contents can also be viewed in different formats (hex or plain text, etc.).
Cyberprobe
Cyberprobe is a network [deep] packet inspection toolkit for real-time monitoring of networks. This has applications in network monitoring, intrusion detection, forensic analysis, and as a defensive platform. Cyberprobe packet inspection works on physical networks, and also in cloud VPCs. There are features that allow cloud-scale deployments. This is not a single, monolithic intrusion detection toolkit which does everything you want straight out of the box. Instead, Cyberprobe is a set of flexible components which can be combined in many ways to manage a wide variety of packet inspection tasks.
NetHogs
NetHogs is a small "net top" tool. Instead of breaking the traffic down per protocol or per subnet, like most tools do, it groups bandwidth by process. NetHogs does not rely on a special kernel module to be loaded. If there's suddenly a lot of network traffic, you can fire up NetHogs and immediately see which PID is causing this. This makes it easy to identify programs that have gone wild and are suddenly taking up your bandwidth. Since NetHogs heavily relies on /proc, most features are only available on Linux. NetHogs can be built on Mac OS X and FreeBSD, but it will only show connections, not processes.
sniffglue
sniffglue is a network sniffer written in Rust. Network packets are parsed concurrently using a thread pool to utilize all CPU cores. Project goals are that you can run sniffglue securely on untrusted networks and that it must not crash when processing packets. The output should be as useful as possible by default.
radsniff (part of FreeRADIUS)
radsniff is a simple wrapper around libpcap. It can also print out the contents of RADIUS packets using the FreeRADIUS dictionaries.
Sniff Cookies
This program displays HTTP cookies passing through the network to which your NIC is connected.
tcpick
tcpick is a textmode sniffer; it tracks TCP streams, shows the status, reassembles and saves the data captured in files or displays them in the terminal in different modes (ASCII, hex…). There is a color-mode. Useful to get files passively.
tcpxtract
tcpxtract is a tool for extracting files from network traffic based on file signatures. Extracting files based on file type headers and footers (sometimes called "carving") is an age old data recovery technique. Tcpxtract uses this technique specifically for the application of intercepting files transmitted across a network.
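As an added example of the carving technique tcpxtract applies to network data (example code for this page, not tcpxtract's own implementation or its configuration format): a signature table of header/footer pairs for PNG, JPEG and GIF, and a scanner that walks a byte stream, cuts each file out between its header and the next footer, and gives up on a header whose footer never appears within the size limit. The stream it scans is constructed inline from a fake HTTP response and minimal stand-in image bodies that are valid only as far as the carver cares.

```python
from typing import List, NamedTuple


class Signature(NamedTuple):
    name: str
    header: bytes
    footer: bytes
    max_size: int     # give up if the footer does not appear within this many bytes


# Magic bytes are the real ones; the size limits are arbitrary choices for this example.
SIGNATURES = [
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 5_000_000),
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 5_000_000),
    Signature("gif", b"GIF8", b"\x00;", 5_000_000),
]


class Carved(NamedTuple):
    kind: str
    offset: int       # where the header started in the stream
    data: bytes


def carve(stream: bytes, sigs: List[Signature] = SIGNATURES) -> List[Carved]:
    """Extract every header..footer span of a known type, left to right."""
    found: List[Carved] = []
    pos = 0
    while pos < len(stream):
        # Earliest header of any type at or after pos.
        best = None
        for sig in sigs:
            i = stream.find(sig.header, pos)
            if i != -1 and (best is None or i < best[0]):
                best = (i, sig)
        if best is None:
            break
        start, sig = best
        end = stream.find(sig.footer, start + len(sig.header), start + sig.max_size)
        if end == -1:
            pos = start + 1           # dangling header: skip it, keep scanning
            continue
        end += len(sig.footer)
        found.append(Carved(sig.name, start, stream[start:end]))
        pos = end                      # resume after the carved file
    return found


# Constructed stream: HTTP response header, a stand-in PNG (signature, IHDR chunk,
# IEND chunk), padding, a stand-in JPEG, trailing bytes, and a PNG header with no IEND.
JUNK = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00" * 4
       + b"\x00\x00\x00\x00IEND\xaeB`\x82")
JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"
STREAM = JUNK + PNG + b"\x00" * 7 + JPG + b"trailing" + b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    for c in carve(STREAM):
        print("%s at offset %d, %d bytes" % (c.kind, c.offset, len(c.data)))
```

Carving by signature alone has known failure modes that this example shares: a JPEG that embeds a JPEG thumbnail ends at the thumbnail's FFD9 marker, a header that happens to occur inside unrelated binary data yields a junk file, and the data has to be in stream order before scanning, since a file split across out-of-order packets will not carve cleanly.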
SipGrep 2
SipGrep is a powerful pcap-aware command line tool to capture, display and troubleshoot SIP signaling over IP networks. It allows the user to match SIP headers using extended regular expressions.
sngrep
sngrep is a tool for displaying SIP calls message flows from terminal. It supports live capture to display realtime SIP packets and can also be used as .pcap file viewer.

Related Software (Various)

Bit-Twist
Bit-Twist is a powerful libpcap-based Ethernet packet generator and editor, written in POSIX-compliant C, designed to complement tcpdump by replaying captured traffic from pcap files onto live networks. It supports Windows (using Npcap), Linux, BSD, and macOS, allowing the editing of key fields in Ethernet, ARP, IPv4, IPv6, ICMP, and TCP/UDP headers. It can also generate pcap files from its built-in templates, enabling packet creation without existing capture files, along with payload generation from uniformly distributed random bytes or fixed bytes, such as hex streams from Wireshark. Ideal for testing firewalls, IDS, IPS, routers, switches, load balancers, and other network equipment, it delivers performance that matches the line rate of your NIC, up to 10Gbps.
tcpreplay
Tcpreplay is a suite of free Open Source utilities for editing and replaying previously captured network traffic. Originally designed to replay malicious traffic patterns to Intrusion Detection/Prevention Systems, it has seen many evolutions including capabilities to replay to web servers. Tcpreplay includes tcpcapinfo, a tool for decoding the structure of a pcap file with a focus on finding broken pcap files and determining how two related pcap files might differ.
netsniff-ng
netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing if you will. Its performance gain comes from zero-copy mechanisms, so that on packet reception and transmission the kernel does not need to copy packets between kernel space and user space.
Termshark
A terminal UI for tshark, inspired by Wireshark.
SIPp
SIPp is a performance testing tool for the SIP protocol. There is a limited support of media plane (RTP). The "PCAP play" feature makes use of libpcap to replay pre-recorded RTP streams towards a destination. RTP streams can be recorded by tools like Wireshark or tcpdump.
knock: a port-knocking implementation
This is a port-knocking server/client. Port-knocking is a method where a server can sniff one of its interfaces for a special "knock" sequence of port-hits. When detected, it will run a specified event bound to that port knock sequence. These port-hits need not be on open ports, since it uses libpcap to sniff the raw interface traffic.
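As an added example of the detection side of port knocking (example code for this page, not knock's implementation; its daemon, configuration and options are not reproduced): a per-source state machine that consumes SYN lines in the style of `tcpdump -tt -nn` output, advances on the expected port, resets on any other port or when the sequence takes longer than the timeout, and records which sources completed the knock. The hosts, ports, timestamps and sequence are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A TCP SYN as printed by `tcpdump -tt -nn`:
# "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [S], ..."
SYN_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[S\]")


@dataclass
class KnockState:
    matched: int = 0          # ports of the sequence seen so far, in order
    deadline: float = 0.0     # the whole sequence must finish before this time


@dataclass
class KnockServer:
    """Tracks knock progress per source address (simplified model)."""
    server_ip: str
    sequence: Tuple[int, ...]
    timeout: float = 5.0
    states: Dict[str, KnockState] = field(default_factory=dict)
    opened: List[Tuple[float, str]] = field(default_factory=list)

    def hit(self, ts: float, src: str, dport: int) -> bool:
        st = self.states.get(src, KnockState())
        if st.matched and ts > st.deadline:
            st = KnockState()                         # too slow: start over
        if dport == self.sequence[st.matched]:
            if st.matched == 0:
                st.deadline = ts + self.timeout       # clock starts on the first knock
            st.matched += 1
        elif dport == self.sequence[0]:
            st = KnockState(1, ts + self.timeout)     # a fresh attempt mid-sequence
        else:
            st = KnockState()                         # wrong port: a scan, not a knock
        if st.matched == len(self.sequence):
            self.opened.append((ts, src))             # here the bound event would run
            self.states.pop(src, None)
            return True
        self.states[src] = st
        return False

    def feed_line(self, line: str) -> bool:
        """Feed one tcpdump-style line; only SYNs to our own address count."""
        m = SYN_LINE.match(line)
        if not m or m["dst"] != self.server_ip:
            return False
        return self.hit(float(m["ts"]), m["src"], int(m["dport"]))


# Constructed capture: one correct knock, one out-of-order attempt, one too-slow attempt.
SAMPLE_LOG = """\
1700000001.000 IP 203.0.113.5.51000 > 192.0.2.1.7000: Flags [S], seq 1, win 64240, length 0
1700000001.500 IP 203.0.113.5.51001 > 192.0.2.1.8000: Flags [S], seq 1, win 64240, length 0
1700000002.000 IP 203.0.113.5.51002 > 192.0.2.1.9000: Flags [S], seq 1, win 64240, length 0
1700000003.000 IP 198.51.100.7.40000 > 192.0.2.1.7000: Flags [S], seq 1, win 64240, length 0
1700000003.100 IP 198.51.100.7.40001 > 192.0.2.1.9000: Flags [S], seq 1, win 64240, length 0
1700000003.200 IP 198.51.100.7.40002 > 192.0.2.1.8000: Flags [S], seq 1, win 64240, length 0
1700000020.000 IP 203.0.113.9.52000 > 192.0.2.1.7000: Flags [S], seq 1, win 64240, length 0
1700000030.000 IP 203.0.113.9.52001 > 192.0.2.1.8000: Flags [S], seq 1, win 64240, length 0
1700000031.000 IP 203.0.113.9.52002 > 192.0.2.1.9000: Flags [S], seq 1, win 64240, length 0
"""


def run(log: str = SAMPLE_LOG) -> KnockServer:
    srv = KnockServer("192.0.2.1", (7000, 8000, 9000), timeout=5.0)
    for line in log.splitlines():
        srv.feed_line(line)
    return srv


if __name__ == "__main__":
    for ts, src in run().opened:
        print("%.3f knock completed from %s" % (ts, src))
```

The reset-on-wrong-port rule is what stops a plain sequential port scan from completing the sequence by accident, and the timeout bounds how long partial state is kept per source. The sequence itself travels in cleartext, so anyone sniffing the same segment can replay it: port knocking hides a service, it does not authenticate the client, and whatever the triggered event exposes still needs its own authentication.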
Ettercap
Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
NPF
NPF is a layer 3 packet filter, supporting stateful packet inspection, IPv6, NAT, IP sets, extensions and many more. It uses BPF as its core engine and it was designed with a focus on high performance, scalability, multi-threading and modularity. NPF was written from scratch in 2009. It is written in C99 and distributed under the 2-clause BSD license.
arping
Arping is a utility to find out whether a specific IP address on the LAN is 'taken' and which MAC address owns it.
Ostinato
Ostinato is a versatile packet crafter, pcap editor/player and traffic generator with an intuitive GUI. Add-ons include high-speed 10/25/40G traffic generation and scripting/automation Python APIs. Works on all platforms: Windows, macOS, Linux and the labbing platforms (CML, EVE-NG and GNS3).
arp-scan
arp-scan is a command-line tool for system discovery and fingerprinting. It constructs and sends ARP requests to the specified IP addresses, and displays any responses that are received. arp-scan allows you to:
  • Send ARP packets to any number of destination hosts, using a configurable output bandwidth or packet rate.
  • Construct the outgoing ARP packet in a flexible way.
  • Decode and display any returned packets.
  • Fingerprint IP hosts using the arp-fingerprint tool.
Nmap
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
Caper
Caper is a freely-available, open-source tool for processing packet filters. Filters are used as the first processing stage when capturing, diverting, or dropping network traffic. Caper processes filters by converting them among different representations to clarify their meaning.
SSLsplit
SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. It is intended to be useful for network forensics, application security analysis and penetration testing. SSLsplit is designed to transparently terminate connections that are redirected to it using a network address translation engine. SSLsplit then terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. Besides NAT based operation, SSLsplit also supports static destinations and using the server name indicated by SNI as upstream destination.
dhcp-probe
dhcp-probe is intended to be used by network administrators to locate unknown BootP and DHCP servers on a directly-attached network.
hping3
hping3 is a network tool able to send custom TCP/IP packets and to display target replies, like ping does with ICMP replies. hping3 can handle fragmentation and almost arbitrary packet sizes and contents, using the command line interface. Since version 3, hping implements scripting capabilities. As a command line utility, hping is useful to test many kinds of networking devices like firewalls, routers, and so on. It can be used as a traceroute-like program over all the supported protocols, and for firewalking, OS fingerprinting, port scanning and TCP/IP stack auditing.
Netdiscover
Netdiscover is a network address discovery tool, developed mainly for wireless networks without a DHCP server; it also works on hub/switched networks. It is based on ARP packets: it sends ARP requests and sniffs for replies.
drool (DNS Replay Tool)
drool can replay DNS traffic from PCAP files and send it to a specified server, with options such as to manipulate the timing between packets, as well as loop packets infinitely or for a set number of iterations. This tool's goal is to be able to produce a high amount of UDP packets per second and TCP sessions per second on common hardware.
dnsjit
dnsjit is a combination of parts taken from dsc, dnscap, drool, and put together around Lua to create a script-based engine for easy capturing, parsing and statistics gathering of DNS messages while also providing facilities for replaying DNS traffic.

One of the core pieces of functionality that dnsjit brings is tying together C and Lua modules through a receiver/receive interface. This allows the creation of custom chains of functionality to meet various requirements. Another core piece of functionality is the ability to parse and process DNS messages even when they are non-compliant with the DNS standards.
Packit
Packit (PACket toolKIT) is a network auditing tool. It uses libpcap and can build real packets (frames) that are able to travel on a network. Packit also allows one to add custom payloads. Another useful feature is the ability to read dump files created by tcpdump.

Packit has an ability to customize, inject, monitor and manipulate IP traffic. By allowing you to define (spoof) nearly all TCP, UDP, ICMP, IP, ARP, RARP, and Ethernet header options, Packit can be useful for the following scenarios:
  • tests in firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), proxies, port scanning detectors;
  • network traffic simulations;
  • security tests; and
  • general TCP/IP auditing and pentests.
Packit is also an excellent tool for learning TCP/IP. However, this program does not support IPv6.
UCARP
UCARP allows a couple of hosts to share common virtual IP addresses in order to provide automatic failover. It is a portable userland implementation of the secure and patent-free Common Address Redundancy Protocol (CARP, OpenBSD's alternative to the patents-bloated VRRP). Strong points of the CARP protocol are: very low overhead, cryptographically signed messages, interoperability between different operating systems and no need for any dedicated extra network link between redundant hosts.
Ping Tunnel
Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. Ptunnel is not a feature-rich tool by any means, but it does what it advertises:
  • Tunnel TCP using ICMP echo request and reply packets.
  • Connections are reliable (lost packets are resent as necessary).
  • Handles multiple connections.
  • Acceptable bandwidth (150 kb/s downstream and about 50 kb/s upstream are the currently measured maxima for one tunnel, but with tweaking this can be improved further).
  • Authentication, to prevent just anyone from using your proxy.
SimH
SimH, a simulator for historic computer systems, uses libpcap in its Sim_Ether module, which allows various virtual hardware to use Ethernet interfaces of the host OS.