Network sniffer with application link

Peter Siegrist bc800ff0a7 V1.3.1 1 month ago
sisniff 9d114df418 v1.3.1: - arguments change (-pHl -> -Hl, -pH -> -H) 1 month ago


Sisniff is a network sniffer like tcpdump that prints all packets going to and from the local computer on a network interface.
As a special feature, it displays for each packet the corresponding application that sends or receives it.
Filter options such as the program name make it possible to track a specific application.

It supports TCP, UDP and ICMP packets, on both IPv4 and IPv6.
All BPF filters on top of IP that tcpdump accepts are also supported.

For HTTP connections, the -H and -Hl arguments show the payload in short or long form, respectively.

Under some circumstances the program/PID cannot be determined. Such packets are reported as follows:

 "?/?" = No entry in /proc/net/[TCP/UDP/ICMP]
 "-/-" = Found Inode but no PID
 "./." = The Inode found is '0'
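
The lookup behind these three markers, as an added example (not sisniff's own code): it parses /proc/net/tcp text into a local-address-to-inode table, maps socket inodes to processes through /proc/<pid>/fd, and returns program/PID or a marker. The sample table, the function names and the program/PID output form are assumptions made for this illustration; address decoding assumes a little-endian host.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp layout (IPv4, little-endian host assumed).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 48211 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C350 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 51877 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:C352 0A0200C0:01BB 06 00000000:00000000 03:00000A3C 00000000     0        0 0 3 0000000000000000
"""

def parse_proc_net(text):
    """Map (local_ip, local_port) -> socket inode from /proc/net/tcp text."""
    table = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        hex_ip, hex_port = fields[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        table[(ip, int(hex_port, 16))] = int(fields[9])
    return table

def scan_inode_owners(proc="/proc"):
    """Map socket inode -> (program, pid) via the /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            prog = os.path.basename(os.readlink(f"{proc}/{pid}/exe"))
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                link = os.readlink(f"{proc}/{pid}/fd/{fd}")
                if link.startswith("socket:["):
                    owners[int(link[8:-1])] = (prog, int(pid))
        except OSError:  # process gone, or fd directory not readable
            continue
    return owners

def owner_of(ip, port, table, owners):
    """Return 'program/PID' or one of the three markers listed above."""
    if (ip, port) not in table:
        return "?/?"   # no entry in the /proc/net table
    inode = table[(ip, port)]
    if inode == 0:
        return "./."   # entry exists but its inode is 0 (e.g. TIME_WAIT)
    if inode not in owners:
        return "-/-"   # inode known, but no readable process holds it
    prog, pid = owners[inode]
    return f"{prog}/{pid}"
```

On a live Linux system, pass the contents of /proc/net/tcp and the result of scan_inode_owners(); without root, sockets of other users' processes resolve to "-/-" because their fd directories are not readable.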

!! sisniff uses scapy's sniff() function, so the scapy package is needed:
!! debian: apt-get install scapy
!! pip: pip/pip3 install scapy
!! other systems:

This program needs Python 3.x or Python 2.x.

Homepage (german):

Direct Download: wget

# sisniff -h
usage: sisniff [-h] -i {eth0,lo,wlan0} [-n] [-p program|not-program] [-4] [-6] [-H] [-Hl] [filter]

sisniff V1.3.1
2017-2022 by sigi 

positional arguments:
  filter                Filter (BPF syntax) on top of IP (in dbl-quotes "...")

optional arguments:
  -h, --help            show this help message and exit
  -i {eth0,lo,wlan0}    Interface (required)
  -n                    Do not resolve IP-Addresses
  -p program|not-program
                        Filter by program name (accepts * for matching) ([not-] negates)
  -4                    Only IPv4
  -6                    Only IPv6
  -H                   Show HTTP Payload
  -Hl                  Show HTTP Payload, long output
  • The interfaces shown in the help are gathered from the running system.
  • program means the base name of the program/application, e.g. -p thunderbird-bin
  • program can contain a '*' pattern at the beginning and/or the end, e.g. -p thunder*
  • not-program excludes the program from being shown, e.g. not-thunderbird-bin. The '*' pattern is also accepted.
  • filter uses the same syntax as tcpdump. It must be written in double quotes "..."
Example Commands
# sisniff -i wlan0 "port not ssh"
# sisniff -i wlan0 -p *vpn*
# sisniff -i wlan0 -p not-thunderbird-bin -4 "host not"
# sisniff -i eth0 -p firefox -Hl "port 80"      
Example Output