Network sniffer with application link

root fc9c460d0f v1.3 FIX: exception handling 2 months ago
400px-Terminal_059.png ffac3ca21d first commit 4 years ago 7eaaa08cc2 v1.2 README 2 months ago
Terminal_059.png ffac3ca21d first commit 4 years ago
sisniff fc9c460d0f v1.3 FIX: exception handling 2 months ago


Sisniff is a network sniffer like tcpdump, which prints out all the packets on a network interface from and to the local computer.
As a special feature, for each packet the coresponding application which sends or receives this packet is showing.
With filter options like program name a specific application can be tracked.

It supports TCP, UDP and ICMP packets, both on IPv4 and IPv6
All BPF-Filter on top of IP which can be used by tcpdump are also supported.

For HTTP connections, there is an argument to show part of its payload.

Under some cirumstances the program/PID cannot be evaluated. This mavericks would be reported as follow:

 "?/?" = No entry in /proc/net/[TCP/UDP/ICMP]
 "-/-" = Found Inode but no PID
 "./." = The Inode found is '0'

!! sisniff uses scapy's sniff() function, so scapy package is needed:
!! debian: apt-get install scapy
!! pip: pip/pip3 install scapy
!! other systems:

This program needs Python 3.x or Python 2.x.

Homepage (german):

# sisniff -h
usage: sisniff [-h] -i {eth0,lo,wlan0} [-n] [-p program|not-program] [-4] [-6] [-pH] [-pHl] [filter]

sisniff V1.2
2017-2022 by sigi 

positional arguments:
  filter                Filter (BPF syntax) on top of IP (in dbl-quotes "...")

optional arguments:
  -h, --help            show this help message and exit
  -i {eth0,lo,tun0,wlan0}
                        Interface (required)
  -n                    Do not resolve IP-Addresses
  -p program|not-program
                        Filter by program name (accepts * for matching) ([not-] negates)
  -4                    Only IPv4
  -6                    Only IPv6
  -pH                   Show HTTP Payload
  -pHl                  Show HTTP Payload, long output
  • Interfaces showed in the help are gathered from the running system.
  • program is meant the base name of the program/application, e.g. -p thunderbird-bin
  • program can contain '*' pattern at the beginning and/or the end, e.g. -p thunder*
  • not-program excludes the program from beeing showed, e.g. not-thunderbird-bin. The '*' pattern also is accepted.
  • filter is in same syntax as tcpdump uses. Must be written in double-quotes "..."
Example Commands
# sisniff -i wlan0 "port not ssh"
# sisniff -i wlan0 -p *vpn*
# sisniff -i wlan0 -p not-thunderbird-bin -4 "host not"
# sisniff -i eth0 -p firefox -pHl       
Example Output