Network sniffer with application link

Peter Siegrist 28ca2d7bd7 v1.00, now IPv6 capable 1 year ago
400px-Terminal_059.png ffac3ca21d first commit 3 years ago 28ca2d7bd7 v1.00, now IPv6 capable 1 year ago
Terminal_059.png ffac3ca21d first commit 3 years ago
sisniff 28ca2d7bd7 v1.00, now IPv6 capable 1 year ago


Like tcpdump, sisniff captures and displays all connections from and to the local machine. Additionally it will show you the applications belonging to each packet.

It supports TCP, UDP and ICMP packets, both IPv4 and IPv6
The Sniffer accepts some filter like tcpdump.

For HTTP connections, there is an argument to show part of its payload.

Under some cirumstances the program/PID cannot be evaluated. This mavericks would be reported as follow:

 "?/?" = No entry in /proc/net/[TCP/UDP/ICMP]
 "-/-" = Found Inode but no PID
 "./." = The Inode found is '0'

!! sisniff uses scapy's sniff() function, so scapy package is needed:
!! debian: apt-get install scapy
!! pip: pip/pip3 install scapy
!! other systems:

This program needs Python 3.x or Python 2.x.

Current Version can be downloaded from Git at:


# sisniff -h
usage: sisniff [-h] -i {eth0,lo,wlan0} [-n] [-p program|not-program] [-4] [-6] [-pH] [-pHl] [filter]

sisniff V1.00
2017-2019 by sigi 

positional arguments:
  filter                Filter (BPF syntax) on top of IP (in dbl-quotes "...")

optional arguments:
  -h, --help            show this help message and exit
  -i {eth0,lo,wlan0}    Interface (required)
  -n                    Do not resolve IP-Addresses
  -p program|not-program
                        Filter by program name ([not-] negates)
  -4                    Only IPv4
  -6                    Only IPv6
  -pH                   Show HTTP Payload
  -pHl                  Show HTTP Payload, long output
  • Interfaces showed in the help are gathered from the running system.
  • program means the name in the 'Program' column, e.g. thunderbird-bin
  • not-program excludes the program from beeing showed, e.g. not-thunderbird-bin
  • filter is in same syntax as tcpdump uses. Must be written in double-quotes "..."