NetScope is a small Wireshark-lite command-line packet analyzer for Linux. It captures live traffic with libpcap, parses common packet headers, and prints readable summaries for Ethernet, IPv4, TCP, UDP, ICMP, and basic DNS packets.
- Live packet capture from a selected interface
- Automatic default interface selection when `-i` is omitted
- Safe length checks before reading Ethernet, IPv4, TCP, UDP, ICMP, or DNS headers
- Variable IPv4 header length handling through the IHL field
- Variable TCP header length handling through the data offset field
- TCP flag decoding for SYN, ACK, FIN, RST, PSH, and URG
- DNS header and standard query-name parsing for UDP port 53 traffic
- Optional print filters for TCP, UDP, DNS, and ICMP packets
- Clean Ctrl+C shutdown with summary statistics
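
The length-check, IHL and data-offset items above can be illustrated with a short parser. This is an added example, not NetScope's own source: `parse_tcp`, `build_sample`, `struct tcp_summary` and the status names are hypothetical, and the frame is constructed to match Packet #7 in the sample output (74 captured bytes, TCP header length 40).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_MALFORMED, PARSE_NOT_TCP };
struct tcp_summary { uint16_t src_port, dst_port; uint8_t flags; size_t ip_hdr_len, tcp_hdr_len; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Ethernet -> IPv4 -> TCP. Every read is preceded by a check against the
 * bytes still available in the capture, so nothing past caplen is touched. */
enum parse_status parse_tcp(const uint8_t *pkt, size_t caplen, struct tcp_summary *out)
{
    if (caplen < 14) return PARSE_TRUNCATED;             /* Ethernet header */
    if (rd16(pkt + 12) != 0x0800) return PARSE_NOT_TCP;  /* EtherType is not IPv4 */
    const uint8_t *ip = pkt + 14;
    size_t left = caplen - 14;
    if (left < 20) return PARSE_TRUNCATED;               /* fixed part of IPv4 header */
    if ((ip[0] >> 4) != 4) return PARSE_MALFORMED;       /* version field */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;             /* IHL counts 32-bit words */
    if (ihl < 20) return PARSE_MALFORMED;                /* shorter than the fixed header */
    if (ihl > left) return PARSE_TRUNCATED;              /* options cut off by the capture */
    if (ip[9] != 6) return PARSE_NOT_TCP;                /* protocol field */
    const uint8_t *tcp = ip + ihl;
    left -= ihl;
    if (left < 20) return PARSE_TRUNCATED;               /* fixed part of TCP header */
    size_t doff = (size_t)(tcp[12] >> 4) * 4;            /* data offset, 32-bit words */
    if (doff < 20) return PARSE_MALFORMED;
    if (doff > left) return PARSE_TRUNCATED;             /* TCP options cut off */
    *out = (struct tcp_summary){ rd16(tcp), rd16(tcp + 2), (uint8_t)(tcp[13] & 0x3f), ihl, doff };
    return PARSE_OK;
}

/* Constructed sample: 74-byte SYN frame (14 Ethernet + 20 IPv4 + 40 TCP), addresses zeroed. */
void build_sample(uint8_t f[74])
{
    memset(f, 0, 74);
    f[12] = 0x08; f[13] = 0x00; f[14] = 0x45; f[23] = 6;  /* IPv4, IHL 5, protocol TCP */
    f[34] = 0xc5; f[35] = 0x70; f[36] = 0x01; f[37] = 0xbb; /* ports 50544 -> 443 */
    f[46] = 0xa0; f[47] = 0x02;                           /* data offset 10 words, SYN */
}

int main(void)
{
    uint8_t f[74]; struct tcp_summary s = {0}; build_sample(f);
    enum parse_status full = parse_tcp(f, sizeof f, &s);
    printf("74 bytes: status=%d header_len=%zu\n", full, s.tcp_hdr_len);
    printf("60 bytes: status=%d\n", parse_tcp(f, 60, &s)); /* TCP options cut off */
    return 0;
}
```

Checking the IHL and data offset against both the 20-byte minimum and the remaining captured length is what keeps a crafted or snaplen-truncated packet from steering the parser outside the buffer.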

```bash
sudo apt update
sudo apt install build-essential libpcap-dev
```

```bash
make
```

This creates the `packet-analyzer` executable in the project root.

To remove build output:

```bash
make clean
```

Capture on a specific interface:

```bash
sudo ./packet-analyzer -i eth0
```

Choose a default interface automatically:

```bash
sudo ./packet-analyzer
```

Print only TCP packets:

```bash
sudo ./packet-analyzer -i eth0 --tcp
```

Print only UDP packets:

```bash
sudo ./packet-analyzer -i eth0 --udp
```

Print only DNS packets:

```bash
sudo ./packet-analyzer -i eth0 --dns
```

Print only ICMP packets:

```bash
sudo ./packet-analyzer -i eth0 --icmp
```

Filters control what NetScope prints. Packets are still captured and counted in the final statistics.

```text
NetScope listening on eth0. Press Ctrl+C to stop.
Packet #7 captured_len=74 wire_len=74
Ethernet: src=52:54:00:12:34:56 dst=08:00:27:aa:bb:cc ethertype=0x0800
IPv4: src=192.168.1.20 dst=93.184.216.34 ttl=64 protocol=6 total_len=60
TCP: src_port=50544 dst_port=443 seq=1180152162 ack=0 flags=SYN header_len=40
Packet #12 captured_len=86 wire_len=86
Ethernet: src=52:54:00:12:34:56 dst=08:00:27:aa:bb:cc ethertype=0x0800
IPv4: src=192.168.1.20 dst=1.1.1.1 ttl=64 protocol=17 total_len=72
UDP: src_port=43321 dst_port=53 length=52
DNS: id=0x9b31 query opcode=0 questions=1 answers=0
DNS question: name=example.com type=1 class=1
^C
Capture interrupted by user.
=== NetScope Capture Summary ===
Total packets: 12
Ethernet packets: 12
IPv4 packets: 10
TCP packets: 6
UDP packets: 3
ICMP packets: 1
DNS packets: 1
Unknown packets: 2
Truncated packets: 0
```

Packet capture usually requires elevated privileges. The simplest option while testing is `sudo`.

On Linux, you can also grant capture permissions to the binary instead of running it as root:

```bash
sudo setcap cap_net_raw,cap_net_admin=eip ./packet-analyzer
```

You may need to reinstall capabilities after rebuilding the binary.

- PCAP file export
- BPF filters
- HTTP parsing
- TLS handshake metadata
- Terminal UI