GinaShome/NetScope

NetScope

NetScope is a small Wireshark-lite command-line packet analyzer for Linux. It captures live traffic with libpcap, parses common packet headers, and prints readable summaries for Ethernet, IPv4, TCP, UDP, ICMP, and basic DNS packets.

Features

  • Live packet capture from a selected interface
  • Automatic default interface selection when -i is omitted
  • Safe length checks before reading Ethernet, IPv4, TCP, UDP, ICMP, or DNS headers
  • Variable IPv4 header length handling through the IHL field
  • Variable TCP header length handling through the data offset field
  • TCP flag decoding for SYN, ACK, FIN, RST, PSH, and URG
  • DNS header and standard query-name parsing for UDP port 53 traffic
  • Optional print filters for TCP, UDP, DNS, and ICMP packets
  • Clean Ctrl+C shutdown with summary statistics
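
The length checks and variable header lengths listed above can be shown in one self-contained parser. This is an added example, not NetScope's own source: parse_ipv4_tcp, struct tcp_summary, the error codes and the constructed SAMPLE_SYN frame are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { PARSE_OK = 0, ERR_TRUNCATED = -1, ERR_MALFORMED = -2, ERR_NOT_TCP = -3 };
struct tcp_summary { uint16_t src_port, dst_port; uint8_t flags; size_t ip_hlen, tcp_hlen; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk Ethernet -> IPv4 -> TCP over caplen captured bytes. Each header is
 * length-checked before it is read; IHL and data offset come from the wire,
 * so both are checked against their minimum and against the bytes left. */
int parse_ipv4_tcp(const uint8_t *pkt, size_t caplen, struct tcp_summary *out)
{
    if (caplen < 14) return ERR_TRUNCATED;               /* Ethernet header */
    if (rd16(pkt + 12) != 0x0800) return ERR_NOT_TCP;    /* ethertype: IPv4 only */
    const uint8_t *ip = pkt + 14;
    size_t left = caplen - 14;
    if (left < 20) return ERR_TRUNCATED;                 /* minimum IPv4 header */
    if ((ip[0] >> 4) != 4) return ERR_MALFORMED;         /* version field */
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;             /* IHL counts 32-bit words */
    if (ihl < 20) return ERR_MALFORMED;
    if (ihl > left) return ERR_TRUNCATED;                /* IP options cut off */
    if (ip[9] != 6) return ERR_NOT_TCP;                  /* protocol 6 = TCP */
    const uint8_t *tcp = ip + ihl;
    left -= ihl;
    if (left < 20) return ERR_TRUNCATED;                 /* minimum TCP header */
    size_t doff = (size_t)(tcp[12] >> 4) * 4;            /* data offset, in words */
    if (doff < 20) return ERR_MALFORMED;
    if (doff > left) return ERR_TRUNCATED;               /* TCP options cut off */
    out->src_port = rd16(tcp); out->dst_port = rd16(tcp + 2);
    out->flags = tcp[13] & 0x3F;                         /* URG ACK PSH RST SYN FIN */
    out->ip_hlen = ihl; out->tcp_hlen = doff;
    return PARSE_OK;
}

/* Constructed 74-byte SYN frame (not a real capture); unlisted bytes are zero. */
static const uint8_t SAMPLE_SYN[74] = {
    0x08,0x00,0x27,0xaa,0xbb,0xcc, 0x52,0x54,0x00,0x12,0x34,0x56, 0x08,0x00,
    0x45,0,0,0x3c, 0,0,0x40,0, 0x40,0x06,0,0, 192,168,1,20, 93,184,216,34,
    0xc5,0x70,0x01,0xbb, 0,0,0,0, 0,0,0,0, 0xa0,0x02 };

int main(void)
{
    struct tcp_summary s;
    printf("full=%d ", parse_ipv4_tcp(SAMPLE_SYN, sizeof SAMPLE_SYN, &s));
    printf("cut=%d\n", parse_ipv4_tcp(SAMPLE_SYN, 60, &s)); /* capture ends inside TCP options */
    return 0;
}
```

The second call passes only the first 60 bytes, so the 40-byte TCP header claimed by the data offset no longer fits and the parser reports truncation instead of reading past the buffer.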

Install libpcap on Ubuntu/Debian

sudo apt update
sudo apt install build-essential libpcap-dev

Build

make

This creates the packet-analyzer executable in the project root.

To remove build output:

make clean

Run

Capture on a specific interface:

sudo ./packet-analyzer -i eth0

Choose a default interface automatically:

sudo ./packet-analyzer

Print only TCP packets:

sudo ./packet-analyzer -i eth0 --tcp

Print only UDP packets:

sudo ./packet-analyzer -i eth0 --udp

Print only DNS packets:

sudo ./packet-analyzer -i eth0 --dns

Print only ICMP packets:

sudo ./packet-analyzer -i eth0 --icmp

Filters control what NetScope prints. Packets are still captured and counted in the final statistics.

Example Output

NetScope listening on eth0. Press Ctrl+C to stop.

Packet #7 captured_len=74 wire_len=74
  Ethernet: src=52:54:00:12:34:56 dst=08:00:27:aa:bb:cc ethertype=0x0800
  IPv4: src=192.168.1.20 dst=93.184.216.34 ttl=64 protocol=6 total_len=60
  TCP: src_port=50544 dst_port=443 seq=1180152162 ack=0 flags=SYN header_len=40

Packet #12 captured_len=86 wire_len=86
  Ethernet: src=52:54:00:12:34:56 dst=08:00:27:aa:bb:cc ethertype=0x0800
  IPv4: src=192.168.1.20 dst=1.1.1.1 ttl=64 protocol=17 total_len=72
  UDP: src_port=43321 dst_port=53 length=52
    DNS: id=0x9b31 query opcode=0 questions=1 answers=0
    DNS question: name=example.com type=1 class=1

^C
Capture interrupted by user.

=== NetScope Capture Summary ===
Total packets:      12
Ethernet packets:   12
IPv4 packets:       10
TCP packets:        6
UDP packets:        3
ICMP packets:       1
DNS packets:        1
Unknown packets:    2
Truncated packets:  0

Capture Permissions

Packet capture usually requires elevated privileges. The simplest option while testing is sudo.

On Linux, you can also grant capture permissions to the binary instead of running it as root:

sudo setcap cap_net_raw,cap_net_admin=eip ./packet-analyzer

Capabilities are attached to the binary file itself, so you may need to run setcap again after rebuilding the binary.

Future Improvements

  • PCAP file export
  • BPF filters
  • HTTP parsing
  • TLS handshake metadata
  • Terminal UI
