A fast C++17 network sniffer that parses L2/L3/L4 protocols and summarizes traffic statistics and flows. It supports live capture from an interface or reading from a pcap file, with optional BPF filters and a quiet mode to only output aggregated stats.
Features:
- L2 identification (by EtherType): IPv4, IPv6, ARP, VLAN, MPLS (multicast/unicast), RoCE
- L4 protocols (by IP protocol number): TCP, UDP, ICMP, ICMPv6
- Application parsers: DNS/mDNS, HTTP, FTP, ICMP, MPLS
- Flow tracking and basic distributions
- Quiet mode for stats-only output
Requirements:
- macOS (tested) with CMake ≥ 3.20 and a C++17 toolchain
- libpcap (install via Homebrew):

```sh
brew install libpcap
```

Build:

```sh
# From project root
mkdir build && cd build
cmake ..
cmake --build .
# Binary will be at: build/cli/sniffer
```

Run `--help` to see all options:

```sh
./cli/sniffer --help
```

Key options:

| Option | Description |
|---|---|
| `-l, --list-interfaces` | List available network interfaces |
| `-i, --interface <name>` | Capture from an interface (e.g., `en0`) |
| `-f, --file-pcap <path>` | Read packets from a pcap file |
| `-b, --bpf-filter <expr>` | BPF filter, e.g., `"tcp port 80"` |
| `-c, --count <N>` | Stop after N packets (default `-1` = unlimited) |
| `-s, --statisic <true\|false>` | Enable statistics (default `false`) |
| `-q, --quiet` | Only print statistics at the end |
Examples:

```sh
# List interfaces
./cli/sniffer -l
# Live capture 100 packets from en0 with a filter, stats enabled, quiet mode
./cli/sniffer -i en0 -b "tcp port 80" -c 100 --statisic true -q
# Read from a pcap file (provide your own file)
./cli/sniffer -f /path/to/trace.pcap --statisic true -q
```

Tip: To create a pcap quickly:

```sh
sudo tcpdump -i en0 -w out.pcap -c 200
```

Statistics output:
- L3 distribution shows EtherTypes: IPv4, IPv6, ARP, VLAN, MPLS Multicast, MPLS Unicast, RoCE.
- L4 distribution shows IP protocol numbers: TCP, UDP, ICMP, ICMPv6.
- Flow packet distribution groups flows by total packets seen.
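To make the two mappings behind the L3 and L4 distributions concrete, here is a small added example (not code from this project) of a frame classifier that derives the same EtherType and IP-protocol buckets; `classifyFrame`, `etherTypeName`, `ipProtoName` and the frames used to exercise them are assumptions of the example, not the sniffer's own API. Every field read is length-checked first, which is the property a parser fed by untrusted captures must have.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// One frame's classification: the EtherType bucket (L3 distribution) and the
// IP protocol number (L4 distribution), mirroring the stats described above.
struct FrameClass {
    uint16_t etherType = 0;   // innermost EtherType after any 802.1Q tags
    int ipProto = -1;         // IPv4 Protocol / IPv6 Next Header; -1 if not IP
    bool vlanTagged = false;
};
static uint16_t be16(const uint8_t* p) { return static_cast<uint16_t>((p[0] << 8) | p[1]); }
std::string etherTypeName(uint16_t t) {
    switch (t) {
        case 0x0800: return "IPv4";
        case 0x86DD: return "IPv6";
        case 0x0806: return "ARP";
        case 0x8100: return "VLAN";
        case 0x8847: return "MPLS Unicast";
        case 0x8848: return "MPLS Multicast";
        case 0x8915: return "RoCE";
        default:     return "Unknown";
    }
}
std::string ipProtoName(int p) {
    switch (p) {
        case 1:  return "ICMP";
        case 6:  return "TCP";
        case 17: return "UDP";
        case 58: return "ICMPv6";
        default: return "Unknown";
    }
}
// Walk the Ethernet header, peel 802.1Q tags, then read the IPv4/IPv6 protocol
// field. Every read is length-checked so a truncated frame cannot overrun.
FrameClass classifyFrame(const std::vector<uint8_t>& f) {
    FrameClass c;
    size_t off = 12;  // dst MAC (6) + src MAC (6)
    if (f.size() < off + 2) return c;
    uint16_t et = be16(&f[off]); off += 2;
    while (et == 0x8100 && f.size() >= off + 4) {  // TCI (2) + inner EtherType (2)
        c.vlanTagged = true;
        et = be16(&f[off + 2]); off += 4;
    }
    c.etherType = et;
    if (et == 0x0800 && f.size() >= off + 20) c.ipProto = f[off + 9];       // IPv4 Protocol
    else if (et == 0x86DD && f.size() >= off + 40) c.ipProto = f[off + 6];  // IPv6 Next Header
    return c;
}
```

A frame whose 802.1Q tag is cut off before the inner EtherType stays in the `VLAN` bucket with no L4 classification, which is the safe outcome for a truncated capture.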
Project layout:

```text
apps/    # App-level protocol parsers (dns, http, ftp, icmp, mdns, mpls)
cli/     # CLI entrypoint
core/    # Sniffer orchestration, common types, utils
filter/  # BPF filter handling
flow/    # Flow tracking
netif/   # Interface capture setup (libpcap)
parser/  # L2/L3/L4 parsing, PacketInfo generation
pcapio/  # pcap file I/O
stats/   # Statistics aggregation and printing
```
Notes:
- Privileges: Capturing on some interfaces may require elevated privileges. On macOS, `lo0` does not support promiscuous mode; prefer a physical interface (e.g., `en0`) or use `-f` with a pcap file.
- Filters: BPF expressions must be quoted to avoid shell expansion.
- If L3 stats show `Unknown`: ensure you rebuilt after recent fixes; L3 now maps EtherTypes, and L4 maps IP protocol numbers.
- The project does not ship sample pcaps; use `tcpdump` or public traces.
Contributing:
- Keep changes minimal and focused. Use CMake and follow existing code style.
- Open issues or PRs describing the problem and proposed fix.