The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX.

Latest news:

Mon Mar 15 23:35:00 PDT 2010

Major bugfix releases Netdude 0.5.1 and libnetdude 0.12 are available.

Netdude's architecture consists of three main components:

Netdude: a graphical interface that allows you to perform trace file editing, inspection and analysis to a degree formerly only possible by writing code. Screenshots are here. The application's features include:

  • Inspecting and filtering packets at arbitrary locations in trace files that can be many gigabytes in size. Trace locations can be specified both as timestamps and as fractions relative to the full trace size.
  • Inspecting and editing the values of every field in a protocol's packet header, provided that a protocol plugin to support the protocol is installed.
  • Resizing individual packets.
  • A Hex/ASCII editor for directly modifying packet payload.
  • Defining arbitrary trace areas for subsequent packet modifications.
  • Editing multiple traces at the same time.
  • Copying, moving, and deleting packets in a trace file and between trace files.
  • Highly modular architecture, allowing easy third-party development of additional plugins providing more protocols or features.

libnetdude: the core of the framework and the place where the packet manipulations are performed. It allows you to implement trace file manipulations at a much higher level of abstraction than code written directly on top of the pcap library. It also provides a command-line interface that directly lets you script all packet-mangling capabilities provided by the set of plugins you have installed. Libnetdude's features include:

  • Convenient abstractions for trace files, trace parts & areas, packets, filters, and packet iterators.
  • Ability to edit arbitrarily large traces (subject to the large-file size limit on your OS). Traces are navigated using timestamps and fractional offsets.
  • Ability to insert and delete packets.
  • Flexible plugin architecture: Protocol plugins allow interpretation of arbitrary protocol data. Feature plugins provide helpful building blocks (like anonymizers, statistical analyzers, demultiplexers, etc.) in a reusable fashion.
  • Structured packet data. Raw packet data is interpreted as far as the installed protocol plugins permit. No need to write your own protocol analyzer any more.
  • Familiar tcpdump output: libnetdude can associate a tcpdump process with each trace file, providing tcpdump's familiar output for individual packets. The GUI application makes extensive use of this.

libpcapnav: a libpcap wrapper library that allows navigation to arbitrary packets in a tcpdump trace file between reads, using timestamps or percentage offsets. It was originally based on Vern Paxson's tcpslice tool.
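
How a jump to a fractional offset can land on a real packet boundary, as an added example (not libpcapnav's code or API): seek to the byte position, then scan forward for a record header that passes sanity checks and is followed by further sane headers. The function names, the one-day `MAX_SPAN` bound and the sample trace are assumptions constructed for this illustration.

```python
import struct

PCAP_HDR, REC_HDR = 24, 16   # global header size; per-packet header size
MAX_SPAN = 86400             # assumption: the trace covers at most one day

def build_trace(n=100, t0=1_000_000):
    """Constructed sample trace: n packets, one per second, 0xff filler payloads."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    offsets = []
    for i in range(n):
        size = 40 + (i % 5) * 8
        offsets.append(len(out))
        out += struct.pack("<IIII", t0 + i, 0, size, size) + b"\xff" * size
    return bytes(out), offsets

def byte_order(buf):
    """struct prefix for the trace's byte order; KeyError if not classic pcap."""
    return {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[buf[:4]]

def plausible(buf, off, bo, snaplen, t_min):
    """Decode the record header at off; return (ts_sec, caplen) only if sane."""
    if off + REC_HDR > len(buf):
        return None
    sec, usec, caplen, wirelen = struct.unpack_from(bo + "IIII", buf, off)
    ok = (t_min <= sec <= t_min + MAX_SPAN and usec < 1_000_000
          and 0 < caplen <= min(snaplen, wirelen)
          and off + REC_HDR + caplen <= len(buf))
    return (sec, caplen) if ok else None

def goto_fraction(buf, frac, chain=3):
    """(offset, ts_sec) of the first packet at or after frac of the trace, or None."""
    bo = byte_order(buf)
    snaplen = struct.unpack_from(bo + "I", buf, 16)[0]
    t0 = struct.unpack_from(bo + "I", buf, PCAP_HDR)[0]   # first packet's ts_sec
    start = PCAP_HDR + int(frac * (len(buf) - PCAP_HDR))
    for cand in range(start, len(buf) - REC_HDR + 1):
        off, t_min, first_ts = cand, t0, None
        for _ in range(chain):       # a real header is followed by more real headers
            hdr = plausible(buf, off, bo, snaplen, t_min)
            if hdr is None:
                break
            first_ts = hdr[0] if first_ts is None else first_ts
            t_min, off = hdr[0], off + REC_HDR + hdr[1]
            if off == len(buf):      # chain ran cleanly into end of file
                return cand, first_ts
        else:
            return cand, first_ts
    return None
```

The chained check matters on real traces, where payload bytes can happen to decode as a single sane-looking header; requiring the following headers to be sane and non-decreasing in time filters most such false hits.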

Last update: Sun Jun 24 15:10:05 PDT 2007 — (c) Christian Kreibich 2001 - 2006