User Tools

Site Tools


Table of Contents


catnip is a tiny non-libpcap based network packet capturing tool (currently only for Linux) which when compiled and stripped the binary is smaller than 20kiB. This makes it very suitable for embedded environments where a libpcap based tool, typically 100kiB for just libpcap and 500kiB for tcpdump, would be simply too large. catnip is generally parameter compatible with tcpdump and what makes catnip stand out from other small packet capturing tools is that also supports BPF filtering.

Whilst putting together a buildroot based Linux environment for my Linksys WAG54G I was disappointed to find that a compiled libpcap/tcpdump was just too large for the 4MiB flash I was limited to. Digging around I could not find any other filtering supporting micro-sized libpcap-less capturing tools so set out to write my own, and this is the result of my efforts.

The source code and (hopefully) better documentation for 'catnip' is at


  • generally parameter compatible to tcpdump
  • Linux Socket Filter (a la BPF) support
  • no library dependencies
  • privilege dropping
  • presents the remote interface (with a remote applied BPF filter) locally via TUN/TAP; meaning you just 'tcpdump' on a local interface as if you were on the remote device

Known Bugs

  • sniffing promiscuously on an 802.11 interface gives some interesting output
  • [other] it's a feature I tell you!


  • support mmap'd ring buffer capturing under Linux
  • simple verbosity, Layer 2 (Ethernet), Layer 3 (IPv4 and IPv6) and Layer 4 (TCP and UDP) decoder
  • Mac OS X/*BSD support
  • trigger rules to stop capturing, 'x' packets and/or 'y' seconds
  • add minimum boundary for snaplen to be (L2 header)
catnip.txt · Last modified: 2014/03/08 14:39 by alex