Network utility that summarizes TCP/IP data sorted by host computer and protocol to monitor which hosts are using the most bandwidth.

The sniff tool is a simple packet sniffer written in C that uses libpcap to capture traffic on any interface.

Other tools I found showed instantaneous results rather than using a sliding window to identify the biggest network users.

It uses a sliding window to retain the size/protocol of every packet within the window and then updates the display with the totals sorted by the biggest user.
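The sliding-window bookkeeping described above, as an added example that is not taken from the sniff source: the class and method names and the "host/protocol" key format are assumptions, and packets are handed in by the caller instead of coming from libpcap.

```cpp
#include <algorithm>
#include <cstdint>
#include <deque>
#include <map>
#include <string>
#include <utility>
#include <vector>

// One captured packet, reduced to what the window has to remember.
struct Sample { double ts; std::string key; uint64_t bytes; };
using Row = std::pair<std::string, uint64_t>;  // "host/protocol" key, bytes in window

class SlidingWindow {
    double window_;                           // window length in seconds
    std::deque<Sample> samples_;              // packets inside the window, oldest first
    std::map<std::string, uint64_t> totals_;  // running byte total per key
public:
    explicit SlidingWindow(double seconds = 10.0) : window_(seconds) {}

    // Drop packets that have aged out and subtract them from their totals.
    void expire(double now) {
        while (!samples_.empty() && samples_.front().ts <= now - window_) {
            const Sample &old = samples_.front();
            auto it = totals_.find(old.key);
            if (it != totals_.end() && (it->second -= old.bytes) == 0) totals_.erase(it);
            samples_.pop_front();
        }
    }

    // Record one packet; timestamps are assumed non-decreasing, as in a live capture.
    void add(double ts, const std::string &host, const std::string &proto, uint64_t bytes) {
        expire(ts);
        samples_.push_back({ts, host + "/" + proto, bytes});
        totals_[samples_.back().key] += bytes;
    }

    // Totals at time `now`, biggest user first (ties ordered by key).
    std::vector<Row> top(double now, std::size_t lines) {
        expire(now);
        std::vector<Row> rows(totals_.begin(), totals_.end());
        std::sort(rows.begin(), rows.end(), [](const Row &a, const Row &b) {
            return a.second != b.second ? a.second > b.second : a.first < b.first;
        });
        if (rows.size() > lines) rows.resize(lines);
        return rows;
    }
};
```

Because every packet is kept until it ages out, a host that stops sending drops off the list one window length later instead of vanishing on the next refresh.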

The current source code can be downloaded from GitHub.

Network usage sniffer based on pcap libraries which will show the hosts with the biggest data usage using a sliding time window.

The sniff utility quickly aggregates the biggest data users on your network so you can identify hosts that are using an excessive amount of bandwidth. It is extremely useful for finding all the people streaming video during big sporting events. I was also able to find hosts doing full backups during peak times of day. It is a helpful utility for identifying types of traffic for further shaping that were too hard to pick out with just tcpdump.

We went through several different network tools, and none of them aggregated the data the way we needed. This is a pure text-based console app for viewing top bandwidth users.

  • Aggregates data by host name and protocol.
  • It groups data by external vs internal hosts.
  • Hosts are sorted by the biggest to smallest users.
  • A default 10 second sliding window sums all packets.
  • Standard pcap options can be passed through.
  • Asynchronous hostname lookups.

sniff [OPTIONS]... [RULES]...
    -h aggregate totals by host
    -i  device to listen on
    -l exclude local to local packets
    -p aggregate totals by ports
    -s number of lines to show
    -t aggregate totals by protocol
    -v verbose
    -w  size of the sample window
    [RULES]... standard pcap filter rules

In order to build you will need the pcap and anl libraries:

g++ -g -Ofast -Wall -o sniff sniff.cpp -lpcap -lanl

Running this with WAN traffic is much more interesting, but here is a sample running within a server LAN: