A graphical network monitor
EtherApe logo Hosted at Sourceforge
Screen Shots


Binary Packages
Source Code


Mailing Lists
Public Forums
Bug Reporting


Project Page
Bug Tracking
Mercurial repo
 Mini Screen Shot


EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display.
It supports Ethernet, FDDI, Token Ring, ISDN, PPP, SLIP and WLAN devices, plus several encapsulation formats. It can filter traffic to be shown, and can read packets from a file as well as live from the network.
Node statistics can be exported.

Overview of changes in EtherApe 0.9.13 (Sunday May 05, 2013):

Central node option, useful for displaying routers or proxies.
Translations and documentation updates, plus some fixes.

OpenSUSE build service now provides binary packages for Fedora 17 and 18 and SLES 11 SP2.

Changes summary:

  • Optional central node, based on work of Javier Fernandez-Sanguino Peņa.
  • re-enabled full-screen mode, thanks to nrvale0
  • Updated spanish translation, thanks to Javier Fernandez-Sanguino Peņa.
  • Added German translation, and fixed typos, thanks to Chris Leick.
  • Updated documentation.


Overview of changes in EtherApe 0.9.12 (Tuesday May 31, 2011):

This is a bugfix release.
Shortly after releasing 0.9.11, David Goldfarb discovered a critical bug in EtherApe, triggered by RPC traffic.

This bug can be exploited to crash EtherApe by sending a suitable packet.
No packet data is used beyond the IP addresses, however, making further escalation unlikely.

This bug has been assigned CVE number CVE-2011-3369

Changes summary:

  • fixed bug 3309061, thanks to David Goldfarb.


Overview of changes in EtherApe 0.9.11 (Friday May 27, 2011):

Several users asked for a way to export traffic statistics.
EtherApe now can save a snapshot with all known nodes and relevant informations to an XML file.
With option --final-export, a dump is automatically generated when a capture file is fully replayed.
Additionally, option --signal-export enables SIGUSR1 handling, to dump on signal.

EtherApe used to have two links for connection, one for each traffic direction. With this release, only one link is needed, gaining more complete statistics and better resource usage.

EtherApe config file is now ~/.config/etherape, instead of the older, deprecated, ~/.gnome2/Etherape. Migration is automatic. Filter expression is now saved.

Thanks to OpenSUSE Build Service and a new spec file, development rpms can easily be built for OpenSUSE 11.x/Tumbleweed, SLE11, Centos5/RHEL5, Fedora and Mandriva.
The spec file is somewhat generic, lacking the nicer integrations of official distribution packages, so you are advised to build with EtherApe spec file only as a last resort.

OSX compatibility improved, thanks to Zack Perry.

The old, deprecated, direct resolver was removed. Name resolution is now only done with the full fledged threaded resolver.

Changes summary:

  • XML export of node statistics
  • added --final-export to export statistics at replay end
  • added --signal-export to export statistics on SIGUSR1 (FR 3185920)
  • improved link statistics
  • added a toolbar button to open the nodes window
  • a new button allows skipping lengthy pauses when replaying
  • fixed a long-standing bug affecting expiry timeouts. EtherApe was overestimating traffic averages
  • used stock icons when possible to improve consistency with themes
  • EtherApe now builds natively on CENTOS5/RHEL5
  • rewrote spec file for use with OpenSUSE Build Service
  • updated documentation
  • removed several (harmless) compiler warnings to make packager's life easier
  • imported debian-specific patches and a swedish translation by Daniel Nylander
  • workaround for OSX troubles with gtk_input_add. Thanks to Zack Perry persistence for helping diagnose and fix
  • removed obsolete preference "cycle assigned colors"
  • removed deprecated direct resolver
  • config file now saved to ~/.config/etherape
  • filter expression is now saved with the other preferences
  • italian translation
  • link and node sizes now computed with the same variable types
  • new size variables: active packets, total packets, average packet size


EtherApe 0.9.10 RPM packages now available (Friday Feb 25, 2011):

Thanks to OpenSUSE Build Service, prebuilt RPM packages for major distributions are now ready for download.

On SourceForge download section you'll find i586 and x86_64 RPMs for:

  • OpenSUSE 11.4 (suse1140)
  • OpenSUSE 11.3 (suse1130)
  • SUSE Enterprise 11 (sles11)
  • SUSE Enterprise 11 sp1 (sles11sp1)
  • Red Hat Enterprise 5 (rhel505)
  • CENTOS 5 (centos505)
  • Mandriva 2010.0 (mdv2010.0)
  • Mandriva 2010.1 (mdv2010.1)

plus an RPM source package.

Those packages are somewhat generic, lacking the fancy touches of official distribution packages, like pam integration, automatic root password request, and so on.

Debian, OpenSUSE, Mandriva cooker and others have already official builds of EtherApe 0.9.10. If available, you should use your distribution package.


Overview of changes in EtherApe 0.9.10 (Sunday Feb 06, 2011):

The most notable change is IPV6 support, thanks to David Flamand.

EtherApe now computes average packet size, to better estimate network usage. The new option --min-delay allows slow-motion replay of a capture file.

In 0.9.9 relnotes I forgot to mention a fix from Sotiris Sotiropoulos. Many apologies for the mistake.

Note: the old non-threaded name resolver is deprecated and will be removed on the next release.
If you really need it, speak up *now*.
Works only with IPV4 addresses, anyway.

Important: CVS repository closed
Effective from today, EtherApe CVS is no longer accessible. Please refer to the Mercurial repository.

Changes summary:

  • IPV6 support, thanks to David Flamand.
  • new statistic: average packet size.
  • added option --min-delay, to complement --max-delay when replaying from file. With this option you can replay a capture in slow-motion.
  • tweaked default service file, adding some common ports.
  • added check for invalid proto-color mappings (debian bug 566226).
  • removed bogus double assignement. Thanks to "johndoe123321".


Overview of changes in EtherApe 0.9.9 (Monday Jan 04, 2010):

The most interesting change of this release is *basic* 802.11 WLAN support. WLAN is one of the most complex protocols around ('crazy' sometimes seems a better description) and there's no way to support it completely without a dedicated display mode.

As an example, a single WLAN packet could contain up to four (4) addresses, source and destination, plus AP interchange. Showing the exact packet route could be interesting for someone trying to understand WLANs, but not very useful to monitor application traffic. So EtherApe tries to treat APs like routers, ignoring them if not directly addressed. Thus a packet starting from node X and ending with node Y will be shown as a straight link between the two nodes, even if the real path was X-AP and AP-Y.

The other notable improvement is 802.1Q VLAN tagging support. VLAN tags are decoded but ignored, showing all traffic as being in a normal LAN. Filtering a single vlan could be accomplished with pcap expressions. Note: Due to pcap limitations, to correctly filter VLAN traffic the pcap filter must start with the keyword "vlan" (e.g. vlan and ip) and *all* traffic must be VLAN-tagged.

All data-link level modes (Ethernet, FDDI, etc) are now unified in a single Link Layer mode, with automated detection (thanks to libpcap).

Note to packagers: EtherApe now uses gnome-doc-utils. Manual should appear in yelp under 'Internet'.

Important: this release will be the last mirrored on the CVS repository, wich will be shut down as of march 2010.

Changes summary:

  • wlan and wlan/radiotap protocol decoding.
  • wlan QOS support.
  • PPI (Per Packet Incapsulation) decoding.
  • basic 802.1Q VLAN support (FRQ: 1561647).
  • LLC-SNAP support.
  • unified link level modes.
  • several performance enhancements.
  • refactored and streamlined node id definition.
  • improved l3 packet deconding, now fully dynamic.
  • improved documentation, now using gnome-doc-utils.
  • borrowed some info from Mandriva .desktop file.
  • Mandriva now compiles with -Werror=format-security and EtherApe was failing to compile. Thanks to Jerome Brenier for the fix.
All the news...

Riccardo Ghetta, Juan Toledo