A graphical network monitor
EtherApe logo Download EtherApe
Hosted at Sourceforge


Screen Shots


Binary Packages
Source Code


Mailing Lists
Public Forums
Bug Reporting


Project Page
Bug Tracking
Official Mercurial repository
Bitbucket mirror
 Mini Screen Shot


EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display.
It supports Ethernet, FDDI, Token Ring, ISDN, PPP, SLIP and WLAN devices, plus several encapsulation formats. It can filter traffic to be shown, and can read packets from a file as well as live from the network.
Node statistics can be exported.

Bitbucket mirror (Saturday, March 10, 2018)

For those who prefer a pull-request based workflow, EtherApe now is also on Bitbucket at

Main site, bug tracking and file download will remain on SourceForge.

Overview of changes in EtherApe 0.9.16 (Sunday, January 14, 2018):

Several distributions are phasing out Gnome 2 libraries and EtherApe needs to update as well.
Unfortunately, this mean dropping support for older distributions, for example CENTOS 5 and 6.
At this time the EtherApe executable can still be built for those distributions, but not the project as a whole.

This is an interim release, where the only Gnome 2 component is gnome-canvas. Apart of that, EtherApe is now a GTK2 application.
Work is underway to replace gnome-canvas with another component.
Documentation is now based on yelp-tools instead of Scroolkeeper/Rarian.

Many thanks to Patrick Matthäi for packaging EtherApe for Debian and helping to keep this tool current.

Changes summary:

  • require only gnome-canvas, not gnome-ui. Based on the work of Arch Linux packager bgyorgy (Balló György). Thanks!
  • migrate from deprecated gnome-doc-utils to yelp-tools. Unfortunately this change rules out older distributions, documentation-wise.
  • updated German translation, thanks to Chris Leick

As usual, and thanks to OpenSuse Build Service, prebuilt rpms are available for:

  • Arch Linux
  • Mageia 6
  • CENTOS 7
  • Fedora 24, 25, 26 and Rawhide
  • ScientificLinux 7
  • SLES 12, 12 SP1 and 12 SP3
  • OpenSUSE 13.2, Leap 42.1/42.2/42.3 and Tumbleweed/Factory. Experimental RPMS for PPC.


Overview of changes in EtherApe 0.9.15 (Friday February 10, 2017):

Big thanks to Zev Weiss, who did almost all the work for this release (Release delays are entirely mine, however).

Central node ring setting now accepts multiple node specifiers (separated by any combination of spaces and/or commas), and also now understands glob syntax, so you can put for example, *.mydomain.tld, somehost.otherdomain.tld

and it will do what you'd expect.

There is now a compile-time configure option ('--with-c-ares', disabled by default) to enable DNS resolution via the c-ares library, supplanting EtherApe's built-in multithreaded gethostbyaddr(3)-based resolver. This is a fully non-blocking DNS library and thus has potential for better performance while using only a single background resolver thread, but also means that name-lookup is strictly DNS-based, and will thus not take /etc/hosts, NIS, or other name services into account.

There is a slightly backwards-incompatible change in the syntax of the node-position file used with the '-P' flag added in release 0.9.14. It now uses the same CIDR notation plus hostname-globbing syntax used by the central node ring setting (instead of POSIX regular expressions). This provides simpler and more consistent syntax with essentially the same real-world utility, but may require some small changes to existing node-position files.
Some examples:

old (regex)   new (CIDR+glob)
.*   *
fe80:.*   fe80::/16

Additionally, each line of the node-position file may now include multiple such node-matching patterns (separated by spaces and/or commas as with the central node ring setting), so a single line might look like:

*, 3

(to put all nodes matching the given domain or CIDR range into column 3).

As a security feature (privilege separation), packet-capture operations are now isolated in a separate background process. The new '-Z' flag can be used to specify a user to run the main (foreground) process as.

Changes summary:

  • New option to use c-ares for DNS resolution.
  • Multiple node/subnets and glob syntax now supported for central node ring.
  • Node-matching syntax for '-P' flag's file now uses CIDR notation and hostname-globbing instead of regexes.
  • Multiple patterns can now be given on a single line of the node-position ('-P') file.
  • The columnar-layout ('-P') code has been changed to re-adjust the spacing of nodes within a column when the number of nodes decreases.
  • The 10-column limit has also been removed.
  • The background-image feature introduced in 0.
  • 9.14 can now be turned off via a preference check-box.
  • The background of the protocol legend is now black so that lighter colors (e.
  • g. yellow) are more readable.
  • There is now an option to display packet-capture statistics from libpcap in the main window (hover the mouse over them for an explanation in the status bar).
  • The show/hide state of the toolbar, protocol legend, and status bar are now preserved along with other preferences in the user's config file.
  • New '-Z' flag (or '--relinquish-privileges') can be used to run most processing as an unprivileged user.

As usual, and thanks to OpenSuse Build Service, prebuilt rpms are available for:

  • Arch Linux
  • Mageia 5
  • CentOS 6 and 7
  • Fedora 21, 22, 23 and 24
  • ScientificLinux 6 and 7
  • OpenSUSE 13.2, Leap 42.1/42.2 and Tumbleweed/Factory. Experimental RPMS for ARM and PPC.


All the news...

Riccardo Ghetta, Juan Toledo