(1) Installing iftop by compiling from source
Install the libraries iftop requires:
# yum install libpcap libpcap-devel ncurses ncurses-devel
# yum install flex byacc
Download iftop, then compile and install it:
# wget http://www.ex-parrot.com/pdw/iftop/download/iftop-0.17.tar.gz
# tar zxvf iftop-0.17.tar.gz
# cd iftop-0.17
# ./configure
# make
# make install
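The source-install steps above fetch the tarball over plain HTTP and then build and install it as root. The following is an added example, not part of the original article, of two checks to run between the download and "tar zxvf": a SHA-256 comparison and a member-path check. The function names are hypothetical, the article gives no checksum so the expected value is an assumption you must supply, and the demo tarball is constructed.

```shell
#!/bin/sh
# Added example, not from the original article.
# Pre-build checks for a downloaded source tarball such as iftop-0.17.tar.gz.

# verify_sha256 FILE EXPECTED_HEX: succeeds only if the file's SHA-256 matches.
verify_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# tarball_paths_safe FILE: succeeds only if every member sits under a single
# top-level directory, with no absolute paths and no ".." components.
tarball_paths_safe() {
    members=$(tar -tzf "$1" 2>/dev/null) || return 1
    [ -n "$members" ] || return 1
    printf '%s\n' "$members" | awk -F/ '
        BEGIN     { bad = 0 }
        /^\//     { bad = 1 }                                  # absolute path
        { for (i = 1; i <= NF; i++) if ($i == "..") bad = 1 }  # traversal
        NR == 1   { top = $1 }
        $1 != top { bad = 1 }                # more than one top-level entry
        END       { exit bad }'
}

# check_before_build FILE EXPECTED_HEX: prints a verdict; 0 only if both pass.
check_before_build() {
    verify_sha256 "$1" "$2" || { echo "REJECT: checksum mismatch"; return 1; }
    tarball_paths_safe "$1" || { echo "REJECT: unsafe member path"; return 1; }
    echo "OK: safe to unpack and build"
}

# Constructed demo input standing in for the real download. Here the
# "expected" checksum is computed from the demo file itself.
work=$(mktemp -d)
mkdir -p "$work/iftop-0.17"
echo 'int main(void) { return 0; }' > "$work/iftop-0.17/iftop.c"
tar -czf "$work/good.tar.gz" -C "$work" iftop-0.17
good_sum=$(sha256sum "$work/good.tar.gz" | awk '{print $1}')
check_before_build "$work/good.tar.gz" "$good_sum"      # passes both checks
check_before_build "$work/good.tar.gz" "0000" || true   # wrong checksum
```

In real use the expected value has to come from the publisher over a channel you trust, not from the same HTTP download as the tarball.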
(2) Installing with yum
Install the libraries iftop requires:
# yum install libpcap libpcap-devel ncurses ncurses-devel
# yum install flex byacc
# wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm
# yum install iftop
With this, the iftop installation is complete.
Third, using iftop to monitor NIC traffic in real time
After installing iftop, run the iftop command directly to display real-time traffic information for the network card. By default, iftop displays traffic for the system's first NIC; to display a specific NIC, pass it with the "-i" parameter.
(1) Description of the iftop output screen
Run the "iftop -P -i em1" command to get a typical output screen.
The iftop output can be divided into three parts:
The first part is the topmost row of the iftop output: the traffic scale against which NIC bandwidth usage is displayed.
The second part is the largest part of the iftop output. It is divided into left, middle, and right columns. The left and middle columns record which IPs or hosts are connected to the local machine. The "=>" marker indicates data being sent and "<=" indicates data being received, so the direction of communication between two IPs is clear at a glance. The right-hand column is itself split into three columns, which show the average traffic between the external IP and the local machine over the last 2 seconds, 10 seconds, and 40 seconds, respectively. This part also contains a traffic bar graph, which shows traffic volume dynamically, using the traffic scale in the first part as its reference. The bar graph makes it easy to see which IP has the most traffic, and so to locate quickly where a network traffic problem may be occurring.
The third part is at the bottom of the iftop output and consists of three rows: "TX" is data sent, "RX" is data received, and "TOTAL" is all traffic sent and received. Three columns correspond to these rows. The "cum" column shows the sent, received, and total data traffic from when iftop was started until now. The "peak" column shows the peak sent, received, and total traffic. The "rates" column shows the average traffic over the past 2s, 10s, and 40s.
(2) iftop parameters
iftop also has many additional parameters and functions. Run "iftop -h" to display all the parameters iftop accepts. Commonly used iftop parameters and their meanings are shown in the following table.
Parameter    Meaning    Example
-i    Specifies the NIC to be monitored    iftop -i em1
-n    Displays host information by IP address and does not perform reverse DNS resolution    iftop -n
-B    Displays NIC traffic in bytes; the default is bits    iftop -B
-p    Runs iftop in promiscuous mode, in which iftop can be used as a network sniffer    iftop -p
-N    Displays only the connection port number, not the service name for the port    iftop -N
-P    Displays host and port information; this parameter is very useful    iftop -P
-F    Displays NIC traffic for a specific network segment    iftop -F 192.168.12.0/24
-m    Sets the maximum of the traffic scale at the top of the iftop output; the scale is shown in five large segments    iftop -m <limit>
(3) Interactive operation of iftop
In the iftop real-time monitoring screen, the output can also be manipulated interactively to sort and filter the information shown. From the output screen, press the "h" key to enter the interactive options screen.
The interactive function of iftop is very similar to the top command under Linux. The interactive keys fall into 4 groups: general parameters, host display parameters, port display parameters, and output sorting parameters. The meanings of the keys are shown in the following table.
Key    Meaning
General parameters:
P    Toggles pause/resume of the display
h    Switches back and forth between the interactive parameter screen and the status output screen
b    Toggles whether the average traffic bar graph is displayed
B    Cycles the display between the 2-second, 10-second, and 40-second average traffic
T    Toggles whether the total traffic per connection is shown
j/k    Press j or k to scroll up or down through the current connection information
l    Opens the iftop output filter; for example, enter the IP to be displayed and press ENTER, and the screen shows only traffic related to that IP
L    Toggles the range of the traffic scale; when the scale changes, the traffic bar graph changes with it
q    Exits the iftop traffic monitoring screen
Host display parameters:
n    Switches the iftop output between IP addresses and host names
s    Toggles whether source host information is displayed
d    Toggles whether remote destination host information is displayed
t    Switches the iftop display format; pressing the key repeatedly cycles through: sent and received traffic on two lines, sent and received traffic on one line, sent traffic only, received traffic only
Port display parameters:
N    Toggles between displaying the port number and the service name for the port
S    Toggles whether the port of the local source host is displayed
D    Toggles whether the port of the remote destination host is displayed
p    Toggles whether port information is displayed
Output sorting parameters:
<    Sorts by the local host name or IP address on the left
>    Sorts by the host name or IP address of the remote destination host
o    Toggles whether the current connections are held fixed in the display
The power of iftop is that it displays the traffic status of the network in real time and shows the source and destination addresses of NIC traffic. This is very useful for detecting server network faults and traffic anomalies, and a single command can quickly locate the cause of a traffic anomaly or network fault. For operations staff, the iftop command is therefore an essential network troubleshooting tool.
This article is from the "Operation and maintenance of the Road" blog; please be sure to keep this source: http://deepzx.blog.51cto.com/11385098/1962221
Iftop Monitoring Linux Server network card traffic