Network monitoring tools are an important asset for businesses of any size. The objectives of network monitoring vary widely: ensuring the long-term availability of network services, security protection, performance troubleshooting, or collecting network usage statistics. Because of these different goals, network monitors use many different techniques to accomplish their task: packet-level sniffing, flow-level statistics, injecting probe traffic into the network, analyzing server logs, and so on.
While there are many dedicated network monitoring systems that can monitor 24 hours a day, 365 days a year, a command-line network monitor is still useful in certain situations, and some command-line network monitors are indispensable in their own way. If you are a system administrator, you have probably used some of the well-known command-line network monitors yourself. Here is a list of popular and useful network monitoring tools on Linux.
Packet-level sniffers
Tools in this category capture individual packets on the link, analyze their content, and display the decoded content or packet-level statistics. They monitor the network at the lowest level and with the finest granularity, at the cost of the overhead of capturing network I/O and analyzing it.
dhcpdump: A command-line DHCP traffic sniffer that captures DHCP request/reply traffic and displays the decoded DHCP protocol messages in a user-friendly manner. It is a useful tool for troubleshooting DHCP-related failures.
dsniff: A collection of command-line tools for sniffing, spoofing, and hijacking, designed for network auditing and penetration testing. It can sniff out a variety of information, such as passwords, NFS traffic, email messages, and network addresses.
httpry: An HTTP packet sniffer that captures, decodes, and displays HTTP request and response messages in a user-friendly manner. (LCTT: extended reading.)
iptraf: A command-line network statistics viewer. It shows packet and byte counts in real time at the packet, connection, interface, and protocol level. Packet capture is controlled by protocol filters, and the whole process is menu-driven. (LCTT: extended reading.)
mysql-sniffer: A tool for capturing and decoding packets related to MySQL queries. It displays the most frequent queries, or all queries, in a readable form.
ngrep: grep for network packets. It captures packets in real time and matches (filters) them against regular expressions or hexadecimal patterns. It is a utility for detecting, storing, or capturing anomalous traffic in a live stream by matching packets against specific patterns.
p0f: A passive fingerprinting tool based on packet sniffing that reliably identifies the operating system, NAT or proxy settings, network link type, and many other properties of the hosts behind active TCP connections.
pktstat: A command-line tool that displays bandwidth usage per connection and the associated protocols (for example, HTTP GET/POST, FTP, X11) by analyzing packets in real time.
Snort: An intrusion detection and prevention tool that detects/prevents various backdoor, botnet, phishing, and spyware attacks in live traffic through rule-driven protocol analysis and content matching.
tcpdump: A command-line sniffer that captures packets from the network according to a filter expression, decodes them, and prints the packet contents for packet-level analysis. It is widely used for network troubleshooting, debugging network programs, and security monitoring.
tshark: A command-line sniffer that accompanies the Wireshark GUI program. It captures and decodes live packets on the network and displays their content in a user-friendly manner.
Flow/process/interface-level monitoring
In this category, network monitors collect per-flow, per-process, or per-interface statistics by classifying traffic according to its flow, the associated process, or the interface. The source of the information can be either the libpcap capture library or the sysfs kernel virtual file system. The monitoring overhead of these tools is low, but they lack the ability to inspect traffic at the packet level.
bmon: A command-line bandwidth monitor that displays various interface-related information, including not only total/average received/sent data but also a historical view of bandwidth usage.
iftop: A bandwidth-usage monitor that displays the bandwidth used by each network connection in real time. It sorts all connections by bandwidth usage and visualizes them in an ncurses interface. It makes it easy to see which connection consumes the most bandwidth. (LCTT: extended reading.)
nethogs: A process monitor with an ncurses display that provides real-time per-process upstream/downstream bandwidth usage. It is useful for detecting processes that consume large amounts of bandwidth. (LCTT: extended reading.)
netstat: A tool that displays many statistics for the TCP/UDP network stack, such as open TCP/UDP connections, per-interface send/receive counters, routing tables, and protocol/socket statistics. It is useful when diagnosing performance and resource-usage issues related to the network stack.
speedometer: A terminal tool that visualizes the historical trend of sent/received bandwidth usage on an interface as an ncurses bar chart.
sysdig: A tool that enables comprehensive, system-level debugging of individual Linux subsystems through a unified interface. Its network monitoring module can monitor, online or offline, many per-process and per-host network statistics, such as bandwidth and the number of connections/requests. (LCTT: extended reading.)
tcptrack: A TCP connection monitor that displays active TCP connections, including source/destination IP address and port, TCP state, and bandwidth usage.
vnstat: A traffic monitor that stores and displays historical receive/send bandwidth views for each interface (for example, current, daily, monthly). Running as a daemon, it collects and stores statistics including interface bandwidth usage and the total number of bytes transferred. (LCTT: extended reading.)
Active network monitors
Unlike the passive monitoring tools mentioned above, tools in this category actively inject probe traffic into the network and collect the corresponding responses. The monitoring targets include routing paths, available bandwidth, packet loss rate, delay, jitter, system configuration, or defects.
dnsyo: A DNS testing tool that issues DNS queries to open resolvers spanning up to 1500 different networks. It is useful for checking DNS propagation or troubleshooting DNS settings.
iperf: A TCP/UDP bandwidth measurement tool that measures the maximum available bandwidth between two endpoints. It does so by sending TCP/UDP probe traffic between two hosts in one or both directions. It is useful for monitoring network capacity and tuning network stack parameters. A variant called netperf has more features and better statistics.
netcat/socat: Universal network debugging tools that can read from, write to, or listen on TCP/UDP sockets. They are often combined with other programs or scripts to listen on a port or test a network transport in the background. (LCTT: extended reading.)
nmap: A command-line port scanning and network discovery tool. It relies on several TCP/UDP-based scanning techniques to find open ports, live hosts, or the operating systems present on the local network. It is useful for auditing local hosts for vulnerabilities or building a host inventory for maintenance purposes. zmap is a similar tool designed for Internet-wide scanning. (LCTT: extended reading.)
ping: A common network testing tool that works by exchanging ICMP echo request and echo reply messages. It is useful for measuring the RTT of a path, the packet loss rate, and probing the firewall rules of a remote system. Variants of ping offer a nicer interface (for example, noping), multi-protocol support (for example, hping), or parallel probing (for example, fping). (LCTT: extended reading.)
sprobe: A heuristic command-line tool that infers the network bandwidth bottleneck between the local host and any remote IP address. It uses the TCP three-way handshake to estimate the bottleneck bandwidth. It is useful for detecting large-scale network performance and routing-related issues.
traceroute: A network discovery tool that discovers the layer-3 routing/forwarding path from the local host to a remote host. It sends probe packets with a limited TTL and collects the ICMP responses from the intermediate routers. It is useful for troubleshooting slow network connections or routing-related issues. Variants of traceroute have better RTT statistics (for example, mtr).
Application log parsers
Network monitors in this category target a specific server application (for example, a web server or a database server). The network traffic generated or consumed by the server program is analyzed and monitored through its logs. Unlike the network-layer monitors mentioned above, these tools can analyze and monitor network traffic at the application level.
goaccess: An interactive viewer for Apache and Nginx web server traffic. Based on analysis of the collected logs, it displays multiple real-time statistics, including daily traffic, top requests, client operating systems, client locations, and client browsers, in a scrolling view.
mtop: A command-line monitor for MySQL/MariaDB servers that visually displays the most expensive queries and the current database server load. It is useful when optimizing MySQL server performance and tuning server parameters.
ngxtop: A traffic monitor for Nginx and Apache servers that visualizes web server traffic in a manner similar to the top command. It parses the web server's access log file and collects traffic statistics per destination or request.
Summary
In this article, I have shown a number of command-line monitoring tools, from the lowest-level packet-level monitors to the highest-level application-level network monitors. It is one thing to know what a tool does and another to choose which tool to use. No single tool is a universal solution that you use every day. A good system administrator should be able to decide which tool is best suited to the current situation. Hopefully this list will help.
Linux Command line Network monitoring tool