Article Title: Network Monitoring Tool: IPTraf
Author: nixe0n
Introduction
1. Install
1.1. System Requirements
1.2. Installation
1.3. Start IPTraf
1.4. Command line options
1.5. Go to the menu interface
2. Use IPTraf
2.1. General information
2.2. IP traffic monitoring
2.3. General Interface Statistics
2.4. Network interface detailed statistics (Detailed Interface Statistics)
2.5. Statistical analysis (Statistical Breakdowns)
2.6. LAN Station Statistics
3. Display Filters
3.1. TCP filter (TCP Filters)
3.2. Other protocol Filters
4. IPTraf Configuration
4.1. Switch Options
4.2. Clock options (Timers)
4.3. Information setting options
4.4. LAN Station Identifiers
Introduction
IPTraf is an IP network monitoring tool. It intercepts packets on the network and provides information about each part of the packets. Information that can be returned by IPTraf includes:
Total, IP, TCP, UDP, ICMP, and non-IP byte counts.
The source/destination addresses and source/destination ports of TCP connections.
TCP packet and byte counts.
TCP flag status.
UDP source/destination information.
ICMP type information.
OSPF source/destination information.
TCP and UDP service statistics.
Network interface packet counts.
Network interface IP checksum error counts.
Network interface activity indicators.
LAN station statistics.
IPTraf can be used to monitor the load of an IP network. It uses the raw packet capture interface built into the Linux kernel, so it works with a wide range of Ethernet cards. It also supports FDDI adapters, ISDN adapters, and any asynchronous SLIP/PPP interface.
1. Install
1.1. System Requirements
To compile and use IPTraf, you must meet the following requirements:
An 80386 or better computer (not demanding). Naturally, the faster the machine the better: a faster machine is less likely to drop packets. IPTraf may also work on other processor architectures, but this has not been tested.
Linux kernel 2.2.0 or later.
Note: If you use a self-compiled kernel, you must enable the Packet Socket kernel compilation option. Otherwise, IPTraf cannot be executed.
At least 8 MB of memory and 16 MB of virtual memory. More is better.
The GNU C shared library. The precompiled program does not need the ncurses shared library. If you want to compile IPTraf yourself, you need the ncurses and panel libraries.
The terminfo database in /usr/share/terminfo.
Console or high-speed terminal.
Ethernet, FDDI, ISDN, PLIP, or asynchronous SLIP/PPP interfaces.
The X Window System is not required for IPTraf.
1.2. Installation
You can download IPTraf from http://iptraf.seul.org. To install it, proceed as follows:
Decompress the archive and change into the source directory:
# tar zxvf iptraf-2.4.0.tar.gz
# cd iptraf-x.y.z
Execute the Setup script. This step must be performed as root. Setup automatically compiles IPTraf and installs it to the /usr/local/bin directory. Other directories are also created:
./Setup
1.3. Start IPTraf
After the installation is complete, enter:
# iptraf
This starts IPTraf. You first see the copyright notice; press any key to go to the main menu. Note: running iptraf requires root permission. IPTraf must reference the terminal information database in the /usr/share/terminfo directory. If that database is located elsewhere, IPTraf prints the "Error opening terminal" error message and fails to start. This error may occur on Slackware, because in Slackware releases terminfo is generally located in /usr/lib/terminfo. You can solve the problem as follows:
# TERMINFO=/usr/lib/terminfo
# export TERMINFO
Or add a symbolic link:
# ln -s /usr/lib/terminfo /usr/share/terminfo
In addition, IPTraf does not currently handle SIGWINCH. You can start iptraf in an xterm or another terminal, but if the size of the terminal changes, IPTraf will not adjust its own size.
1.4. Command line options
Like most UNIX system commands, IPTraf supports some command line parameters, although not many. The following are all the options supported by iptraf:
-i network interface
Makes IPTraf monitor a specific network interface, such as eth0. -i all monitors all network interfaces of the system.
-g
Displays the general statistics of the network interfaces.
-d network interface
Displays detailed statistics of a specific network interface.
-s network interface
Monitors the TCP/UDP data traffic of a specific network interface.
-z network interface
Monitors specific network interfaces of a LAN. -l all indicates all.
-t timeout
Makes IPTraf exit automatically after the specified time. If it is not set, IPTraf runs until the user presses the exit key (x).
-B
Makes IPTraf run in the background. Used on its own, this option is ignored and IPTraf goes directly to the menu interface. It only takes effect together with one of the -i, -g, -d, -s, -z, and -l parameters.
-L filename
If the -B parameter is used, -L filename makes IPTraf write its log information to another file (filename). If filename does not include the absolute path of the file, the file is placed in the default log directory (/var/log/iptraf).
-q
This parameter is no longer used. Previously, if IPTraf ran on a kernel using IP masquerading, a large number of warnings would appear. The newer IP masquerading code does not have this problem.
-f
Makes IPTraf forcibly clear all lock files and reset all instance counters.
-h
Shows brief help information.
1.5. Go to the menu interface
As mentioned earlier, running IPTraf without any parameters will enter the menu interface. Move the menu bar with the up and down arrow keys. You can also use the letters highlighted in each menu item as the shortcut key to run a menu option.
2. Use IPTraf
2.1. General information
2.1.1. Number representation
IPTraf counts the packets and bytes it receives. Because these numbers grow quickly, IPTraf uses suffixes to represent larger values: K (1x10E3), M (1x10E6), G (1x10E9), and T (1x10E12). These suffixes differ from what they usually stand for: they are decimal multipliers, not powers of two. For example:
1024 K = 1024000
1024 M = 1024000000
1024 G = 1024000000000
1024 T = 1024000000000000
2.1.2. Instances and logs
IPTraf allows multiple processes to run simultaneously, but only one process listens to one or all network interfaces at a time. With the exception of General Interface Statistics, only one process can perform this operation at a time.
This feature raises a problem: every process generates its own log file. If you enable the IPTraf log function, each facility prompts you for the name of its log file when you start it, so you need to specify a separate log file for each instance. If two instances use the same log file, the results are unpredictable. If you do not specify the absolute path of a log file, it is written to the default log directory: /var/log/iptraf.
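The -B and -L options from section 1.4 and the one-log-per-instance rule above can be combined in a small planning script. This is an added example, not code from the article or from IPTraf; the function names plan_instances and resolve_log are hypothetical, and the interface and log file names are constructed.

```shell
#!/bin/sh
# Added example (not IPTraf code): plan background IPTraf instances so that
# every instance gets its own log file. Interface and log names are constructed.

LOGDIR=/var/log/iptraf   # default log directory named in the article

# A -L argument without an absolute path lands in the default log directory.
resolve_log() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$LOGDIR" "$1" ;;
    esac
}

# plan_instances FACILITY TIMEOUT IFACE:LOGNAME...
# Prints one iptraf command per instance. Returns 1 and prints nothing if -B
# would be ignored (no facility option) or two instances would share a log.
plan_instances() {
    facility=$1; timeout=$2; shift 2
    case "$facility" in
        -i|-d|-s|-z|-l) ;;   # facilities that take an interface (-g takes none)
        *) echo "error: -B needs a facility option, got '$facility'" >&2; return 1 ;;
    esac
    seen=""; out=""
    for spec in "$@"; do
        iface=${spec%%:*}
        log=$(resolve_log "${spec#*:}")
        case " $seen " in
            *" $log "*) echo "error: $log is shared by two instances" >&2; return 1 ;;
        esac
        seen="$seen $log"
        out="${out}iptraf $facility $iface -t $timeout -B -L $log
"
    done
    printf '%s' "$out"
}

# Dry run: print the commands instead of executing them (running them needs root).
plan_instances -s 10 eth0:eth0-tcpudp.log eth1:eth1-tcpudp.log
```

The relative name mon.log and the absolute path /var/log/iptraf/mon.log resolve to the same file, so the script rejects that pair even though the two arguments look different.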
2.1.3. Supported network interfaces
IPTraf currently supports the following network interfaces:
lo
Local loopback interface. Each machine has this interface with the IP address 127.0.0.1.
ethn (n >= 0)
Ethernet interface. n is an integer starting from 0. eth0 is the first Ethernet interface and eth1 is the second.
fddin (n >= 0)
FDDI (Fiber Distributed Data Interface) interface, where n is an integer starting from 0.
pppn (n >= 0)
PPP (Point-to-Point Protocol) interface, where n is an integer starting from 0.
slin (n >= 0)
SLIP (Serial Line Internet Protocol) interface, where n is an integer starting from 0.
ipppn (n >= 0)
Synchronous PPP interface over ISDN. n is an integer starting from 0.
isdnn (n >= 0)
ISDN (Integrated Services Digital Network) interface. However, an ISDN interface can only be used by IPTraf if it is named isdnn. IPTraf supports synchronous PPP, raw IP, and Cisco-HDLC encapsulation.
plipn (n >= 0)
PLIP interface. A point-to-point IP connection protocol that uses the parallel port of the PC.
2.2. IP traffic monitoring
Select the IP Traffic Monitor menu item or use the -i command line option to start the IPTraf IP traffic monitor. With this function, you can monitor in real time all packets passing through the monitored network interface. The monitor decodes IP packets and displays specific information about them, such as the source address and destination address. It also identifies the protocols encapsulated in IP (such as TCP and UDP) and displays some important information about these protocols.
The IP traffic monitor of IPTraf has two display windows. You can use the up and down keys of the keyboard to scroll each window. You can use w to switch the active window.
2.2.1. IP traffic monitor upper window
2.2.1.1. Content displayed in the upper window of the IP traffic monitor
The upper window of the IPTraf traffic monitor shows the detected TCP connections. It mainly includes the following information about each TCP connection:
Source address and port
Packet count
Byte count
Source MAC address
Packet size
Window size
TCP flags
Network interface
Use the up and down keys to scroll through the TCP window to view more connection information. IPTraf IP traffic monitor does not differentiate connected clients