Network Monitoring Tool: IPTraf

From: LinuxAid

1. Install

1.1. System requirements
1.2. Installation
1.3. Starting iptraf
1.4. Command line options
1.5. Go to the menu interface

2. Use iptraf

2.1. General information
2.2. IP traffic monitoring
2.3. General interface statistics
2.4. Detailed interface statistics
2.5. Statistical breakdowns
2.6. LAN station statistics

3. Display filters

3.1. TCP filters
3.2. Other protocol filters

4. iptraf configuration

4.1. Switch options
4.2. Timers
4.3. Information setting options
4.4. LAN station identifiers


IPTraf is an IP network monitoring tool. It intercepts packets on the network and provides information about each part of the packets. Information that can be returned by IPTraf includes:

Total numbers of IP, TCP, UDP and ICMP packets, and of non-IP bytes.

Source and destination addresses and ports of TCP connections.

TCP packet and byte counts.

TCP flag status.

UDP source/destination information.

ICMP type information.

OSPF source/destination information.

TCP and UDP service statistics.

Interface packet counts.

Interface IP checksum error counts.

Interface activity indicators.

LAN station statistics.

iptraf can be used to monitor the load on an IP network. It uses the raw packet capture interface built into the Linux kernel and works with a wide range of Ethernet cards; it also supports FDDI adapters, ISDN adapters and asynchronous SLIP/PPP interfaces.

1. Install

1.1. System requirements

To compile and run iptraf you need:

An 80386 or better processor; the faster the machine, the less likely it is to drop packets. iptraf may also run on other processor architectures, but this has not been tested.

Linux kernel 2.2.0 or later.

Note: if you build your own kernel, the Packet Socket option must be enabled; otherwise iptraf cannot run.

At least 8 MB of RAM and 16 MB of swap; more is better.

The GNU C shared library. Precompiled binaries do not need the ncurses shared library; to compile iptraf yourself you need the ncurses and panel libraries.

The terminfo database in /usr/share/terminfo.

A console or a fast terminal.

An Ethernet, FDDI, ISDN, PLIP or asynchronous SLIP/PPP interface.

iptraf does not need the X Window System.

1. 2. Installation

You can download iptraf from . Run the following commands to install it:

Unpack the archive:

# tar zxvf iptraf-2.4.0.tar.gz
# cd iptraf-2.4.0

Run the Setup script. This must be done as root. Setup compiles iptraf and installs it into /usr/local/bin; it also creates the following directories:


1.3. Starting iptraf

After installation, enter:

# iptraf

to start iptraf. A copyright notice appears first; press any key to reach the main menu. Note that iptraf must be run as root. iptraf reads the terminal database from /usr/share/terminfo, so if your terminfo lives elsewhere, iptraf prints "error opening terminal" and fails to start. This happens on Slackware, where terminfo is usually in /usr/lib/terminfo. Either set the TERMINFO variable:

# TERMINFO=/usr/lib/terminfo
# export TERMINFO

or add a symbolic link:

# ln -s /usr/lib/terminfo /usr/share/terminfo

iptraf does not currently handle SIGWINCH. You can run it in xterm or another terminal emulator, but if the terminal is resized, iptraf will not adjust its display.

1.4. Command line options

Like most UNIX commands, iptraf accepts a small number of command line options. The complete list is:

-i interface

Starts the IP traffic monitor on the given interface (for example eth0). -i all monitors all interfaces on the system.

-g

Starts the general interface statistics.

-d interface

Starts the detailed statistics for the given interface.

-s interface

Starts the TCP/UDP traffic monitor for the given interface.

-z interface

Starts the packet size breakdown for the given interface.

-l interface

Starts the LAN station monitor on the given interface. -l all monitors all interfaces.

-t timeout

Makes iptraf exit automatically after the given time. Without it, iptraf runs until the user presses the exit key (X).

-B

Runs iptraf in the background. On its own this option is ignored (iptraf simply enters the menu interface); it only takes effect together with one of -i, -g, -d, -s, -z or -l.

-L filename

Used with -B, writes the log to filename instead of the default log file. If filename is not an absolute path, the file is placed in the default log directory (/var/log/iptraf).

-q

No longer used. Earlier versions printed a large number of warnings when running on a kernel that used IP masquerading; the newer masquerading code no longer causes this problem.

-f

Forces iptraf to clear all lock files and reset all instance counters.

-h

Shows brief help.

1.5. Go to the menu interface

As mentioned earlier, running iptraf without any options enters the menu interface. Move the highlight bar with the up and down arrow keys, or press the highlighted letter of a menu item as a shortcut.

2. Use iptraf

2.1. General information

2.1.1. Number representation

iptraf counts packets and bytes. Because these counts grow quickly, iptraf abbreviates large numbers with the suffixes K (10^3), M (10^6), G (10^9) and T (10^12). Note that these are decimal multipliers, not the binary (1024-based) ones the same letters often denote. For example:

1024 K = 1024000
1024 M = 1024000000
1024G = 1024000000000
1024 T = 1024000000000000
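Anyone who post-processes iptraf screens or logs must apply the decimal multipliers above, not the binary ones. The following decoder is an added example (not iptraf's own code): it turns a displayed count such as "1024K" back into an integer, and shows by how much a parser that assumed binary suffixes would be off.

```python
"""Decode the K/M/G/T count suffixes iptraf shows on screen.

Added example, not iptraf's own code. iptraf's suffixes are decimal
multipliers (K = 10^3, M = 10^6, G = 10^9, T = 10^12); the same letters
are often read as binary multipliers (K = 1024, ...), which silently
distorts byte totals taken from iptraf output.
"""
import re

# Decimal multipliers, as iptraf defines them (from the table above).
IPTRAF_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
# Binary multipliers, for comparison with the other common convention.
BINARY_SUFFIX = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}

# A count is digits (optionally with a fraction) followed by an optional suffix.
_COUNT_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([KMGTkmgt]?)\s*$")


def decode_count(text: str, table=IPTRAF_SUFFIX) -> int:
    """Turn a displayed count such as '1024K' or '3.5M' into an integer."""
    m = _COUNT_RE.match(text)
    if not m:
        raise ValueError(f"not an iptraf count: {text!r}")
    value, suffix = m.group(1), m.group(2).upper()
    return int(round(float(value) * table[suffix]))


def binary_misread_error(text: str) -> int:
    """Difference (binary reading minus iptraf's decimal reading) for one
    displayed count: positive means a binary-assuming parser overcounts."""
    return decode_count(text, BINARY_SUFFIX) - decode_count(text, IPTRAF_SUFFIX)


if __name__ == "__main__":
    for shown in ("1024K", "1024M", "1024G", "1024T"):
        print(f"{shown:>6} -> {decode_count(shown):>17} "
              f"(binary reading would be off by {binary_misread_error(shown)})")
```

The error grows with the suffix: at the T scale a binary reading overstates an iptraf figure by roughly ten percent, which is enough to skew any capacity or anomaly threshold derived from the logs.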

2.1.2. Instances and logs

Several iptraf instances may run at the same time, but at any moment only one instance can run a given monitor on a given interface (or on all interfaces). The general interface statistics facility is the exception: only one instance of it can run at a time.

A consequence is that each instance writes its own log file. When logging is enabled, starting a facility prompts you for a log file name; give each instance its own, because instances that share a log file produce unpredictable results. A log file name without an absolute path is placed in the default log directory, /var/log/iptraf.

2.1.3. Supported network interfaces

iptraf currently supports the following interfaces:

lo

The local loopback interface. Every machine has it, with the standard loopback IP address.

ethn (n >= 0)

Ethernet interfaces, where n is an integer starting at 0: eth0 is the first Ethernet interface, eth1 the second, and so on.

fddin (n >= 0)

FDDI (Fiber Distributed Data Interface) interfaces, where n is an integer starting at 0.

pppn (n >= 0)

PPP (Point-to-Point Protocol) interfaces, where n is an integer starting at 0.

sln (n >= 0)

SLIP (Serial Line Internet Protocol) interfaces, where n is an integer starting at 0.

ipppn (n >= 0)

Synchronous PPP interfaces over ISDN, where n is an integer starting at 0.

isdnn (n >= 0)

ISDN (Integrated Services Digital Network) interfaces. iptraf can only use an ISDN interface if it is named isdnn; on such interfaces it supports synchronous PPP, raw IP and Cisco-HDLC encapsulation.

plipn (n >= 0)

PLIP interfaces: point-to-point IP over the PC parallel port.

2.2. IP traffic monitoring

Select the IP traffic monitor item from the menu, or use the -i command line option, to start the IP traffic monitor. It shows in real time every packet passing through the monitored interface. The monitor decodes IP packets and displays their details, such as the source and destination addresses; it also recognises the protocols encapsulated in IP (such as TCP and UDP) and shows important information about them.

The IP traffic monitor has two display windows. Use the up and down arrow keys to scroll each window, and press W to switch the active window.

2.2.1. Upper window of the IP traffic monitor

The display window on the top of the traffic monitor of iptraf shows the detected TCP connection. It mainly includes the following information about TCP connections:

Source Address and Port

Message count

Byte Count

Source MAC address

Packet Size

Window Size

TCP flags

Network Interface

Use the up and down arrow keys to scroll the TCP window and view more connections. The IP traffic monitor does not distinguish the client from the server in a connection; in promiscuous mode it can show the connections of the whole LAN.

The IP traffic monitor shows TCP traffic in both directions. The left side of the window lists the two ends of each connection in host:port form, and, for readability, the two entries that make up one connection are joined by a bracket.

Each entry in the upper window of the IP traffic monitor consists of the fields below. Note that some fields are hidden by default and are shown by pressing the M key:

Source address and port

Shown in address:port form; indicates the source of the data. The destination address and port are the address:port pair of the other entry in the bracketed pair.

Packet count

The number of packets received.

Byte count

The number of bytes received. This includes the IP and TCP headers and the actual data, but not the data link layer header.

Source MAC address

The MAC address of the packet's source. To see it, first enable "Source MAC addrs in traffic monitor" in the Configure menu, then press M.

Packet size

The size of the most recently received packet; shown by pressing M. This is the size of the IP packet only, excluding the data link header.

Window size

The window size advertised in the most recently received packet; shown by pressing M.

Flag statuses

The TCP flags of the most recently received packet:

SYN. The synchronise flag, used to establish a connection. S--- indicates a connection request and S-A- the response to a connection request.

ACK. The acknowledgement field is valid.

PSH. The segment carries a push request: the sender's TCP sends all data without waiting for a buffer to fill, and the receiver's TCP delivers the data to the application without delay.

URG. The segment contains urgent data.

RST. Reset the connection.

FIN. No more data will be sent; the connection is being closed.

The FIN has been acknowledged by the other host.

The rvnamed process

When the IP traffic monitor runs, iptraf starts a helper daemon, rvnamed, to speed up reverse DNS lookups. Once rvnamed has resolved an address, iptraf replaces the IP address in the display with the host name. iptraf uses its own lookup daemon because the standard resolver call blocks the calling process until the lookup completes, which would stall the monitor.

IP forwarding and IP masquerading

Earlier versions of iptraf had to cope with warning messages if the kernel used IP masquerading. Newer kernels changed the IP forwarding and masquerading code, so iptraf no longer needs to handle these messages, and the -q option has no effect.

With plain IP forwarding (no masquerading), a forwarding host appears twice in the same TCP connection, once on the inbound and once on the outbound interface. With masquerading, each TCP connection appears with its internal and external addresses and interfaces.

Closed, idle and timed-out connections

In practice many connections are closed, reset or left idle for long periods. When the display fills up, iptraf replaces such entries with new active connections. You can set how long iptraf keeps them under Configure -> Timers -> TCP closed/idle persistence..., or press F to flush them manually.

Sorting the displayed entries

The entries in the upper window can be sorted. Press S to open the sort menu, then P to sort by packet count or B to sort by byte count.

2.2.2. Lower window of the IP traffic monitor

The lower window of the IP traffic monitor shows network traffic of other types. iptraf recognises the following protocols:

User Datagram Protocol (UDP)

Internet Control Message Protocol (ICMP)

Open Shortest Path First (OSPF)

Interior Gateway Routing Protocol (IGRP)

Interior Gateway Protocol (IGP)

Internet Group Management Protocol (IGMP)

Generic Routing Encapsulation (GRE)

Address Resolution Protocol (ARP)

Reverse Address Resolution Protocol (RARP)

For IP packets of any other protocol, iptraf displays the protocol number; non-IP packets are labelled as such. In the lower window, UDP packets are also shown in address:port form, and ICMP entries include the ICMP type. Each protocol is shown in a different colour for easy distinction.

The lower window holds up to 512 entries, which you can scroll with the up and down arrow keys; when it is full, each new entry pushes out the oldest one. Some entries are long; use the left and right arrow keys to scroll them horizontally. Press W to switch between the two windows.

If "Source MAC addrs in traffic monitor" is enabled in the Configure menu, iptraf also shows the source MAC address of the non-IP packets it receives.

2.3. General interface statistics

The second item in the main menu is the general interface statistics. In this window iptraf shows, for each monitored interface, the counts of IP packets, non-IP packets and bad IP packets (checksum errors). An activity indicator shows the rate of packets passing through each interface per second; it is controlled by the Activity mode configuration option. If logging is enabled (the Logging option in the Configure menu), all of these statistics are written to /var/log/iptraf/iface_stats_general.log.

Press X or Q to return to the main menu.

2.4. Detailed interface statistics

The third item in the main menu is the detailed interface statistics. Beyond what the general interface statistics provide, it gives finer-grained figures for one interface:

IP packet and byte counts

TCP packet and byte counts

UDP packet and byte counts

ICMP packet and byte counts

Non-IP packet and byte counts

Packet and byte counts for other IP protocols

Checksum error count

Interface activity

Byte counts for IP traffic (IP, TCP, UDP, ICMP and other IP protocols) cover the IP header and payload but not the data link header; the total byte count and the non-IP byte count do include the data link header.

To start the detailed interface statistics directly from the command line:

# iptraf -d eth0

(substitute the interface you want to monitor). If logging is enabled, the detailed statistics are written to a log file named iface_stats_detailed-iface.log, where iface is replaced by the interface name (for example eth0).

Press X or Q to return to the main menu.

2.5. Statistical breakdowns

The statistical breakdowns of iptraf help you tune network settings and keep an eye on network security. They consist of a packet size breakdown and a TCP/UDP port breakdown.

2.5.1. Packet size breakdown (statistical breakdown: packet sizes)

Select Statistical breakdowns > By packet size from the main menu. In earlier iptraf versions this was part of the detailed interface statistics; it has since become a separate facility. iptraf divides the interface's maximum transmission unit (MTU) into 20 ranges and counts how many packets fall into each, giving the packet size distribution.

If logging is enabled, the distribution is written to a log file named packet_size-iface.log, where iface is replaced by the interface name (for example eth0).

You can also start the packet size breakdown directly from the command line:

# iptraf -z eth0

Press X or Ctrl+X to exit.
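To make the binning concrete, the following is an added example (not iptraf's own code) that builds the 20 size ranges from an interface MTU and tallies a constructed list of IP packet sizes into them. How iptraf itself treats packets larger than the MTU is not stated on this page, so the example counts them in a separate oversize bucket; that, the constructed sample sizes and the ceiling-division choice for the range width are assumptions of the example.

```python
"""Packet-size breakdown in the style of iptraf's "By packet size" facility.

Added example, not iptraf's own code. It follows the page's description:
the interface MTU is split into 20 equal ranges and every observed IP
packet size is counted in the range it falls into. Packets above the MTU
are counted separately here (an assumption; the page does not say what
iptraf does with them).
"""
from typing import Dict, Iterable, List, Tuple

Range = Tuple[int, int]  # inclusive (low, high) in bytes


def size_ranges(mtu: int, buckets: int = 20) -> List[Range]:
    """Return `buckets` (low, high) ranges covering 1..mtu.

    Ceiling division keeps the last range reaching the MTU even when the
    MTU is not a multiple of the bucket count (e.g. 1492 for PPPoE).
    """
    if mtu <= 0 or buckets <= 0:
        raise ValueError("mtu and buckets must be positive")
    width = -(-mtu // buckets)  # ceil(mtu / buckets)
    return [(i * width + 1, min((i + 1) * width, mtu)) for i in range(buckets)]


def breakdown(sizes: Iterable[int], mtu: int, buckets: int = 20) -> Tuple[Dict[Range, int], int]:
    """Count packet sizes per range; returns (counts_by_range, oversize_count)."""
    ranges = size_ranges(mtu, buckets)
    width = ranges[0][1] - ranges[0][0] + 1
    counts: Dict[Range, int] = {r: 0 for r in ranges}
    oversize = 0
    for s in sizes:
        if s < 1:
            raise ValueError(f"invalid packet size {s}")
        if s > mtu:
            oversize += 1          # assumption: oversize packets tallied separately
        else:
            counts[ranges[(s - 1) // width]] += 1
    return counts, oversize


def busiest_range(counts: Dict[Range, int]) -> Range:
    """The range holding the most packets (first one wins on ties)."""
    return max(counts, key=lambda r: (counts[r], -r[0]))


# Constructed sample of IP packet sizes on a 1500-byte MTU interface:
# a burst of small packets, a few mid-size ones, two full-size ones and one oversize.
SAMPLE_SIZES = [60, 64, 74, 75, 76, 150, 151, 1400, 1500, 1500, 1600]

if __name__ == "__main__":
    counts, oversize = breakdown(SAMPLE_SIZES, 1500)
    for (lo, hi), n in counts.items():
        if n:
            print(f"{lo:>5} to {hi:<5} bytes: {n}")
    print(f"larger than MTU: {oversize}")
    print(f"busiest range: {busiest_range(counts)}")
```

Reading the distribution is the point of the facility: a link dominated by the smallest range while byte counts stay low is a typical sign of probe or scan traffic, whereas normal bulk transfers concentrate in the top range.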

2.5.2. TCP/UDP service breakdown

iptraf can also count TCP/UDP packets per port (ports below 1024).

Note that the byte counts in this window include the IP header and IP payload but not the data link header. TCP and UDP are shown in different colours for easy distinction: TCP in yellow, UDP in green.

Some services use ports above 1023: some web servers use port 8080, for example, and HTTPS uses port 443. By default iptraf does not count traffic on such ports; add them under Configure -> Additional ports....

If logging is enabled, the default log file for the TCP/UDP breakdown is /var/log/iptraf/tcp_udp_services-iface.log, where iface is replaced by the interface name (for example eth0).

The entries can be sorted. Press S for the sort menu, then P to sort by packet count, B by byte count, T by incoming packets, O by incoming bytes, F by outgoing packets or M by outgoing bytes; any other key leaves the list unsorted.

You can also start the TCP/UDP breakdown directly from the command line:

# iptraf -s eth0

Press X or Ctrl+X to return to the main menu or exit.

2.6. LAN station statistics

The LAN station statistics facility counts incoming and outgoing packets for each station on the LAN (stations are seen in promiscuous mode; on a switched network not every station may be visible). It works on Ethernet, FDDI and PLIP, but not on the local loopback (lo), ISDN or SLIP/PPP interfaces. The statistics are:

Total incoming packets

Incoming IP packets

Total incoming bytes

Incoming rate

Total outgoing packets

Outgoing IP packets

Total outgoing bytes

Outgoing rate

Byte counts here include the data link layer header. Rates are shown in kbits/s or kbytes/s, as selected by the Activity mode configuration option.

If logging is enabled, the statistics are written to /var/log/iptraf/lan_statistics-n.log, where n is the instance number (several iptraf instances can run on the same host without interfering with each other).

For easier reading, the entries in the LAN station display can be sorted. Press S for the sort dialog, then P to sort by incoming packets, I by incoming IP packets, B by incoming bytes, K by outgoing packets, O by outgoing IP packets or Y by outgoing bytes; any other key leaves the list unsorted.

Press X or Q to leave the LAN station statistics and return to the main menu. To start it directly from the command line:

# iptraf -l eth0

3. Display filters

In practice the IP traffic monitor quickly fills with information, most of which you may not care about. Display filters let you control what the IP traffic monitor shows.

3.1. TCP filters

With TCP filters you define parameters that determine which TCP connections the IP traffic monitor displays.

3.1.1. Defining a new filter

A freshly installed iptraf has no filters, so you must define your own. Select TCP display filters -> Define new filter.... A dialog asks for a short description of the filter; press Enter, and a second dialog asks for the source and destination addresses, the subnet masks and the service ports.

An address field can denote a single host, a whole network or the entire address space, depending on the subnet mask. For example:

A single host:

IP address:
Subnet mask:

All hosts on the network 202.47.132.x:

IP address:
Subnet mask:

All IP addresses:

IP address:
Subnet mask:

The Include/Exclude field determines whether matching entries are shown or hidden.

3.1.2. TCP filter examples

Monitor TCP connections between and

Host name/IP Address
Wildcard mask 255.255.255
Port 0 0
Include/Exclude I

Monitor the TCP connection between the host and the network

Host name/IP Address
Wildcard mask 255.255.0
Port 0 0
Include/Exclude I

Monitor all WEB connections:

Host name/IP Address
Wildcard mask
Port 80 0
Include/Exclude I

Monitor the traffic from any address to the SMTP port of the host

Host name/IP Address
Wildcard mask
Port 25 0
Include/Exclude I

Monitor the traffic of between hosts

Host name/IP Address
Wildcard mask 255.255.255
Port 0 0
Include/Exclude I

Ignore traffic between network 140.66.5.x and any address

Host name/IP Address 140.66.5.x
Wildcard mask
Port 0 0
Include/Exclude E

Once any filter is defined, the IP traffic monitor shows only the connections matched by an include filter, much like a firewall with a default deny policy. So, to monitor all connections except those involving one address, define an exclude filter for that address followed by a final include filter with all fields set to 0.

For example, to display all TCP connections except SMTP, the web port and the connections given in the third filter:

Host name/IP address
Wildcard mask
Port 25 0
Include/Exclude E

Host name/IP address
Wildcard mask
Port 80 0
Include/Exclude E

Host name/IP address
Wildcard mask
Port 0 0
Include/Exclude E

Host name/IP address
Wildcard mask
Port 0 0
Include/exclude I
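The order dependence in the example above (exclude entries first, include-all last, and nothing shown when no entry matches) is easy to get wrong when building a filter list by hand. The Python model below is an added example, not iptraf's own code: it encodes the filter semantics this section describes so that a filter list can be checked against sample connections before it is typed into iptraf. The record layout (one address, mask and port per end of the connection), the rule that a 255 in a mask octet means "must match" and 0 means "any", and the sample addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are assumptions of this example.

```python
"""Model of how iptraf's TCP display filters select connections.

Added example, not iptraf's own code. It encodes the semantics the page
describes: each entry has an address, a mask (255 in an octet = must
match, 0 = don't care), a port (0 = any) and an Include/Exclude flag; the
monitor does not distinguish client from server, so a connection is tested
in both directions; entries are tried in order and the first match
decides; and once any filter is defined, connections matched by no entry
are hidden (default deny). The two-endpoint record layout and the sample
addresses are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

ANY_ADDR, ANY_MASK, ANY_PORT = "0.0.0.0", "0.0.0.0", 0
Endpoint = Tuple[str, int]  # (IPv4 address, TCP port)


@dataclass(frozen=True)
class Side:
    """One end of a filter entry: address pattern, mask and port (0 = any)."""
    addr: str = ANY_ADDR
    mask: str = ANY_MASK
    port: int = ANY_PORT


@dataclass(frozen=True)
class FilterEntry:
    a: Side
    b: Side
    include: bool  # True = Include (I), False = Exclude (E)


def _side_matches(side: Side, host: str, port: int) -> bool:
    """Address bits selected by the mask must match; port 0 matches any port."""
    m = int(IPv4Address(side.mask))
    addr_ok = (int(IPv4Address(host)) & m) == (int(IPv4Address(side.addr)) & m)
    return addr_ok and (side.port == ANY_PORT or side.port == port)


def entry_matches(e: FilterEntry, end1: Endpoint, end2: Endpoint) -> bool:
    """Try both orderings, since the monitor does not know which end is the client."""
    return ((_side_matches(e.a, *end1) and _side_matches(e.b, *end2)) or
            (_side_matches(e.a, *end2) and _side_matches(e.b, *end1)))


def is_displayed(filters: List[FilterEntry], end1: Endpoint, end2: Endpoint) -> bool:
    """First matching entry decides; with filters defined but none matching,
    the connection is hidden (default deny). With no filters, all is shown."""
    if not filters:
        return True
    for e in filters:
        if entry_matches(e, end1, end2):
            return e.include
    return False


# Constructed filter list after the page's last scenario: show all TCP traffic
# except SMTP, the web port and one particular host, with a trailing include-all.
EXCLUDE_SMTP = FilterEntry(Side(port=25), Side(), include=False)
EXCLUDE_WEB = FilterEntry(Side(port=80), Side(), include=False)
EXCLUDE_HOST = FilterEntry(Side("192.0.2.50", "255.255.255.255"), Side(), include=False)
INCLUDE_ALL = FilterEntry(Side(), Side(), include=True)
CORRECT_ORDER = [EXCLUDE_SMTP, EXCLUDE_WEB, EXCLUDE_HOST, INCLUDE_ALL]
WRONG_ORDER = [INCLUDE_ALL, EXCLUDE_SMTP, EXCLUDE_WEB, EXCLUDE_HOST]  # include-all shadows the rest

# The "whole network" mask form from 3.1.1: only connections involving 198.51.100.x.
ONLY_NET = [FilterEntry(Side("198.51.100.0", "255.255.255.0"), Side(), include=True)]

if __name__ == "__main__":
    conns = [(("198.51.100.7", 40000), ("192.0.2.10", 25)),
             (("198.51.100.7", 40000), ("192.0.2.10", 443)),
             (("192.0.2.50", 5000), ("198.51.100.7", 443))]
    for c in conns:
        print(c, "correct:", is_displayed(CORRECT_ORDER, *c),
              "wrong order:", is_displayed(WRONG_ORDER, *c))
```

The WRONG_ORDER list shows the failure mode worth checking for: with the include-all entry first, every connection matches it before any exclude entry is reached, so the excludes never take effect and the display is identical to having no filter at all.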

3.1.3. Other menu items

Once a filter is defined, make it take effect with the Apply filter menu item; Edit filter edits an existing filter, Delete filter removes one, and Detach filter deactivates the active filter. These are straightforward and are not described further here.

3.2. Other protocol filters

iptraf also supports filters for other protocols. Apart from the UDP filter, these are simple on/off switches that decide whether the protocol is displayed at all. The UDP filter is set up in the same way as the TCP filters and is not described further here.

4. iptraf configuration

iptraf is configured from the Configure menu. All settings are saved in /var/local/iptraf.cfg or /var/iptraf.cfg; if no configuration file is found, iptraf uses its defaults. Select Configure from the main menu to open the configuration screen.

4.1. Switch options

4.1.1. Reverse lookup

iptraf can resolve IP addresses to host names. Reverse resolution is slow, however, and can cause packet loss, so this option is disabled by default.

4.1.2. TCP/UDP service names

iptraf can translate port numbers to service names using /etc/services, for example port 80 to www. This option is disabled by default.

4.1.3. Force promiscuous

When enabled, the interface is put into promiscuous mode so that all packets on your LAN can be captured. This option applies to Ethernet and FDDI.

4.1.4. Color

Whether to use colour in the display.

4.1.5. Logging

Enables logging, which saves the statistics and breakdowns to disk for later analysis. The log files were described in the previous sections.

4.1.6. Activity mode

Switches the unit in which rates are shown between kbits/s and kbytes/s. The default is kbits/s.

4.1.7. Source MAC addrs in traffic monitor

Whether the IP traffic monitor shows the source MAC address of packets; applies to Ethernet, FDDI and PLIP interfaces. For non-TCP packets (lower window) the address is shown directly; for TCP packets (upper window) press M to show it.

4.2. Timers

The Timers submenu sets the various intervals and timeouts iptraf uses.

4.2.1. TCP timeout

How long an idle connection entry is kept before it is considered timed out and may be replaced by a new connection. The default is 15 minutes.

4.2.2. Log interval

The number of minutes between log writes. The default is 60 minutes.

4.2.3. Screen update interval

The number of seconds between screen refreshes. The default is 0, meaning the screen is refreshed as fast as possible.

4.2.4. TCP closed/idle persistence

The number of minutes a closed, idle or timed-out TCP connection stays in the IP traffic monitor window. The default is 0, meaning such connections are kept until they are replaced by new ones.

4.3. Information setting options

4.3.1. Additional ports

As noted above, by default iptraf only includes ports below 1024 in the TCP/UDP breakdown. This option adds further ports, or port ranges, to the breakdown.

4.3.2. Delete port/range

The reverse of the previous option: removes a port or port range added there.

4.4. LAN station identifiers

The LAN station statistics are keyed by MAC address. Hexadecimal MAC addresses are hard to remember, so iptraf provides LAN station identifiers, which make it easier to tell the stations on a LAN apart.

Select "Ethernet/PLIP host descriptions" or "FDDI host descriptions" from the main menu to open a submenu in which you can add or edit LAN station identifiers.

