Use Iptraf in Linux to analyze network traffic

Source: Internet
Author: User
Tags: reverse dns
Iptraf is an excellent free tool for monitoring network traffic on Linux. It is especially useful installed on a firewall alongside Iptables, where it lets you watch the traffic passing through the firewall for anything abnormal, and it works very well. My installation and configuration environment is Red Hat 9.0.

1. Download

Download the latest version, Iptraf 2.7.0, from the address below:

ftp://Iptraf.seul.org/pub/Iptraf/

2. Installation environment

--- gcc 2.7.2.3 or later
--- GNU C library (glibc) development files 2.1 or later
--- ncurses development libraries 4.2 or later

Check for them in Linux with:

# rpm -qa | grep gcc
# rpm -qa | grep glibc
# rpm -qa | grep ncurses

Install any package that does not exist.

3. Installation

Upload the downloaded iptraf-2.7.0.tar.gz to the machine on which it is to be installed; in my case the /home/yang directory on the firewall:

# cd /home/yang
# tar zxf iptraf-2.7.0.tar.gz
# cd iptraf-2.7.0
# ./Setup

Installation is then complete. The installer places the executable in /usr/local/bin, creates /var/local/Iptraf for Iptraf's configuration files, and creates /var/log/Iptraf for the log files Iptraf generates.

4. Running Iptraf

Make sure the PATH environment variable contains /usr/local/bin, then run:

# Iptraf

Iptraf presents a character-based menu; press x to exit. The menu items are described below.

Menu item 1: Configure...

Iptraf is configured here; all changes are saved in the .cfg file under /var/local/Iptraf.

--- Reverse DNS Lookups: reverse-resolve IP addresses to DNS names. Disabled by default.
--- TCP/UDP Service Names: show the service name instead of the port number, for example www instead of 80. Disabled by default.
--- Force promiscuous: force the network adapter into promiscuous mode, so that it accepts every frame it receives, whether or not the frame is addressed to it.
--- Color: display in color on the terminal. This only takes effect when the terminal you connect with (over telnet or ssh) supports color; a terminal without color support will, of course, show no color.
--- Logging: write log files to /var/log/Iptraf at the same time as displaying on screen.
--- Activity mode: show rates in kbit/sec or kbyte/sec.
--- Source MAC addrs in traffic monitor: when selected, the source MAC address of each packet is displayed.

Menu item 2: Filters...

Filter rules are set here, and this is the most useful option. When you connect to the monitoring machine from a remote host, your machine and the monitoring machine generate a steady stream of TCP packets between them, which can be a nuisance; in that case you can exclude your own IP address here. There are six options: TCP, UDP, Other IP, ARP, RARP and Non-IP. TCP is taken as the example below; the other options are configured similarly.

--- Defining a New Filter: after selecting this, a dialog box appears. Enter a descriptive name for the new rule, then press Enter to confirm or Ctrl+X to cancel. In the dialog box that follows, enter the source address in the First field of Host name/IP address and the destination address in the Second field; the two Wildcard mask boxes are the masks for the source and destination addresses respectively. The address here can be a single host or a network segment: for a single IP address, enter a mask of 255.255.255.255; for a network segment, enter the corresponding subnet mask. For example, to represent the network 192.168.0.0 with 256 IP addresses, enter 192.168.0.0 with the subnet mask 255.255.255.0.
Similarly, "all addresses" is written as 0.0.0.0 with a mask of 0.0.0.0. Port: enter the port number to filter on; 0 means any port. Include/Exclude: enter I or E, where I means include and E means exclude. When the fields are filled in, press Enter to confirm or Ctrl+X to cancel.
--- Applying a Filter: the rules defined in the previous step are stored in a filter list, but they do nothing until they are applied. Here you select the filter rules to apply. Applied rules stay in effect even after Iptraf is restarted. Detaching a Filter cancels all currently applied rules.
--- Editing a Defined Filter: edit an existing rule.
--- Deleting a Defined Filter: delete a defined rule.
--- Detaching a Filter: cancel all currently applied rules.

Menu item 3: IP Traffic Monitor

Real-time IP packet monitoring window. Note that every incoming and outgoing packet, including your own, is monitored here, so if you are connected to the host from a remote terminal, you and the monitored host will constantly generate traffic; it is therefore recommended that you filter out your own IP address in the Filters menu, which does not affect the other addresses being monitored. The traffic of every connection can be seen here in real time. There are two windows: the upper one shows TCP connection status, and the lower one shows UDP, ICMP, OSPF, IGRP, IGP, IGMP, GRE, ARP and RARP packets. Press s to choose a sort option: by packet count or by byte count. If the real-time changes make the display hard to follow, enable Logging in the Configure menu, which writes a log to /var/log/Iptraf for later viewing. When Logging is enabled and you start the IP traffic monitor, the program prompts for a log file name; the default is ip_traffic-1.log.
On a busy network the display can be cluttered, making it hard to find the data you are interested in; in that case use the Filters menu to filter what is displayed.

Menu item 4: General Interface Statistics

Traffic statistics for each network device, inbound and outbound, including total packets, IP packets, non-IP packets, bad IP packets, and the rate per second in kbit/sec or kbyte/sec as chosen by the Activity option in the Configure menu. If a filter is applied, these figures are affected by it too.

Menu item 5: Detailed Interface Statistics

Detailed statistics for each network device. This is straightforward and is not repeated here.

Menu item 6: Statistical Breakdowns

More detailed statistics, broken down by packet size or by TCP/UDP service.

Menu item 7: LAN Station Statistics

Statistics on the traffic of each network address passing through the local machine.
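The Filters menu describes a rule as a First/Second address pair, each with a wildcard mask, a port (0 for any) and an I or E flag. The Python below is an added illustration, not code from the Iptraf project, of how such a rule list can be evaluated against connections: a mask of 255.255.255.255 matches one host, 255.255.255.0 a 256-address segment, and 0.0.0.0 any address. Two details are assumptions made for this example rather than statements about Iptraf's exact semantics: a rule matches either direction of a conversation, and the first matching rule decides, with a caller-chosen default for packets that match no rule. The rules and packets are constructed sample data; the first rule hides the administrator's own SSH session, the nuisance described above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# A connection seen by the monitor: (source IP, source port, destination IP, destination port)
Packet = Tuple[str, int, str, int]


@dataclass
class FilterRule:
    """One filter entry in the shape of the Defining a New Filter dialog."""
    name: str
    first_host: str     # "First" Host name/IP address (the source in the dialog)
    first_mask: str     # its Wildcard mask
    second_host: str    # "Second" Host name/IP address (the destination)
    second_mask: str
    port: int           # 0 means any port
    include: bool       # True for I (include), False for E (exclude)


def host_matches(addr: str, pattern: str, mask: str) -> bool:
    """Compare address and pattern only on the bits set in the mask.

    255.255.255.255 therefore matches exactly one host, 255.255.255.0 a
    256-address segment, and 0.0.0.0 matches every address.
    """
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (p & m)


def rule_matches(rule: FilterRule, pkt: Packet) -> bool:
    """True when the packet fits the rule's address pair and port.

    Assumption for this illustration: a rule matches both directions of a
    conversation, so the replies of an excluded session are excluded too.
    """
    src, sport, dst, dport = pkt
    forward = (host_matches(src, rule.first_host, rule.first_mask)
               and host_matches(dst, rule.second_host, rule.second_mask))
    reverse = (host_matches(dst, rule.first_host, rule.first_mask)
               and host_matches(src, rule.second_host, rule.second_mask))
    port_ok = rule.port == 0 or rule.port in (sport, dport)
    return (forward or reverse) and port_ok


def should_display(rules: List[FilterRule], pkt: Packet, default: bool) -> bool:
    """First matching rule decides (an assumed ordering); `default` applies
    when no rule matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.include
    return default


def apply_filter(rules: List[FilterRule], packets: List[Packet],
                 default: bool = False) -> List[bool]:
    """Return, per packet, whether it would be shown under the rule list."""
    return [should_display(rules, p, default) for p in packets]


# Constructed sample rule list: hide the administrator's own SSH session,
# then show everything from the 192.168.0.0/24 segment.
SAMPLE_RULES = [
    FilterRule("hide my ssh", "192.168.0.10", "255.255.255.255",
               "0.0.0.0", "0.0.0.0", port=22, include=False),
    FilterRule("lan traffic", "192.168.0.0", "255.255.255.0",
               "0.0.0.0", "0.0.0.0", port=0, include=True),
]

# Constructed sample packets, not captured data.
SAMPLE_PACKETS: List[Packet] = [
    ("192.168.0.10", 51022, "192.168.0.1", 22),   # admin -> firewall SSH
    ("192.168.0.1", 22, "192.168.0.10", 51022),   # the SSH replies
    ("192.168.0.55", 40000, "203.0.113.9", 80),   # LAN host browsing the web
    ("198.51.100.7", 1234, "203.0.113.9", 25),    # neither side on the LAN
]


if __name__ == "__main__":
    for pkt, shown in zip(SAMPLE_PACKETS, apply_filter(SAMPLE_RULES, SAMPLE_PACKETS)):
        src, sport, dst, dport = pkt
        print(f"{src}:{sport} -> {dst}:{dport}  {'shown' if shown else 'hidden'}")
```

Running the script hides both directions of the administrator's SSH session, shows the LAN host's web connection, and hides the last packet because no rule matches it and the default is to hide; passing default=True shows that last packet instead.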