Article title: Use Iptraf in Linux to analyze network traffic
Iptraf is an excellent free tool for monitoring network traffic on Linux, especially when installed on a firewall. Used together with iptables, it monitors for anomalies in the traffic passing through the firewall, with very good results.
My installation and configuration environment is Red Hat 9.0.
I. Software download
The latest version of Iptraf is 2.7.0; it can be downloaded from ftp://Iptraf.seul.org/pub/Iptraf/
II. Installation environment requirements
--- gcc 2.7.2.3 or later
--- GNU C library (glibc) development library 2.1 or later
--- ncurses development libraries 4.2 or later
Run the following commands in Linux to check whether they are installed:
# rpm -qa | grep gcc
# rpm -qa | grep glibc
# rpm -qa | grep ncurses
If any of them is missing, install it first.
III. Installation
Upload the downloaded iptraf-2.7.0.tar.gz to the machine you want to install it on. On my firewall the directory is /home/yang:
# cd /home/yang
# tar zxf iptraf-2.7.0.tar.gz
# cd iptraf-2.7.0
# ./Setup
With that, the installation is complete.
The installer places the executable in /usr/local/bin, creates /var/local/iptraf to hold the Iptraf configuration files, and creates /var/log/iptraf to hold the log files Iptraf generates.
IV. Running Iptraf
Make sure the PATH environment variable contains /usr/local/bin.
# iptraf
After Iptraf starts, a character-based menu interface appears; press x to exit Iptraf. The menus are described below:
1. Menu Configure...
Here you configure Iptraf; all changes are saved in the file iptraf.cfg under /var/local/iptraf.
--- Reverse DNS Lookups: reverse-resolve DNS names for IP addresses. Disabled by default.
--- TCP/UDP Service Names: show service names instead of port numbers, for example www instead of 80. Disabled by default.
--- Force promiscuous: puts the network adapter into promiscuous mode, so it accepts all incoming frames whether or not they are addressed to it.
--- Color: display in color on the terminal. This depends on the terminal you connect from: a telnet or ssh session from a terminal that does not support color will, of course, not be colored.
--- Logging: at the same time, write log files to the /var/log/iptraf directory.
--- Activity mode: the rate unit can be set to kbit/sec or kbyte/sec.
--- Source MAC addrs in traffic monitor: when selected, the source MAC address of each packet is displayed.
2. Menu Filters...
Filter rules are set here; this is the most useful option. When you connect to the monitoring machine from a remote end, your machine and the monitoring machine generate a steady stream of TCP packets between them, which is sometimes annoying; in that case you can exclude your own IP address.
It has six options: TCP, UDP, Other IP, ARP, RARP, and Non-IP. TCP is used as the example below; the other options are configured similarly.
--- Defining a New Filter
When Defining a New Filter is selected, a dialog box asks you to enter a descriptive name for the rule; press Enter to confirm or Ctrl+x to cancel. In the dialog box that appears next, enter the source address in the First box of Host name/IP address: and the target address in the Second box; the two Wildcard mask boxes hold the masks corresponding to the source and target addresses respectively. Note that an address here can be a single host or a network segment. For a single IP address, fill in a mask of 255.255.255.255; for a network segment, fill in the corresponding subnet mask. For example, to represent the 192.168.0.0 segment with 256 IP addresses, enter 192.168.0.0 with mask 255.255.255.0. Similarly, "all addresses" is represented by 0.0.0.0 with a mask of 0.0.0.0.
Port: enter the port number to filter on in this column; 0 means any port. The Include/Exclude column must be filled with I or E: I means include, E means exclude. After entering the information, press Enter to confirm or Ctrl+x to cancel.
--- Applying a Filter
One or more filter rules defined in the previous step are stored as a filter list, which has no effect until it is applied. Here we select the filter to apply. An applied filter stays in effect even after Iptraf is restarted. Use Detaching a Filter to stop applying the currently applied filter.
--- Editing a Defined Filter: edit an existing rule.
--- Deleting a Defined Filter: delete a defined rule.
--- Detaching a Filter: stops applying the currently applied filter.
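To make the filter semantics above concrete, here is a small Python model of an Iptraf-style TCP filter list (an added example, not code from the article or from Iptraf itself). It uses the address/mask and port-0 conventions described above; the first-match rule, the both-directions matching, and the sample addresses are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class FilterEntry:
    """One entry of an Iptraf-style TCP filter, as entered in the Filters menu:
    mask 255.255.255.255 = one host, 255.255.255.0 = a segment, 0.0.0.0 = all."""
    first_host: str    # First host name/IP address (source side)
    first_mask: str    # wildcard mask for the first address
    second_host: str   # Second host name/IP address (target side)
    second_mask: str   # wildcard mask for the second address
    port: int          # port number to filter on; 0 = any port
    action: str        # "I" = include, "E" = exclude

def addr_matches(host: str, mask: str, addr: str) -> bool:
    """An address matches when it equals the entry's address under the mask."""
    h = int(ipaddress.IPv4Address(host))
    m = int(ipaddress.IPv4Address(mask))
    a = int(ipaddress.IPv4Address(addr))
    return (a & m) == (h & m)

def entry_matches(e: FilterEntry, src: str, sport: int, dst: str, dport: int) -> bool:
    """A packet fits an entry if the port fits and the address pair fits.
    Matching the pair in both directions is an assumption of this model."""
    port_ok = e.port == 0 or e.port in (sport, dport)
    forward = addr_matches(e.first_host, e.first_mask, src) and \
              addr_matches(e.second_host, e.second_mask, dst)
    reverse = addr_matches(e.first_host, e.first_mask, dst) and \
              addr_matches(e.second_host, e.second_mask, src)
    return port_ok and (forward or reverse)

def should_display(entries: List[FilterEntry], src: str, sport: int,
                   dst: str, dport: int) -> bool:
    """First matching entry decides (I = show, E = hide). With no match, the
    packet is shown only if the list has no include entries (assumed default)."""
    for e in entries:
        if entry_matches(e, src, sport, dst, dport):
            return e.action == "I"
    return not any(e.action == "I" for e in entries)

# Constructed sample filter: hide the administrator's own session traffic
# (10.0.0.5), then show only port-80 traffic involving the 192.168.0.0/24 segment.
SAMPLE_FILTER = [
    FilterEntry("10.0.0.5", "255.255.255.255", "0.0.0.0", "0.0.0.0", 0, "E"),
    FilterEntry("192.168.0.0", "255.255.255.0", "0.0.0.0", "0.0.0.0", 80, "I"),
]
```

`should_display(SAMPLE_FILTER, "10.0.0.5", 3456, "192.168.0.10", 22)` is hidden by the first entry, while web traffic from 192.168.0.7 to port 80 is shown regardless of direction.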
3. Menu IP Traffic Monitor
This is the real-time IP packet traffic monitoring window. Note that every incoming and outgoing packet, including your own, is monitored here. So if you connect from a remote terminal, you and the monitoring machine continuously generate a data stream between you; we therefore recommend filtering out your own IP address in the Filters menu, which does not affect the monitoring of other addresses. Here you can see the traffic status of each connection in real time. The screen has two windows: the upper one shows TCP connection status, and the lower one shows UDP, ICMP, OSPF, IGRP, IGP, IGMP, GRE, ARP, and RARP packets. Press the s key to select the sort order, either by packet count or by byte count. If the real-time changes make the display hard to read, enable the Logging function in the Configure menu, which records logs in the /var/log/iptraf directory for later viewing. When Logging is enabled and you start the IP traffic monitor, the program prompts you for a log file name; the default is ip_traffic-1.log.
On a busy network the display can be cluttered, making it hard to find the data you are interested in; in that case, use the Filters menu to filter what is displayed.
4. Menu General Interface Statistics
Shows inbound and outbound traffic statistics for each network device: total traffic, IP packets, non-IP packets, bad IP packets, and the rate per second. The unit is kbit/sec or kbyte/sec, as determined by the Activity mode option in the Configure menu.
If a filter is applied, these statistics are affected by it as well.
5. Menu Detailed Interface Statistics
Detailed statistics for each network device are shown here; this is straightforward and not repeated.
6. Statistical Breakdowns
Provides more detailed statistics, which can be broken down by packet size or by TCP/UDP service; not covered in detail here.
7. LAN Station Statistics
Provides statistics on the traffic of each network address passing through the local machine.