Network Monitoring Tools: IPTRAF
Date: 2004-08-03
From: LinuxAID
Contents

Introduction
1. Installation
1.1. System requirements
1.2. Installation
1.3. Starting iptraf
1.4. Command line options
1.5. Entering the menu interface
2. Using IPTRAF
2.1. General information
2.2. IP traffic monitor
2.3. General interface statistics
2.4. Detailed interface statistics
2.5. Statistical breakdowns
2.6. LAN station statistics
3. Display filters
3.1. TCP filters
3.2. Other protocol filters
4. iptraf configuration
4.1. Switch options
4.2. Timer options
4.3. Information settings options
4.4. LAN station identifiers

Introduction

IPTRAF is an IP network monitoring tool. It captures the packets passing on the network and reports information extracted from each packet. The information IPTRAF can provide includes:
- counts of IP, TCP, UDP and ICMP packets and of non-IP bytes
- source/destination address and port of each TCP connection
- TCP packet and byte counts
- TCP flag status
- UDP source/destination information
- ICMP type information
- OSPF source/destination information
- TCP and UDP service counts
- per-interface packet counts
- per-interface IP checksum error counts
- per-interface activity indicators
- LAN statistics

IPTRAF can be used to monitor the load on an IP network. It uses the Linux kernel's built-in raw packet capture interface, so it works with a wide range of Ethernet cards and also supports FDDI adapters, ISDN adapters and any asynchronous SLIP/PPP interface.

1. Installation

1.1. System requirements

Compiling and using IPTRAF requires the following:
- An 80386 or better (the requirements are not high :P). Naturally, the better the machine, the fewer packets are dropped. IPTRAF may also work on other processors (SPARC, Alpha, M68k, PowerPC, etc.), but this has not been tested.
- Linux kernel 2.2.0 or later. Note: if you compile your own kernel, enable the Packet Socket option, otherwise IPTRAF cannot run.
- 8 MB or more of memory; 16 MB or more of swap helps a lot.
- The GNU C shared library. The precompiled binary does not need the ncurses shared library; if you compile IPTRAF yourself you need the ncurses and panels libraries.
- The terminfo database in /usr/share/terminfo.
- A console or high-speed terminal.
- An Ethernet, FDDI, ISDN, PLIP or asynchronous SLIP/PPP interface.
IPTRAF does not need the X Window System.

1.2. Installation

You can download iptraf from http://iptraf.seul.org. Then install it with the following commands. Unpack the archive:

# tar zxvf iptraf-2.4.0.tar.gz
# cd iptraf-x.y.z

Run the setup script; this step must be performed as root. setup compiles iptraf automatically, installs it into /usr/local/bin and creates the other directories it needs:

# ./setup

1.3. Starting iptraf

Once iptraf is installed, you start it simply by typing at the shell:

# iptraf

You first see the copyright notice; press any key to enter the main menu. Note: iptraf must be run with root privileges.

IPTRAF uses the terminal information database in /usr/share/terminfo, so if that directory is located elsewhere, iptraf prints the error message "Error opening terminal" and fails to start.
This error can occur on Slackware, because Slackware releases usually keep terminfo in /usr/lib/terminfo. It can be solved by pointing the TERMINFO environment variable at the right directory:

# TERMINFO=/usr/lib/terminfo; export TERMINFO

or by creating a symbolic link:

# ln -s /usr/lib/terminfo /usr/share/terminfo

In addition, IPTRAF does not yet handle SIGWINCH: if you start iptraf in an xterm or other terminal and then resize the terminal, IPTRAF does not adjust its display.

1.4. Command line options

Like most UNIX programs, IPTRAF supports a few command line options, although not many. The following are all the options IPTRAF supports:

-i interface   Run the IP traffic monitor on the given interface, e.g. eth0. -i all monitors all interfaces on the system.
-g             General interface statistics.
-d interface   Detailed statistics for the given interface.
-s interface   Monitor TCP/UDP traffic (service statistics) on the given interface.
-z interface   Packet size breakdown for the given interface.
-l interface   LAN station statistics for the given interface; -l all covers all interfaces.
-t timeout     Make iptraf exit after the given time. If not set, iptraf runs until the user presses the exit key (X).
-B             Run iptraf in the background. Not used alone (used alone it is ignored and the menu appears); it is combined with exactly one of -i, -g, -d, -s, -z or -l.
-L filename    With -B, write the log to filename instead of the default log file. If filename is not an absolute path, the file is placed in the default log directory (/var/log/iptraf).
-q             No longer used. It used to suppress the large number of warnings produced when IPTRAF ran on a kernel using IP masquerading; the new masquerading code no longer causes this problem.
-f             Make IPTRAF remove all lock files and reset all instance counters.
-h             Show brief help.

1.5. Entering the menu interface

As already mentioned, running iptraf without any options enters the menu interface. Use the up and down arrow keys to move the selection bar. You can also press the highlighted letter of a menu item as a shortcut to run it.

2. Using IPTRAF

2.1. General information

2.1.1. Number notation

IPTRAF counts the packets and bytes passing through. Because these counts grow very quickly, IPTRAF abbreviates large numbers with the suffixes K (1x10^3), M (1x10^6), G (1x10^9) and T (1x10^12). Note that these are decimal multipliers and differ from the binary values the same letters usually denote. For example: 1024K = 1,024,000 and 1024M = 1,024,000,000.

2.1.2. Instances and logging

Several instances of IPTRAF can run at the same time, but for each facility only one instance can monitor a given interface (or all interfaces); in particular, the General Interface Statistics facility can only be run by one instance at a time. A consequence of this is that each instance produces its own log file. If logging is enabled, IPTRAF prompts for the name of the log file when you start a facility; give each instance its own log file, because if log files conflict the results are unpredictable.
If you do not give an absolute path for a log file, it is written to the default log directory /var/log/iptraf.

2.1.3. Supported network interfaces

IPTRAF currently supports the following network interfaces:
- lo: the local loopback interface. Every machine has it; its IP address is 127.0.0.1.
- ethn (n >= 0): Ethernet interfaces, n an integer starting from 0. eth0 is the first Ethernet interface, eth1 the second.
- fddin (n >= 0): FDDI (Fiber Distributed Data Interface) interfaces, n an integer starting from 0.
- pppn (n >= 0): PPP (Point-to-Point Protocol) interfaces, n an integer starting from 0.
- sln (n >= 0): SLIP (Serial Line IP) interfaces, n an integer starting from 0.
- ipppn (n >= 0): synchronous PPP interfaces over ISDN, n an integer starting from 0.
- isdnn (n >= 0): ISDN (Integrated Services Digital Network) interfaces. ISDN interface naming is rather loose, and only interfaces named isdnn can be used by IPTRAF. IPTRAF supports synchronous PPP, raw IP and Cisco-HDLC encapsulation on them.
- plipn (n >= 0): PLIP interfaces, point-to-point IP over the parallel port between PCs.

2.2. IP traffic monitor

Select the IP traffic monitor item in the IPTRAF menu, or use the -i command line option, to run the IP traffic monitor. With it you watch in real time every packet passing through the monitored interface. IPTRAF decodes the IP packets and displays their particulars, such as source and destination addresses. It also identifies the protocol carried by each IP packet (for example TCP or UDP) and shows the important fields of those protocols.

The IP traffic monitor has two display windows. Each can be scrolled with the Up and Down keys. Press W to switch the active window.

2.2.1. The upper window of the IP traffic monitor

2.2.1.1. Contents of the upper window

The upper window shows the TCP connections currently detected. For each connection it mainly shows:
- source address and port
- packet count
- byte count
- source MAC address
- packet size
- window size
- TCP flags
- network interface
Scroll the TCP window with Up and Down to see more connections.

IPTRAF's IP traffic monitor does not distinguish client from server. It works in promiscuous mode and watches the connections on the local network. It displays TCP traffic in both directions; the left of the window shows the two ends of the connection (in address:port format). For convenience, the two directions of a connection are joined by a bracket.

Each entry in the upper window contains the following fields. Note that some fields are not shown by default; press M to display them.
- Source address and port: displayed as address:port; the origin of the data.
- Destination address and port: the address:port pair of the other end.
- Packet count: number of packets received.
- Byte count: number of bytes received. This includes the IP and TCP headers and the data, but not the data link layer header.
- Source MAC address: the MAC address the packet came from. To use this, first enable "Source MAC addrs in traffic monitor" in the Configure menu, then press M.
- Packet size: size of the most recently received packet; press M to display it. This is the IP packet size only, excluding the data link header.
- Window size: window size of the most recently received packet; also shown by pressing M.
- Flag statuses: the TCP flags of the most recently received packet:
  S       SYN, the synchronize flag used to establish a connection. S--- indicates an active connection request; S-A- a response to a connection request.
  A       ACK, the acknowledgement flag.
  P       PSH. The packet requests a push: the sender's protocol software does not wait for the buffer to fill, and the receiver delivers the data to the application immediately.
  U       URG. The packet carries urgent data.
  RESET   RST: the connection was reset.
  DONE    FIN sent: the sender has no more data and is closing the connection.
  CLOSED  FIN acknowledged by the other end.

2.2.1.2. The rvnamed process

When the IP traffic monitor is used, IPTRAF starts a daemon, rvnamed, to speed up reverse name resolution. When rvnamed's lookup of a packet's source completes, IPTRAF replaces the IP address with the host name. IPTRAF uses its own resolver daemon because a standard reverse lookup blocks the process until the lookup completes, wasting time.

2.2.1.3. IP forwarding and IP masquerading

On kernels with IP masquerading, older versions of IPTRAF had to deal with warning messages. Newer kernels have rewritten IP forwarding and masquerading, and IPTRAF no longer needs to handle those messages, so the -q option has lost its purpose. On a host that forwards IP without masquerading, the same TCP connection appears twice, on different interfaces; on a masquerading host each connection appears with its internal and external addresses and interfaces respectively.

2.2.1.4. Closed, idle and timed-out connections

There are often connections that have been closed, reset, or left idle for a long time. If too many of them accumulate, IPTRAF automatically frees their entries so that active connections can be shown. You can also have IPTRAF clear them automatically through the Configure -> Timers -> TCP closed/idle persistence... menu, or press F to clear them manually.

2.2.1.5. Sorting the entries

You can sort the entries of the upper window. Press S to bring up the sort menu; then press P to sort by packet count or B to sort by byte count.

2.2.2. The bottom window

The bottom window of the IP traffic monitor shows the other kinds of network traffic. IPTRAF recognizes the following protocols:
- User Datagram Protocol (UDP)
- Internet Control Message Protocol (ICMP)
- Open Shortest Path First (OSPF)
- Interior Gateway Routing Protocol (IGRP)
- Interior Gateway Protocol (IGP)
- Internet Group Management Protocol (IGMP)
- Generic Routing Encapsulation (GRE)
- Address Resolution Protocol (ARP)
- Reverse Address Resolution Protocol (RARP)
For unrecognized IP packets IPTRAF shows the protocol number; non-IP packets are marked as such in the window. UDP entries at the bottom are also shown in address:port format, and ICMP entries include the ICMP type. To tell them apart, each protocol is shown in a different color. The bottom window holds 512 entries.
You can scroll it with the up and down arrow keys. Once it holds 512 entries, each new entry pushes out the oldest one. Some entries may be very long; you can scroll them with the left and right keys. W switches the active window. If "Source MAC addrs in traffic monitor" is enabled in Configure, IPTRAF also shows the source MAC address of non-IP packets received.

2.3. General interface statistics

The second item of the main menu is General Interface Statistics. In its window IPTRAF shows general statistics for the monitored interfaces, including the number of IP, non-IP and bad IP (checksum error) packets on each. An activity indicator shows the number of packets per second through each interface; how it is displayed is controlled by the Activity mode configuration option. If logging is enabled (the Logging option of the Configure menu), all statistics are also written to /var/log/iptraf/iface_stats_general.log. Press X or Q to return to the main menu.

2.4. Detailed interface statistics

The third item of the main menu is Detailed Interface Statistics. Besides the statistics provided by General Interface Statistics, it provides more detailed statistics about one interface:
- IP packet and byte counts
- TCP packet and byte counts
- UDP packet and byte counts
- ICMP packet and byte counts
- other IP packet and byte counts
- non-IP packet and byte counts
- total packet and byte counts
- checksum error count
- interface activity
The byte counts for IP packets (IP, TCP, UDP, ICMP and other IP) include the IP header and payload but not the data link header; the total byte count and the non-IP byte count include the data link header.

To start the detailed statistics directly from the command line:

# iptraf -d eth0

(or another interface). You can also enable logging to record the detailed statistics to a log file; the default log file name is iface_stats_detailed-iface.log, where iface is replaced by the interface name (e.g. eth0). Press X or Q to return to the main menu.

2.5. Statistical breakdowns

IPTRAF's statistical breakdowns help you tune your network settings and watch for network security problems. Two breakdowns are provided: by packet size and by TCP/UDP port.

2.5.1. Statistical breakdown by packet size

Select Statistical breakdowns -> By packet size from the main menu to enter the packet size breakdown. In older versions of IPTRAF this was part of Detailed Interface Statistics; it was later made a separate facility. IPTRAF divides the range up to the interface's Maximum Transmission Unit (MTU) into 20 size ranges and counts the packets falling into each.
You can also enable logging to record the packet size distribution to a log file; the default name is packet_size-iface.log, where iface is replaced by the interface name (e.g. eth0). From the command line:

# iptraf -z eth0

Press X or Ctrl-X to exit.

2.5.2. TCP/UDP traffic breakdown

IPTRAF can also count the TCP/UDP packets flowing through each port (ports below 1024). Note: the byte counts in this window include the IP header and IP payload but not the data link header. TCP and UDP are shown in different colors to tell them apart: TCP in yellow, UDP in green.

Some network programs use ports above 1023; for example, some web servers use port 8080, and HTTPS uses port 443. By default IPTRAF does not count traffic on such ports; use the Configure -> Additional ports... menu item to add more ports.

If logging is enabled, the default log file is /var/log/iptraf/tcp_udp_services-iface.log, where iface is replaced by the interface name (e.g. eth0).

You can also sort the entries. Press S to bring up the sort menu, then: P sorts by total packets, B by total bytes, T by incoming packets, O by incoming bytes, F by outgoing packets, M by outgoing bytes; any other key cancels the sort.

From the command line:

# iptraf -s eth0

Press X or Ctrl-X to return to the main menu or exit.

2.6. LAN station statistics

With IPTRAF's LAN Station Statistics you get the incoming and outgoing packet counts of each node on the local network (the nodes visible in promiscuous mode; on a switched network this may not work). This facility works on Ethernet, FDDI and PLIP, but not on the loopback (lo), ISDN or SLIP/PPP interfaces. The statistics are:
- incoming packets
- incoming IP packets
- incoming bytes
- incoming rate
- outgoing packets
- outgoing IP packets
- outgoing bytes
- outgoing rate
The byte counts here include the data link layer header. The rate unit is kbits/s or kbytes/s, as set by the Activity mode configuration option.

If logging is enabled, all statistics are saved to /var/log/iptraf/lan_statistics-n.log, where n is the instance number (several instances of IPTRAF can run on the same host without interfering with each other).

For convenience you can also sort the entries of the LAN Station Statistics window. Press S to bring up the sort dialog, then P to sort by incoming packets, I by incoming IP packets, B by incoming bytes, K by outgoing packets; any other key cancels the sort. Press X or Q to return from the LAN Station Statistics window to the main menu.
From the command line, the LAN station statistics can be started with:

# iptraf -l eth0

(or another interface, or all).

3. Display filters

In practice the IP traffic monitor quickly shows a large amount of information, most of which you may not care about. Display filters let you control what the IP traffic monitor shows.

3.1. TCP filters

With TCP filters you define parameters that determine which TCP connections the IP traffic monitor displays.

3.1.1. Defining a new filter

A freshly installed IPTRAF has no filters, so you need to define your own. Select the TCP display filters -> Define new filter... menu item; a dialog box asks for a short description of the filter. After entering it, press Enter and another dialog box asks for the source and destination addresses, wildcard masks and ports. A network address may denote a single host, a network, or the whole address space, depending on the wildcard mask. For example:
- single host 207.0.115.44: IP address 207.0.115.44, wildcard mask 255.255.255.255
- all hosts of network 202.47.132.x: IP address 202.47.132.0, wildcard mask 255.255.255.0
- all IP addresses: IP address 0.0.0.0, wildcard mask 0.0.0.0
The Include/Exclude field decides whether matching entries are displayed.
3.1.2. TCP filter examples

Monitor the TCP connections between 202.47.132.2 and 207.0.115.44:

  Host name/IP address   202.47.132.2      207.0.115.44
  Wildcard mask          255.255.255.255   255.255.255.255
  Port                   0                 0
  Include/Exclude        I

Monitor the TCP connections between host 207.0.115.44 and network 202.47.132.0:

  Host name/IP address   207.0.115.44      202.47.132.0
  Wildcard mask          255.255.255.255   255.255.255.0
  Port                   0                 0
  Include/Exclude        I

Monitor all web connections:

  Host name/IP address   0.0.0.0           0.0.0.0
  Wildcard mask          0.0.0.0           0.0.0.0
  Port                   80                0
  Include/Exclude        I

Monitor the traffic from any address to host 202.47.132.2:

  Host name/IP address   202.47.132.2      0.0.0.0
  Wildcard mask          255.255.255.255   0.0.0.0
  Port                   25                0
  Include/Exclude        I

Monitor the traffic between sunsite.unc.edu and cebu.mozcom.com:

  Host name/IP address   sunsite.unc.edu   cebu.mozcom.com
  Wildcard mask          255.255.255.255   255.255.255.255
  Port                   0                 0
  Include/Exclude        I

Ignore the traffic between network 140.66.5.x and any address:

  Host name/IP address   140.66.5.0        0.0.0.0
  Wildcard mask          255.255.255.0     0.0.0.0
  Port                   0                 0
  Include/Exclude        E

Once a filter is defined, the IP traffic monitor shows only the connections the filter specifies and hides everything else. This is like a firewall's default deny policy.
Therefore, to monitor all connections except those involving some address, define the Exclude entries first and finish with an Include entry whose fields are all 0. For example, to show the traffic of all TCP connections except SMTP, the web port and host 207.0.115.44:

  Host name/IP address   0.0.0.0           0.0.0.0
  Wildcard mask          0.0.0.0           0.0.0.0
  Port                   25                0
  Include/Exclude        E

  Host name/IP address   0.0.0.0           0.0.0.0
  Wildcard mask          0.0.0.0           0.0.0.0
  Port                   80                0
  Include/Exclude        E

  Host name/IP address   207.0.115.44      0.0.0.0
  Wildcard mask          255.255.255.255   0.0.0.0
  Port                   0                 0
  Include/Exclude        E

  Host name/IP address   0.0.0.0           0.0.0.0
  Wildcard mask          0.0.0.0           0.0.0.0
  Port                   0                 0
  Include/Exclude        I

3.1.3. Other menu items

After defining a filter, select the Apply filter menu item to make it take effect. Edit filter edits an existing filter; Delete filter deletes one; Detach filter deactivates the current filter. These are simple and are not described further here.

3.2. Other protocol filters

IPTRAF also supports filters for other protocols. Except for the UDP filter, however, these are simply switches controlling whether the protocol is displayed. The UDP filter is set up in the same way as the TCP filter, so it is not described again here.

4. iptraf configuration

IPTRAF is configured through the Configure menu; all settings are saved in /var/local/iptraf/iptraf.cfg or /var/iptraf/iptraf.cfg. If no configuration file is found, IPTRAF uses the default settings. Select Configure in the main menu to enter the configuration interface.

4.1. Switch options

4.1.1. Reverse lookup

iptraf supports reverse name resolution, turning IP addresses into host names. However, because name resolution is slow, it may cause packets to be dropped. This option is off by default.

4.1.2. TCP/UDP service names

iptraf can use the /etc/services file to convert port numbers into service names, for example port 80 into www. This option is also off by default.

4.1.3. Force promiscuous

Enabling this puts your network interfaces into promiscuous mode so that all packets on the LAN are captured. It applies to Ethernet and FDDI interfaces.

4.1.4. Color

Decides whether the display uses color.

4.1.5. Logging

Enables logging, so that IPTRAF saves its statistics and analysis results to disk for later analysis. The log file settings were described above.

4.1.6. Activity mode

Switches the rate unit (kbits/s or kbytes/s). The default rate unit is kbits/s.
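To make the TCP display filter semantics of section 3.1 concrete, here is an added Python example (not IPTRAF's own code) that evaluates the filter tables of section 3.1.2 against constructed connections. It assumes, as the text implies, that entries are tested in definition order with the first match deciding, that an entry matches a connection in either direction, and that a set wildcard mask bit means that address bit must match.

```python
# Constructed illustration of IPTRAF's TCP display filter rules (section 3.1);
# not IPTRAF's own code. Assumptions: entries are checked in definition order
# and the first match decides (Include shows, Exclude hides); an entry matches
# a connection in either direction; a mask bit of 1 means the address bit must
# match and port 0 means any port. With no entries defined, everything is shown.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class FilterEntry:
    """One row of the TCP filter dialog: two address/mask/port columns."""
    host1: str
    mask1: str
    port1: int
    host2: str
    mask2: str
    port2: int
    include: bool  # True = Include (I), False = Exclude (E)


Connection = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def _endpoint_matches(addr: str, port: int, host: str, mask: str, fport: int) -> bool:
    """Masked address bits must agree; the port must match unless the filter port is 0."""
    m = _ip(mask)
    if (_ip(addr) & m) != (_ip(host) & m):
        return False
    return fport == 0 or fport == port


def entry_matches(e: FilterEntry, conn: Connection) -> bool:
    """The monitor does not distinguish client and server, so try both orientations."""
    src, sport, dst, dport = conn
    forward = (_endpoint_matches(src, sport, e.host1, e.mask1, e.port1)
               and _endpoint_matches(dst, dport, e.host2, e.mask2, e.port2))
    reverse = (_endpoint_matches(dst, dport, e.host1, e.mask1, e.port1)
               and _endpoint_matches(src, sport, e.host2, e.mask2, e.port2))
    return forward or reverse


def is_displayed(filters: List[FilterEntry], conn: Connection) -> bool:
    """First matching entry decides; a defined filter that matches nothing hides the connection."""
    if not filters:
        return True
    for e in filters:
        if entry_matches(e, conn):
            return e.include
    return False  # default deny, as with a firewall


def apply_filter(filters: List[FilterEntry], conns: List[Connection]) -> List[Connection]:
    return [c for c in conns if is_displayed(filters, c)]


# The "all TCP connections except SMTP, the web port and 207.0.115.44" filter of 3.1.2.
ALL_EXCEPT_SMTP_WEB_AND_HOST = [
    FilterEntry("0.0.0.0", "0.0.0.0", 25, "0.0.0.0", "0.0.0.0", 0, include=False),
    FilterEntry("0.0.0.0", "0.0.0.0", 80, "0.0.0.0", "0.0.0.0", 0, include=False),
    FilterEntry("207.0.115.44", "255.255.255.255", 0, "0.0.0.0", "0.0.0.0", 0, include=False),
    FilterEntry("0.0.0.0", "0.0.0.0", 0, "0.0.0.0", "0.0.0.0", 0, include=True),
]

# The "host 207.0.115.44 to network 202.47.132.0" filter of 3.1.2.
HOST_TO_NETWORK = [
    FilterEntry("207.0.115.44", "255.255.255.255", 0, "202.47.132.0", "255.255.255.0", 0, include=True),
]

# Constructed sample connections (src_ip, src_port, dst_ip, dst_port), not captured traffic.
SAMPLE_CONNECTIONS: List[Connection] = [
    ("202.47.132.2", 1025, "10.0.0.5", 25),        # SMTP: hidden by the port-25 entry
    ("10.0.0.9", 40000, "202.47.132.2", 80),       # web: hidden by the port-80 entry
    ("10.1.1.1", 3000, "207.0.115.44", 22),        # excluded host seen as destination
    ("10.2.2.2", 5000, "10.3.3.3", 22),            # shown by the catch-all Include entry
    ("207.0.115.44", 1234, "202.47.132.77", 443),  # host to network, for HOST_TO_NETWORK
]

if __name__ == "__main__":
    for c in apply_filter(ALL_EXCEPT_SMTP_WEB_AND_HOST, SAMPLE_CONNECTIONS):
        print("shown:", c)
```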