IPTraf User’s Manual. Copyright © , by Gerard Paul Java. Version 0 Preparing to Use IPTraf · Number Display Notations · Instances and Logging . iptraf is an ncurses-based IP LAN monitor that generates various network Frederic Peters ([email protected]), using iptraf –help General manual page. IPTraf User’s Manual IPTraf has a few optional command-line parameters. As with most UNIX commands, IPTraf command-line parameters are case-sensitive .
|Published (Last):||1 October 2004|
|PDF File Size:||7.51 Mb|
|ePub File Size:||2.33 Mb|
|Price:||Free* [*Free Regsitration Required]|
Instances and Logging Starting with version 2. This applies to all facilities except the General Interface Iphraf, which is still restricted to only one instance at a time. Because of this relaxation, each instance now generates log files with unique names for instances, depending on either their instance or the interface they’re listening on.
If the Logging option is turned on see Configuration section belowIPTraf will prompt you for a log file name while presenting a default. You may accept this default or change it. Cancelling will turn logging off for that particular session. See the Logging section below for detailed information on logging.
See also the documentation on each statistical facility for the default log file names. The default log jptraf names will also be used if the -B parameter is used to run IPTraf in the background. You can override the defaults with the -L parameter. See the section on Background Operation below. However, screen updates are one of the slowest operations the program performs.
See the Screen update interval Supported Network Interfaces IPTraf currently supports the following network interface types and names. Every machine has one, and has an IP address of Therefore, eth0 refers to the first Ethernet interface, eth1 to the second, and so on. Most machines only have one. Therefore, ppp0 is the first PPP interface, ppp1 is the second, and so on.
These are point-to-point IP connections using the PC parallel port. Your system’s network interfaces must be named according to the schemes specified above. The Traffic Monitor is a real-time monitoring system that intercepts all packets on all detected network interfaces. The monitor decodes the IP information on all IP packets and displays the appropriate information about it, most notably the source and destination addresses. In addition to that, it also determines the encapsulated protocol within the IP packet, and displays some important information about that as well.
There are two windows in the Traffic Monitor. Both of them can be scrolled with the Up and Down cursor keys. Just press W to move the Active indicator to the window you want to control. Information about TCP packets are displayed here. The window contains these pieces of information: IPTraf 2 shows only the source host: TCP connection endpoints are still indicated with the green brackets along the left edge of the screen.
Because this monitoring system relies solely on packet information, it does not determine which endpoint initiated the connection. In other words, it does not determine which endpoint is the client, and which is the server.
This is necessary because it can operate in promiscuous mode, and as such cannot determine the socket statuses for other machines on the LAN. That being the case, the system displays two entries for each connection, one for each direction of the TCP connection. To make it easier to determine the direction pairs of each connection, a bracket is used to “join” both together. This bracket appears at the leftmost part of each entry. Just because a host entry appears at the upper end of a connection bracket doesn’t mean it was the initiator of the connection.
Each entry in the window contains these fields: Source address and port The source address and port indicator is in address: This indicates the source machine and TCP port on that machine from which this data is coming. The destination is the host: Data link header e. Ethernet and FDDI data are not included.
Packet Size The size of the most recently received packet. This item is visible if you press M for more TCP information. This is the size of the IP datagram only, not including the data link header.
Window Size The advertised window size of the most recently received packet.
Flag statuses The flags of the most recently received packet. A synchronization is taking place in preparation for connection establishment.
If only an S is present S the source is trying to initiate a connection. If an A is also present S-A-this is an acknowledgment of a previous connection request, and is responding. This is an acknowledgment of a previously received packet P PSH. A request to push all data to the top of the receiving queue U URG.
The source machine indicated in this direction reset the entire connection. The direction entries for reset connections become available for new connections. DONE The connection is done sending data in this direction, and has sent a FIN finished packet, but has not yet been acknowledged by the other host. When both directions of a connection are marked CLOSED, the entries they occupy become available for new connection entries.
The M key displays more TCP information. If the Source MAC addrs in traffic monitor option is not enabled, pressing M simply toggles between the counts and the packet and window sizes. By default, only IP addresses are displayed, but if you have access to a name server or host table, you may enable reverse lookup for the IP addresses.
Just enable reverse lookup in the Configure menu. The rvnamed Process The IP Traffic Monitor starts a daemon called rvnamed to help speed up reverse lookups without sacrificing too much keyboard control and accuracy of the counts.
While reverse lookup mamual being conducted in the background, IP addresses will be used until the resolution is complete. If for some reason rvnamed cannot start probably due to improper installation or lack of memoryand you are on the Internet, and you enable reverse lookup, your keyboard control can become very slow.
This is because the standard lookup functions do not return until they have completed their tasks, and it can take several seconds for a name resolution in the foreground to complete. Apply appropriate measures, or the targeted machine may begin denying network services. Entries iptrar updated within a user-configurable amount of time may get replaced with new connections.
The default time is 15 minutes. This is regardless manua, whether the connection is closed or not. Some unclosed connections may be due to extremely slow links or crashes at mannual end of the connection.
This figure can be changed at the Configure menu. This means the connection was already established when the monitor started. In other words, the figures indicated do not reflect the counts since the start of the TCP connection, but rather, since the start of the traffic monitor. This is because the traffic monitor cannot determine if a connection was already half-closed when it started.
iptraf(8) – Linux man page
These entries will eventually time out. To minimize these entries, an entry is not added by the monitor until a packet with data or a SYN packet is received.
Direction entries also become available for reuse if an ICMP Destination Unreachable message is received for the connection. The non-IP count includes the data-link headers. The new kernels no longer do it as before and IPTraf now gives output properly on masquerading machines. The -q parameter is no longer required to suppress the warning screen.
On forwarding non-masquerading machines packets and TCP connections simply appear twice, one each for the incoming and outgoing interfaces. On masquerading machines, packets and connections from the internal network to the external network also appear twice, one for the internal and external interface.
iptraf(8): Interactive Colorful IP LAN Monitor – Linux man page
Packets coming from the internal network will be indicated as coming from the internal IP address that sourced them, and also as coming from the IP address of the external interface ipfraf your masquerading machine. In much the same way, packets coming in from the external network will look like they’re destined for the external network’s IP address, and again as destined for the final destination on the internal network.
However, if these get too many, active connections may become interspersed among closed, reset, or idle entries. You can also press the F lptraf to arbitrarily itpraf it at any time.
Note The TCP timeout This does not determine how long it remains onscreen. Pressing S will display a box showing the available sort criteria. Press P to sort by packet count, B to sort by byte count. Pressing any other key will cancel the sort. The sort operation compares the larger values in each connection entry pair and sorts the counts in descending order. Over time, the entries will go out of order as counts proceed at varying rates.
Sorting is not done automatically so as not to degrade ipttaf. Lower Window The lower window displays information about the other types of traffic on your network. The following protocols are detected: For all packets in the lower window, only the first IP fragment is indicated since that contains the header of the IP-encapsulated protocol but with no further information from the encapsulated protocol. UDP packets are also displayed in address: For easier location, each type of maanual is color-coded text console only.