***
README DOCUMENT FOR IPTRAF 1.1
***
DESCRIPTION
IPTraf is a console-based network monitoring program that displays
information about IP traffic. It returns such information as:
Current TCP connections
UDP, ICMP, OSPF, and other types of IP packets
Packet and byte counts on TCP connections
IP, TCP, UDP, ICMP, non-IP, and other packet and byte counts
Interface activity
Flag statuses on TCP packets
Ethernet station statistics
Others
This program can be used to determine the type of traffic on your network,
and what kind of service is the most heavily used on what machines, among
others.
IPTraf works on Ethernet and SLIP/PPP interfaces.
The IPTraf Web page is at http://cebu.mozcom.com/riker/iptraf
NEW FEATURES TO VERSION 1.1
Command-line Interface
Options are now available at the command line that allow you to
immediately start a facility, rather than start from the main menu.
See the manual or issue iptraf with the -h parameter to display
a help screen.
Improved Interface Lists and Access
The general interface statistics screen will now grow as packets are
detected on new interfaces (such as new PPP interfaces). In addition to
this, long interface lists can now be scrolled in both the selection
boxes and the general interface statistics window.
The rvnamed Daemon
IPTraf 1.1 now comes with rvnamed, a daemon that resolves IP addresses
into host names in the background, while allowing IPTraf to continue in
the meantime. This minimizes the blocking effect of gethostbyaddr(),
allowing better keyboard control and fewer lost packets due to the delay
caused by reverse name lookup on the Internet. When an IP address is
submitted for resolution into a host name, IPTraf passes it to rvnamed,
which forks off a child that performs the resolution in the background. In
the meantime, the numeric IP address is returned. Subsequent requests cause
rvnamed to look the address up in its internal table of already-resolved
IP addresses and return the host name to IPTraf once it is found.
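The following is an added example, not part of the IPTraf or rvnamed sources, showing the lookup-and-cache behaviour described above as a small in-process table: the first request for an address is queued (standing in for the fork rvnamed does) and answered at once with the dotted quad, and later requests return the host name once a completion has been stored. The function names rvn_lookup/rvn_complete, the fixed table size and the sample address 10.0.0.1 are this example's assumptions; the UNIX domain socket between IPTraf and rvnamed and the real gethostbyaddr() child are left out so it runs offline. Because the README later names rvnamed as a possible entry point, the table is bounded and every string copied into it is length-checked.

```c
/* Added example, not IPTraf/rvnamed code: a non-blocking reverse-lookup
 * cache with the semantics the README describes. Names and sizes are
 * this example's choices. */
#include <stdio.h>
#include <string.h>

#define RVN_MAX_ENTRIES 64   /* hard bound: a flood of new addresses cannot grow memory */
#define RVN_MAX_NAME    255  /* longest host name accepted (DNS name limit) */
#define RVN_MAX_ADDR    15   /* "255.255.255.255" */

enum rvn_state { RVN_PENDING, RVN_RESOLVED };

struct rvn_entry {
    char addr[RVN_MAX_ADDR + 1];
    char name[RVN_MAX_NAME + 1];
    enum rvn_state state;
};

static struct rvn_entry rvn_table[RVN_MAX_ENTRIES];
static int rvn_count = 0;
static int rvn_submitted = 0;   /* background lookups started (one per new address) */

static struct rvn_entry *rvn_find(const char *addr)
{
    for (int i = 0; i < rvn_count; i++)
        if (strcmp(rvn_table[i].addr, addr) == 0)
            return &rvn_table[i];
    return NULL;
}

/* The call the traffic monitor makes. It never blocks: on a miss it
 * records the address as pending (where rvnamed would fork a resolver)
 * and hands back the numeric form; on a hit it returns whatever is
 * known so far. */
const char *rvn_lookup(const char *addr)
{
    struct rvn_entry *e = rvn_find(addr);
    if (e)
        return e->state == RVN_RESOLVED ? e->name : e->addr;
    if (strlen(addr) > RVN_MAX_ADDR || rvn_count == RVN_MAX_ENTRIES)
        return addr;   /* oversize input or full table: caller still gets a usable string */
    e = &rvn_table[rvn_count++];
    strcpy(e->addr, addr);   /* length checked just above */
    e->name[0] = '\0';
    e->state = RVN_PENDING;
    rvn_submitted++;
    return e->addr;
}

/* Called when the background child reports a result. The name is
 * truncated to the buffer rather than trusted to fit. Returns -1 if
 * the address was never submitted. */
int rvn_complete(const char *addr, const char *name)
{
    struct rvn_entry *e = rvn_find(addr);
    if (!e)
        return -1;
    strncpy(e->name, name, RVN_MAX_NAME);
    e->name[RVN_MAX_NAME] = '\0';
    e->state = RVN_RESOLVED;
    return 0;
}

int rvn_submitted_count(void)
{
    return rvn_submitted;
}

int main(void)
{
    /* Constructed walk-through: two lookups before the answer arrives, one after. */
    printf("%s\n", rvn_lookup("10.0.0.1"));          /* 10.0.0.1 (pending) */
    printf("%s\n", rvn_lookup("10.0.0.1"));          /* 10.0.0.1 (still pending, no second fork) */
    rvn_complete("10.0.0.1", "host.example");        /* child reports back */
    printf("%s\n", rvn_lookup("10.0.0.1"));          /* host.example */
    printf("lookups started: %d\n", rvn_submitted_count());
    return 0;
}
```

The point of the second lookup returning the numeric address is that the table, not the caller, decides whether a resolver is already running for that address; that is what keeps the display responsive under a burst of packets from one unknown host.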
COMPILATION AND INSTALLATION
The package already comes with a precompiled executable. It should work
with no problems. You can install the software by issuing a "cd src" then
"make install" at the shell prompt.
Do not skip the "make install". This step also creates the necessary
directories the program is going to use.
Should you wish to recompile the program (perhaps to reduce the size of the
binary by letting it use the shared versions of the ncurses and panels
libraries), you will need these:
1. Kernel 2.0.0 or later, with sources decompressed in
/usr/src/linux. Earlier versions may still work, but cannot
be confirmed. Kernel 2.0.32 or higher is recommended.
2. ncurses 1.9.9e or later. Apparently the mapping for the
backspace key works here. Earlier versions may still work,
but my tests on 1.9.4 didn't work well on the backspace
key. You may want to use the Delete key instead. Earlier
versions also did not give very desirable results with
overlapping windows.
3. gcc 2.7.0 or later.
To compile, just cd to the src directory and type "make" at the shell
prompt. You may want to edit the Makefile to tweak some options before
you compile. There should be no errors.
The distribution binary was compiled with GCC 2.7.2.3, and linked with
ncurses 1.9.9e.
GLIBC2 (LIBC6) SUPPORT
I've done some rather extensive modifications to the code to get it to
compile with glibc2. It's probably somewhat dirty now, but it's going
to get cleaned up. Right now, I have to get the package to compile with
both libc5 and libc6, and to do that, I had to include a few files
normally part of the library right in the distribution directory included
as local headers, and a custom definition of the TCP header in tcphdr.h.
libc6 will most likely overtake and eventually replace libc5 as the
standard as distributions are moving in that direction (much like
ELF took over the a.out format a few years ago). However, I will continue
to distribute the precompiled binaries for libc5, that being the least
common denominator.
DOCUMENTATION
The manual is found in the Documentation subdirectory and is now available
in HTML and plain text. The HTML version can be viewed with any browser
supporting HTML 3.2.
For information on the fixes and other changes made to IPTraf, see
the included CHANGES file.
For a detailed description of the new rvnamed program, see the
README.rvnamed file.
TECHNICAL NOTES
Program Security
IPTraf reads in raw network packets by using the raw socket interface to the
kernel. As such, it must be run as root. This program was written for use
by administrators. While effort has been exerted to avoid buffer overruns,
no guarantee is given, as this is not intended for ordinary users.
Setting the setuid bit is NOT recommended. Doing so may pose a security
risk to your system. Do so only if you are the only user on your system.
(If the program is not compiled with the ALLOWUSERS tag defined in the
Makefile, only the root user will be able to run the program, even if its
setuid bit is on. If you want to override this and allow setuid
operation, you will have to include the -DALLOWUSERS option in the
Makefile and recompile.
The distribution executable program comes compiled to disallow non-root
users from using the program.)
In short, this program is not declared safe for non-root users to use.
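The following is an added example, not IPTraf's own code, of the access policy stated above rendered as a small C program: root may always run it; a non-root real user is refused unless the binary was built with -DALLOWUSERS, and even then only if the setuid bit actually gave the process an effective uid of 0, since the raw socket open fails otherwise. It also shows the one thing that makes a setuid install less dangerous than the README warns: open the raw socket first, then give the root identity back before any packet is parsed. The function names, the AF_PACKET/ETH_P_ALL socket (the modern form of the raw socket interface) and the privilege-drop order are this example's assumptions, not a description of how IPTraf 1.1 itself is written.

```c
/* Added example, not IPTraf code: root-only gate, raw capture socket,
 * and privilege drop for a setuid install. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <arpa/inet.h>        /* htons */
#include <linux/if_ether.h>   /* ETH_P_ALL */

/* Pure policy check, kept separate so it can be tested without privilege.
 * allow_users mirrors building with -DALLOWUSERS. Returns 1 to proceed. */
int monitor_access_allowed(uid_t real_uid, uid_t effective_uid, int allow_users)
{
    if (real_uid == 0)
        return 1;                 /* invoked by root: always permitted */
    if (!allow_users)
        return 0;                 /* default build: refuse, even if setuid root */
    return effective_uid == 0;    /* ALLOWUSERS build: setuid must have given us root */
}

/* Opens an all-protocols packet socket. Needs effective root (on current
 * kernels CAP_NET_RAW); otherwise returns -1 with errno == EPERM. */
int open_capture_socket(void)
{
    return socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
}

/* If started setuid, keep the socket but become the real user before
 * touching untrusted data (packets, rvnamed replies, log files).
 * Verifies the drop: a silently failed setuid would leave us root. */
int drop_to_real_user(void)
{
    uid_t real_uid = getuid();
    gid_t real_gid = getgid();
    if (getegid() != real_gid && setgid(real_gid) != 0)
        return -1;                /* group first, while still root */
    if (geteuid() != real_uid && setuid(real_uid) != 0)
        return -1;
    return geteuid() == real_uid ? 0 : -1;
}

int main(void)
{
#ifdef ALLOWUSERS
    int allow_users = 1;
#else
    int allow_users = 0;
#endif
    if (!monitor_access_allowed(getuid(), geteuid(), allow_users)) {
        fprintf(stderr, "iptraf: only root may run this program\n");
        return 1;
    }
    int fd = open_capture_socket();
    if (fd < 0) {
        perror("socket(AF_PACKET, SOCK_RAW)");
        return 1;
    }
    if (drop_to_real_user() != 0) {
        perror("dropping privileges");
        return 1;
    }
    printf("capture socket %d open, now running as uid %d\n", fd, (int)getuid());
    close(fd);
    return 0;
}
```

Run as root it prints the descriptor and uid 0; run by an ordinary user from the default build it refuses before touching the network; built with -DALLOWUSERS and installed setuid root it opens the socket and then continues as the invoking user, so a later bug in packet parsing is no longer a root compromise. The policy function is the only part exercised unprivileged.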
(The new rvnamed reverse lookup daemon runs in the background and uses
UNIX domain sockets. It has been tested, but may become a possible
entry point should parts of it be broken. If you come across a possible
weak spot, please inform me immediately so that it can be fixed.)
Kernel
Kernel 2.0.x is recommended because its raw socket interface is known to be
stable. Compiling on development kernels may or may not work. You may
have to set the kernel configuration before you compile.
IMPORTANT: Kernels prior to version 2.0.24 had a serious bug that allowed
oversized IP packets to crash the system, while kernels prior to 2.0.32
crashed whenever certain badly fragmented IP packets were received.
It is recommended that you upgrade your kernel to at least 2.0.32, or
apply kernel patches to fix these problems.
Terminal
This program was designed to run on the Linux console. It should work on
80x25 xterms and rxvt windows. I'm still working on a SIGWINCH handler for
X shells. Run this program from the console (text or xterm) or a high-speed
terminal for best results.
User Interface
Operating the IP traffic monitor with reverse lookups enabled, but without
the new rvnamed daemon running will cause lookups to block. This will
cause keyboard response to become very slow and cause IPTraf to miss
packets. Unless something is wrong with the system or resources are
extremely low, rvnamed should start with no problem whenever the traffic
monitor is initiated with reverse lookups turned on. See README.rvnamed
for more details.
IPTraf was designed and tested with ncurses 1.9.9e. Earlier versions may
cause undesirable screen behavior.
There is also a little concern regarding the Backspace key. Apparently
the backspace key mapping (KEY_BACKSPACE) is considered unreliable, and
is marked as such in ncurses as late as 1.9.9e, although my tests on this
version already worked. Tests for 1.9.4 failed; pressing the Backspace
key yielded ^?. The Delete key works with no problem though. If you
do not want the program to recognize the Backspace key, you can enable the
BSSETTING = DISABLEBS directive in the Makefile.
Network Interfaces
IPTraf currently includes support for Ethernet and SLIP/PPP interfaces.
Work is still being done for other types of media.
For Ethernet, IPTraf can receive packets in promiscuous mode (i.e. all
packets on the LAN, regardless of their destination). Promiscuous mode is
pointless on SLIP/PPP interfaces, since these things are point-to-point
links.
IPTraf imposes no additional load on the network (except for DNS traffic if
reverse name lookup is enabled).
COPYING AND DISTRIBUTION
This program is distributed under the terms of the GNU General Public
License, Version 2 as published by the Free Software Foundation, Inc.
See the accompanying COPYING file for details.
FEEDBACK
A WHATELSE file has been included in the distribution. It describes
some other features I don't know whether to include or not. If you have
anything to suggest, or if you discover a bug, please contact me. I
would love to hear from you. If you think this program can potentially
address a need but falls short, tell me the feature you desire and I will
determine whether I will include it in this program or whether I will
write another.
Please mail to
riker@mozcom.com
Remember in this system, we improve our software when we know what users
need and what they have. So please return feedback. It will be greatly
appreciated.
Gerard Paul Java
riker@mozcom.com