File: README
iptraf 1.3.0-5
***

README DOCUMENT FOR IPTRAF 1.3

***

DESCRIPTION

IPTraf is a console-based network monitoring program for Linux that
displays information about IP traffic.  It reports information such as:

	Current TCP connections
	UDP, ICMP, OSPF, and other types of IP packets
	Packet and byte counts on TCP connections
	IP, TCP, UDP, ICMP, non-IP, and other packet and byte counts
	TCP/UDP counts by ports
	Interface activity
	Flag statuses on TCP packets
	LAN station statistics
	
This program can be used to determine the type of traffic on your network,
and which services are most heavily used on which machines, among other
things.

IPTraf works on Ethernet, FDDI, and SLIP/PPP interfaces.

The IPTraf Web page is at http://cebu.mozcom.com/riker/iptraf

DISTRIBUTION NOTICE

This is the general release of IPTraf.  Versions 1.1.0 and 1.2.0 have been
incorporated into the Debian GNU/Linux distribution, and are still currently
classified as "unstable".  Debian-specific versions can be found at the
Debian site http://www.debian.org.

NEW FEATURES TO VERSION 1.3

Screen Update Speed Control

An additional option controls the screen update interval.  This lets you
limit the terminal traffic IPTraf generates over remote sessions and slow
links.

Better Organized Menus

The selection menus have been modified with separator lines to better
group logically related items.

FDDI Support

FDDI is now supported.  (FDDI support is still under observation.  Keep an
eye on it, and report any problems.)

ISDN Reenabled

Following reports that the packet parsing errors are gone as of kernel
2.0.35, synchronous PPP over ISDN interfaces has been re-enabled.

Better Numeric Overflow Protection

IPTraf now begins to display numbers in K(ilo), M(ega), G(iga) and T(era)
notation as they grow on long-term monitors.  Storage space for
rapidly-increasing counts has also been doubled.

Internal Hash Table for IP Traffic Monitor

A hash table has been incorporated into the IP Traffic Monitor for better
search times.

NEW FEATURES TO VERSION 1.2

Literal TCP/UDP Service Identifiers

Starting with version 1.2, IPTraf can now display (at the user's option)
TCP and UDP service identifiers in both literal (service name, e.g.
telnet) and numeric (port number, e.g. 23) forms.  The display form can be
set at the Options menu and will affect both the IP traffic monitor and
TCP/UDP services monitor.

Ethernet Address Mappings

To make the LAN station monitor a bit clearer, version 1.2.0 now
includes a facility that allows you to attach descriptions to various
Ethernet addresses.  This facility can be accessed from the Ethernet host
descriptions main menu item.

See the manual for more details.

Inverse Filter Logic

TCP and UDP filters now contain an extra field that allows users to
selectively include or exclude sites from the display.  This is useful when
you want to display all traffic except that from or to particular sites.

See the manual for more details.

TCP/UDP Filter Autosave

TCP and UDP filters now stay in effect even after the program exits.  They
take effect immediately on the next restart.
 
NEW FEATURES TO VERSION 1.1

Command-line Interface

Options are now available at the command line that allow you to
immediately start a facility, rather than start from the main menu.
See the manual or issue iptraf with the -h parameter to display
a help screen.

Improved Interface Lists and Access

The general interface statistics screen will now grow as packets are
detected on new interfaces (such as new PPP interfaces).  In addition to
this, long interface lists can now be scrolled in both the selection
boxes and the general interface statistics window.

The rvnamed Daemon

IPTraf 1.1 now comes with rvnamed, a daemon that resolves IP addresses
into host names in the background while allowing IPTraf to continue in
the meantime.  This minimizes the blocking caused by gethostbyaddr(),
allowing better keyboard response and fewer lost packets due to the delay
of reverse name lookups on the Internet.  When an IP address is
submitted for resolution into a host name, IPTraf passes it to rvnamed,
which forks off and performs the resolution in the background.  In the
meantime, the numeric IP address is returned.  Subsequent requests cause
rvnamed to consult its internal table of already-resolved IP addresses
and return those to IPTraf once they're found.

GLIBC2 (LIBC6) SUPPORT

I've done some rather extensive modifications to the code to get it to
compile with glibc2.  It's probably somewhat dirty now, but it's going
to get cleaned up.  Right now, I have to get the package to compile with
both libc5 and libc6, and to do that, I had to include a few files 
normally part of the library right in the distribution directory included
as local headers, and a custom definition of the TCP header in tcphdr.h.

libc6 will most likely overtake and eventually replace libc5 as the
standard as distributions are moving in that direction (much like
ELF took over the a.out format a few years ago).  However, I will continue
to distribute the precompiled binaries for libc5, that being the least
common denominator.

DOCUMENTATION
 
The manual is found in the Documentation subdirectory and is now available
in HTML and plain text.  The HTML version can be viewed with any browser
supporting HTML 3.2.

The HTML version is also online on the World Wide Web at
http://cebu.mozcom.com/riker/iptraf/manual.html

For information on the fixes and other changes made to IPTraf, see
the included CHANGES file.

For a detailed description of the new rvnamed program, see the 
README.rvnamed file.

TECHNICAL NOTES

Program Security

IPTraf reads raw network packets through the kernel's raw socket interface.
As such, it must be run as root.  This program was written for use by
administrators.  While effort has been made to avoid buffer overruns, no
guarantee is given, as the program is not intended for ordinary users.
Setting the setuid bit is NOT recommended.  Doing so may pose a security
risk to your system.  Do so only if you are the only user on your system.

(If the program is not compiled with the ALLOWUSERS tag defined in the
Makefile, only the root user will be able to run the program, even if its
setuid bit is set.  If you want to override this and allow setuid
operation, you will have to include the -DALLOWUSERS option in the
Makefile and recompile.

The distributed executable comes compiled to disallow non-root users
from running the program.)

In short, this program is not declared safe for non-root users to use.

(The new rvnamed reverse lookup daemon runs in the background and uses
UNIX domain sockets.  It has been tested, but may become an entry point
should parts of it prove broken.  If you come across a possible weak
spot, please inform me immediately so that it can be fixed.)
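The start-up gate described above, as an added example (not IPTraf's own code): refuse non-root invokers unless ALLOWUSERS was compiled in, and, as the safer alternative to running setuid root for the whole session, open the capture socket while privileged and then drop to the invoking user for good. The socket type (a raw IPv4 socket for TCP) and the function names check_run_policy and open_raw_socket_then_drop are assumptions for illustration.

```c
/* Added example, not IPTraf code: the root-only gate from the README plus a
 * privilege drop after the raw socket is open. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef ALLOWUSERS
#define ALLOWUSERS 0            /* build with -DALLOWUSERS=1 to permit setuid use */
#endif

enum run_policy { RUN_REFUSE = 0, RUN_AS_ROOT, RUN_SETUID_USER };

/* Decide from the real and effective uid whether to proceed. Testing the
 * *real* uid is what makes a setuid-root binary still refuse ordinary users
 * unless ALLOWUSERS was compiled in. */
enum run_policy check_run_policy(uid_t ruid, uid_t euid, int allow_users)
{
    if (ruid == 0)
        return RUN_AS_ROOT;             /* invoked by root itself */
    if (euid != 0)
        return RUN_REFUSE;              /* no privilege to open raw sockets anyway */
    return allow_users ? RUN_SETUID_USER : RUN_REFUSE;
}

/* Open the capture socket while privileged (socket type is an assumption),
 * then give privilege up irrevocably. Returns the fd, or -1 with errno set. */
int open_raw_socket_then_drop(uid_t target_uid, gid_t target_gid)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (fd < 0)
        return -1;
    /* Group first: once the uid is unprivileged, setgid() would fail. */
    if (setgid(target_gid) != 0 || setuid(target_uid) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    /* Prove the drop stuck: regaining root must now fail. */
    if (target_uid != 0 && setuid(0) == 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    enum run_policy p = check_run_policy(getuid(), geteuid(), ALLOWUSERS);
    if (p == RUN_REFUSE) {
        fprintf(stderr, "must be run by root"
                        " (or built with -DALLOWUSERS and installed setuid root)\n");
        return 1;
    }
    int fd = open_raw_socket_then_drop(getuid(), getgid());
    if (fd < 0) {
        perror("raw socket");
        return 1;
    }
    printf("capture socket open; now running as uid %u\n", (unsigned)getuid());
    close(fd);
    return 0;
}
```

The point of dropping after the socket is open is that a buffer overrun in the packet parser then runs as the invoking user, not as root. On later kernels the same privilege can be granted as a file capability (CAP_NET_RAW) instead of the setuid bit; that mechanism did not exist for the 2.0 kernels this README targets.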

Kernel

Kernel 2.0.x is recommended because its raw socket interface is known to be
stable.  Compiling against development kernels may or may not work.  You may
have to configure the kernel source tree before you compile.

IMPORTANT: Kernels prior to version 2.0.24 had a serious bug that allowed
oversized IP packets to crash the system, while kernels prior to 2.0.32
crashed whenever certain badly fragmented IP packets were received.  Even
the 2.0.33 kernel had a denial-of-service vulnerability also in its
fragmentation code.  A fix is available.

It is recommended that you upgrade your kernel to at least 2.0.35, or 
apply kernel patches to fix these problems.
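A user-space monitor that reads raw packets has to make the same sanity checks the kernel fixes above added, since the Program Security section only promises best effort against buffer overruns. The following is an added example, not IPTraf code: a bounds-checked IPv4 header parser that refuses the two malformed shapes named above (a fragment whose offset plus length overruns the 65535-byte datagram limit, and overlapping fragments). The sample packets are constructed by build_sample(), not real captures, and all names are assumptions.

```c
/* Added example, not IPTraf code: bounds-checked IPv4 parsing for a raw-packet
 * monitor. Sample packets are constructed, not captured. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum ip_verdict { IP_OK = 0, IP_TRUNCATED, IP_BAD_VERSION, IP_BAD_IHL,
                  IP_BAD_TOTLEN, IP_FRAG_OVERSIZE };

struct ip_info {
    uint8_t  proto;
    size_t   frag_off;      /* byte offset of this fragment in the datagram */
    size_t   payload_len;
    const uint8_t *payload; /* points into the caller's buffer */
};

/* Parse one IPv4 header from caplen captured bytes; never reads past caplen
 * and never trusts a length field that exceeds what was captured. */
enum ip_verdict parse_ipv4(const uint8_t *buf, size_t caplen, struct ip_info *out)
{
    if (caplen < 20)               return IP_TRUNCATED;
    if ((buf[0] >> 4) != 4)        return IP_BAD_VERSION;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20)                  return IP_BAD_IHL;
    if (caplen < ihl)              return IP_TRUNCATED;
    size_t tot_len = ((size_t)buf[2] << 8) | buf[3];
    if (tot_len < ihl)             return IP_BAD_TOTLEN;
    if (tot_len > caplen)          return IP_TRUNCATED;
    size_t frag_field = ((size_t)buf[6] << 8) | buf[7];
    size_t frag_off = (frag_field & 0x1fff) * 8;
    size_t payload_len = tot_len - ihl;
    /* The reassembled datagram must fit a 16-bit length: the oversized-packet case. */
    if (frag_off + payload_len > 65535) return IP_FRAG_OVERSIZE;
    if (out) {
        out->proto = buf[9];
        out->frag_off = frag_off;
        out->payload_len = payload_len;
        out->payload = buf + ihl;
    }
    return IP_OK;
}

/* Reassembly tracker: one bit per 8-byte block of the 64 KiB datagram space.
 * A fragment touching an already-covered block is refused instead of spliced,
 * which is the "badly fragmented" case. */
struct reasm { uint8_t map[8192 / 8]; };
enum reasm_verdict { REASM_ACCEPT = 0, REASM_OVERLAP };

enum reasm_verdict reasm_add(struct reasm *r, const struct ip_info *f)
{
    size_t first = f->frag_off / 8;
    size_t last = (f->frag_off + f->payload_len + 7) / 8;   /* exclusive */
    for (size_t b = first; b < last; b++)
        if ((r->map[b / 8] >> (b % 8)) & 1) return REASM_OVERLAP;
    for (size_t b = first; b < last; b++)
        r->map[b / 8] |= (uint8_t)(1u << (b % 8));
    return REASM_ACCEPT;
}

/* Constructed sample: 20-byte header claiming claimed_len total bytes with the
 * given flags/offset field, in a buffer actually holding actual_len bytes. */
size_t build_sample(uint8_t *buf, uint16_t claimed_len, uint16_t frag_field, size_t actual_len)
{
    memset(buf, 0, actual_len);
    buf[0] = 0x45;                                   /* IPv4, IHL 5 */
    buf[2] = (uint8_t)(claimed_len >> 8); buf[3] = (uint8_t)claimed_len;
    buf[6] = (uint8_t)(frag_field >> 8);  buf[7] = (uint8_t)frag_field;
    buf[8] = 64; buf[9] = 6;                         /* TTL, protocol TCP */
    return actual_len;
}

/* Verdicts for three constructed packets: 0 clean, 1 claims more bytes than
 * were captured, 2 last fragment at offset 65528 with 8 bytes (65536 total). */
enum ip_verdict sample_verdict(int which)
{
    uint8_t buf[64];
    switch (which) {
    case 0:  build_sample(buf, 28, 0x0000, 28); return parse_ipv4(buf, 28, NULL);
    case 1:  build_sample(buf, 64, 0x0000, 28); return parse_ipv4(buf, 28, NULL);
    default: build_sample(buf, 28, 0x1fff, 28); return parse_ipv4(buf, 28, NULL);
    }
}

/* Fragment A covers bytes 0-23 (MF set); fragment B claims bytes 8-15 inside it.
 * Returns 1 if A is accepted and B refused. */
int overlapping_fragment_refused(void)
{
    uint8_t a[64], b[64];
    struct ip_info fa, fb;
    struct reasm r;
    memset(&r, 0, sizeof r);
    build_sample(a, 44, 0x2000, 44);   /* MF=1, offset 0, 24 payload bytes */
    build_sample(b, 28, 0x0001, 28);   /* MF=0, offset 1 (8 bytes), 8 payload bytes */
    if (parse_ipv4(a, 44, &fa) != IP_OK || parse_ipv4(b, 28, &fb) != IP_OK) return 0;
    return reasm_add(&r, &fa) == REASM_ACCEPT && reasm_add(&r, &fb) == REASM_OVERLAP;
}
```

The rule throughout is that the captured length, not any field inside the packet, bounds every read; the packet's own length fields are validated against it before they are used for anything.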

Terminal

This program was designed to run on the Linux console.  It should work on
80x25 xterms and rxvt windows.  I'm still working on a SIGWINCH handler for
X shells.  Run this program from the console (text or xterm) or a high-speed
terminal for best results.

Starting with version 1.2.0, IPTraf will use the maximum number of lines
on the terminal (however, only the first 80 characters on each line will
be utilized).

User Interface

Operating the IP traffic monitor with reverse lookups enabled, but without
the new rvnamed daemon running will cause lookups to block.  This will
cause keyboard response to become very slow and cause IPTraf to miss
packets.  Unless something is wrong with the system or resources are
extremely low, rvnamed should start with no problem whenever the traffic
monitor is initiated with reverse lookups turned on.  See README.rvnamed
for more details.
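The lookup pattern described under "The rvnamed Daemon" above, and the blocking it avoids that this section warns about, as an added example (not the real rvnamed, which uses a separate daemon and UNIX domain sockets): an unresolved address forks a child to do the slow lookup and is answered at once in numeric form; later requests collect the child's answer from a pipe without blocking. fake_resolver() is a constructed stand-in for gethostbyaddr() so the example runs offline; the cache layout and all names are assumptions.

```c
/* Added example, not rvnamed itself: non-blocking reverse lookup with a cache
 * of answers. The resolver is a constructed stand-in for gethostbyaddr(). */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define RV_MAX     64
#define RV_NAMELEN 256

typedef void (*rv_resolver)(struct in_addr addr, char *name, size_t len);

struct rv_entry {
    struct in_addr addr;
    int   resolved;           /* 0 while the child is still working */
    int   pipe_fd;            /* read end of the child's pipe while pending */
    pid_t child;
    char  name[RV_NAMELEN];   /* numeric form until the child answers */
};
struct rv_cache { struct rv_entry e[RV_MAX]; int n; };

/* Collect the child's answer if it has arrived; on an O_NONBLOCK fd this never waits. */
static void rv_poll(struct rv_entry *e)
{
    if (e->resolved) return;
    ssize_t n = read(e->pipe_fd, e->name, RV_NAMELEN - 1);
    if (n < 0) return;                  /* EAGAIN: still resolving */
    if (n > 0) e->name[n] = '\0';       /* n == 0: child died, keep numeric form */
    e->resolved = 1;
    close(e->pipe_fd);
    waitpid(e->child, NULL, 0);
}

/* What the monitor calls for every address it displays. Never blocks. */
const char *rv_lookup(struct rv_cache *c, struct in_addr a, rv_resolver resolve)
{
    for (int i = 0; i < c->n; i++)
        if (c->e[i].addr.s_addr == a.s_addr) { rv_poll(&c->e[i]); return c->e[i].name; }
    if (c->n == RV_MAX) return inet_ntoa(a);          /* table full: numeric only */
    int fds[2];
    if (pipe(fds) != 0) return inet_ntoa(a);
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return inet_ntoa(a); }
    if (pid == 0) {                                   /* child: the slow part */
        char name[RV_NAMELEN];
        close(fds[0]);
        resolve(a, name, sizeof name);
        (void)!write(fds[1], name, strlen(name));
        _exit(0);
    }
    close(fds[1]);
    fcntl(fds[0], F_SETFL, O_NONBLOCK);
    struct rv_entry *e = &c->e[c->n++];
    e->addr = a; e->resolved = 0; e->pipe_fd = fds[0]; e->child = pid;
    snprintf(e->name, RV_NAMELEN, "%s", inet_ntoa(a));
    return e->name;                                   /* numeric form for now */
}

/* Wait for every outstanding child (shutdown, or the demonstration below). */
void rv_drain(struct rv_cache *c)
{
    for (int i = 0; i < c->n; i++)
        if (!c->e[i].resolved) { fcntl(c->e[i].pipe_fd, F_SETFL, 0); rv_poll(&c->e[i]); }
}

/* Constructed resolver: no DNS, just a slow deterministic answer. */
void fake_resolver(struct in_addr a, char *name, size_t len)
{
    usleep(20000);
    snprintf(name, len, "host-%u.example", (unsigned)(ntohl(a.s_addr) & 0xff));
}

/* Demonstration: the first answer for 10.0.0.7 (constructed) is numeric, the
 * answer after the child finishes is the name. Returns 1 if both hold. */
int rv_demo(void)
{
    struct rv_cache cache;
    struct in_addr a;
    memset(&cache, 0, sizeof cache);
    a.s_addr = htonl(0x0a000007);
    int numeric_first = strcmp(rv_lookup(&cache, a, fake_resolver), "10.0.0.7") == 0;
    rv_drain(&cache);
    return numeric_first && strcmp(rv_lookup(&cache, a, fake_resolver), "host-7.example") == 0;
}
```

Without the fork and the non-blocking read, rv_lookup would sit inside the resolver for the full DNS round trip, which is exactly the keyboard lag and missed packets this section describes for running the monitor without rvnamed.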

IPTraf was designed and tested with ncurses 1.9.9e and ncurses 4.2.
Earlier versions may cause undesirable screen behavior.

There is also a little concern regarding the Backspace key.  Apparently
the backspace key mapping (KEY_BACKSPACE) is considered unreliable, and
is marked as such in ncurses as late as 1.9.9e, although my tests on this
version already worked.  Tests for 1.9.4 failed; pressing the Backspace
key yielded ^?.  The Delete key works with no problem though.  If you
want the program not to recognize the Backspace key, you can enable the
BSSETTING = DISABLEBS directive in the Makefile.

Network Interfaces

IPTraf currently includes support for Ethernet, FDDI, and SLIP/PPP
interfaces.  Work is still being done for other types of media.

For Ethernet, IPTraf can receive packets in promiscuous mode (i.e. all
packets on the LAN, regardless of their destination).  Promiscuous mode is
pointless on SLIP/PPP interfaces, since these things are point-to-point
links.

IPTraf imposes no additional load on the network (except for DNS traffic if
reverse name lookup is enabled).

Multiple Instances

IPTraf 1.2 did not allow multiple instances of IPTraf running at the
same time.  With 1.3, this restriction is relaxed, and now operates on a
per-facility basis.  In other words, you can run multiple copies of
IPTraf, but only one copy of each facility can run.  The -f parameter to
the iptraf command removes all tags, and will cause that instance to think
it's the only one running.  This option may be used to recover from an 
abnormal termination.  Only the first instance started can change the
configuration.
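One way to implement the per-facility tags described above, as an added example (not IPTraf's own tag code): a tag file per facility that records the owner's pid. A second instance of the same facility is refused while the owner is alive, a tag left behind by an owner that died is reclaimed automatically (so the -f recovery step is rarely needed), and the force flag plays the role of -f by discarding any existing tag. The tag directory, the file naming and the function names are assumptions; the demonstration uses a scratch directory under /tmp.

```c
/* Added example, not IPTraf code: pid-stamped per-facility tag files. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum tag_result { TAG_ACQUIRED = 0, TAG_BUSY, TAG_ERROR };

/* Read the pid recorded in an existing tag, or 0 if unreadable. */
static long tag_owner(const char *path)
{
    char buf[32];
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0) return 0;
    buf[n] = '\0';
    return strtol(buf, NULL, 10);
}

/* Create dir/facility.tag atomically (O_EXCL) and record our pid in it. */
enum tag_result facility_tag_acquire(const char *dir, const char *facility, int force)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s.tag", dir, facility);
    if (force) unlink(path);
    for (int attempt = 0; attempt < 2; attempt++) {
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
        if (fd >= 0) {
            char buf[32];
            int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
            int ok = write(fd, buf, n) == n;
            close(fd);
            if (!ok) { unlink(path); return TAG_ERROR; }
            return TAG_ACQUIRED;
        }
        if (errno != EEXIST) return TAG_ERROR;
        long owner = tag_owner(path);
        /* kill(pid, 0) probes existence; EPERM still means "alive". */
        if (owner > 0 && (kill((pid_t)owner, 0) == 0 || errno == EPERM))
            return TAG_BUSY;
        unlink(path);          /* stale tag from an abnormal exit: reclaim and retry */
    }
    return TAG_ERROR;
}

void facility_tag_release(const char *dir, const char *facility)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s.tag", dir, facility);
    unlink(path);
}

/* Demonstration in a scratch directory. Returns 1 if: a second instance of the
 * same facility is refused, a different facility is unaffected, force overrides
 * a live tag, and a tag left by an exited child process is reclaimed. */
int tag_demo(void)
{
    char dir[] = "/tmp/iptraf-tags-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    int ok = facility_tag_acquire(dir, "ipmon", 0) == TAG_ACQUIRED
          && facility_tag_acquire(dir, "ipmon", 0) == TAG_BUSY
          && facility_tag_acquire(dir, "lanmon", 0) == TAG_ACQUIRED
          && facility_tag_acquire(dir, "ipmon", 1) == TAG_ACQUIRED;
    pid_t child = fork();
    if (child == 0) { facility_tag_acquire(dir, "stale", 0); _exit(0); }
    if (child > 0) waitpid(child, NULL, 0);
    ok = ok && child > 0 && facility_tag_acquire(dir, "stale", 0) == TAG_ACQUIRED;
    facility_tag_release(dir, "ipmon");
    facility_tag_release(dir, "lanmon");
    facility_tag_release(dir, "stale");
    rmdir(dir);
    return ok;
}
```

Because the program creating these tags runs as root, the tag directory must itself be owned by root and not world-writable: O_EXCL and O_NOFOLLOW stop a pre-planted symlink from redirecting the create, but they do not protect a directory that any user can populate.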


COPYING AND DISTRIBUTION

This software is open-source and is distributed under the terms of the GNU
General Public License, Version 2 as published by the Free Software
Foundation, Inc.  See the accompanying COPYING file for details.


FEEDBACK

A WHATELSE file has been included in the distribution.  It is about 
some other features I don't know whether to include or not. If you have 
anything to suggest, or if you discover a bug, please contact me.  I  
would love to hear from you.  If you think this program can potentially 
address a need but falls short, tell me the feature you desire and I will 
determine whether I will include it in this program or whether I will 
write another.

Please mail to

	riker@mozcom.com

Remember in this system, we improve our software when we know what users
need and what they have.  So please return feedback.  It will be greatly
appreciated.

	Gerard Paul Java
	riker@mozcom.com