.TH traffic-vis 8 "30 Jan 1999"
.SH NAME
.BI traffic-vis
\- Network traffic analysis suite
.SH SYNOPSIS
.nf
.BI traffic-collector
.BI traffic-resolve
.BI traffic-exclude
.BI traffic-sort
.BI traffic-totext
.BI traffic-tohtml
.BI traffic-tops
.BI traffic-togif
.fi
.SH DESCRIPTION
.I traffic-vis
is a suite of tools for network analysis. Its main purpose is to
determine which hosts have been communicating on a network, with whom
and the volume of traffic.
.PP
The collection and summarisation of network packets is performed by
.IR traffic-collector (8).
This program runs as a daemon, collecting packets off the network
interface of your choice, optionally applying a
.IR bpf (4)
packet filter prior to collection. These packets are summarised and can
be dumped to a file at any time. This summary is not intended for human
consumption, and should be processed using the other tools in the suite to
produce a report.
.PP
.I traffic-exclude(8)
will remove specific hosts from a summary, based on IP address.
.PP
.I traffic-resolve(8)
is a filter that resolves the IP addresses in a summary to hostnames.
This is deliberately not done in the collection program, because the
resulting DNS traffic would pollute the sample of network traffic being
collected.
.PP
.I traffic-sort(8)
will sort a report in one of several ways and can limit the size of
a report.
.PP
One of the three frontends,
.IR traffic-tops (8),
.IR traffic-totext (8)
or
.IR traffic-tohtml (8),
can be used to convert the summary into a human-readable form.
.PP
All the processing tools are filters, accepting a summary on standard
input and producing their results on standard output. It is thus
possible to combine them for more complex processing.
.SH "EXAMPLES"
This is a quick example of how to produce a basic "10 busiest hosts"
report using traffic-vis.
.LP
First, start
.I traffic-collector
and let it run for a while. When you feel
it has collected enough data, send it a SIGUSR1:
.IP
\fCkillall \-USR1 traffic-collector\fP
.LP
It will (unless you have specified otherwise) write a report in
/var/run/traffic-collector
.LP
This report must be processed before it is understandable. First we will
sort the report by bytes transferred and limit the number of hosts in the output to ten:
.LP
\fCtraffic-sort \-Hb \-L10 < reportfile > report-sorted.tv\fP
.LP
We then resolve the hostnames in the report:
.LP
\fCtraffic-resolve < report-sorted.tv > report-resolved.tv\fP
.LP
Finally we convert the report to a readable form:
.LP
\fCtraffic-tohtml < report-resolved.tv > report.html\fP
.LP
These steps could have been combined into a single command-line:
.LP
\fCtraffic-sort \-Hb \-L10 < reportfile | traffic-resolve | traffic-tohtml > report.html\fP
.LP
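.PP
The following script automates the procedure above. It is an added
example and is not part of traffic-vis: it sends the signal, waits until
the summary file has actually been rewritten and its size has stopped
changing (the daemon writes the file some time after receiving SIGUSR1,
so reading it immediately can process a partially written summary), and
then runs the same pipeline. The marker-file wait, the 30-second timeout,
the
.B REPORT
and
.B TOP
variables and the function names are this example's own assumptions; the
summary path, the daemon name and the tool flags are the ones shown above.

```sh
#!/bin/sh
# Added example, not part of traffic-vis: produce the "10 busiest hosts"
# report from a running traffic-collector without reading a half-written
# summary. Assumptions (this script's own, not documented on the page):
#   - the daemon rewrites $REPORT some time after receiving SIGUSR1, so we
#     wait until the file is newer than a marker and its size has settled;
#   - REPORT and TOP may be overridden from the environment.

REPORT=${REPORT:-/var/run/traffic-collector}   # default dump path from the man page
TOP=${TOP:-10}                                 # number of hosts to keep

# wait_for_report FILE MARKER TIMEOUT
# Succeed once FILE is newer than MARKER and its size is unchanged between
# two consecutive one-second polls; fail after TIMEOUT seconds.
wait_for_report() {
    file=$1 marker=$2 timeout=$3
    elapsed=0 last=-1
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -f "$file" ] && [ "$file" -nt "$marker" ]; then
            size=$(wc -c < "$file" | tr -d ' ')
            if [ "$size" -eq "$last" ]; then
                return 0
            fi
            last=$size
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# dump_summary: ask the daemon to dump, then wait for the dump to complete.
# The marker is created one second before the signal so that a dump written
# within the same second as the signal still compares newer on filesystems
# with one-second mtime resolution.
dump_summary() {
    marker=$(mktemp) || return 1
    sleep 1
    if ! killall -USR1 traffic-collector; then
        rm -f "$marker"
        return 1
    fi
    wait_for_report "$REPORT" "$marker" 30
    rc=$?
    rm -f "$marker"
    return "$rc"
}

# busiest_hosts IN OUT: the pipeline from EXAMPLES. traffic-resolve runs
# after traffic-sort so that only the $TOP remaining hosts are looked up
# in DNS rather than every host seen on the wire.
busiest_hosts() {
    traffic-sort -Hb -L"$TOP" < "$1" | traffic-resolve | traffic-tohtml > "$2"
}

main() {
    dump_summary || { echo "no fresh summary at $REPORT" >&2; return 1; }
    busiest_hosts "$REPORT" "$1"
}

# Only act when an output file is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

.PP
Run it as
.B sh busiest.sh report.html
(the script name is assumed). The signal must be sent by a user allowed to
signal the daemon, normally root, since the collector needs privileged
access to the interface; the filters themselves need no privileges beyond
reading the summary and, for
.IR traffic-resolve ,
sending DNS queries. Keeping
.I traffic-resolve
after
.I traffic-sort
means only the ten hosts that appear in the final report are resolved.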
.SH "SEE ALSO"
.IR traffic-collector (8),
.IR traffic-resolve (8),
.IR traffic-exclude (8),
.IR traffic-sort (8),
.IR traffic-totext (8),
.IR traffic-tohtml (8),
.IR traffic-tops (8),
.IR traffic-togif (8)
.SH "AUTHORS"
Damien Miller <dmiller@ilogic.com.au>
.LP
http://www.ilogic.com.au/~dmiller/traffic-vis.html
.SH "BUGS"
Hopefully none, probably legion.