Thursday, January 3, 2013

HOW TO MONITOR NETWORK TRAFFIC IN LINUX

Ref: http://techthrob.com/2010/07/26/how-to-monitor-network-traffic-in-linux/


Basic Usage

iftop is easy to use if you just want to see your current network connections and how much bandwidth is being used by each remote host. Simply launch it from the command line, passing the -i option with the interface you want to monitor, and optionally the -B option to display values in bytes (the default is to display in bits). So for example, to monitor the wlan0 device in bytes, you would run:

    iftop -i wlan0 -B

There’s a lot of information displayed on the screen, but it is formatted intelligently and quickly becomes easy to digest. Here is what the basic screen is showing you when you first launch iftop:

As you can see, the display is packed full of useful information. Don’t worry if it’s a little overwhelming at first; it won’t take long to get used to reading the display, and you’ll appreciate having all this information available so quickly.

Now let’s move on to some of the more powerful features that iftop provides.
Filtering networks, hosts, and ports

While it’s nice to see all the hosts your computer is talking to, it’s often the case that you’re only interested in a certain segment of the network. iftop allows you to filter connections by network, host, and port, which gives you complete control over which connections are displayed.

iftop accepts pcap-filter formatted filters on the command line with the -f flag. Below is a table of some of the filters you might want to use with iftop (each row pairs the destination form with the matching source form):

    dst host host              src host host
    dst net net                src net net
    dst port port              src port port
    dst portrange start-end    src portrange start-end
    gateway gateway
    ip proto protocol

For example, to view only traffic going from your local machine to google.com over eth0, you could run:

    iftop -i eth0 -f "dst host google.com"

Or to see only ssh traffic over wlan0:

    iftop -i wlan0 -f "dst port 22"

Additionally, iftop allows you to set arbitrary filters based upon regular expressions. It’s important to note that when you specify a filter with a regular expression, you are only filtering the on-screen output, whereas using a pcap filter (above) will filter what iftop actually listens to. As a result, the totals displayed at the bottom of the screen won’t be affected by regex filters. You can press the l key to enter regular expression filters while iftop is running.
Controlling the interface and the online help

Once you’ve got the information you want on the screen, you’ll need to be able to move around and tweak the exact output. There are many options, and the easiest thing to do is just hit the h or ? key to see the on-screen help:

Notice that you can toggle things like hostname and port resolution, port display, and whether iftop sorts by destination or source. Showing connections by port is useful for monitoring throughput on programs that create many connections, while turning DNS resolution on might make it easier to read the display if you are watching things like web traffic.
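As an added example (not from the TechThrob article or the iftop project), here is a small Python script for when you want the "who is hammering the network" answer in a log rather than on screen: iftop also has a text mode, -t, and -s N prints one snapshot after N seconds and exits, so the script parses such a snapshot (a constructed sample, in bytes as with -B) and ranks remote hosts by cumulative traffic. The -t and -s flags are from iftop's manual; the exact text-mode layout and the 1024-based K/M/G prefixes are assumptions to check against your own iftop version.

```python
"""Rank remote hosts from one iftop text-mode snapshot (iftop -i eth0 -t -B -s 10)."""
import re

# Constructed sample in the text-mode layout as this example's author recalls it.
SAMPLE = """\
   # Host name (port/service if enabled)     last 2s   last 10s   last 40s cumulative
--------------------------------------------------------------------------------------
   1 192.168.1.10                       =>     12.3KB     10.1KB      9.8KB      394KB
     93.184.216.34                      <=      1.2MB      1.0MB      980KB     39.2MB
   2 192.168.1.10                       =>       512B       400B       380B     15.2KB
     10.0.0.5                           <=      1.0KB       900B       850B     33.0KB
--------------------------------------------------------------------------------------
Total send rate:                               12.8KB     10.5KB     10.2KB
"""

_SCALE = 1024  # assumed: iftop's K/M/G prefixes are 1024-based; check your build
_UNIT = {"b": 1, "kb": _SCALE, "mb": _SCALE ** 2, "gb": _SCALE ** 3}
_ROW = re.compile(r"^\s*(?:\d+\s+)?(\S+)\s+(=>|<=)\s+(.*\S)\s*$")  # host, arrow, columns

def to_bytes(token):
    """'39.2MB' -> bytes; a lowercase unit (iftop without -B) means bits, divided by 8."""
    m = re.fullmatch(r"([\d.]+)([KMG]?)([Bb])", token)
    if not m:
        raise ValueError(f"unparseable rate {token!r}")
    num, prefix, unit = m.groups()
    value = float(num) * _UNIT[(prefix + "b").lower()]
    return value if unit == "B" else value / 8

def parse_snapshot(text):
    """Return {remote_host: (sent_bytes, recv_bytes)} taken from the cumulative column."""
    totals, pending_sent = {}, 0.0
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        host, arrow, cols = m.groups()
        cumulative = to_bytes(cols.split()[-1])
        if arrow == "=>":      # local host row: bytes sent to the peer on the next row
            pending_sent = cumulative
        else:                  # remote host row: bytes received from that peer
            sent, recv = totals.get(host, (0.0, 0.0))
            totals[host] = (sent + pending_sent, recv + cumulative)
            pending_sent = 0.0
    return totals

def top_talkers(text, n=3):
    """Remote hosts sorted by cumulative sent+received bytes, highest first."""
    ranked = sorted(parse_snapshot(text).items(), key=lambda kv: sum(kv[1]), reverse=True)
    return [(h, int(s), int(r)) for h, (s, r) in ranked[:n]]

print(top_talkers(SAMPLE))  # ranked (host, sent_bytes, recv_bytes) for the sample
```

To use it on a live machine, pipe the output of `iftop -i eth0 -t -B -s 10` into `top_talkers` instead of SAMPLE; a pcap filter via -f works in text mode too.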
nethogs
Now I’ll show you how to use nethogs, which is a great little program that was mentioned by one of TechThrob’s readers (thanks, dasen!). Whereas iftop displays network usage by destination IP address and port number, nethogs takes a process-oriented approach and shows you usage based on the program that is accessing the network.
nethogs is much simpler than iftop and doesn’t have as many options. You can specify the interface to listen on when you launch it:
nethogs eth1
This gives you a screen listing the processes that are sending or receiving traffic on that interface.
While it’s running, you can use the m key to toggle between units (megabytes, kilobytes, and bytes) and to change whether you are viewing instantaneous throughput or the total throughput since nethogs was started.
Being so simple is the greatest advantage of nethogs, since it makes it much more user-friendly than iftop and lets you see in an instant what applications are using your network, and how much bandwidth they are using. If you think your network is being hammered and you want to know who to hold responsible, nethogs is probably the command you want.
Don’t be evil
With great power comes great responsibility. If you have root on a machine that is routing a lot of traffic, tools like this will let you see what people are doing on the network; don’t be evil. Use these tools to monitor your own traffic, and to troubleshoot problems, but don’t spy on other people.