Networkers Palace

IPTraf - rather than TCPDump

IPTraf is a console-based network statistics utility for Linux. It gathers a variety of figures such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.
Features

* An IP traffic monitor that shows information on the IP traffic passing over your network. Includes TCP flag information, packet and byte counts, ICMP details, OSPF packet types.
* General and detailed interface statistics showing IP, TCP, UDP, ICMP, non-IP and other IP packet counts, IP checksum errors, interface activity, packet size counts.
* A TCP and UDP service monitor showing counts of incoming and outgoing packets for common TCP and UDP application ports
* A LAN statistics module that discovers active hosts and shows statistics showing the data activity on them
* TCP, UDP, and other protocol display filters, allowing you to view only traffic you're interested in.
* Logging
* Supports Ethernet, FDDI, ISDN, SLIP, PPP, and loopback interface types.
* Utilizes the built-in raw socket interface of the Linux kernel, allowing it to be used over a wide range of supported network cards.
* Full-screen, menu-driven operation.

Protocols Recognized

* IP
* TCP
* UDP
* ICMP
* IGMP
* IGP
* IGRP
* OSPF
* ARP
* RARP

Non-IP packets will simply be indicated as "Non-IP" and, on Ethernet LANs, will be supplied with the appropriate Ethernet addresses.

Supported Interfaces

* Local loopback
* All Linux-supported Ethernet interfaces
* All Linux-supported FDDI interfaces
* SLIP
* Asynchronous PPP
* Synchronous PPP over ISDN
* ISDN with Raw IP encapsulation
* ISDN with Cisco HDLC encapsulation
* Parallel Line IP

The information generated by IPTraf can be valuable in making network organization decisions, troubleshooting LANs and tracking activity of various IP hosts.

So let's get the show on the road. Start off by downloading the latest version (2.7.0 at the time of this update). Once you have it downloaded, move it to /usr/local/src and untar it by running:

tar -zxvf iptraf-2.7.0.tar.gz

That will create a directory called iptraf-2.7.0. Enter it and then go into the src directory. Here you will find the IPTraf source code as well as a precompiled binary. You can just run:

make install

Or if you feel you must recompile the code, you can run:

make
make install

That will recompile the source and install the binaries into /usr/local/bin, so make sure that directory is in your PATH.

Once you have it installed, start it up by typing /usr/local/bin/iptraf as root (it needs root to open the raw socket it captures with). An ncurses-based main menu will come up on your screen with a list of options you can select.

The first one you will probably want to go into is the "Configure" menu. Here you can turn on/off a bunch of features such as logging, reverse DNS lookups and showing TCP/UDP service names. IPTraf logs to /var/log/iptraf and the logfiles can grow very large very quickly, so make sure your partition has enough space, or just leave the logs disabled until you really need them, like in the case of an attack.

From the main menu, if you go into "Other protocol filters" it will present you with a list of protocols that you can enable or disable. I normally just have ICMP and UDP enabled here but your tastes may differ.

Let the fun begin: from the main menu, enter "IP traffic monitor" and it will ask you to select an interface. Either select ALL or just whatever your network interface is, such as ppp0 for a PPP dial-up or eth0 for a cable/DSL connection.

As you can see, the screen is broken up into two sections. All TCP connections are shown in the top half and all ICMP/UDP/etc. packets are listed in the bottom half.

TCP Connections (Source Host:Port)   Packets   Bytes   Flags   Iface
216.176.130.250:ircd >                     2     108   --A-    eth0
24.114.19.126:3610 >                       1      67   -PA-    eth0

A simple breakdown of what this means: IPTraf lists each TCP connection as a pair of entries, one per direction, and the ">" marks the direction of the entry's traffic. The top entry is traffic from 216.176.130.250 (finger-for-port-scan-info-at-hebron.in.us.dal.net, a DALnet IRC server) port 6667, shown as "ircd" because service names are switched on, to port 3610 on my host, 24.114.19.126; the entry below it is my host's side of the same connection. Packets and Bytes are counted per direction, and Flags shows the TCP flags of the last packet seen in that direction (A for ACK, P for PSH), so this connection is already established. Since the high, unprivileged port is on my side, this is my own IRC client's session, not somebody connecting in.

The TCP Connections section is great for monitoring most attempts of people trying to access your machine. It will display pretty much every inbound TCP connection attempt: telnet, ftp and ssh logins as well as port scans, which typically show up as a burst of entries from one host against many of your ports, each carrying only the S (SYN) flag because the handshake never gets any further. The bottom half of the screen will display whichever protocols you selected in the "Other protocol filters" section, so if you selected ICMP and UDP, it will show all ICMP/UDP packets.
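To make that "port scans show up as SYN-only entries" remark mechanical, here is a small Python parser for lines in the layout of the TCP Connections pane above. This is an added example written for this post, not code from IPTraf. It assumes what the pane shows: consecutive entries are the two directions of one connection, and the four-character Flags column uses the letters S, P, A, U with "-" for a clear flag. The sample lines are constructed (the first pair is the IRC connection above, the rest is an invented scanner), the reply columns for the scan are invented too, and the threshold of five ports is arbitrary.

```python
"""Parse lines in the layout of IPTraf's TCP Connections pane and flag
SYN-only sweeps. Added example for this post, not code from IPTraf.

Assumptions (not stated on the page): IPTraf lists the two directions of
one connection as consecutive entries, so entries are consumed in pairs;
the Flags column is four characters drawn from S, P, A, U (SYN, PSH, ACK,
URG) with '-' for a flag that is clear. Any other word in that column
(a reset or closed state, for instance) is simply not treated as a SYN."""
import re
from collections import defaultdict

# One pane entry: "host:port > packets bytes flags iface". The host may be
# a name when reverse lookups are on, and the port a service name.
ENTRY = re.compile(
    r"^\s*(?P<host>[^\s:>]+):(?P<port>[^\s>]+)\s*>\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<flags>\S+)\s+(?P<iface>\S+)\s*$"
)

# Constructed sample, not a capture. The first pair is the post's own IRC
# example; the rest is an invented scanner at 10.0.0.7 sending a bare SYN
# to six local ports. The reply halves (0 packets, no flags) are invented.
SAMPLE = """\
TCP Connections (Source Host:Port)   Packets   Bytes   Flags   Iface
216.176.130.250:ircd >                     2     108   --A-    eth0
24.114.19.126:3610 >                       1      67   -PA-    eth0
10.0.0.7:40001 >                           1      60   S---    eth0
24.114.19.126:21 >                         0       0   ----    eth0
10.0.0.7:40002 >                           1      60   S---    eth0
24.114.19.126:22 >                         0       0   ----    eth0
10.0.0.7:40003 >                           1      60   S---    eth0
24.114.19.126:23 >                         0       0   ----    eth0
10.0.0.7:40004 >                           1      60   S---    eth0
24.114.19.126:25 >                         0       0   ----    eth0
10.0.0.7:40005 >                           1      60   S---    eth0
24.114.19.126:80 >                         0       0   ----    eth0
10.0.0.7:40006 >                           1      60   S---    eth0
24.114.19.126:110 >                        0       0   ----    eth0
"""


def parse_pane(text):
    """Return connections as (one direction, other direction) entry pairs."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m is None:
            continue  # header line, blank line, or the other-protocol window
        e = m.groupdict()
        e["pkts"], e["bytes"] = int(e["pkts"]), int(e["bytes"])
        entries.append(e)
    if len(entries) % 2:
        raise ValueError("odd number of entries; the pane shows connections in pairs")
    return [(entries[i], entries[i + 1]) for i in range(0, len(entries), 2)]


def syn_only(flags):
    """True when the last packet seen in this direction was a SYN with no
    ACK: the opening packet of a handshake that has not progressed."""
    return (len(flags) == 4 and set(flags) <= set("SPAU-")
            and "S" in flags and "A" not in flags)


def find_syn_sweeps(conns, local_hosts, min_ports=5):
    """Map each remote host whose SYN-only entries touched at least
    min_ports distinct local ports onto the sorted list of those ports."""
    touched = defaultdict(set)
    for a, b in conns:
        for src, dst in ((a, b), (b, a)):
            if src["host"] in local_hosts or dst["host"] not in local_hosts:
                continue  # only inbound halves: remote host -> one of mine
            if syn_only(src["flags"]):
                touched[src["host"]].add(dst["port"])
    return {h: sorted(p) for h, p in touched.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for host, ports in find_syn_sweeps(parse_pane(SAMPLE), {"24.114.19.126"}).items():
        print(f"{host}: SYN-only to {len(ports)} local ports: {', '.join(ports)}")
```

Feed it text in the pane's layout (a screen dump, or the two-column display retyped) rather than the files under /var/log/iptraf, which use a different format. A legitimate connection also shows S--- for an instant before the handshake completes, which is why the check counts distinct ports per remote host instead of reacting to a single SYN.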

If you find yourself being attacked, first try to establish the IP of the attacker. They will often use more than one IP, and the source IP may be spoofed (not their real one). Spoofing is easy for floods of UDP, ICMP or bare SYN packets, but a TCP connection that actually completes the handshake, such as a telnet or ssh login attempt, had to come from an address the attacker can receive replies at. However, not all attackers are geniuses, if you know what I mean. Once you have established whether the IP is really theirs, turn on logging and log the attack.

If you survive, you should probably email the log, along with a description of what went down, to their ISP. You don't know their email address? Sure you do. Let's say the host of the attacker was tspsl2-188.gate.net; you could probably get away with emailing abuse@gate.net, since most ISPs have an abuse@isp.com address. Also, most ISPs have a zero tolerance attitude towards denial of service attacks, so the attacker's account will probably be closed. You can also visit http://www.arin.net and perform a lookup on the IP (or run whois on it from the shell). From this you should find out who their ISP is and what its abuse address is. ARIN covers North American address space; for an IP registered elsewhere, its lookup will point you at the regional registry that does hold it.

Also, don't install IPTraf and think that you're secure now because you are watching the network; it only shows you what is happening, it doesn't stop any of it. You should consider setting up a firewall.



(Screenshot: IPTraf running on my box.)
