itrafmon.html

一个网络流量分析的完整的程序

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<HTML
><HEAD
><TITLE
>The IP Traffic Monitor</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.64
"><LINK
REL="HOME"
TITLE="IPTraf User's Manual"
HREF="manual.html"><LINK
REL="PREVIOUS"
TITLE="Supported Network Interfaces"
HREF="ifaces.html"><LINK
REL="NEXT"
TITLE="Lower Window"
HREF="lowerwin.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>IPTraf User's Manual</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="ifaces.html"
>&#60;&#60;&#60; Previous</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="lowerwin.html"
>Next &#62;&#62;&#62;</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="ITRAFMON"
>The IP Traffic Monitor</A
></H1
><P
>  Executing the first menu item or specifying <TT
CLASS="COMPUTEROUTPUT"
>-i</TT
>
  to the <B
CLASS="COMMAND"
>iptraf</B
> command takes you to the IP traffic monitor. The traffic
  monitor is a real-time monitoring system that intercepts all packets
  on all detected network interfaces. The monitor decodes the
  IP information on all IP packets and
  displays the appropriate information about it, most notably the
  source and destination addresses. In addition to that, it also
  determines the encapsulated protocol within the IP packet, and
  displays some important information about that as well.</P
><P
>  There are two windows in the traffic monitor. Both of them can be
  scrolled with the Up and Down cursor keys. Just press W to
  move the <TT
CLASS="COMPUTEROUTPUT"
>Active</TT
> indicator to the window you
  want to control.</P
><DIV
CLASS="FIGURE"
><A
NAME="AEN546"
></A
><P
><IMG
SRC="iptraf-iptm1.png"></P
><P
><B
>Figure 1. The IP traffic monitor</B
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="UPPERWIN"
>The Upper Window</A
></H1
><P
>  The upper window of the traffic monitor displays the currently
  detected TCP
  connections. Information about TCP packets are displayed here. The
  window contains these pieces of information:</P
><P
></P
><UL
COMPACT="COMPACT"
><LI
><P
>Source address and port</P
></LI
><LI
><P
>Packet count</P
></LI
><LI
><P
>Byte count</P
></LI
><LI
><P
>Source MAC address</P
></LI
><LI
><P
>Packet Size</P
></LI
><LI
><P
>Window Size</P
></LI
><LI
><P
>TCP flag statuses</P
></LI
><LI
><P
>Interface</P
></LI
></UL
><DIV
CLASS="NOTE"
><P
></P
><TABLE
CLASS="NOTE"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="./stylesheet-images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TH
ALIGN="LEFT"
VALIGN="CENTER"
><B
>Note</B
></TH
></TR
><TR
><TD
>&nbsp;</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
> Previous versions of IPTraf showed
  both the source and destination addresses on each line. IPTraf 2 shows
only the <TT
CLASS="COMPUTEROUTPUT"
><TT
CLASS="REPLACEABLE"
><I
>source
host</I
></TT
>:<TT
CLASS="REPLACEABLE"
><I
>port</I
></TT
></TT
> combination to save
on screen real estate. TCP
  connection endpoints are still indicated with the green
  brackets (on color terminals) along the left edge of the screen.</P
></TD
></TR
></TABLE
></DIV
><P
>  The Up and Down cursor keys move an indicator bar between entries in the
  TCP monitor, scrolling the window if necessary. The PgUp and PgDn keys
  display the previous and next screenfuls of entries respectively.</P
><P
>  The IP traffic monitor computes the data flow rate
  of the currently highlighted TCP flow and displays it on the lower-right
  corner of the screen. The flow rate is in kilobits or kilobytes per
  second depending on the Activity mode switch
in the <I
CLASS="EMPHASIS"
><A
HREF="config.html"
>Configure...</A
></I
> menu.</P
><P
>  Because this monitoring system relies solely on packet information, it
  does not determine which endpoint initiated the connection. In other
  words, it does not determine which endpoint is the client, and which
  is the server. This is necessary because it can operate in promiscuous
  mode, and as such cannot determine the socket statuses for other
  machines on the LAN.</P
><P
>  The system therefore displays two entries for each connection, one for
  each direction of the TCP connection. To make it easier to determine the
  direction pairs of each connection, a bracket is used to "join" both
  together. This bracket appears at the leftmost part of each entry.</P
><P
>  Just because a host entry appears at the upper end of a
  connection bracket doesn't mean it was the initiator of the connection.</P
><P
>  Each entry in the window contains these fields:</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
><I
CLASS="EMPHASIS"
>Source address and port</I
></DT
><DD
><P
>  The source address and port indicator is
in <TT
CLASS="REPLACEABLE"
><I
>address</I
></TT
>:<TT
CLASS="REPLACEABLE"
><I
>port</I
></TT
> format.
  This indicates the source machine and TCP port on that machine
  from which this data is coming.</P
><P
>  The destination is the host:port at the other end of the bracket.</P
></DD
><DT
><I
CLASS="EMPHASIS"
>Packet count</I
></DT
><DD
><P
>  The number of packets received for this direction of the TCP connection</P
></DD
><DT
><I
CLASS="EMPHASIS"
>Byte count</I
></DT
><DD
><P
>  The number of bytes received for this direction
  of the TCP connection. These bytes include total IP and TCP header
  information, in addition to the actual data. Data link
  header (e.g. Ethernet and FDDI) data are not included.</P
></DD
><DT
><I
CLASS="EMPHASIS"
>Source MAC address</I
></DT
><DD
><P
>  The address of the host on your local LAN that delivered this packet.
  This can be viewed by pressing M once if Source MAC addrs in traffic
  monitor is enabled in the <I
CLASS="EMPHASIS"
><A
HREF="config.html"
>Configure...</A
></I
> menu.</P
></DD
><DT
><I
CLASS="EMPHASIS"
>Packet Size</I
></DT
><DD
><P
>  The size of the most recently received packet. This item
  is visible if you press M for more TCP information. This is the size
  of the IP datagram only, not including the data link header.</P
></DD
><DT
><I
CLASS="EMPHASIS"
>Window Size</I
></DT
><DD
><P
>  The advertised window size of the most recently received packet. This
  item is visible if you press M for more TCP information.</P
></DD
><DT
><I
CLASS="EMPHASIS"
>Flag statuses</I
></DT
><DD
><P
>  The flags of the most recently received packet. 

<P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
><TT
CLASS="COMPUTEROUTPUT"
>S</TT
></DT
><DD
><P
>     SYN. A synchronization is taking place in preparation for
     connection establishment. If only an <TT
CLASS="COMPUTEROUTPUT"
>S</TT
>
     is present (<TT
CLASS="COMPUTEROUTPUT"
>S---</TT
>) the source is trying
     to initiate a connection. If an <TT
CLASS="COMPUTEROUTPUT"
>A</TT
> is
     also present (<TT
CLASS="COMPUTEROUTPUT"
>S-A-</TT
>), this is an
     acknowledgment of a previous connection request, and is responding.</P
></DD
><DT
><TT
CLASS="COMPUTEROUTPUT"
>A</TT
></DT
><DD
><P
>     ACK. This is an acknowledgment of a previously received packet</P
></DD
><DT
><TT
CLASS="COMPUTEROUTPUT"
>P</TT
></DT
><DD
><P
>     PSH. A request to push all data to the top of the receiving queue</P
></DD
><DT
><TT
CLASS="COMPUTEROUTPUT"
>U</TT
></DT
><DD
><P
>     URG. This packet contains urgent data</P
></DD
><DT
><TT
CLASS="COMPUTEROUTPUT"
>RESET</TT
></DT
><DD
><P
>     RST. The source machine indicated in this direction reset the entire connection. The direction entries for reset connections become available for new connections.</P
></DD
><DT
><TT
CLASS="COMPUTEROUTPUT"
>DONE</TT
></DT