manual.sgml

一个很好用的linux 下的流量监控软件

</sect1>
</chapter>

<chapter id="preparingtouse">
<title>Preparing to Use IPTraf</title>
<para>
This chapter provides information applicable to all of IPTraf's statistical
monitors.
</para>
<sect1 id="numbers">
<title>Number Display Notations</title>
<para>
  IPTraf initially returns exact counts of bytes and packets. However, as they
  grow larger, IPTraf begins displaying them in increasingly higher denominations.
</para>
<para>
  A number standing alone with no suffix represents an exact count. A
  number with a K following is a kilo (thousand) figure. An M,
  G, and T suffix represents mega (million), giga (billion), and
  tera (trillion) respectively. The following table shows examples.
</para>

<table frame="all">
<title>Numeric Display Notations</title>
<tgroup cols="2" align="left" colsep="0" rowsep="0">
<tbody>
<row>
<entry>1024067</entry><entry>exactly 1024067</entry>
</row>
<row>
<entry>1024K</entry><entry>approximately 1024000</entry>
</row>
<row>
<entry>1024M</entry><entry>approximately 1024000000</entry>
</row>
<row>
<entry>1024G</entry><entry>approximately 1024000000000</entry>
</row>
<row>
<entry>1024T</entry><entry>approximately 1024000000000000</entry>
</row>
</tbody>
</tgroup>
</table>

<para>
  These notations apply to both packet and byte counts.
</para>
</sect1>
<sect1 id="instances">
<title>Instances and Logging</title>
<para>
  Since version 2.4, IPTraf allows multiple instances of the
  facilities at the same time in different processes (for example, you can
  now run two or more IP Traffic Monitors at the same time).
  However only one can listen on a specific interface or all interfaces
  at once. The only exception is the general interface
  statistics, which is still restricted to only one instance at a time.
</para>
<para>
  Because of this relaxation, each instance now generates log files with
  unique names for instances, depending on either their instance
  or the interface they're listening on. If the <emphasis>Logging</emphasis> option is turned
  on (see the <link linkend="config">Configuration</link> chapter), IPTraf
  will prompt you for a log file name while presenting a
  default. You may accept this default or change it. Press Enter
  to accept, or Ctrl+X to cancel. Canceling will turn logging off for that
  particular session.
</para>
<para>
  If you don't specify an absolute path, the log file will be placed
  in <filename>/var/log/iptraf</filename>.
</para>
<figure>
<title>The logfile prompt dialog</title>
<graphic format="png" fileref="iptraf-logprompt">
</figure>
<para>
  See the Logging section
in the <link linkend="config">Configuration</link> chapter for
detailed information on logging. See also the documentation on
each statistical facility for the default log file names.
</para>
<para>
  The default log file names will also be used
if the <computeroutput>-B</computeroutput> parameter is used
  to run IPTraf in the background. You can override the defaults with the
  <computeroutput>-L</computeroutput> parameter. See
<link linkend="backop">Background Operation</link> in Chapter 9.
</para>
</sect1>
<sect1 id="updates">
<title>Screen Update Delays</title>
<para>
  Older versions of IPTraf updated the screen as soon as a
  packet was received. However, screen update is one
  of the slowest operations the program performs. Since version 1.3, a
  configuration option has been available to control screen update speed.
</para>
<para>
  See the <emphasis>Screen update interval...</emphasis> configuration option under the
  <link linkend="config">Configuration</link> chapter of this manual.
</para>
</sect1>
<sect1 id="ifaces">
<title>Supported Network Interfaces</title>
<para>
  IPTraf currently supports the following network interface types and names.
</para>
<variablelist>
<varlistentry>
<term><filename>lo</filename></term>
<listitem><para>
     The loopback interface. Every machine has one, and has an IP address
  of 127.0.0.1. <filename>lo</filename> is also indicated if data
  is detected on the
<filename>dummy<replaceable>n</replaceable></filename> interface(s).
</para></listitem>
</varlistentry>
<varlistentry>
<term><filename>eth<replaceable>n</replaceable></filename></term>
<listitem><para>
     An Ethernet interface. <replaceable>n</replaceable> starts from 0.
  Therefore, <filename>eth0</filename> refers to the first
  Ethernet interface, <filename>eth1</filename> to the second, and
  so on. Most machines only have one.
</para></listitem>
</varlistentry>
<varlistentry>
<term><filename>fddi<replaceable>n</replaceable></filename></term>
<listitem><para>
     An FDDI interface. <replaceable>n</replaceable> starts from 0.
</para></listitem>
</varlistentry>
<varlistentry>
<term><filename>tr<replaceable>n</replaceable></filename></term>
<listitem><para>
     A Token Ring interface, where <replaceable>n</replaceable> starts from 0.
</para></listitem>
</varlistentry>
<varlistentry>
<term><filename>ppp<replaceable>n</replaceable></filename></term>
<listitem><para>
     A PPP interface. <replaceable>n</replaceable> starts from 0.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>sli<replaceable>n</replaceable></filename></term>
<listitem><para>
A SLIP interface. <replaceable>n</replaceable> starts from 0.
</para></listitem>
</varlistentry>
<varlistentry>
<term><filename>ippp<replaceable>n</replaceable></filename></term>
<listitem><para>
     A synchronous PPP interface using ISDN.
<replaceable>n</replaceable> starts from 0.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>isdn<replaceable>n</replaceable</filename></term>
<listitem><para>
  ISDN interfaces can be given arbitrary names, but for them to work
  with IPTraf, they must
  be named <filename>isdn<replaceable>n</replaceable></filename>.
  IPTraf supports synchronous PPP
  (the <filename>ippp<replaceable>n</replaceable></filename>
  interfaces above), raw IP, and Cisco-HDLC encapsulation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>plip<replaceable>n</replaceable></filename></term>
<listitem><para>
     PLIP interfaces. These are point-to-point IP connections using the PC
     parallel port.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>ipsec<replaceable>n</replaceable></filename></term>
<listitem><para>
     This refers to Free s/WAN (and possibly other) logical VPN interfaces.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>sbni<replaceable>n</replaceable></filename></term>
<listitem><para>
     SBNI long-range modem interfaces
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>dvb<replaceable>n</replaceable></filename>,
<filename>sm200</filename>, <filename>sm300</filename></term>
<listitem><para>
     DVB satellite-receive interfaces
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>wlan<replaceable>n</replaceable></filename>,
<filename>wvlan<replaceable>n</replaceable></filename></term>
<listitem><para>
    Wireless LAN interfaces
</para></listitem>
</varlistentry>
<varlistentry>
<term><filename>tun<replaceable>n</replaceable></filename></term>
<listitem><para>
general logical tunnel interfaces
</para></listitem>
</varlistentry>
<varlistentry>
<term><filename>brg<replaceable>n</replaceable></filename></term>
<listitem><para>
general logical bridge interfaces
</para></listitem>
</varlistentry>
<varlistentry>
<term><filename>hdlc<replaceable>n</replaceable></filename></term>
<listitem><para>
     Frame Relay base (FRAD) interfaces (non-PVC)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>pvc<replaceable>n</replaceable></filename></term>
<listitem><para>
     Frame Relay Permanent Virtual Circuit interfaces
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
  Your system's network interfaces must be named according
  to the schemes specified above.
</para>
</sect1>
</chapter>
<chapter id="itrafmon">
<title>The IP Traffic Monitor</title>
<para>
  Executing the first menu item or specifying <computeroutput>-i</computeroutput>
  to the <command>iptraf</command> command takes you to the IP traffic monitor. The traffic
  monitor is a real-time monitoring system that intercepts all packets
  on all detected network interfaces, decodes the IP information on all IP packets and
  displays the appropriate information, most notably the
  source and destination addresses. It also
  determines the encapsulated protocol within the IP packet, and
  displays some important information about that as well.
</para>
<para>
  There are two windows in the traffic monitor, both of which can be
  scrolled with the Up and Down cursor keys. Just press W to
  move the <computeroutput>Active</computeroutput> indicator to the window you
  want to control.
</para>
<figure>
<title>The IP traffic monitor</title>
<graphic format="png" fileref="iptraf-iptm1">
</figure>

<sect1 id="upperwin">
<title>The Upper Window</title>
<para>
  The upper window of the traffic monitor displays the currently
  detected TCP
  connections. Information about TCP packets are displayed here. The
  window contains these pieces of information:
</para>

<itemizedlist spacing="compact">
<listitem><para>Source address and port</para></listitem>
<listitem><para>Packet count</para></listitem>
<listitem><para>Byte count</para></listitem>
<listitem><para>Source MAC address</para></listitem>
<listitem><para>Packet Size</para></listitem>
<listitem><para>Window Size</para></listitem>
<listitem><para>TCP flag statuses</para></listitem>
<listitem><para>Interface</para></listitem>
</itemizedlist>

<note> <title>Note</title>
<para> Previous versions of IPTraf showed
  both the source and destination addresses on each line. IPTraf 2 and
higher show
only the <computeroutput><replaceable>source
host</replaceable>:<replaceable>port</replaceable></computeroutput> combination to save
on screen real estate. TCP
  connection endpoints are still indicated with the green
  brackets (on color terminals) along the left edge of the screen.
</para>
</note>

<para>
  The Up and Down cursor keys move an indicator bar between entries in the
  TCP monitor, scrolling the window if necessary. The PgUp and PgDn keys
  display the previous and next screenfuls of entries respectively.
</para>
<para>
  The IP traffic monitor computes the data flow rate
  of the currently highlighted TCP flow and displays it on the lower-right
  corner of the screen. The flow rate is in kilobits or kilobytes per
  second depending on the <emphasis>Activity mode</emphasis> switch
in the <emphasis><link linkend="config">Configure...</link></emphasis> menu.
</para>
<para>
  Because this monitoring system relies solely on packet information, it
  does not determine which endpoint initiated the connection. In other
  words, it does not know which endpoints are the client and server.
  This is necessary because it can operate in promiscuous
  mode, and as such cannot determine the socket statuses for other
  machines on the LAN. However, a little knowledge of the well-known TCP
port numbers can give a good idea about which address is that of the server.
</para>
<para>
  The system therefore displays two entries for each connection, one for
  each direction of the TCP connection. To make it easier to determine the
  direction pairs of each connection, a bracket is used to "join" both
  together. This bracket appears at the leftmost part of each entry.
</para>
<para>
  Just because a host entry appears at the upper end of a
  connection bracket doesn't mean it was the initiator of the connection.
</para>
<para>
  Each entry in the window contains these fields:
</para>

<variablelist>
<varlistentry>
<term><emphasis role="bold">Source address and port</emphasis></term>
<listitem><para>
  The source address and port indicator is
in <replaceable>address</replaceable>:<replaceable>port</replaceable> format.
  This indicates the source machine and TCP port on that machine
  from which this data is coming.
</para>
<para>
  The destination is the host:port at the other end of the bracket.
</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Packet count</emphasis></term>
<listitem><para>
  The number of packets received for this direction of the TCP connection
</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Byte count</emphasis></term>
<listitem><para>
  The number of bytes received for this direction
  of the TCP connection. These bytes include total IP and TCP header
  information, in addition to the actual data. Data link
  header (e.g. Ethernet and FDDI) data are not included.
</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Source MAC address</emphasis></term>
<listitem><para>
  The address of the host on your local LAN that delivered this packet.
  This can be viewed by pressing M once if <emphasis>Source MAC
addrs</emphasis> in traffic
  monitor is enabled in the <emphasis><link linkend="config">Configure...</link></emphasis> menu.
</para></listitem>