manual.sgml

A very handy Linux traffic monitoring program
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Packet Size</emphasis></term>
<listitem><para>The size of the most recently received packet. This item is visible if you press M for more TCP information. This is the size of the IP datagram only, not including the data link header.</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Window Size</emphasis></term>
<listitem><para>The advertised window size of the most recently received packet. This item is visible if you press M for more TCP information.</para></listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Flag statuses</emphasis></term>
<listitem><para>The flags of the most recently received packet.
<variablelist>
<varlistentry><term><computeroutput>S</computeroutput></term>
<listitem><para>SYN. A synchronization is taking place in preparation for connection establishment. If only an <computeroutput>S</computeroutput> is present (<computeroutput>S---</computeroutput>) the source is trying to initiate a connection. If an <computeroutput>A</computeroutput> is also present (<computeroutput>S-A-</computeroutput>), this is an acknowledgment of a previous connection request, and the source is responding to it.</para></listitem>
</varlistentry>
<varlistentry><term><computeroutput>A</computeroutput></term>
<listitem><para>ACK. This is an acknowledgment of a previously received packet.</para></listitem>
</varlistentry>
<varlistentry><term><computeroutput>P</computeroutput></term>
<listitem><para>PSH. A request to push all data to the top of the receiving queue.</para></listitem>
</varlistentry>
<varlistentry><term><computeroutput>U</computeroutput></term>
<listitem><para>URG. This packet contains urgent data.</para></listitem>
</varlistentry>
<varlistentry><term><computeroutput>RESET</computeroutput></term>
<listitem><para>RST. The source machine indicated in this direction reset the entire connection. The direction entries for reset connections become available for new connections.</para></listitem>
</varlistentry>
<varlistentry><term><computeroutput>DONE</computeroutput></term>
<listitem><para>The connection is done sending data in this direction, and has sent a FIN (finished) packet, but has not yet been acknowledged by the other host.</para></listitem>
</varlistentry>
<varlistentry><term><computeroutput>CLOSED</computeroutput></term>
<listitem><para>The FIN has been acknowledged by the other host. When both directions of a connection are marked CLOSED, the entries they occupy become available for new connection entries.</para></listitem>
</varlistentry>
<varlistentry><term><computeroutput>-</computeroutput></term>
<listitem><para>The flag is not set.</para></listitem>
</varlistentry>
</variablelist>
</para></listitem>
</varlistentry>
</variablelist>
<para>Some other pieces of information can be viewed as well. The M key displays more TCP information. Pressing M once displays the MAC addresses of the LAN hosts that delivered the packets (if the <emphasis>Source MAC addrs in traffic monitor</emphasis> option is enabled in the <emphasis><link linkend="config">Configure...</link></emphasis> menu). <computeroutput>N/A</computeroutput> is displayed if no packets have been received from the source yet, or if the interface doesn't support MAC addresses (such as PPP interfaces).</para>
<para>If the <emphasis>Source MAC addrs in traffic monitor</emphasis> option is not enabled, pressing M simply toggles between the counts and the packet and window sizes.</para>
<para>By default, only IP addresses are displayed, but if you have access to a name server or host table, you may enable reverse lookup for the IP addresses. Just enable reverse lookup in the <emphasis><link linkend="config">Configure...</link></emphasis> menu.</para>
<sidebar>
<title>The rvnamed Process</title>
<para>The IP traffic monitor starts a daemon called <command>rvnamed</command> to help speed up reverse lookups without sacrificing too much keyboard control and accuracy of the counts. While reverse lookup is being conducted in the background, IP addresses will be used until the resolution is complete.</para>
<para>If for some reason <command>rvnamed</command> cannot start (probably due to improper installation or lack of memory), and you are on the Internet, and you enable reverse lookup, your keyboard control can become very slow. This is because the standard lookup functions do not return until they have completed their tasks, and it can take several seconds for a name resolution in the foreground to complete.</para>
<para><command>rvnamed</command> will spawn up to 200 children to process reverse DNS queries.</para>
</sidebar>
<tip>
<title>Tip</title>
<para>If you notice unusual SYN activity (too many initial (<computeroutput>S---</computeroutput>) but frozen SYN entries, or rapidly increasing initial SYN packets for a single connection), you may be under a SYN flooding attack or TCP port scan. Apply appropriate measures, or the targeted machines may begin denying network services.</para>
</tip>
<para>Entries not updated within a user-configurable amount of time may get replaced with new connections. The default time is 15 minutes. This is regardless of whether the connection is closed or not. (Some unclosed connections may be due to extremely slow links or crashes at either end of the connection.) This figure can be changed at the <emphasis><link linkend="config">Configure...</link></emphasis> menu.</para>
<para>Some early entries may have a &gt; symbol in front of their packet count. This means the connection was already established when the monitor started. In other words, the figures indicated do not reflect the counts since the start of the TCP connection, but rather, since the start of the traffic monitor. Eventually, these &gt; entries will close (or time out) and disappear. TCP entries without the &gt; were initiated after the traffic monitor started, and the counts indicate the totals of the connection itself. Just consider entries with &gt; partial.</para>
<para>Some &gt; entries may go idle if the traffic monitor was started when these connections were already half-closed (FIN sent by one host, but data still being sent by the other). This is because the traffic monitor cannot determine if a connection was already half-closed when it started. These entries will eventually time out. (To minimize these entries, an entry is not added by the monitor until a packet with data or a SYN packet is received.)</para>
<para>Direction entries also become available for reuse if an ICMP Destination Unreachable message is received for the connection.</para>
<para>The lower part of the screen contains a summary line showing the IP, TCP, UDP, ICMP, and non-IP byte counts since the start of the monitor. The IP, TCP, UDP, and ICMP counts include only the IP datagram header and data, not the data-link headers. The non-IP count includes the data-link headers.</para>
<note>
<title>Technical note: IP Forwarding and Masquerading</title>
<para>Previous versions of IPTraf issued a warning if the kernel had IP masquerading enabled, due to the way the kernel masqueraded and translated the IP addresses. The new kernels no longer do it as before, and IPTraf now gives output properly on masquerading machines. The <computeroutput>-q</computeroutput> parameter is no longer required to suppress the warning screen.</para>
<para>On forwarding (non-masquerading) machines, packets and TCP connections simply appear twice, once each for the incoming and outgoing interfaces, if all interfaces are being monitored.</para>
<para>On masquerading machines, packets and connections from the internal network to the external network also appear twice, once for the internal and once for the external interface. Packets coming from the internal network will be indicated as coming from the internal IP address that sourced them, and also as coming from the IP address of the external interface on your masquerading machine. In much the same way, packets coming in from the external network will look like they're destined for the external interface's IP address, and again as destined for the final host on the internal network.</para>
</note>
<sect2>
<title>Closed/Idle/Timed Out Connections</title>
<para>A TCP connection entry that closes, gets reset, or stays idle too long normally gets replaced with new connections. However, if there are too many of these, active connections may become interspersed among closed, reset, or idle entries.</para>
<para>IPTraf can be set to automatically remove all closed, reset, and idle entries with the <emphasis>TCP closed/idle persistence...</emphasis> configuration option. You can also press the F key to immediately clear them at any time.</para>
<note>
<title>Note</title>
<para>The <emphasis>TCP timeout...</emphasis> option only tells IPTraf how long it should take before a connection should be considered idle and open to replacement by new connections. This does not determine how long it remains on-screen. The <emphasis>TCP closed/idle persistence...</emphasis> parameter flushes entries that have been idle for the number of minutes defined by the <emphasis>TCP timeout...</emphasis> option.</para>
</note>
</sect2>
<sect2>
<title>Sorting TCP Entries</title>
<para>The TCP connection entries can be sorted by pressing the S key, then by selecting a sort criterion. Pressing S will display a box showing the available sort criteria. Press P to sort by packet count, B to sort by byte count. Pressing any other key cancels the sort.</para>
<para>The sort operation compares the larger values in each connection entry pair and sorts the counts in descending order.</para>
<para>Over time, the entries will go out of order as counts proceed at varying rates. Sorting is not done automatically so as not to degrade performance and accuracy.</para>
<figure>
<title>The IP traffic monitor sort criteria</title>
<graphic format="png" fileref="iptraf-iptmsort">
</figure>
</sect2>
</sect1>
<sect1 id="lowerwin">
<title>Lower Window</title>
<para>The lower window displays information about the other types of traffic on your network. The following protocols are detected internally:</para>
<itemizedlist spacing="compact">
<listitem><para>User Datagram Protocol (UDP)</para></listitem>
<listitem><para>Internet Control Message Protocol (ICMP)</para></listitem>
<listitem><para>Open Shortest-Path First (OSPF)</para></listitem>
<listitem><para>Interior Gateway Routing Protocol (IGRP)</para></listitem>
<listitem><para>Interior Gateway Protocol (IGP)</para></listitem>
<listitem><para>Internet Group Management Protocol (IGMP)</para></listitem>
<listitem><para>General Routing Encapsulation (GRE)</para></listitem>
<listitem><para>Layer 2 Tunneling Protocol (L2TP)</para></listitem>
<listitem><para>IPSec AH and ESP protocols (IPSec AH and IPSec ESP)</para></listitem>
<listitem><para>Address Resolution Protocol (ARP)</para></listitem>
<listitem><para>Reverse Address Resolution Protocol (RARP)</para></listitem>
</itemizedlist>
<para>Other IP protocols are looked up from the <filename>/etc/services</filename> file. If <filename>/etc/services</filename> doesn't contain information about that protocol, the protocol number is indicated.</para>
<para>Non-IP packets are indicated as <computeroutput>Non-IP</computeroutput> in the lower window.</para>
<note>
<title>Note</title>
<para>The source and destination addresses for ARP and RARP entries are MAC addresses.</para>
<para>Strictly speaking, ARP and RARP packets aren't IP packets, since they are not encapsulated in an IP datagram. They're just indicated because they are integral to proper IP operation on LANs.</para>
</note>
<para>For all packets in the lower window, only the first IP fragment is indicated (since that contains the header of the IP-encapsulated protocol), but with no further information from the encapsulated protocol.</para>
<para>UDP packets are also displayed in <computeroutput><replaceable>address</replaceable>:<replaceable>port</replaceable></computeroutput> format, while ICMP entries also contain the ICMP message type. For easier location, each type of protocol is color-coded (only on color terminals such as the Linux console).</para>
<variablelist>
<varlistentry><term>UDP</term><listitem><para>Red on White</para></listitem></varlistentry>
<varlistentry><term>ICMP</term><listitem><para>Yellow on Blue</para></listitem></varlistentry>
<varlistentry><term>OSPF</term><listitem><para>Black on Cyan</para></listitem></varlistentry>
<varlistentry><term>IGRP</term><listitem><para>Bright white on Cyan</para></listitem></varlistentry>
<varlistentry><term>IGP</term><listitem><para>Red on Cyan</para></listitem></varlistentry>
<varlistentry><term>IGMP</term><listitem><para>Bright green on Blue</para></listitem></varlistentry>
<varlistentry><term>GRE</term><listitem><para>Blue on White</para></listitem></varlistentry>
<varlistentry><term>ARP</term><listitem><para>Bright white on Red</para></listitem></varlistentry>
<varlistentry><term>RARP</term><listitem><para>Bright white on Red</para></listitem></varlistentry>
<varlistentry><term>Other IP</term><listitem><para>Yellow on Red</para></listitem></varlistentry>
<varlistentry><term>Non-IP</term><listitem><para>Yellow on Red</para></listitem></varlistentry>
</variablelist>
<para>The lower window can hold up to 512 entries. You can scroll the lower window by using the W key to move the Active indicator to it, and by using the Up and Down cursor keys. The lower window automatically scrolls every time a new entry is added, and either the first entry or last entry is visible. Upon reaching 512 entries, old entries are thrown out as new entries are added.</para>
<para>Some entries may be too long to completely fit in a screen line. You can use the Left and Right cursor keys to vertically scroll the lower window when it is marked <computeroutput>Active</computeroutput>. If your terminal can be resized (e.g. xterm), you may do so before starting IPTraf.</para>
<para>Entries for packets received on LAN interfaces also include the source MAC address of the LAN host which delivered it. This behavior is enabled by turning on the Source MAC addrs in traffic monitor toggle in the <emphasis><link linkend="config">Configure...</link></emphasis> menu.</para>
<sect2>
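The flag-status display (S---, S-A-, -AP-, RESET, DONE, CLOSED), the "not added until a SYN or data" rule with its partial (>) entries, and the SYN tip from the upper-window section above, reproduced as an added Python example. This is not IPTraf's own code: the Monitor and Direction classes, the observe/reusable/stalled_syn_targets methods and the packet sequences are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP header flag bits

@dataclass
class Direction:            # one direction entry (src -> dst) as the monitor shows it
    partial: bool = False   # '>' entry: the connection pre-dates the monitor
    packets: int = 0
    nbytes: int = 0         # IP datagram bytes only, no data-link header
    status: str = "----"    # S/A/P/U flag letters, or RESET / DONE / CLOSED

def flag_string(flags: int) -> str:
    """Render the four-character S-A- style string the monitor displays."""
    return "".join(c if flags & b else "-" for c, b in zip("SAPU", (SYN, ACK, PSH, URG)))

class Monitor:
    def __init__(self):
        self.table = {}     # (src, dst) -> Direction; each endpoint is (ip, port)

    def observe(self, src, dst, flags, ip_len, has_data=False):
        key, rev = (src, dst), (dst, src)
        other = self.table.get(rev)
        if flags & RST and other:               # a RST tears down the whole connection
            other.status = "RESET"
        d = self.table.get(key)
        if d is None:
            if not (flags & SYN or has_data):   # no entry until a SYN or data is seen
                return None
            # First seen without a SYN: already established, so shown with '>'
            d = self.table[key] = Direction(partial=not flags & SYN)
        d.packets += 1
        d.nbytes += ip_len
        if flags & RST:
            d.status = "RESET"
        elif flags & FIN:
            d.status = "DONE"
        elif d.status not in ("DONE", "CLOSED", "RESET"):
            d.status = flag_string(flags)
        if other and other.status == "DONE" and flags & ACK:  # their FIN acknowledged
            other.status = "CLOSED"
        return d

    def reusable(self, src, dst):   # slot frees on RESET, or once both sides are CLOSED
        a, b = self.table.get((src, dst)), self.table.get((dst, src))
        return bool(a) and (a.status == "RESET" or
                            bool(b) and a.status == b.status == "CLOSED")

    def stalled_syn_targets(self):  # tip heuristic: entries per host still stuck at S---
        return Counter(dst[0] for (_, dst), d in self.table.items() if d.status == "S---")
```

A pile-up of S--- entries toward one host with no S-A- replies is the pattern the tip describes; a real deployment would compare that count against a baseline for the host rather than a fixed number.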
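The summary-line byte counting and the lower-window rules described above (IP, TCP, UDP and ICMP counts exclude the data-link header, the non-IP count includes it, only the first IP fragment is listed, unknown protocols are shown by number, UDP entries carry address:port and ICMP entries the message type), as an added Python example that is not IPTraf's own code. It uses a small inline protocol table in place of the /etc/services lookup, and the Summary class, the build_frame helper and all frames and addresses are constructed for the example.

```python
import socket
import struct
from collections import Counter

ETH_HDR_LEN = 14                    # Ethernet header: left out of the IP-family counts
ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # constructed stand-in for the file lookup

def build_frame(proto: int, l4: bytes, frag_offset: int = 0) -> bytes:
    """Constructed test helper: Ethernet + minimal IPv4 header around an L4 payload."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, frag_offset, 64, proto, 0,
                         socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    return b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETH_P_IP) + ip_hdr + l4

class Summary:
    """Byte counters behind the summary line: IP, TCP, UDP, ICMP and non-IP."""
    def __init__(self):
        self.counts = Counter()

    def add(self, frame: bytes):
        """Account one Ethernet frame; return the window label it produces, or None."""
        if len(frame) < ETH_HDR_LEN:
            return None
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        if ethertype != ETH_P_IP:
            self.counts["Non-IP"] += len(frame)        # non-IP count keeps the link header
            return "ARP" if ethertype == ETH_P_ARP else "Non-IP"
        ip = frame[ETH_HDR_LEN:]
        if len(ip) < 20 or ip[0] >> 4 != 4 or (ip[0] & 0x0F) < 5:
            return None                                # not a usable IPv4 header
        ihl = (ip[0] & 0x0F) * 4
        total_len, frag, proto = struct.unpack_from("!HxxHxB", ip, 2)
        datagram = min(total_len, len(ip))             # header + data, no link header
        name = PROTO_NAMES.get(proto, str(proto))      # unknown: show the protocol number
        self.counts["IP"] += datagram
        if name in ("TCP", "UDP", "ICMP"):
            self.counts[name] += datagram
        if frag & 0x1FFF:
            return None                                # only the first fragment is listed
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        if name == "TCP":
            return "TCP"                               # TCP entries go to the upper window
        if name == "UDP" and len(ip) >= ihl + 4:
            sport, dport = struct.unpack_from("!HH", ip, ihl)
            return f"UDP {src}:{sport} > {dst}:{dport}"
        if name == "ICMP" and len(ip) > ihl:
            return f"ICMP type {ip[ihl]} {src} > {dst}"
        return f"{name} {src} > {dst}"
```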
