---------------------------------------------------------------------------------------------------
iptraf is a more powerful tool than iftop.
yum install iptraf -y
Note the following from iptraf's INSTALL file:
IPTraf needs the terminfo database in /usr/share/terminfo. If that directory lives somewhere else, IPTraf prints "Error opening terminal" and fails to start. This typically happens on Slackware, whose distribution puts terminfo in /usr/lib/terminfo. It can be fixed either by setting:
#TERMINFO=/usr/lib/terminfo
#export TERMINFO
or by adding a symlink:
#ln -s /usr/lib/terminfo /usr/share/terminfo
IP traffic monitor: monitors the IP traffic passing over your network, including TCP flag information, packet and byte counts, ICMP details and OSPF packet types.
Comprehensive and detailed interface statistics: counts of IP, TCP, UDP, ICMP, non-IP and other IP packets, IP checksum errors, interface status and packet sizes.
Using the raw socket interface built into the Linux kernel, it supports many kinds of network interface, such as:
Local loopback
All Linux-supported Ethernet interfaces
All Linux-supported FDDI interfaces
SLIP
Asynchronous PPP
Synchronous PPP over ISDN
ISDN with Raw IP encapsulation
ISDN with Cisco HDLC encapsulation
Parallel Line IP
iptraf
  IP traffic monitor
  General interface statistics
  Detailed interface statistics
  Statistical breakdowns...
  LAN station monitor
  Filters...
  Configure...
  Exit
Running the iptraf command and pressing any key brings up the menu above: the IP traffic monitor, general interface statistics, detailed interface statistics, statistical breakdowns, LAN station statistics, filters, and iptraf's configuration (Configure).
Configure                                       Current Settings
  Reverse DNS lookups                           Reverse DNS lookups: Off
  TCP/UDP service names                         Service names: On
  Force promiscuous mode                        Promiscuous: On
  Color                                         Color: On
  Logging                                       Logging: On
  Activity mode                                 Activity mode: kbits/s
  Source MAC addrs in traffic monitor           MAC addresses: On
  Show v6-in-v4 traffic as IPv6                 v6-in-v4 as IPv6: On
                                                Log interval: 60 mins
  Additional ports...                           Update interval: 0 secs
  Delete port/range...                          Closed/idle persist: 0 mins
  Ethernet/PLIP host descriptions...
  FDDI/Token Ring host descriptions...
Log interval: how many minutes pass between log writes; the default is 60 minutes.
Update interval: how many seconds pass between screen refreshes; the default of 0 means refresh as fast as possible.
Closed/idle persist: how many minutes closed, idle and timed-out TCP connections stay in the IP traffic monitor window; the default of 0 keeps them until new connections replace them.
Reverse DNS lookups: reverse-resolves IP addresses to DNS names; off by default. When it is enabled and the IP traffic monitor is in use, IPTraf starts a daemon, /usr/bin/rvnamed, to speed up reverse lookups.
Once rvnamed completes a reverse lookup, IPTraf shows the packet source's domain name in place of its IP address. IPTraf uses a separate reverse-lookup program because the standard resolver call blocks the process until the lookup finishes, which wastes time.
TCP/UDP service names: shows the corresponding service name instead of the port number.
Force promiscuous mode: works in promiscuous mode so that connections across the LAN can be monitored.
Logging: when enabled, each monitoring session can be given a log location; the default is under /var/log/iptraf.
Activity mode: switches the rate unit between kbits/s and kbytes/s; the default is kbits/s.
Source MAC addrs in traffic monitor: decides whether the IP traffic monitor shows each packet's source MAC address; applies to Ethernet, FDDI and PLIP interfaces. For non-TCP packets (the lower window of the IP traffic monitor) the source MAC address is shown directly in the window; for TCP packets (the upper window) press M.
Timers: the Timers submenu sets iptraf's various intervals and timeouts.
Additional ports: by default iptraf only analyses traffic on ports below 1024; use this option to add the ports you want analysed.
Delete port/range: removes ports you no longer want to watch.
Ethernet/PLIP host descriptions: hexadecimal MAC addresses are hard to remember, so iptraf introduces LAN Station Identifiers, which help you tell the workstations on your LAN apart.
Filters are also powerful, but their usage is rather complex, and everything they do can be done with tcpdump.
------------------------------------------------------------------------------------------------
iftop shows the traffic on a host's network interface. It is much simpler to use than tcpdump; there is very little to it.
Installing iftop:
yum install gcc gcc-c++ make automake autoconf -y
wget http://www.ex-parrot.com/~pdw/iftop/download/iftop-0.17.tar.gz
tar xf iftop-0.17.tar.gz
cd iftop-0.17
./configure
make && make install
iftop: display bandwidth usage on an interface by host
Synopsis: iftop -h | [-npbBP] [-i interface] [-f filter code] [-N net/mask]
-h display this message
-n don't do hostname lookups
-N don't convert port numbers to services
-p run in promiscuous mode (show traffic between other
hosts on the same network segment)
-b don't display a bar graph of traffic
-B Display bandwidth in bytes
-i interface listen on named interface
-f filter code use filter code to select packets to count
(default: none, but only IP packets are counted)
-F net/mask show traffic flows in/out of network
-P show ports as well as hosts
-m limit sets the upper limit for the bandwidth scale
-c config file specifies an alternative configuration file
TX: transmitted traffic
RX: received traffic
TOTAL: total traffic
Cumm: cumulative traffic since iftop was started
peak: peak traffic rate
rates: average traffic over the last 2s, 10s and 40s respectively
tcpdump is a very useful packet capture tool on Linux; its man page describes its usage in detail. Common usage:
Three kinds of keywords:
Type keywords: mainly host, net, port
Direction keywords: mainly src, dst, dst or src, dst and src
Protocol keywords: mainly fddi, ip, arp, rarp, tcp, udp and similar
-i specify the interface to listen on;
-r read packets from the given file (normally produced with -w);
-w write packets straight to a file without parsing or printing them;
-T interpret the captured packets as the given type of message; common types are rpc (remote procedure call) and snmp (simple network management);
-nn show IP addresses and port numbers rather than host and service names;
-q print only brief packet information, so each line is shorter;
-d dump the compiled packet-matching code in a human-readable assembler form;
-dd dump the packet-matching code as a C program fragment;
-ddd dump the packet-matching code in decimal form;
-e print the link-layer header on each output line;
-f print foreign Internet addresses numerically;
-l make standard output line-buffered;
-n don't convert network addresses to names;
-t don't print a timestamp on each output line;
-v slightly more verbose output, e.g. the TTL and type of service in IP packets;
-vv detailed packet information;
-c number of packets to capture; without it tcpdump keeps listening until the user presses [ctrl]-c.
-F read the filter expression from the given file and ignore any other expression;
1> Capture traffic on a given port of this host.
[root@localhost ~]# tcpdump -i eth2 'udp port 53'    (captured while running: ping www.baidu.com)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
23:34:54.801224 IP 192.168.1.104.45156 > 192.168.1.1.domain: 50721+ PTR? 100.1.168.192.in-addr.arpa. (44)
23:34:54.802927 IP 192.168.1.104.42689 > 192.168.1.1.domain: 9495+ PTR? 1.1.168.192.in-addr.arpa. (42)
23:34:54.827455 IP 192.168.1.1.domain > 192.168.1.104.45156: 50721 NXDomain 0/0/0 (44)
23:34:54.828570 IP 192.168.1.1.domain > 192.168.1.104.42689: 9495 NXDomain 0/0/0 (42)
23:34:54.830756 IP 192.168.1.104.39701 > 192.168.1.1.domain: 24573+ PTR? 104.1.168.192.in-addr.arpa. (44)
23:34:54.850243 IP 192.168.1.1.domain > 192.168.1.104.39701: 24573 NXDomain 0/0/0 (44)
23:35:01.797459 IP 192.168.1.104.42501 > 192.168.1.1.domain: 47317+ A? www.baidu.com. (31)
23:35:01.812636 IP 192.168.1.1.domain > 192.168.1.104.42501: 47317 2/0/0 CNAME www.a.shifen.com., A 220.181.111.147 (74)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
00:11:07.165561 IP 192.168.1.104.60100 > 74.125.128.99.http: Flags [S], seq 3772457204, win 14600, options [mss 1460,sackOK,TS val 147995298 ecr 0,nop,wscale 5], length 0
00:11:07.182011 IP 74.125.128.99.http > 192.168.1.104.60100: Flags [S.], seq 3970420755, ack 3772457205, win 14180, options [mss 1430,sackOK,TS val 2889730437 ecr 147995298,nop,wscale 6], length 0
00:11:07.182077 IP 192.168.1.104.60100 > 74.125.128.99.http: Flags [.], ack 1, win 457, options [nop,nop,TS val 147995314 ecr 2889730437], length 0
00:11:07.182406 IP 192.168.1.104.60100 > 74.125.128.99.http: Flags [P.], seq 1:171, ack 1, win 457, options [nop,nop,TS val 147995314 ecr 2889730437], length 170
00:11:07.203192 IP 74.125.128.99.http > 192.168.1.104.60100: Flags [.], ack 171, win 239, options [nop,nop,TS val 2889730458 ecr 147995314], length 0
00:11:07.207352 IP 74.125.128.99.http > 192.168.1.104.60100: Flags [P.], seq 1:904, ack 171, win 239, options [nop,nop,TS val 2889730462 ecr 147995314], length 903
00:11:07.207369 IP 192.168.1.104.60100 > 74.125.128.99.http: Flags [.], ack 904, win 513, options [nop,nop,TS val 147995340 ecr 2889730462], length 0
00:11:07.208429 IP 192.168.1.104.60100 > 74.125.128.99.http: Flags [F.], seq 171, ack 904, win 513, options [nop,nop,TS val 147995340 ecr 2889730462], length 0
[root@localhost ~]# tcpdump -i eth2 host 220.181.111.147
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
23:45:33.074071 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [S], seq 381045890, win 14600, options [mss 1460,sackOK,TS val 146461206 ecr 0,nop,wscale 5], length 0
23:45:33.116185 IP 220.181.111.147.http > 192.168.1.104.46332: Flags [S.], seq 755347942, ack 381045891, win 14600, options [mss 1440,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop], length 0
23:45:33.116245 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [.], ack 1, win 14600, length 0
23:45:33.116753 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [P.], seq 1:170, ack 1, win 14600, length 169
23:45:33.162199 IP 220.181.111.147.http > 192.168.1.104.46332: Flags [.], ack 170, win 6432, length 0
23:45:33.166012 IP 220.181.111.147.http > 192.168.1.104.46332: Flags [P.], seq 1:385, ack 170, win 6432, length 384
23:45:33.166046 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [.], ack 385, win 15544, length 0
23:45:33.167787 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [F.], seq 170, ack 385, win 15544, length 0
23:45:33.209245 IP 220.181.111.147.http > 192.168.1.104.46332: Flags [.], ack 171, win 6432, length 0
23:45:33.209313 IP 220.181.111.147.http > 192.168.1.104.46332: Flags [F.], seq 385, ack 171, win 6432, length 0
23:45:33.209329 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [.], ack 386, win 15544, length 0
[root@localhost ~]# tcpdump -i eth2 'dst 220.181.111.147 and (port 21 or 20)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
23:55:45.831050 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147073963 ecr 0,nop,wscale 5], length 0
23:55:46.832802 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147074965 ecr 0,nop,wscale 5], length 0
23:55:48.833624 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147076966 ecr 0,nop,wscale 5], length 0
23:55:52.835319 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147080967 ecr 0,nop,wscale 5], length 0
23:56:00.836306 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147088968 ecr 0,nop,wscale 5], length 0
23:56:16.836495 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147104969 ecr 0,nop,wscale 5], length 0
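The capture above shows six SYNs with the same sequence number, sent at growing intervals, and no SYN-ACK in reply: the client is retransmitting because the far end never answers on port 20. The Python below is an added example, not part of the original notes: a small parser for tcpdump's default TCP output lines that groups packets per connection, counts SYN retransmissions and flags handshakes that never completed. The sample lines are copied from the captures in these notes (TCP options trimmed); the connection-key and status names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the captures in these notes (TCP options trimmed).
SAMPLE = """\
23:45:33.074071 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [S], seq 381045890, win 14600, options [mss 1460,sackOK,TS val 146461206 ecr 0,nop,wscale 5], length 0
23:45:33.116185 IP 220.181.111.147.http > 192.168.1.104.46332: Flags [S.], seq 755347942, ack 381045891, win 14600, options [mss 1440,sackOK], length 0
23:45:33.116245 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [.], ack 1, win 14600, length 0
23:45:33.116753 IP 192.168.1.104.46332 > 220.181.111.147.http: Flags [P.], seq 1:170, ack 1, win 14600, length 169
23:55:45.831050 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147073963 ecr 0,nop,wscale 5], length 0
23:55:46.832802 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147074965 ecr 0,nop,wscale 5], length 0
23:55:48.833624 IP 192.168.1.104.54923 > 220.181.111.147.ftp-data: Flags [S], seq 1443773354, win 14600, options [mss 1460,sackOK,TS val 147076966 ecr 0,nop,wscale 5], length 0
"""

# Default tcpdump TCP line: "<time> IP <src>.<port> > <dst>.<port>: Flags [<f>], ..., length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\],(?P<rest>.*)length (?P<len>\d+)$"
)


def split_endpoint(endpoint):
    """'192.168.1.104.46332' -> ('192.168.1.104', '46332'); the port may be a service name."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_line(line):
    """Return a dict for one TCP output line, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    seq = re.search(r"seq (\d+)", m["rest"])  # "seq 1:170" yields 1
    return {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": m["flags"], "seq": int(seq.group(1)) if seq else None,
            "length": int(m["len"])}


def connection_key(pkt):
    """Direction-independent key so both halves of a conversation land in one bucket."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def summarize(text):
    """Per connection: SYN retransmissions, whether a SYN-ACK was seen, payload bytes."""
    conns = defaultdict(lambda: {"syn": 0, "syn_seqs": set(), "synack": False, "bytes": 0})
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        c = conns[connection_key(p)]
        if p["flags"] == "S":            # a repeated SYN with the same seq is a retransmission
            c["syn"] += 1
            c["syn_seqs"].add(p["seq"])
        elif p["flags"] == "S.":         # the server answered: handshake can complete
            c["synack"] = True
        c["bytes"] += p["length"]
    return {key: {"syn_retransmits": c["syn"] - len(c["syn_seqs"]),
                  "status": "established" if c["synack"] else "no SYN-ACK",
                  "payload_bytes": c["bytes"]}
            for key, c in conns.items()}


if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

Run it on a saved capture with `tcpdump -n -r file.cap tcp | python3 this_script.py` after replacing SAMPLE with `sys.stdin.read()`; the `-n` keeps addresses numeric so the endpoint split does not have to cope with dotted hostnames.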
[root@localhost ~]# tcpdump -n -i eth2 icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
00:15:09.021481 ARP, Request who-has 192.168.1.1 tell 192.168.1.104, length 28
00:15:09.026080 ARP, Reply 192.168.1.1 is-at ec:88:8f:61:cc:4c, length 46
00:15:22.241411 IP 192.168.1.104 > 74.125.128.103: ICMP echo request, id 12361, seq 1, length 64
00:15:22.259365 IP 74.125.128.103 > 192.168.1.104: ICMP echo reply, id 12361, seq 1, length 64
00:15:23.243472 IP 192.168.1.104 > 74.125.128.103: ICMP echo request, id 12361, seq 2, length 64
00:15:23.260798 IP 74.125.128.103 > 192.168.1.104: ICMP echo reply, id 12361, seq 2, length 64
00:15:24.245494 IP 192.168.1.104 > 74.125.128.103: ICMP echo request, id 12361, seq 3, length 64
00:15:24.263007 IP 74.125.128.103 > 192.168.1.104: ICMP echo reply, id 12361, seq 3, length 64
00:15:24.948703 ARP, Request who-has 192.168.1.104 tell 192.168.1.100, length 46
00:15:24.948737 ARP, Reply 192.168.1.104 is-at 00:0c:29:57:3b:87, length 28
00:16:03.338775 ARP, Request who-has 192.168.1.104 tell 192.168.1.100, length 46
00:16:03.338813 ARP, Reply 192.168.1.104 is-at 00:0c:29:57:3b:87, length 28
#tcpdump -i eth0 -s 0 -l -w gaby.cap dst port 443
Writes every packet from this host to destination port 443 into gaby.cap; the file can then be opened in an analysis tool to follow the whole exchange.
Capture the packets exchanged between host 192.168.2.45 and either 192.168.1.1 or 192.168.2.1:
#tcpdump host 192.168.2.45 and \(192.168.1.1 or 192.168.2.1 \)
# tcpdump -i eth2 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
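The filter on the line above keeps only port-80 TCP segments that carry data: ip[2:2] is the IPv4 total length, (ip[0]&0xf)<<2 the IP header length in bytes and (tcp[12]&0xf0)>>2 the TCP header length in bytes, so the difference is the payload size and pure ACKs (0 bytes) are dropped. As an added example, not from the original notes, the Python below builds constructed IPv4/TCP packets and evaluates those three terms byte for byte, the way the BPF program does; the packet builder, the zeroed checksums and the addresses are constructed for illustration only.

```python
import struct

# Constructed addresses for illustration only (the pair used in the captures above).
SRC_IP = bytes([192, 168, 1, 104])
DST_IP = bytes([220, 181, 111, 147])


def ipv4_tcp_packet(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Build a constructed IPv4+TCP packet (no link-layer header, checksums left zero).
    Option fields must be a multiple of 4 bytes, as in a real header."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl_words = 5 + len(ip_options) // 4        # IP header length in 32-bit words
    doff_words = 5 + len(tcp_options) // 4      # TCP data offset in 32-bit words
    total_len = ihl_words * 4 + doff_words * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words,  # version 4 in the high nibble, IHL in the low
                         0, total_len, 0, 0, 64, 6, 0, SRC_IP, DST_IP) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          46332, 80, 1, 1,
                          doff_words << 4,      # data offset lives in the high nibble of byte 12
                          0x10,                 # ACK flag only
                          14600, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload


def tcp_payload_len(pkt: bytes) -> int:
    """Evaluate ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) on a raw IPv4 packet."""
    ip_total = struct.unpack("!H", pkt[2:4])[0]  # ip[2:2]: IPv4 total length
    ihl = (pkt[0] & 0x0F) << 2                   # (ip[0]&0xf)<<2: IP header bytes
    tcp = pkt[ihl:]                              # tcp[n] is indexed from the TCP header start
    doff = (tcp[12] & 0xF0) >> 2                 # (tcp[12]&0xf0)>>2: TCP header bytes
    return ip_total - ihl - doff


def filter_matches(pkt: bytes) -> bool:
    """The '!= 0' part of the filter: true only when the segment carries data."""
    return tcp_payload_len(pkt) != 0


if __name__ == "__main__":
    ts_opts = b"\x01\x01\x08\x0a" + b"\x00" * 8  # nop,nop,TS (12 bytes), as in the captures
    samples = [("pure ACK", ipv4_tcp_packet(b"", tcp_options=ts_opts)),
               ("HTTP request", ipv4_tcp_packet(b"GET / HTTP/1.0\r\n\r\n", tcp_options=ts_opts))]
    for name, pkt in samples:
        print(f"{name}: payload={tcp_payload_len(pkt)} matches={filter_matches(pkt)}")
```

Two caveats carried over from the pcap-filter syntax: tcp[n] is an offset relative to the start of the TCP header, not the packet, and the tcp/udp index operators only apply to IPv4, so this expression does not match IPv6 traffic.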
# tcpdump -D
1.usbmon1 (USB bus number 1)
2.eth2
3.usbmon2 (USB bus number 2)
4.any (Pseudo-device that captures on all interfaces)
5.lo