IPTraf is an ncurses-based network monitor that produces a variety of network statistics. This open source software was written by Gerard Paul Java and is released under the terms of the GNU General Public License. (For those who do not know ncurses: it is a library for building text-based, GUI-like interfaces that run inside a terminal.) IPTraf reports TCP information, UDP counts, ICMP and OSPF information, Ethernet load, node statistics, IP checksum errors, and other network-related information.
IPTraf can be installed using apt-get utility as follows:
sudo apt-get install iptraf
One may make use of Ubuntu Software Center to install IPTraf.
IPTraf Usage in Terminal
When IPTraf is run without any options, it is displayed as a GUI-like application in the terminal window. In this interactive mode IPTraf shows a menu with a number of options, and the user is asked to select one of them.
Monitoring TCP and UDP traffic
sudo iptraf -s <interface>
For example, sudo iptraf -s eth1
The -s option starts monitoring TCP and UDP traffic on the targeted interface.
Displaying Detailed Statistics
sudo iptraf -d <interface>
For example, sudo iptraf -d eth1
The -d option provides detailed statistics for traffic on the specified interface.
Define a Time-out
sudo iptraf <option> <interface> -t <timeout>
For example, sudo iptraf -d eth1 -t 5
The -t option sets a time-out so that the utility runs for a specific period; you can monitor the network traffic until that time-out expires.
IPTraf in Interactive Mode
IP Traffic Monitor
This is the default option for the individual analysis of each network interface. You can even do an analysis of your loopback interface, the famous 127.0.0.1
Select the interface to be analyzed and hit the <enter> key:
Note that the screen shows plenty of information about all active connections passing through the interface; it also highlights the origin and destination of each connection as well as its speed and packet transmission. In the above example, an analysis of all the computer's interfaces was chosen.
To sort the displayed connections by number of packets transmitted or by size of packets transmitted, press "s", then press "p" to show first the connections transmitting the greatest number of packets, or "b" to show those sending the largest packets. To return to the previous screen, press the "ESC" key.
General Interface Statistics
It displays general information about data traffic on all interfaces, such as the number and type of packets and the current transfer rate on each. It does exactly what the following option does, but with less detailed information.
Detailed Interface Statistics
Displays information at a greater level of detail: types of packets, quantities, and the current transfer speed on each interface.
Note that this option shows the amount of data arriving at / leaving the interface (incoming and outgoing rates) and the total rate. Broadcast packets and corrupted packets are also listed in this option.
This option displays data on the size of the packets travelling over the interfaces. The data are analyzed by the standard MTU (Maximum Transfer Unit) size, whose value ranges from 1 to 1500 bytes in the Ethernet standard; i.e., it shows the number of packets transferred, dividing them into groups by size.
This type of analysis is interesting because it can identify a port-scanner attack by its common signature: small packets sent in large quantities to specific ports.
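The packet-size breakdown and the port-scan pattern described above, as an added example that is not part of IPTraf or this page: it bins constructed (source, destination port, frame size) records into 1500/20 = 75-byte brackets and flags a source whose small frames are spread across many ports. The bracket width, the "small" cut-off and the thresholds are assumptions chosen for illustration, not IPTraf's own values.

```python
"""Packet-size breakdown plus a small-packet/port-spread check on sample data."""
from collections import Counter, defaultdict

MTU = 1500
BRACKET = 75  # assumption: 20 equal-width size brackets across 1..1500 bytes


def size_breakdown(packets):
    """Count frames per size bracket, labelled '1-75', '76-150', ... '1426-1500'."""
    counts = Counter()
    for _src, _port, size in packets:
        size = max(1, min(size, MTU))                      # clamp into the Ethernet range
        idx = (size - 1) // BRACKET
        lo, hi = idx * BRACKET + 1, min((idx + 1) * BRACKET, MTU)
        counts[f"{lo}-{hi}"] += 1
    return counts


def suspected_scanners(packets, small=75, min_ports=10, min_small=20):
    """Sources that send at least min_small frames of <= small bytes to >= min_ports ports."""
    small_count = Counter()
    ports = defaultdict(set)
    for src, port, size in packets:
        if size <= small:
            small_count[src] += 1
            ports[src].add(port)
    return sorted(s for s in small_count
                  if small_count[s] >= min_small and len(ports[s]) >= min_ports)


# Constructed sample: 10.0.0.5 sends 60-byte frames to ports 1..40 (the
# scan-like pattern); 10.0.0.9 does an ordinary transfer on one port.
SAMPLE = ([("10.0.0.5", p, 60) for p in range(1, 41)]
          + [("10.0.0.9", 443, 1500) for _ in range(30)]
          + [("10.0.0.9", 443, 90) for _ in range(5)])

if __name__ == "__main__":
    by_lower_bound = lambda kv: int(kv[0].split("-")[0])
    for bracket, n in sorted(size_breakdown(SAMPLE).items(), key=by_lower_bound):
        print(f"{bracket:>10}: {n}")
    print("suspected scanners:", suspected_scanners(SAMPLE))   # ['10.0.0.5']
```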
Creating Filters for refined analysis
At some point it will be useful, for example, to analyze the data from a specific computer, or certain network traffic on certain ports, etc. The large volume of data hinders a network administrator's ability to analyze the traffic clearly unless filters are used. Filters exist to facilitate this: with them you get just the data you really need.