Iptraf is a network monitoring program that allows you to analyze network traffic (incoming and outgoing) of your server, but also to analyze the traffic in your LAN.
This program will allow you to :
* You can also try to block this type of program by turning your server into a router. Then, you will allow only the main ports (80: HTTP, 443: HTTPS, 21: FTP, ...). This solution is not 100% reliable, but it will block the use of these programs by most users.
Warning : This program will not work if you use it in a virtual machine created using OpenVZ (if you have a "venet" interface, it will not work). So, this program will not work on the OVH Classic VPS.
To install Iptraf, simply install the "iptraf" package.
apt-get install iptraf
To analyze the network traffic on your server, run iptraf :
Then, select "IP traffic monitor".
Select the interface to "listen" from the list :
We left the program running for a few minutes to give you an overview of the program :
In the upper part, you will see the "TCP" connections (connection-oriented mode) :
In the lower part, you will see the "UDP" packets (connectionless mode) :
Note : lines are in pairs. Ex : lines "10.0.0.9:22" and "10.0.0.3:49197" allow us to know that there is a connection between these network points. The ":" separates the port and the IP address.
In the Iptraf main menu (displayed at launch), go to "Configure".
In the configuration you can :
As you can see :
- our machine, which has the 10.0.0.9 IP address, has the "debian.local" domain name.
- the client "10.0.0.3" is connected to our SSH server (port 22).
- the client "10.0.0.3" is connected to our FTP server (port 21).
As you can see :
- there is a machine named "Lionel-PC" on the network
- the client "10.0.0.3" is connected to our SSH server
- the "Lionel-PC" machine is connected to an instant messaging server running with XMPP
- the user of the machine "Lionel-PC" is currently connected to the Facebook server with the HTTPS protocol (port : 443)
If you enable the "Logging" option, the network log will be saved in real time in the file specified when choosing the monitoring type (IP traffic monitor, lan station monitor, ...).
Note : It's recommended to indicate a new path each time to avoid overwriting the previous log file.
By default, logs will be saved in the "/var/log/iptraf/" folder.
iface_stats_detailed-eth0.log
iface_stats_general.log
ip_traffic-1.log
lan_statistics-1.log
packet_size-eth0.log
rvnamed.log
Here is part of the IP traffic monitor log file (ip_traffic-1.log) :
Sat Jun 6 12:01:41 2015; ******** IP traffic monitor started ********
...
Sat Jun 6 12:18:36 2015; TCP; eth0; 52 bytes; from 10.0.0.3:49667 to debian.local:56526 (source MAC addr 000c29b99462); first packet (SYN)
Sat Jun 6 12:18:36 2015; TCP; eth0; 52 bytes; from debian.local:56526 to 10.0.0.3:49667 (source MAC addr 000c29c363eb); first packet (SYN)
Sat Jun 6 12:18:36 2015; TCP; eth0; 40 bytes; from debian.local:56526 to 10.0.0.3:49667 (source MAC addr 000c29c363eb); FIN sent; 4 packets, 3046 bytes, avg flow rate 24,00 kbits/s
...
Sat Jun 6 12:18:37 2015; UDP; eth0; 201 bytes; source MAC address xxxxxxxxxxxx; from WNDR4300.local:34563 to 255.255.255.255:7423
...
Sat Jun 6 12:18:46 2015; ******** IP traffic monitor stopped ********
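The log format above is regular enough to parse for review after a capture. The following is an added example (not part of the original tutorial or of Iptraf itself) that reads such a log and reports which host opened TCP connections to which port; the sample log is constructed in the same format, with ports 22 and 21 chosen to match the SSH and FTP sessions described earlier.

```python
import re
from collections import Counter

# Constructed sample in the format of the ip_traffic-1.log excerpt above.
SAMPLE_LOG = """\
Sat Jun 6 12:01:41 2015; ******** IP traffic monitor started ********
Sat Jun 6 12:18:30 2015; TCP; eth0; 52 bytes; from 10.0.0.3:49660 to debian.local:22 (source MAC addr 000c29b99462); first packet (SYN)
Sat Jun 6 12:18:30 2015; TCP; eth0; 52 bytes; from debian.local:22 to 10.0.0.3:49660 (source MAC addr 000c29c363eb); first packet (SYN)
Sat Jun 6 12:18:36 2015; TCP; eth0; 52 bytes; from 10.0.0.3:49667 to debian.local:21 (source MAC addr 000c29b99462); first packet (SYN)
Sat Jun 6 12:18:36 2015; TCP; eth0; 40 bytes; from debian.local:21 to 10.0.0.3:49667 (source MAC addr 000c29c363eb); FIN sent; 4 packets, 3046 bytes, avg flow rate 24,00 kbits/s
Sat Jun 6 12:18:37 2015; UDP; eth0; 201 bytes; source MAC address xxxxxxxxxxxx; from WNDR4300.local:34563 to 255.255.255.255:7423
"""

ENDPOINTS = re.compile(r"from (\S+):(\d+) to (\S+):(\d+)")
MAC = re.compile(r"source MAC addr(?:ess)? (\w{12})")  # TCP and UDP wording differ

def parse_line(line):
    """Return a dict for a TCP/UDP record, or None for banners and other lines."""
    fields = [f.strip() for f in line.split(";")]
    if len(fields) < 5 or fields[1] not in ("TCP", "UDP"):
        return None
    ends = ENDPOINTS.search(line)
    if not ends:
        return None
    mac = MAC.search(line)
    return {
        "time": fields[0], "proto": fields[1], "iface": fields[2],
        "bytes": int(fields[3].split()[0]),
        "src": ends.group(1), "sport": int(ends.group(2)),
        "dst": ends.group(3), "dport": int(ends.group(4)),
        "mac": mac.group(1) if mac else None,
        "syn": "first packet (SYN)" in line,
    }

def connection_openers(log_text):
    """Count TCP connections per (initiator, destination, destination port)."""
    # The log marks "first packet (SYN)" once per direction; the first such
    # line seen for an endpoint pair is treated as the initiator's.
    seen, counts = set(), Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["proto"] != "TCP" or not rec["syn"]:
            continue
        pair = frozenset([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])])
        if pair not in seen:
            seen.add(pair)
            counts[(rec["src"], rec["dst"], rec["dport"])] += 1
    return counts
```

Calling `connection_openers()` on the text of a real log file gives one counter entry per client and service, which makes repeated connections from one source to the same port easy to spot.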
If you have enabled the "Source MAC addrs in traffic monitor" option, you will see MAC addresses corresponding to source IP addresses.
As you can see in the lower part, MAC addresses are preceded by "src HWaddr" (meaning : Hardware address).
General interface statistics allows you to get general statistics for each network interface.
Detailed interface statistics allows you to have detailed information about the selected network interface.
This function allows you to sort packets by size.
This function allows you to sort packets by port.
Thus, it's possible to see the number of packets passing on specific ports : 21 (FTP), 22 (SSH), 53 (DNS), 80 (HTTP), ...
LAN station monitor allows you to monitor the bandwidth used by machines on your local network.
As you can see, the program displays the MAC address instead of the IP address.
To know IP addresses that correspond to these MAC addresses, you can use the "nmap" command.
Note : 10.0.0.1 is the IP address of our router.
nmap -sP 10.0.0.1/24
This command displays a result like this :
Starting Nmap 6.00 ( https://nmap.org ) at 2015-06-06 12:19 CEST
Nmap scan report for 10.0.0.1
Host is up (0.00080s latency).
MAC Address: 04:A1:51:XX:XX:XX (Unknown)
Nmap scan report for 10.0.0.3
Host is up (0.0023s latency).
MAC Address: 00:0C:29:B9:94:62 (VMware)
Nmap scan report for 10.0.0.4
Host is up (0.000098s latency).
MAC Address: 78:24:AF:XX:XX:XX (Unknown)
Nmap scan report for 10.0.0.9
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 10.32 seconds
To know the MAC address of your server, use the "ifconfig" command.
In the information displayed, you will see the line :
eth0 Link encap:Ethernet HWaddr 00:0c:29:c3:63:eb
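The three tools write MAC addresses differently (the Iptraf log uses "000c29b99462", nmap "00:0C:29:B9:94:62", ifconfig "00:0c:29:c3:63:eb"), so matching them by eye is error-prone. The following added example (not from the original tutorial) builds a MAC-to-IP table from `nmap -sP` output and fills in the scanning host, for which nmap prints no MAC line, from the ifconfig value; the sample output is constructed and the 10.0.0.1 MAC is a made-up placeholder.

```python
import re

# Constructed `nmap -sP` output in the shape shown above; the 10.0.0.1 MAC
# is a placeholder, the other addresses are the ones used on this page.
NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.1
Host is up (0.00080s latency).
MAC Address: 02:00:00:00:00:01 (Unknown)
Nmap scan report for 10.0.0.3
Host is up (0.0023s latency).
MAC Address: 00:0C:29:B9:94:62 (VMware)
Nmap scan report for 10.0.0.9
Host is up.
"""

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def mac_table(nmap_text, local_mac=None):
    """Map normalized MAC -> IP address.

    nmap prints no "MAC Address" line for the host it runs on, so that host
    is filled in from local_mac (the HWaddr value shown by ifconfig).
    """
    table, current_ip, pending = {}, None, set()
    for line in nmap_text.splitlines():
        if line.startswith("Nmap scan report for "):
            current_ip = line.split()[-1].strip("()")
            pending.add(current_ip)
        elif line.startswith("MAC Address: ") and current_ip:
            table[normalize_mac(line.split()[2])] = current_ip
            pending.discard(current_ip)
    if local_mac and len(pending) == 1:
        table[normalize_mac(local_mac)] = pending.pop()
    return table

def resolve(mac, table):
    """Look up a MAC in any notation; returns "unknown" if it was not scanned."""
    return table.get(normalize_mac(mac), "unknown")
```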
Filters allow you to monitor network traffic according to :
The filter configuration can be used to include network traffic in, or exclude it from, the real-time history.
To create a filter, go to "Filters".
In our case, we'll use an "IP" filter.
Note : As you can see, currently, there is no IP filter active.
Select "Define new filter".
Specify a name for this filter.
For now, there are no settings for this filter.
To add one, press "i" (for the insert option).
For this tutorial, we will only analyze the traffic :
- having "10.0.0.3" as source IP address
- using the TCP or ICMP protocol (to detect possible DDoS attacks using ping)
If you wish, you can add other settings for this filter.
Then, leave the window by pressing "CTRL + X".
Select "Apply filter".
Select the filter to be applied and press Enter.
As you can see, now, the IP filter is active.
In our case, we'll use "IP traffic monitor".
On our machine "10.0.0.3", we used :
- an FTP client to connect to the server (IP: 10.0.0.9)
- the ping command to ping our server (the ICMP echo requests are displayed at the bottom).
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.