IPTraf User's Manual

Written by Gerard Paul Java
Copyright (c) Gerard Paul Java 1997, 1998
Permission is granted to reproduce and distribute this document with the included software under the terms of the GNU General Public License. This manual and the software that accompanies it come with absolutely no warranty, not even the implied warranties of merchantability or fitness for any particular purpose. See the included COPYING file for details.
About This Document
This document is the User's Manual for IPTraf 1.1. Documented here are the features of the program and instructions on its use.
This manual is the HTML version and can be viewed with any Web browser supporting HTML 3.0.

For Additional Information
See the included README file for summarized and late-breaking information. The CHANGES file contains a record of the changes made to the software since 1.0.0. Planned features and fixes are in the TODO file. The file README.rvnamed contains a description of the new rvnamed program and the protocol used to communicate with IPTraf.

Document Conventions

[ ]
items in brackets are optional
{ }
curly braces enclose items you choose from
|
the vertical bar separates choices in curly braces
monospace italics
italics in syntax specifications indicate items that are to be replaced with an actual item (e.g. iface should be replaced with an actual interface name, like eth0.

Introduction
IPTraf is a network monitoring utility for IP networks. It intercepts packets on the LAN and gives out various pieces of information about the current IP traffic over it. Information returned by IPTraf include:

Total, IP, TCP, UDP, ICMP, and non-IP byte counts

TCP source and destination addresses and ports

TCP packet and byte counts

TCP flag statuses

UDP source and destination information

ICMP type information

OSPF source and destination information

TCP and UDP service statistics

Interface packet counts

Interface IP checksum error counts

Interface activity indicators

Ethernet LAN station statistics

IPTraf can be used to monitor the load on an IP network, the most used types of network services, the proceedings of TCP connections, and others.
IPTraf is software-only, and utilizes the built-in raw packet capture interface of the Linux kernel, allowing it to be used with a wide range of Ethernet cards and any SLIP/PPP interface. No special hardware is required.
Installation
IPTraf is most readily available on the Internet, but some may receive it on a diskette. Here are the instructions for both types of distributions.
System Requirements
IPTraf requires the following to run:

386 or later (i486DX2-66 MHz or later will give better performance. Faster machines reduce the chances of missed packets.)

Linux 2.0.0 or later (2.0.24 or higher for protection from the Ping o' Death, 2.0.32 or later for protection from the "teardrop" attack. See the technical notes below)
Linux C library 5 (ELF libc.so.5) or GNU libc 2 (libc.so.6)

8MB of physical RAM or higher. More recommended. 16MB virtual memory recommended (physical memory + swap space)

Console or 80x25 high-speed terminal

Ethernet or SLIP/PPP interfaces

The X Window system is not required. Here are the installation instructions.
Installing the Downloaded Package
IPTraf can be downloaded from the Internet. The downloadable package is in a compressed (gzip) tar archive. To extract the files from the archive, you need these utilities:

tar

GNU zip (gzip)

If you downloaded IPTraf from the Internet, follow these steps to install the software:

Decompress the .tar.gz file by entering

tar zxvf iptraf-1.1.0.tar.gz
If your tar doesn't support the z option, you can separately decompress the tar.gz then extract the resulting .tar archive.

gunzip iptraf-1.1.0.tar.gz tar xvf iptraf-1.1.0.tar
This will decompress the sources into a directory called iptraf-1.1.0.
Change to the src directory. It already contains ready-to-run distribution binaries for IPTraf and the accompanying rvnamed daemon.

Enter

make install
This will install the distribution binary in the /usr/local/bin directory. The necessary working directory /var/local/iptraf will also be created.

Installing the Floppy Distribution
If you received IPTraf on a diskette, the sources are already decompressed. The diskette is in Second Extended filesystem format. Perform the following steps to install the software.

Insert the floppy in the drive.

Mount the floppy on an empty directory. For example, to mount the floppy in the first floppy drive under a directory called /mnt, enter

mount -t ext2 /dev/fd0 /mnt
This assumes your floppy is in /dev/fd0. You can use any empty directory in place of /mnt. With most Linux distributions, this will work.

After mounting, change to the /mnt (or whatever) directory.

Enter

make install

This will copy the binary to /usr/local/bin, and create the /var/local/iptraf directory.

Unmount the diskette by typing

umount /mnt (That's umount, not unmount.)
You can then eject the diskette. Store it in a safe place.

In both cases (downloaded and floppy), the installation will store the program in /usr/local/bin with the binaries owned by user root, readable, writable, and executable by the owner, no permissions for the group, no permissions for all others. (700 octal, or -rwx------). In either case, perform the "make install" step. This not only transfers the executable programs, but creates the necessary directories if they do not yet exist. IPTraf will not function properly without them.
Starting IPTraf
After installation, you can start the program by simply entering

iptraf
at the shell prompt. You will see a copyright notice, with an instruction to press any key to get started. Just press any character key, and you will be immediately taken to the main menu. All major functions of the program are found here.
Entering the IPTraf command without any command-line parameters brings up the program's main menu. From there, you can select the facilities you want.
Command-line Options
Version 1.1.0 now accepts options on the command line which can be used to start each individual facility.

iptraf -i
causes the IP traffic monitor to start immediately
iptraf -g
starts the general interface statistics
iptraf -d iface
shows detailed statistics for the specified interface
iptraf -s iface
starts the TCP/UDP traffic monitor for the specified interface
iptraf -e
starts the Ethernet station monitor
iptraf -h
displays a short help screen

While interactive commands in the IPTraf interface are not case-sensitive, command-line options are.
Using the Menus
Move the selection bar to the item you want by using the Up and Down arrow keys on your keyboard. Pressing Enter will execute it. Alternatively, you can also directly press the highlighted letter of the item you want. This will immediately execute the option.
Using IPTraf

IP Traffic Monitor
Executing the first menu item or specifying -i to the iptraf command takes you to the IP Traffic Monitor. The Traffic Monitor is a real-time monitoring system that intercepts all packets on all detected network interfaces. The monitor decodes the IP information on all IP packets and displays the appropriate information about it, most notably the source and destination addresses. In addition to that, it also determines the encapsulated protocol within the IP packet, and displays some important information about that as well.
There are two windows in the Traffic Monitor. Both of them can be scrolled with the Up and Down cursor keys. Just press W to move the Active indicator to the window you want to control.
Upper Window
The upper window of the Traffic Monitor displays the currently detected TCP connections. Information about TCP packets are displayed here. The window contains these pieces of information:

Source address and port

Destination address and port

Packet count

Byte count

Packet Size

Window Size

TCP flag statuses

Interface

The TCP window is scrollable, and you can view more connections by using the Up and Down arrow keys on your keyboard.
Because this monitoring system relies solely on packet information, it does not determine which endpoint initiated the connection. In other words, it does not determine which endpoint is the client, and which is the server. This is necessary because it can operate in promiscuous mode, and as such cannot determine the socket statuses for other machines on the LAN.
That being the case, the system displays two entries for each connection, one for each direction of the TCP connection. To make it easier to determine the direction pairs of each connection, a bracket is used to "join" both together. This bracket appears at the leftmost part of each entry.
The directions of data flow do not determine which entries appear at the top and at the bottom of the bracket. That is, just because the direction appears at the upper part of the bracket doesn't mean its source machine initiated the connection.
Each entry in the window contains these fields:
Source address and port
The source address and port indicator is in address:port format. This indicates the source machine and TCP port on that machine from which this data is coming.
Destination address and port
The destination address and port field indicates to which machine and port on that machine packets are being sent to.
Packet count
The number of packets received for this direction of the TCP connection
Byte count
The number of bytes received for this direction of the TCP connection
Packet Size
The size of the most recently received packet. This item is visible if you press M for more TCP information.
Window Size
The advertised window size of the most recently received packet. This item is visible if you press M for more TCP information.
Flag statuses
The flags of the most recently received packet.

S
SYN. A synchronization is taking place in preparation for connection establishment. If only an S is present (S---) the source is trying to initiate a connection. If an A is also present (S-A-), this is an acknowledgment of a previous connection request, and is responding.
A
ACK. This is an acknowledgment of a previously received packet
P
PSH. A request to push all data to the top of the receiving queue
U
URG. This packet contains urgent data
RESET
RST. The entire connection has been reset by the source machine in this direction. The direction entries for reset connections become available for new connections.
DONE
The connection is done sending data in this direction, and has sent a FIN (finished) packet, but has not yet been acknowledged by the other host.
CLOSED
The FIN has been acknowledged by the other host. When both directions of a connection are marked CLOSED, the entries they occupy become available for new connection entries.
-
The flag is not set

Interface
The network interface this packet was received from. The following types of interfaces are currently supported:

lo
The loopback interface. Every machine has one, and has an IP address of 127.0.0.1. lo is also indicated if data is detected on the dummyn interface(s).
ethn
An Ethernet interface. n starts from 0. Therefore, eth0 refers to the first Ethernet interface, eth1 to the second, and so on. Most machines only have one.
pppn
A PPP interface. n starts from 0. Therefore, ppp0 is the first PPP interface, ppp1 is the second, and so on.
slin
A SLIP interface. n starts from 0. Same sequence as above
Two more data items can also be viewed, the packet size and the advertised window size. Pressing M will replace the packet and byte counts with the packet size and window size. Press M again to view the packet counts and byte counts.
By default, only IP addresses are displayed, but if you have access to a name server or host table, you may enable reverse lookup for the IP addresses. Just enable reverse lookup in the Options menu.

The rvnamed Process
The IP Traffic Monitor starts a daemon called rvnamed to help speed up reverse lookups without sacrificing too much keyboard control and accuracy of the counts. While reverse lookup is being conducted in the background, IP addresses will be used until the resolution is complete.
If for some reason rvnamed cannot start (probably due to improper installation or lack of memory), and you are on the Internet, and you enable reverse lookup, your keyboard control can become very slow. This is because the lookup functions will not return until they have completed their tasks, and it can take several seconds for a name resolution in the foreground to complete.

Tip
If you notice unusual SYN activity (too many initial but frozen SYN entries (S---), or rapidly increasing initial SYN packets for a single connection), you may be under a SYN flooding attack. Apply appropriate measures, or the targeted machine may begin denying network services.

Entries not updated within a user-configurable amount of time may get replaced with new connections. The default time is 15 minutes. This is regardless of whether the connection is closed or not. (Some unclosed connections may be due to extremely slow links or crashes at either end of the connection.) This figure can be changed at the Options menu.
Some early entries may have a > symbol in front of its packet count. This means the connection was already established when the monitor started. In other words, the figures indicated do not reflect the counts since the start of the TCP connection, but rather, since the start of the traffic monitor. Eventually, these > entries will close (or time out) and disappear. TCP entries without the > were initiated after the traffic monitor started, and the counts indicate the totals of the connection itself. Just consider entries with > partial.
Some > entries may go idle if the traffic monitor was started when these connections were already half-closed (FIN sent by one host, but data still being sent by the other). This is because the traffic monitor cannot determine if a connection was already half-closed when it started. These entries will eventually time out. (To minimize these entries, an entry is not added by the monitor until a packet with data or a SYN packet is received.)
Direction entries also become available for reuse if an ICMP Destination Unreachable message is received for the connection.

Lower Window
The lower window displays information about the other types of traffic on your network. The following protocols are detected:

UDP

ICMP

OSPF

IGRP

IGP

IGMP

ARP

RARP

Non-IP packets are simply indicated as Non-IP in the lower window.

Note
The source and destination addresses for ARP and RARP entries are Ethernet MAC addresses.
Well, strictly speaking, ARP and RARP packets aren't IP packets, since they are not encapsulated in an IP datagram. They're just indicated because they are integral to proper IP operation on Ethernet LANs.

UDP packets are also displayed in address:port format. ICMP entries also contain the ICMP message type. For easier location, each type of protocol is color-coded (text console only).

UDP Red on White ICMP Yellow on Blue OSPF Black on Cyan IGRP Bright white on Cyan IGP Red on Cyan IGMP Bright green on Blue ARP Yellow on Red RARP Yellow on Red Other IP Yellow on Red Non-IP Yellow on Red
The lower window can hold up to 512 entries. You can scroll the lower window by using the W key to move the Active indicator to it, and by using the Up and Down cursor keys. The lower window automatically scrolls every time a new entry is added, and either the first entry or last entry is visible. Upon reaching 512 entries, old entries are thrown out as new entries are added.
Entry Details
In general, the entries in the lower window indicate the protocol, the source address, the destination address, the network interface the packet was detected on. However, some protocols have a little more information.
ICMP: ICMP entries are displayed in this format:

ICMP type (subtype) from source to destination on interface
where type could be any of the following:

echo request, echo reply
ICMP echo request and reply. Usually used by the ping program and other network monitoring systems.
dest unreach
ICMP destination unreachable. Something failed to reach its target. The dest unreach type is supplemented with a further indicator of the problem. Destination unreachable messages for TCP traffic causes the corresponsing TCP entry in the upper window to be made available for reuse by new connections.
redirect
ICMP redirect. Usually generated by a router to tell a host that a better gateway is available.
source quench
The ICMP source quench is used to stop a host from transmitting. It's some kind of flow control mechanism.
time exceeded
Indicates a packet's time-to-live value expired before it got to its destination. Mostly happens if a destination is too far away. Also used by the traceroute program.
router adv
ICMP router advertisement
router sol
ICMP router solicitation
timestamp req
ICMP timestamp request
timestamp rep
ICMP timestamp reply
info req
ICMP information request
info rep
ICMP infromation reply
addr mask req
ICMP address mask request
addr mask rep
ICMP address mask reply
parameter problem
ICMP parameter problem
bad/unknown
An unrecognized ICMP packet was received, or the packet is corrupted. However, this type is also generated if a fragmented ICMP packet is detected. The fragments are tagged with the bad/unknown indicator.

The destination unreachable message also includes information on the type of error encountered. Here are the destination unreachable codes:

network
network unreachable
host
host unreachable
protocol
protocol unreachable
port
port unreachable
DF set
the packet has to be fragmented somewhere, but its don't fragment (DF) bit is set.
src route failed
source route failed
src isoltd
source isolated (obsolete)
net comm denied
network communication denied
host comm denied
host communication denied
net unreach for TOS
network unreachable for specified IP type-of-service
host unreach for TOS
host unreachable for specified IP type-of-service
prec violtn
precedence violation
prev cutoff
precedence cutoff
dest net unkn
destination network unknown
dest host unkn
destination network unknown

For more information on ICMP, see RFC 792.
OSPF: OSPF messages also include a little more information. The format of an OSPF message in the window is:

OSPF type (a=area r=router) from source to destination on interface
The type can be one of the following:

hlo
OSPF hello. Hello messages establish OSPF communications and keep routers informed of each other's presence.
DB desc
OSPF Database Description
LSR
OSPF Link State Request
LSU
OSPF Link State Update. Messages indicating the states of the OSPF network links
LSA
OSPF Link State Acknowledgment

The entries in parentheses:

a=area
The area number the of the OSPF message
r=router
The IP address of the router that generated the message. It is not necessarily the same as the source address of the encapsulating IP packet.

Many times, the destination addresses for OSPF packets are class D multicast addresses in standard dotted decimal notation. Such multicast addresses are defined as follows:

224.0.0.5
OSPF all routers
224.0.0.6
OSPF all designated routers

See RFC 1247 for details on the OSPF protocol.
At any time, you can press X or Q to return to the main menu (or back to the shell if the monitor was started with iptraf -i).

General Statistics
The second menu option displays a list of attached network interfaces, and some general packet counts. Specifically, it displays counts of IP, non-IP, and bad IP packets (packets with IP checksum errors). It also includes an activity indicator, which shows the number of kilobits and packets the interface sees per second. All figures are for incoming and outgoing packets. (Again, considering promiscuous mode for Ethernet, which simply causes the packets to be intercepted by the machine). This is useful for general monitoring of all attached interfaces. If byte counts and additional information are needed for a specific interface, the Detailed interface statistics option is also available.
The general statistics window will dynamically add new entries as packets from newly-created interfaces (e.g. new PPP interfaces) are intercepted. Long lists can be scrolled with the Up, Down, PgUp, and PgDn keys.
Copies of the statistics are written to the log file at regular intervals if logging is enabled. See the Logging option below.
This facility can be started directly from the command line with the -g option to the iptraf command.
You can press X or Q to return to the main menu.
Detailed Statistics
The third menu option displays packet statistics for any selected interface. It provides basically the same information as the General interface statistics option, with additional information. This option provides the following information:

IP packet and byte counts

TCP packet and byte counts

UDP packet and byte counts

ICMP packet and byte counts

Other IP-type packet and byte counts

Non-IP packet and byte counts

Checksum error count

Interface activity in kilobits per second

Packet size counts

The upper portion of the screen contains the packet and byte counts for all IP and non-IP packets intercepted on the interface. The lower portion contains the counts of packets whose sizes fall within the indicated brackets. This can be useful when monitoring the sizes of packets passing over the network.
If you wish to start this facility directly from the command line, you can specify the -d parameter and an interface to monitor. For example,

iptraf -d eth0
starts the statistics for eth0. The interface must be specified, or IPTraf will not start the facility.

Note
In both the general and detailed statistics screens, as well as in the IP Traffic Monitor, the packet counts are for actual network packets (layer 2), not the logical IP packets (layer 3) that may be reconstructed after fragmentation. That means, if a packet was fragmented into four pieces, and these four fragments pass over your interface, the packet counts will indicate four separate packets. The figure for the IP checksum error is a packet count only, because the corrupted IP header cannot be relied upon to give a correct IP packet length value.
The figures are logged at regular intervals if logging is enabled.
Pressing X or Q takes you back to the main menu (if this facility was started with the command-line option, X or Q drops you back to the shell).

Ethernet Station Statistics
The Ethernet Station Monitor discovers Ethernet addresses and displays statistics on the number of incoming, and outgoing packets. It also includes figures for incoming and outgoing kilobits per second for each discovered station.
The entry above each line of statistics is the Ethernet hardware address. Each statistics line follows this format:

ITP IIP ITB IA OTP OIP OIB OA Legend: ITP - total incoming packets IIP - incoming IP packets ITB - incoming bytes IA - incoming activity in kbits/sec OTP - total outgoing packets OIP - outgoing IP packets OIB - outgoing bytes OA - outgoing activity in kbits/sec
This facility works only for Ethernet frames. Loopback and SLIP/PPP networks are not monitored here.
Copies of the statistics are written to the log at regular intervals if logging is enabled.
The window can be scrolled with the Up and Down cursor keys. Press X or Q to return to the main menu (or the shell if this facility was started with the -e command-line option).
TCP and UDP Traffic Statistics
IPTraf also includes a facility that generates statistics on TCP and UDP traffic. This facility displays counts of all TCP and UDP packets with source or destination ports numbered less than 1024. Ports 1 to 1023 are reserved for the TCP/IP application protocols (well-known ports).
The statistics window indicates the protocol (TCP or UDP), the port number, the total packets and bytes counted for this particular protocol/port combination, the packets and bytes destined for that protocol and port, and the packets and bytes coming from that protocol and port.
Some network applications or protocols may use port numbers higher than 1023. Examples of these include application proxy servers (HTTP proxy servers typically use values like 8000, 8080, 8888, and the like), and IRC (IRC servers commonly accept connections on ports 6660 to 6669). These ports are by default not included in the counts. If you do want to include a higher-numbered port in the statistics, you can add them yourself from the Options/Additional port... menu item. See the section below.
The statistics are also written to the log file if logging is enabled.
If you wish to start this facility from the command line, you can use the -s option followed by an interface to monitor. For example,

iptraf -s eth0
brings up this module for traffic on eth0. The interface must be specified, or IPTraf will drop back to the shell.
The Up and Down cursor keys scroll the window. Pressing X or Ctrl+X exits and returns to the main menu (or the shell if it was started from the command line).
Display Filters
The Display Filters are used to control the information displayed by the IP Traffic Monitor. In many cases, the Traffic Monitor fills up very rapidly with information, most of which you may not need. You may want to use such a display just to get a general idea of the network traffic, but if you're interested only in particular traffic, you must restrict the information displayed. The filters also apply to logging activity.

TCP Filters
The TCP display filters option allows you to define a set of parameters that determine which connections the Traffic Monitor returns information about. Selecting this option pops up another menu with the tasks used to define and apply custom TCP display filters.
A freshly installed program will have no filters defined, so before anything else, you will have to define a filter. You can do this by selecting the Define new filter... option.
Selecting this option displays a box asking you to enter a short description of the filter you are going to define. Just enter any text that clearly identifies the nature of the filter.
Press Enter when you're done with that box. As an alternative, you can also press Ctrl+X to cancel the operation. Following that will be another dialog box asking you for the source and target IP addresses, wildcard masks, and service ports.
You can enter addresses of individual hosts, networks, or a catch-all address. The nature of the address will be determined by the wildcard mask.
You'll notice two sets of fields. You fill these out with the information about your source and targets. Strictly speaking, because packets alone don't provide information about which side initiated the connection (except for SYN packets), you may think of these as "endpoint" fields rather than strict source/target fields. That means, you can enter information about the "from" side in the first set of fields, and the "to" side in the second set, or vice versa. It doesn't matter, since TCP is full duplex. (Also important, since the Traffic Monitor displays information about both sides of the connection).
Fill out the IP address of the hosts or networks in the first field marked Host name/IP Address. Enter it in standard dotted- decimal notation. When done, press Tab to move to the Wildcard mask field. The wildcard mask is similar but not exactly identical to the standard IP subnet masks. The wildcard mask is used to determine which bits to ignore when processing the filter. In most cases, it will work very closely like a subnet mask. Place ones (1) under the bits you want the filter to recognize, and keep zeros (0) under the bits you want the filter to ignore. For example:

To recognize the host 207.0.115.44 Enter IP address: 207.0.115.44 Wildcard mask: 255.255.255.255 To recognize all hosts belonging to network 202.47.132.x Enter IP address: 202.47.132.0 Wildcard mask: 255.255.255.0 To recognize all hosts with any address: Enter IP address: 0.0.0.0 Wildcard mask 0.0.0.0
The IP address/wildcard mask mechanism of the display filter doesn't recognize IP address class. It uses a simple bit- pattern matching algorithm.
The wildcard mask also does not have to end on a byte boundary; you may mask right into a byte itself. For example, 255.255.255.224 masks 27 bits (224 is 11100000 in binary).
Leaving the wildcard mask fields blank or storing invalid data in them causes the filter to recognize the entries as 255.255.255.255.
Starting with version 1.1.0, IPTraf accepts host names in place of the IP address. IPTraf will resolve the host name when the filter is loaded. When the filter is interpreted, the wildcard mask will also be applied. This can be useful in cases where a single host name may resolve to several IP addresses.

Tip
See the Linux Network Administrator's Guide if you need more information on IP addresses and subnet masking.

The Port field should contain a port number of the service you may be interested in. Leave it at 0 to let the filter ignore it. You will most likely be interested in target ports rather than source ports (which are usually unpredictable anyway, perhaps with the exception of FTP data).
Fill out the second set of fields with the parameters of the opposite end of the connection. As previously mentioned, you may place either set of parameters in either set. By default, the second set of parameters are defaulted to 0.0.0.0, 0.0.0.0, 0. Just Backspace or Delete over them and replace them if needed.
Press Enter to accept all parameters when done. The parameters will be accepted and you'll be presented with another blank form. You can enter another set of parameters, or you can end with Ctrl+X.
Examples
To see all traffic to/from host 202.47.132.1 from/to 207.0.115.44, regardless of TCP port

Host name/IP Address 202.47.132.2 207.0.115.44 Wildcard mask 255.255.255.255 255.255.255.255 Port 0 0
To see all traffic from/to 207.0.115.44 to/from network 202.47.32.0

Host name/IP Address 207.0.115.44 202.47.132.0 Wildcard mask 255.255.255.255 255.255.255.0 Port 0 0
To see all Web traffic, regardless of source or destination

Host name/IP Address 0.0.0.0 0.0.0.0 Wildcard mask 0.0.0.0 0.0.0.0 Port 80 0
To see all mail (SMTP) traffic to/from a single host (202.47.132.2) from/to anywhere

Host name/IP Address 202.47.132.2 0.0.0.0 Wildcard mask 255.255.255.255 0.0.0.0 Port 25 0
To see traffic to/from host sunsite.unc.edu from/to cebu.mozcom.com

Host name/IP Address sunsite.unc.edu cebu.mozcom.com Wildcard mask 255.255.255.255 255.255.255.255 Port 0 0
In all cases, you could have interchanged the first and second sets of IP addresses, wildcard masks, and port values; they wouldn't have made any difference. That's why they're better referred to as "first" and "second" rather than "source" and "target".
You can enter as many parameters as you wish. All of them will be interpreted when the filter is processed.
Applying a Filter
The above steps only add the filter to a defined list. To actually apply the filter, you must select Apply filter. from the menu. You will be presented with a list of filters you already defined. Select the one you want to apply, and press Enter.
Deleting a Defined Filter
Select Delete Filter. from the menu to remove a filter from the list. Just move the pointer to the filter you want to delete, and press Enter.
Detaching a Filter
The Detach filter option deactivates the filter currently in use. Selecting this option causes all TCP information to be displayed by the traffic monitor.
When you're done with the menu, just select the Exit menu option.
Other Protocol Filters
You can select the other IP-type protocols you want to display or omit with the Other protocol filters... option. With the exception of UDP, the filters for other protocols are simply toggled. To toggle a protocol's display, just select the protocol and press Enter. Visible protocols are listed in the box next to the menu.
Because UDP packets are also significantly high in volume, you can also define a UDP filter the same way you do a TCP filter. To work with UDP filters, select the UDP... option. You can opt to display all UDP packets, no UDP packets, and define a custom UDP filter. Other than the first two options, the others are almost identical to the custom TCP filter options.
If you applied a custom UDP filter, or set IPTraf to display all UDP packets, UDP will be included in the list of visible protocols.
Configuring IPTraf
IPTraf can be easily configured with the Options item in the main menu. The configuration is stored in the /var/local/iptraf/iptraf.cfg file. If the file is not found, IPTraf uses the default settings. Any changes to the configuration immediately get stored in the configuration file.
Reverse Lookup
Activating reverse lookup causes IPTraf to find out the name of the hosts with the addresses in the IP packets. As pointed out earlier, if you're on the Internet, your keyboard control can become very clumsy with this option enabled, and you can lose packet counts. You may want to keep this off if you're monitoring a machine on the Internet, or if you have no accessible name server or host table. A local DNS server on an isolated LAN though won't give much trouble.
This option is off by default.
Promiscuous Operation
If this option is enabled, your Ethernet interface will capture all packets on your LAN. Using this option enables you to see all TCP connections and packets passing your LAN segment, even if they're not from or for your machine. When this option is active in the statistics windows, the Activity indicators will show a good estimate of the load on your Ethernet segment.
When this option is disabled, you'll only receive information about packets coming from and entering your machine.
The setting of this option affects all Ethernet interfaces on your machine, if you have more than one.
Regardless of the initial setting of the interfaces' promiscuous flags, IPTraf turns them off when it exits. Promiscuous mode is off by default.

Note
Do not use other programs that change the interface's promiscuous flag at the same time you're using IPTraf. The programs can interfere with each other's expected operations.

Color
Turn it on with color monitors. Turn it off with black-and- white monitors or non-color terminals (like xterms). Changes to this setting will take effect only upon restarting the program.
Color is on by default on consoles, off on non-color terminal types like xterms and VT100s.
Logging
When this option is active, IPTraf will log information to a disk file, which can be examined later. The log file is /var/local/iptraf/iptraf.log.
The traffic monitor will write the following pieces of information to the log file:

Start of the traffic monitor

Receipt of the first TCP packet for a connection. If that packet is a SYN, (SYN) will be indicated in the log entry. (Of course, the traffic monitor may start in the middle of established connections. It will still count those packets. This also explains why some connection entries may become idle if the traffic monitor is started in the middle of a half-closed connection, and miss the first FIN. Such entries time out in a while.)

Receipt of a FIN

ACK of a FIN

Timeouts of TCP entries

Everything that appears in the bottom window of the traffic monitor

Stopping of the traffic monitor

Each log entry includes the date and time the entry was written. Logging is also affected by the defined filters.
Log files can grow very fast, so be prepared with plenty of free space and delete unneeded logs. Log write errors are not indicated.
Copies of the interface statistics, TCP/UDP statistics, and Ethernet host statistics are also written to the log files at regular intervals. See "Log Interval" below.
Logging comes disabled by default.
TCP Timeout
This figure determines the amount of time (in minutes) a connection entry may remain idle before it becomes eligible for replacement by a new connection. The default is 15 minutes. You may want to reduce this on an isolated (not connected to the Internet) LAN or a LAN connected to the Internet with high-speed links. Just enter the new value and press Enter. You can press Ctrl+X to leave the current value unchanged.
Log Interval
This figure determines the number of minutes between logging of interface statistics, TCP/UDP figures, and Ethernet host statistics. The default is 60 minutes. This figure is meaningless if logging is disabled.
Additional port
Select this item to enter a port number to be included in the TCP/UDP counts in the TCP/UDP service statistics main menu item described above. By default, port numbers above 1023 are not monitored. If you do have a higher-numbered port to monitor, enter it here. You can select this option multiple times to add more values.
Delete port
Select this item to remove a higher-numbered port number you entered earlier with the Additional port... option. You cannot delete ports less than 1024.

Messages
Unable to create config file
IPTraf cannot create the configuration file. The most likely cause of this is that you didn't properly install the program, and the necessary directory /var/local/iptraf does not exist. Can also be generated if you have a disk problem or if you have too many files open.
Unable to read config file
The configuration record cannot be read. You most likely have a disk problem.
Unable to write config file
The configuration file cannot be written. You either have a disk problem, or (more likely), your disk is full.
Unable to read filter record file
IPTraf cannot access the list of defined TCP or UDP filters. Can also be an indicator of a bad disk.
Unable to read filter file
IPTraf cannot read the filter data off the file. Could be caused by a bad disk.
Unable to write filter record file
IPTraf cannot add the newly defined filter to the filter list.
Unable to write filter file
IPTraf cannot write the data of the newly defined filter.
Cannot open log file
There is a problem opening the log file. There is most likely a problem with the disk, or there are too many open files.
Critical error: unable to allocate memory for a critical function
May occur if you have too little memory to allocate for windows, the menu system, or dialog boxes. IPTraf tries to prevent further allocations if memory runs out during a monitor.
This program can be run only by the system administrator
IPTraf normally does not allow anybody but uid 0 (root) to run it. This measure is included for safety reasons. See the section on recompiling the program below if you want to override this. This feature is built in, and not part of the configuration
Your TERM variable is not set
The TERM (terminal type) environment variable must be set to a valid terminal type so that the screen management routines can function properly. Set it to the appropriate terminal type. Linux consoles typically use a value called "linux".
Received TERM signal
Not related to the previous message. The TERM signal is normally used to gracefully shut down a program. This message simply indicates that the TERM signal was caught and IPTraf is attempting to shut down as gracefully as possible.
Invalid option or missing parameter
The -d or -s options were specified but no interface was specified on the command line. The -d and -s parameters require a valid interface name.
This message can also appear if an unknown option is passed to the iptraf command.
Duplicate port entered
You entered a port number that was added to the list of additional ports to be monitored by the TCP/UDP service monitor
Unknown port value
You tried to delete a port number that wasn't previously entered.
Can't start rvnamed; lookups will block
IPTraf cannot start the rvnamed daemon; probably due to a bad installation. IPTraf will fall back to blocking lookups.
Can't start new process; lookups will block
IPTraf cannot start a new process. This may be due to memory shortage. IPTraf will fall back to blocking lookups.

Technical Appendices

Recompiling the Program
With both the downloaded and floppy distributions, you can recompile the program immediately before you do the make install. Perform the following steps to recompile:

Change to the src directory and clear out the supplied binaries by entering

make clean

Recompile by entering

make
at the prompt. You may want to recompile force the program to use your libraries and/or kernel sources, or to simply generate smaller executable files.

The distribution executable file is dynamically-linked ELF. It uses the shared C library, but the ncurses and panels libraries are linked in. With most systems, this program should work immediately after installation.
If you have the appropriate libraries and facilities, you can recompile the program to use the shared versions of the ncurses and panels libraries.
Recompiling requires:

Linux 2.0.0 or later

gcc-2.7.0 or later (2.7.2.3 or later for glibc2)

ncurses-1.9.9e or later (earlier versions have problems with the Backspace key and updates of overlapping windows)

GNU make

Makefile Options
The Makefile has several options you can change. You probably don't need to change most of them, probably with the exception of LDOPTS

CC specifies the C compiler to use. On Linux systems, you will not need to change this LIBS specifies additional libraries to use. IPTraf uses the panels extensions to ncurses, and therefore must specify -lpanels -lncurses in that order. Again, most people have no need to change this. DEBUG the -g option to GCC. Specifying this option causes GCC to generate debug information for use with gdb. Also bloats the executable. Leave it commented unless you intend to trace or debug the executable program. OPTIONS standard options to the GCC compiler. -O2 for optimization, -m486 for 486-specific optimizations, -Wall for generation of all warnings. No need to change this LDOPTS set this to -static to force a statically-linked binary. Comment out to have it use the shared C library. INCLUDEDIR by default contains a -I/usr/include/ncurses tag to tell GCC the location of the ncurses header files. If your ncurses header files are located somewhere else, change this path appropriately. BSSETTING if set to -DDISABLEBS will disable the Backspace key in text entry fields. If commented out, IPTraf will recognize the Backspace key. You may want to disable this on earlier ncurses versions, as the Backspace key was unpredictable then. EXECPERM If set to -DALLOWUSERS, the resulting program will work for non-root users if its setuid bit is on. Use with extreme caution, since this program was not written with non-administrators in mind, and no guarantees are given regarding security holes. Leave commented out if not necessary. TARGET The destination directory. Just let this point to anywhere you want to place the resulting binary during the make install.
The dirs.h header file also contains the default locations for the working directory and the names and locations of the configuration and log files. You do not need to change these, but you may do so if you'd rather place these files somewhere else.
When compilation is complete, enter
make install
to install the resulting executable module in the proper directory.
Technical Notes
(also in the README file)
Kernel
IPTraf is untested on Linux kernels prior to the 2.0.x series. The raw socket interface in the 2.0 series kernels is known to be stable. IPTraf may still work on earlier kernels, but no guarantee is actually given. As is always the case, development series kernels may or may not work.
Kernels prior to 2.0.24 had a serious bug that allowed oversized IP datagrams to crash the system (Ping o' Death), while kernels prior to 2.0.32 crashed whenever certain badly fragmented IP packets were received (the so-called "teardrop" attack). It is recommended that you upgrade to at least version 2.0.32 or apply kernel patches to fix these problems.
Security
The raw socket interface requires the program to run with root permission. This program is intended for system and network administrators. However, should you want to allow non-root users to use the program you can edit the Makefile and enable the -DALLOWUSERS option, then install the program setuid root. This is not recommended though. While effort has been exerted to avoid things like buffer overruns, this program is not declared to be secure for non- root users to use.
The new rvnamed daemon communicates with IPTraf with the UNIX domain socket mechanism. Being a background daemon, it may present a possible security issue if it turns out to be broken. Please report any discovered problems immediately.
Terminal
This program was designed to run on the Linux console. It should work on 80x25 xterms and rxvt windows. Run this program from the console (text or xterm) or a high-speed terminal for best results. Resize xterms to the appropriate size before you run the program.
User Interface
Reverse DNS lookups will block if the rvnamed daemon is not running when the traffic monitor is active. This will cause severe packet loss and keyboard control close to impossible. Normally rvnamed should start with no problems whenever the traffic monitor is started with reverse lookups enabled.
There is also a little concern regarding the Backspace key. Apparently the backspace key mapping (KEY_BACKSPACE) is considered unreliable, and is marked as such in ncurses versions as late as 1.9.9e, although tests on this version already worked. Tests for 1.9.4 failed; pressing the Backspace key yielded ^?. The Delete key works with no problem though. If you want the program to not recognize the Backspace key, you can enable the -DDISABLEBS directive in the Makefile.
Earlier versions of ncurses also did not properly define the behavior of overlapping windows. This has been fixed in 1.9.9e.
Network Interfaces
IPTraf currently includes support for Ethernet, loopback, and SLIP/PPP interfaces.
For Ethernet, IPTraf can receive packets in promiscuous mode (i.e. all packets on the LAN, regardless of their destination). Promiscuous mode is pointless on SLIP/PPP interfaces, since these things are point-to-point links.
IPTraf imposes no additional load on the network (except for DNS traffic if reverse name lookup is enabled).

License and Copyright for IPTraf
IPTraf 1.1 Copyright (c) Gerard Paul Java, 1997, 1998
The software and accompanying documentation are distributed under the terms of the GNU General Public License, Version 2 or any later version, as published by the Free Software Foundation, Inc. Permission is granted to distribute and/or modify the software and the documentation under the terms of the license.
The software and accompanying documentation are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR ANY PARTICULAR PURPOSE. For more details, see the GNU General Public License, in the COPYING file included in the distribution. IPTraf uses header files that are part of the GNU C library and the Linux kernel distribution.
Additional structures were extracted from software copyrighted by the Regents of the University of California.

IPTraf User's Manual, HTML Version 1.1.0
Copyright (c) Gerard Paul Java 1997, 1998