Analyzing IPtraf output

T. Nifty Hat Mitchell mitch48 at sbcglobal.net
Mon Jun 28 21:24:09 UTC 2004


On Thu, Jun 24, 2004 at 12:37:18PM -0400, Kevin Old wrote:
> 
> I'm trying to capture and analyze *all* traffic (not just web traffic,
> which I can use Wusage for) coming to and from my server.  I've
> recently been introduced to iptraf and am wondering about how I'm to
> use its statistics.
...
> In the Perl script I write to analyze this data, I'm going to separate
> the traffic by TCP and UDP, but I was confused at what "bytes" I'm
> supposed to add and subtract?
...
> You'll notice that the 52 bytes is in both lines.  Should I only "add
> up" the traffic on the "FIN sent" lines to avoid reporting a higher
> amount of traffic than is actually coming through?
> 
> Any help is appreciated,

Hmm... iptraf is presenting summary information and presenting the summary of
like packets on a summary line in some cases.

If you really want to understand what it is doing look at the output of
tcpdump or tethereal for the same five seconds that you let iptraf do
a summary.  Since tcpdump and tethereal will give you one line per packet
it will be moderately easy to understand the internals of iptraf.

Since TCP is a stateful connection the "FIN sent" state makes it possible
to collect the total bytes transferred via the connection.

HOWEVER, without full understanding, all is not perfect here.  For
example, if you watch a ssh connection to a box it begins with
something like:

  Mon Jun 28 13:58:27 2004; TCP; eth0; 60 bytes; from 192.168.0.53:22 to \
  192.168.0.51:44935; first packet (SYN)

It is interesting that if you power down that box from that ssh
connection there is no "FIN sent" packet to trigger the summary line
from iptraf.

The same is true for lots of other TCP connections.

Depending on the ultimate purpose behind your logging you could perl out
any visibility of a class of problems.  

Also a very long standing connection can put the first packet in a log
separated by days from the teardown and summary packets.


-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.
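An added example, not from the post above and not iptraf's own code: a small
Python parser for log lines in the shape quoted above that does the bookkeeping
the reply describes.  It sums UDP per packet, sums TCP from the per-direction
totals on the "FIN sent" lines (once per direction, so the "52 bytes" FIN packet
size is never added), keys both directions of a connection to one flow so a SYN
logged days before its FIN still matches, and reports flows that got a SYN but
never a FIN instead of silently dropping them.  The sample log is constructed;
the "FIN sent; N packets, M bytes" trailer, the UDP line layout and the
addresses are assumptions for this example.

```python
import re
from datetime import datetime

# Constructed sample log.  The SYN line follows the shape quoted in the post;
# the "FIN sent; N packets, M bytes" trailer, the UDP line layout and the
# addresses are assumptions made for this example, not taken from iptraf.
SAMPLE_LOG = """\
Mon Jun 28 13:58:27 2004; TCP; eth0; 60 bytes; from 192.168.0.53:22 to 192.168.0.51:44935; first packet (SYN)
Mon Jun 28 13:58:27 2004; UDP; eth0; 78 bytes; from 192.168.0.51:32768 to 192.168.0.1:53
Mon Jun 28 13:58:27 2004; UDP; eth0; 142 bytes; from 192.168.0.1:53 to 192.168.0.51:32768
Mon Jun 28 13:58:30 2004; TCP; eth0; 60 bytes; from 192.168.0.51:44936 to 192.168.0.53:80; first packet (SYN)
Mon Jun 28 13:58:31 2004; TCP; eth0; 52 bytes; from 192.168.0.51:44936 to 192.168.0.53:80; FIN sent; 6 packets, 412 bytes
Mon Jun 28 13:58:31 2004; TCP; eth0; 52 bytes; from 192.168.0.53:80 to 192.168.0.51:44936; FIN sent; 5 packets, 1780 bytes
Mon Jun 28 14:02:10 2004; TCP; eth0; 60 bytes; from 192.168.0.51:44937 to 192.168.0.53:22; first packet (SYN)
Wed Jun 30 09:12:05 2004; TCP; eth0; 52 bytes; from 192.168.0.51:44935 to 192.168.0.53:22; FIN sent; 1824 packets, 210344 bytes
Wed Jun 30 09:12:05 2004; TCP; eth0; 52 bytes; from 192.168.0.53:22 to 192.168.0.51:44935; FIN sent; 1790 packets, 98760 bytes
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}); "
    r"(?P<proto>\w+); (?P<iface>\S+); (?P<pkt_bytes>\d+) bytes; "
    r"from (?P<src>\S+) to (?P<dst>\S+)(?:; (?P<event>.*))?$"
)
# Per-direction totals on a teardown line (assumed layout, see above).
TOTALS_RE = re.compile(r"(?P<pkts>\d+) packets, (?P<bytes>\d+) bytes")


def parse_line(line):
    """Split one log line into its fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["pkt_bytes"] = int(rec["pkt_bytes"])
    rec["event"] = rec["event"] or ""
    return rec


def flow_key(src, dst):
    """Both directions of a connection map to one key, so a SYN logged on
    Monday and a FIN logged days later still land on the same flow."""
    return tuple(sorted((src, dst)))


def summarize(log_text):
    udp_bytes = 0
    flows = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "UDP":
            # Non-TCP traffic is logged per packet, so the packet size on
            # the line is the number to add.
            udp_bytes += rec["pkt_bytes"]
            continue
        if rec["proto"] != "TCP":
            continue
        key = flow_key(rec["src"], rec["dst"])
        flow = flows.setdefault(
            key, {"first": rec["ts"], "last": rec["ts"], "bytes": 0, "fins": set()}
        )
        flow["first"] = min(flow["first"], rec["ts"])
        flow["last"] = max(flow["last"], rec["ts"])
        if rec["event"].startswith("FIN sent") and rec["src"] not in flow["fins"]:
            # The "52 bytes" on a FIN line is the size of the FIN packet
            # itself and is NOT added.  The per-direction total in the
            # trailer is what counts, once per direction.
            totals = TOTALS_RE.search(rec["event"])
            if totals:
                flow["bytes"] += int(totals.group("bytes"))
                flow["fins"].add(rec["src"])
    report = {"tcp_bytes": 0, "udp_bytes": udp_bytes,
              "open_flows": [], "multi_day_flows": []}
    for key, flow in sorted(flows.items()):
        if len(flow["fins"]) == 2:
            report["tcp_bytes"] += flow["bytes"]
        else:
            # SYN seen but no teardown for one or both directions: the peer
            # was powered off, reset, or the connection is still up.  No
            # total was ever logged, so report it rather than lose it.
            report["open_flows"].append(key)
        if (flow["last"] - flow["first"]).days >= 1:
            report["multi_day_flows"].append(key)
    return report


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The open_flows list is the part worth watching: every entry is traffic that
iptraf never totalled, so a report that only adds up "FIN sent" lines is a
lower bound, not the real number.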