
Real time network topology and traffic flow with Etherape

Jack Wallen shows you how to use the Etherape network monitoring tool for UNIX and UNIX-like OSs.

There are numerous reasons why you would want to watch your network topology or the flow of traffic on your network. Say you are experiencing a bandwidth bottleneck. What is causing that bottleneck? Is it a particular user? A machine gone awry? How do you find out what is happening without having to walk around to every single machine on your network? Easy. The Etherape network monitor gives you a real-time graphical display of your network and the flow of traffic. Using this tool you can easily pinpoint suspect machines. Let's take a look at exactly how you can use this tool to troubleshoot networking issues.

Installation

Etherape is only available for UNIX and UNIX-like OSs (such as Linux and even OS X). In order to use Etherape you will need:

  • libpcap
  • GTK+
  • Libglade 2
  • GNOME
  • Standard resolver library (name depends upon OS)

If you are using a modern Linux distribution, installation is quite simple. Just open up your package manager, search for etherape, mark Etherape for installation, and click Apply to install.

To install on OS X take a look at the Darwinports Page for Etherape for downloads and instructions for installation.

Once it is installed you will find Etherape in Applications | System Tools (in the GNOME desktop). You will find, however, that running from the menu will not work as Etherape needs admin privileges in order to make use of the network connection. So instead of running Etherape from the menu, open up a terminal window and issue the command etherape with admin privileges. NOTE: If you are using Ubuntu, that command will be sudo etherape. If you are using a distribution that does not make use of sudo you will first need to su to the root user and then issue the command etherape.

Usage

When Etherape starts up you will instantly see traffic flow in a graphic window (see Figure A). As traffic flows across your network, the real-time image will update.

Figure A: As you can see, last.fm is using up quite a bit of bandwidth.

As your network traffic patterns ebb and flow, Etherape will instantly update those patterns in the window shown in Figure A. But let's say you want to get a clearer picture of what an individual machine is doing. To do that, click View | Nodes (in the Etherape main window), which will open up the Nodes window (see Figure B).

Figure B: Here you see statistics for individual nodes on the network.

The machine that was shown using the last.fm traffic appears as jack-ubuntu in the Nodes listing. This window shows the current traffic, accumulated traffic, last heard packet, how many packets have been exchanged, as well as the name and address of the node.

If you need to check which protocols are using up most of your bandwidth, click View | Protocols. This window (see Figure C) lets you see whether one particular protocol is killing your network.

Figure C: The protocol listing also shows the associated port.
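To make concrete what the Nodes and Protocols windows are summarising, here is an added example (not part of the original article, and not Etherape's own code) that computes the same per-node and per-protocol totals from a libpcap capture using only the Python standard library; the capture, the 192.168.1.x and 203.0.113.5 addresses and the MAC scheme are all constructed for the example.

```python
import struct
from collections import defaultdict

def _frame(src, dst, proto, sport, dport, plen):
    # Constructed Ethernet/IPv4 frame with a TCP (6) or UDP (17) header and
    # plen bytes of filler; MACs are invented from the last octet of the IP.
    mac = lambda ip: bytes([0, 0x11, 0x22, 0x33, 0x44, int(ip.split('.')[-1])])
    l4 = struct.pack('!HH', sport, dport)
    l4 += b'\0' * 8 + b'\x50' + b'\0' * 7 if proto == 6 else b'\0' * 4
    ip4 = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4) + plen, 0, 0, 64,
                      proto, 0, bytes(map(int, src.split('.'))),
                      bytes(map(int, dst.split('.'))))
    return mac(dst) + mac(src) + b'\x08\x00' + ip4 + l4 + b'A' * plen

def _pcap(records):
    # Wrap (ts_sec, frame) pairs in a classic libpcap file, linktype 1 (Ethernet).
    out = [struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)]
    for ts, fr in records:
        out.append(struct.pack('<IIII', ts, 0, len(fr), len(fr)) + fr)
    return b''.join(out)

# Constructed sample: one LAN host pulling data over TCP/80 from an outside
# address, another doing a DNS lookup against the router.
SAMPLE_PCAP = _pcap([
    (100, _frame('192.168.1.10', '203.0.113.5', 6, 51000, 80, 1000)),
    (101, _frame('203.0.113.5', '192.168.1.10', 6, 80, 51000, 1400)),
    (102, _frame('192.168.1.20', '192.168.1.1', 17, 53000, 53, 40)),
    (103, _frame('192.168.1.1', '192.168.1.20', 17, 53, 53000, 120)),
])

def summarize(pcap):
    """Per-node and per-protocol totals, the figures Etherape's Nodes and
    Protocols windows display. nodes[ip] -> bytes/packets/last_heard;
    protos[(name, port)] -> bytes, with port = the lower (service) port."""
    endian = '<' if pcap[:4] == b'\xd4\xc3\xb2\xa1' else '>'
    assert struct.unpack(endian + 'I', pcap[20:24])[0] == 1, 'Ethernet captures only'
    nodes = defaultdict(lambda: {'bytes': 0, 'packets': 0, 'last_heard': 0})
    protos, off = defaultdict(int), 24
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack(endian + 'IIII', pcap[off:off + 16])
        fr, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(fr) < 34 or fr[12:14] != b'\x08\x00':
            continue                      # not IPv4 (ARP, IPv6, ...): skip
        ihl, proto = (fr[14] & 0x0f) * 4, fr[23]
        for ip in ('.'.join(map(str, fr[26:30])), '.'.join(map(str, fr[30:34]))):
            n = nodes[ip]
            n['bytes'] += len(fr); n['packets'] += 1; n['last_heard'] = ts
        port = (min(struct.unpack('!HH', fr[14 + ihl:18 + ihl]))
                if proto in (6, 17) and len(fr) >= 18 + ihl else '')
        protos[({6: 'TCP', 17: 'UDP'}.get(proto, 'IP%d' % proto), port)] += len(fr)
    return dict(nodes), dict(protos)
```

Feed it a file captured with tcpdump or Wireshark (read the bytes and pass them to `summarize`) and the busiest entry in `nodes` is the host Etherape would draw with the fattest line.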

Now that you have collected all of the necessary information on any network issues you are having, you can easily act accordingly. Without the help of a tool like Etherape, this task would be far more challenging.

Final thoughts

The only thing that Etherape is missing is the ability to save and review dumps for later examination. Otherwise, Etherape is one of the best (and most user-friendly) network monitoring tools you will find. Have you tried Etherape? If so, what was your experience? Did this monitoring tool help you resolve a network issue that was previously plaguing you? If it did not help, what did? Share your thoughts with your fellow TechRepublic readers.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

26 comments
cer4

I heard ProteMac Meter (www.protemac.com) is a good app, anybody used this program?

mb.techrepublic

Okay, so ntop doesn't have (or not last time I looked) the pretty graphics, but the detail is similar. Also, a Netflow / SFLOW "solution" would allow for more distributed data gathering (so would suit medium / larger networks).

ramnaddy

Dear sir, I couldn't find any option which says NODES under the View option which is present on the main menu of the Etherape tool. Does the version make any change? How do I find out the version which I am using right now? Thanks, Ram

jithinkcs

Is there any open source network monitoring tool for Windows ?

reggaethecat

Rivalling 'Splunk' as the software product most likely to raise eyebrows when you mention it to the uninitiated!

Neon Samurai

Etherape does not give you a dump file but it does read standard dump files. I believe you can use Tcpdump, Wireshark or similar to dump the .pcap. Etherape will open and re-play the .pcap or read the active file while the sniffer is dumping to it. With my lab wifi; use airodump to get traffic dump, related tool decrypts it, Etherape replays it; I get traffic history and nodes graphically displayed. Fun fun. My only issue with Etherape is a memory leak or some such thing; leave it running for a few hours and my system grinds to a halt.

pgit

Same limitations as etherape but with a lot more options. Just no pretty graphic representation.

Neon Samurai

It's pronounced "Ether-Ape".. not the alternative separation of syllables. The icon being a big picture of an Ape helps to clarify. Splunking is the proper name for "cave diving" or "cave exploring" so "splunk" refers to digging in and exploring the insides of your running OS. But, make sure you pronounce the "l".

dslam24

I can just imagine the look on my peers' faces when I bring up etherape at my next meeting. I already got dinged for going to experts-exchange.com too often, as it shows up on the logs a bit differently w/out the dash.

pgit

Yeah, seeing the name at first is a bit of a shocker. Being it's a command there is no break in the 'word.' But for the title bar, about page and etc they should separate the two to make it clear we're talking about an "ape" here.

#1klutz

I have a network that is mixed. Some computers run Windows and some run Linux. When I install etherape on the Linux machine will it also see the Windows machines on the same network using etherape? Topology of this network is that all computers are connected to a router and then the router is connected to the Internet via a modem. Question: Can etherape see all the computers in the above example? If etherape will not see the whole network then is there a program that will make it happen? The article seems like the Linux computer must be the server for etherape to see all the computers on the network.

pgit

I was going to say the same thing; etherape has no file saving capacity. Bummer. You are correct tho, it'll read a number of the tcpdump-like tools.

Neon Samurai

Grab the portableapp version from the Wireshark download page and run it from any convenient directory or flashdrive.

jeffkeni

I've raised eyebrows in similar fashion by trying to go to sharkeyextreme.com. I don't know how many times I misspelled it sharkeySextreme.com LOL!

delphi9_1971

Build a Linux server with 2 NICs and set it up with IP forwarding. The Linux server will act as a router and then all traffic from the LAN to the outside of the network would be monitored. Cable Modem---Linux Server/Router---LAN In this scenario the only traffic you wouldn't see is the host to host traffic on the LAN. For a home network that is minimal. BTW your Linux server would also become your DHCP server and Firewall (IpTables). There are a number of How To's on the web for this configuration.

Neon Samurai

It cares only about network traffic, not what OS happens to be behind that network traffic. You'll see the host name, IP address, possibly the MAC and an indication of the volume of traffic between machines. It's not a server type situation; this is just a standard network sniffer application on a standard workstation. In terms of your setup; the router is probably acting as a switch. In the old days, a network "hub" would send traffic to all connected computers so one machine can see traffic from any of them to any of them. A switch sends the traffic from one machine to the destination machine only. If I'm just mapping a directory, I'll usually start Etherape then do a ping sweep, nmap or whatever makes my machine send at least one piece of network traffic to all other local machines. Other ways to see all network traffic on a "switched" or "smart hub" network exist starting with messing about with ARP tables, but they can become complex.

pgit

You will only see all the traffic into and out of the computer it's running on, and all broadcast/multicast traffic on the LAN. So you will see netbios, ipp or whatever print protocol, services discovery, arp and the like. You will not see, for instance, traffic on port 80 to and from another machine. A switch has its own routing table and unless you have something that will allow you to bridge a port (eg cisco) that receives a "copy" of all the traffic on the LAN, things originating from a single machine to another single machine on the LAN or to/from the internet will not be visible from the one client running etherape. Or wireshark or any sniffer, for that matter. Etherape is a good quick visual indicator of potential trouble, but its real value to me is showing LAN traffic to SMB owners in order to convince them it's worth my time to shut off UPnP, friggin' media servers and other ridiculous default windows behavior...

robo_dev

as well as Etherape and loads of similar apps.

robo_dev

It's much simpler to plug in a hub than to track down the switch port and setup mirroring. Plus, in many cases, such as the router-to-modem connection, there's no other way to do it. An ethernet tap used for testing and analysis purposes can run at full line speed. That would be the solution for a permanent install where port mirroring is not an option. http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=4

delphi9_1971

Because a hub can only run in Half Duplex mode.

robo_dev

I have a shiny blue Netgear hub that I keep with my sniffer laptop. You plug it in series with whatever you're sniffing, and you go.

Neon Samurai

I'd actually like to see dd-wrt include a monitoring port option. Maybe a checkbox that enabled a noise port 1 (of the usual 4 on soho).

delphi9_1971

In a large scale environment, I would use port mirroring, but the original poster specifically said SOHO office. In that case, I'm assuming he's using a dumb switch as most home offices would have and I'm assuming that we're only talking about 1 to 5 users. In that scenario, using a spare computer that you may have lying around would be cheap, would allow him to get the results he's looking for and wouldn't impact performance. As a matter of fact, I've run this very scenario for many years in my home without any down time (ya gotta love Linux). Also, even an "old" computer, say an 800 MHz P3 with 256 MB of RAM has way more processing power than your standard SOHO router. Most of the Linksys WRT54G series routers (which are out there in droves) only have 200 MHz processors with 16 MB of RAM. Lastly most people are putting DD-WRT, Tomato, OpenWRT and one or two other Linux variants on their SOHO routers (Linksys, D-Link, etc...) That is exactly the same thing as putting a multi-homed server in place with a Linux kernel, Iptables and IP forwarding enabled. So yes I would agree with you in an enterprise case, but for a SOHO solution, I think mine is valid.

mb.techrepublic

I'm always a bit wary of making a server behave as a network switch / hub / router. A halfway house solution to seeing everything is, again, install 2 NICs, but attach the second one to a mirrored port on a backbone (or sole, if you only have one) switch. Unmanaged switches won't allow this, but even the cheapish Cisco SMB / Linksys Smart switches do, so now I carry a 5 port 10/100/1000 one in my kit bag pre-configured with port mirroring. You'll still only see multicasts / broadcasts (in the whole network) plus all traffic directly on that switch, but for a single switch installation, that IS everything.
