If you’re looking for a very simple, reliable network monitoring tool that can be installed on minimal hardware and configured with custom display filters, and you don’t have the budget for products such as Sniffer ($2,869 for Sniffer Basic), then the free, open source application, IPTraf, can be just the ticket.

In this Daily Feature, I’m going to tell you where to get this open source solution, how to install it, and how to use it to create custom display filters for network traffic information.

What it takes
The full list of requirements looks like this:

Hardware requirements

  • ·        16 MB of physical RAM (more is recommended—at least 64 MB for very busy networks)
  • ·        2 MB of free disk space for installation (more will be needed if you log high amounts of traffic over time)
  • ·        Pentium-class processor or higher (Pentium II 200 MHz or higher recommended) or equivalent
  • ·        One or more of the supported network interfaces

Operating system requirements

  • ·        Linux kernel 2.2.0 or higher
  • ·        GNU C library 2.1 or later
  • ·        ncurses 4.2 or later with the complete terminfo database in /usr/share/terminfo. Support for Linux > 2.2.x, vt100, xterm, xterm-color is recommended.

Compilation requirements (required when building from the source code)

  • ·        gcc or later
  • ·        GNU C (glibc) development library 2.1 or later
  • ·        ncurses development libraries 4.2 or later

All of these requirements are met on the newer (i.e., since Red Hat 7.0) distributions. (I tested the installation of IPTraf with Red Hat 7.2.)

Getting and installing IPTraf
The source for IPTraf is available from its Web site. Download the latest tarball (as of this writing, it’s 2.5.0) and save it as root to the /usr/local directory. Change to the /usr/local directory with cd /usr/local and run the following commands to install the software:
tar xvzf iptraf-2.5.0.tar.gz
cd iptraf-2.5.0

Once the installation is complete, the resulting iptraf binary will be in /usr/local/bin and must be run as root.

Running IPTraf
After you open a console (that must be sized at 80 columns x 24 lines, the only size at which IPTraf will display), su to root (only root can run IPTraf) and run the command iptraf. You’ll be greeted with a splash screen that details product information including version, author’s name, copyright information, and license information. Press any key to continue. The next screen (see Figure A) will give you a number of options.

Figure A
The light blue letters are the keys assigned to the corresponding menu entry.

From this main menu, scroll down to Configure (or press the o key). In the Configure menu, you can configure a number of options, from Reverse DNS Lookup to Closed/Idle Persist. For example, I’m going to set Logging to On. To do this, I’ll scroll down with the cursor keys to the Logging entry and press [Enter]. I can then see the Logging entry on the right change from Off to On.

Once I have Logging set to On, I press the x key or scroll down to Exit and press [Enter], press the m key or scroll up to IP Traffic Monitor and press [Enter], select the eth0 interface, define the log file or accept the default of /var/log/iptraf/ip_traffic-1.log, and press [Enter] again. I’ll see network traffic information scrolling by far too fast to make heads or tails of it. Fortunately, I turned on Logging. Now if I open my favorite text editor (Pico) to the log file, I’ll see entries like this.

If I take apart each entry, I see that they each contain the following:

  • ·        Time stamp: month, day, time, year
  • ·        Protocol: ARP, OSPF, TCP, UDP, etc.
  • ·        Interface: eth0, eth1, localhost, etc.
  • ·        Packet size in bytes
  • ·        Addresses: Addresses following the for keyword are destination addresses, and those following the from keyword are source addresses. They can be either IP or MAC addresses.

Creating filters
One of the best features of IPTraf is the ability to define your own display filter to monitor specific network traffic. For example, I can create a TCP filter that will monitor SMTP traffic on the network. To do this, I first open iptraf and select TCP Display Filters. In this new menu, I select Define New Filter and enter the name SMTP Traffic. After I’ve named the filter, I see a window like the one in Figure B.

Figure B
The [Tab] key lets you navigate around the edit screen.

As you can see in Figure B, two sets of data must be entered. The first set, on the left side, is for the destination address; the second set is for the source address. If you leave either with 0s (as shown in the second set), IPTraf will assume that you’re monitoring all addresses.

My SMTP traffic filter will look like the one in Figure C. As you can see, I’ve defined a range of addresses by entering for the host name and a wildcard of, which is the equivalent of the subnet mask on my network. The final bit of information I entered is 25 for the port number. The preceding information is my destination address. For the source address (the second set of data), I entered for the host address, for the wildcard mask, and 25 for the port.

Figure C
You can include or exclude matching packets from the display by tabbing to Include/Exclude and entering either an I or an E, respectively.

Once my information is entered, all I have to do is press [Enter] and then [Ctrl]X to get out of the Define New Filter screen. Then, I need to apply the filter by scrolling to Apply Filter, pressing [Enter], selecting the SMTP Traffic filter I just created, pressing [Enter] again, and then going back to IP Traffic Monitor. Once I start the monitor, I’ll see all the traffic zipping by on the bottom part of the screen, and any traffic matching my filter will show up in the upper portion of the screen.

This article should serve to help you get IPTraf up and running. To further explain IPTraf, in my upcoming article on working with filters and IPTraf, I’ll show you the ins and outs of defining various network filters.

By now, you should see how useful and flexible this open-source utility can be. Whether you’re the network administrator of a large corporation or solely responsible for a small SOHO operation, you can benefit from IPTraf’s ability to monitor and log any amount of network traffic that you deem necessary.

Need more?

Do you use Linux to monitor your network traffic? Would you like to see more Linux network monitoring tools on TechProGuild? Drop Jack Wallen, Jr. a line and let him know.