30 Apr 2002 12:33
If you're looking for a simple, reliable network monitoring tool that can be installed on minimal hardware, the free, open source application IPTraf may be just the ticket. IPTraf takes it easy on your budget--commercial alternatives such as Sniffer can run about £2,000--and still offers several handy features, such as custom display filters.
In this article, I'm going to tell you where to get this open source solution, how to install it, and how to use it to create custom display filters for network traffic information.
What it takes
The full list of IPTraf's requirements looks like this:
Hardware minimum requirements
Operating system requirements
Compilation requirements for building from the source code
All of these requirements are met on the newer distributions, dating roughly from the release of Red Hat 7.0. For this article, I tested IPTraf installation with Red Hat 7.2.
Getting and installing IPTraf
The source for IPTraf is available from its Web site. Download the latest tar file (as of this writing, it's 2.5.0) and save it as root to the /usr/local directory. Change to the /usr/local directory with cd /usr/local and install the software by running the following commands:
tar xvzf iptraf-2.5.0.tar.gz
cd iptraf-2.5.0
./Setup
Once the installation is complete, the resulting iptraf binary will be in /usr/local/bin and must be run as root.
Running IPTraf
Open a console sized at 80 columns x 24 lines--the only size at which IPTraf will display. Next, su to root and run the command iptraf. Root is required because IPTraf opens a raw packet socket on the network interface (and can put the interface into promiscuous mode), which an unprivileged user cannot do. You'll be greeted with a splash screen that details product information, including version, author's name, copyright information, and license information. Press any key to continue. The next screen, shown in Figure A, will present a number of options.
Figure A: IPTraf's menu highlights action keys in light blue.
From this main menu, scroll down to Configure, or press the o key (highlighted in light blue). In the Configure menu, you can adjust a number of options, from Reverse DNS Lookup to Closed/Idle Persist. For example, I'm going to set Logging to On. To do this, scroll down with the cursor keys to the Logging entry and press [Enter]. You'll see the Logging entry on the right change from Off to On.
With Logging activated, leave the Configure menu by pressing the x key (or scrolling down to Exit and pressing [Enter]). Back at the main menu, press the m key (or scroll up to IP Traffic Monitor) and press [Enter]. Next, select the eth0 interface, define the log file or accept the default of /var/log/iptraf/ip_traffic-1.log, and press [Enter] again. You'll see network traffic information scrolling by far too fast to make heads or tails of it. Fortunately, you turned on Logging, so the same information is being written to the log file. If you open the log file in your favorite text editor (mine is Pico), you'll see entries like the one shown in this listing.
If you dissect each entry, you'll see that they each contain the following:
Creating filters
One of the best features of IPTraf is the ability to define your own display filter to monitor specific network traffic. For example, you can create a TCP filter that will monitor SMTP traffic on the network. To do this, first open iptraf and select TCP Display Filters. In this new menu, select Define New Filter and enter the name SMTP Traffic. After you've named the filter, you'll see a window like the one shown in Figure B.
Figure B: The [Tab] key lets you navigate around the edit screen.
The SMTP traffic filter I've created from this example will look like the one in Figure C. As you can see, I've defined a range of addresses by entering 10.16.58.190 for the host name and a wildcard mask of 255.255.248.0, which is the subnet mask on my network. The wildcard mask works like a netmask: only the address bits that are set in the mask are compared, so 10.16.58.190 with 255.255.248.0 matches every host in 10.16.56.0/21, whereas 255.255.255.255 would match that one host only. The final bit of information I entered is 25 for the port number. The preceding information is my destination address. For the source address (the second set of data), I entered 10.16.56.13 for the host address, 255.255.248.0 for the wildcard mask, and 25 for the port. Bear in mind that an SMTP client connects from an ephemeral source port, not port 25, so a filter that demands port 25 at both ends will only show connections between two hosts that both use port 25; to catch ordinary client-to-server SMTP sessions, enter 0 (which IPTraf treats as "any port") for the client side's port.
Figure C: You can include or exclude matching packets from the display by tabbing to Include/Exclude and entering either the letter I or the letter E, respectively.
Once you enter all your information, all you have to do is press [Enter] and then [Ctrl]X to get out of the Define New Filter screen. Then, you need to apply the filter by scrolling to Apply Filter, pressing [Enter], selecting the SMTP Traffic filter you just created, pressing [Enter] again, and then going back to IP Traffic Monitor. Once you start the monitor, the upper window lists TCP connections, now restricted to those that pass the SMTP Traffic filter, while the lower window keeps showing UDP, ICMP and other non-TCP traffic, which a TCP display filter does not affect.
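To make the wildcard-mask, port and Include/Exclude rules concrete, here is a small Python model of how a TCP display filter decides whether a connection is shown. This is an added example written for this walk-through, not IPTraf's own code. The mask comparison and the "port 0 means any port" rule follow IPTraf's documented filter behaviour; treating an entry as matching a connection in either direction, and evaluating entries in order with the first match deciding, are modelling assumptions made here. The addresses and ports other than the two from the article are constructed sample data.

```python
"""Model of an IPTraf-style TCP display filter (example code, not IPTraf's own)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterEntry:
    """One entry of a TCP display filter, as typed on the Define New Filter screen.

    Port 0 means "any port". The wildcard mask works like a netmask: only the
    address bits set in the mask are compared, so 255.255.255.255 pins an exact
    host and 0.0.0.0 matches every address.
    """
    host1: str
    mask1: str
    port1: int
    host2: str
    mask2: str
    port2: int
    include: bool  # True for an 'I' (include) entry, False for 'E' (exclude)


def _addr_matches(addr: str, host: str, mask: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    h = int(ipaddress.IPv4Address(host))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (h & m)


def _port_matches(port: int, wanted: int) -> bool:
    return wanted == 0 or port == wanted


def entry_matches(e: FilterEntry, src: str, sport: int, dst: str, dport: int) -> bool:
    """Assumption: a TCP connection is bidirectional, so the entry is tried both ways round."""
    def one_way(a, ap, b, bp):
        return (_addr_matches(a, e.host1, e.mask1) and _port_matches(ap, e.port1)
                and _addr_matches(b, e.host2, e.mask2) and _port_matches(bp, e.port2))
    return one_way(src, sport, dst, dport) or one_way(dst, dport, src, sport)


def displayed(entries, src: str, sport: int, dst: str, dport: int) -> bool:
    """Assumed ordering rule: entries are checked in order and the first match decides
    (Include shows the connection, Exclude hides it); a connection matching no entry
    is not shown."""
    for e in entries:
        if entry_matches(e, src, sport, dst, dport):
            return e.include
    return False


# The filter exactly as the article enters it: port 25 required at BOTH ends.
ARTICLE_ENTRY = FilterEntry("10.16.58.190", "255.255.248.0", 25,
                            "10.16.56.13", "255.255.248.0", 25, True)

# Same subnet, but port 0 (any) on the client side, which is what an SMTP
# client really uses.
FIXED_ENTRY = FilterEntry("10.16.58.190", "255.255.248.0", 25,
                          "10.16.56.13", "255.255.248.0", 0, True)

# An Exclude entry placed first: hide one host's outbound SMTP (constructed
# example; nothing in the article says 10.16.56.13 is a mail relay).
EXCLUDE_RELAY = FilterEntry("10.16.56.13", "255.255.255.255", 0,
                            "0.0.0.0", "0.0.0.0", 25, False)


if __name__ == "__main__":
    # Constructed sample connections (client, ephemeral port -> server:25).
    samples = [
        ("10.16.56.13", 3456, "10.16.58.190", 25),   # in-subnet SMTP session
        ("10.16.58.190", 25, "10.16.56.13", 3456),   # same session, reply direction
        ("10.16.64.5", 3456, "10.16.58.190", 25),    # client outside 10.16.56.0/21
        ("10.16.56.13", 3456, "10.16.58.190", 80),   # not SMTP
    ]
    filters = [("article", [ARTICLE_ENTRY]),
               ("fixed", [FIXED_ENTRY]),
               ("exclude first", [EXCLUDE_RELAY, FIXED_ENTRY])]
    for name, entries in filters:
        for s in samples:
            print(f"{name:14s} {s[0]}:{s[1]} -> {s[2]}:{s[3]}: {displayed(entries, *s)}")
```

Running it shows that the article's filter, with port 25 at both ends, never displays a normal client session, while the version with port 0 on the client side shows it in both directions and still ignores a client outside 10.16.56.0/21 or a connection to port 80.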
Summary
This quick walk-through of IPTraf should give you an idea of how useful and flexible this open source utility can be. Whether you're the network administrator of a large corporation or solely responsible for a small operation, you can benefit from IPTraf's ability to monitor and log any amount of network traffic.
Copyright © 1995-2008 CNET Networks, Inc. All rights reserved