What can Iftop do?

Iftop is a free real-time network traffic monitor. It shows the live traffic on a chosen network interface, the connections (and, optionally, the ports) behind that traffic, and can reverse-resolve IP addresses to host names. It reports both the traffic of the local machine itself and the traffic between the local machine and each host it is talking to, which makes it well suited to watching a proxy server or a router. Iftop is also effective for spotting abnormal traffic on a host: its output lets you quickly locate which host the unusual traffic is coming from or going to, which is useful for both network fault diagnosis and security monitoring.

The installation of Iftop

1. Create a working directory and install the build dependencies:

# mkdir /usr/local/src/iftop
# cd /usr/local/src/iftop
# yum install gcc flex byacc libpcap ncurses ncurses-devel libpcap-devel

2. Download the iftop source package, then compile and install it:

# wget http://www.ex-parrot.com/~pdw/iftop/download/iftop-0.17.tar.gz
# tar -zxvf iftop-0.17.tar.gz
# cd iftop-0.17
# ./configure --prefix=/usr/local/iftop/
# make
# make install
# ln -s /usr/local/iftop/sbin/iftop /usr/local/bin/

Use IFTOP to monitor the real-time traffic of network adapters

After installation, running the iftop command displays the real-time traffic of a network interface. By default iftop listens on the first interface it finds; use the -i option to name a different one. Because iftop captures packets through libpcap, it has to run as root (or with the capability to open a raw socket).

Running "iftop -p -i ens37" (replace ens37 with the name of your NIC) produces the typical iftop screen shown in the figure. The -p flag puts the interface into promiscuous mode, so the display also includes traffic between other hosts on the same segment rather than only traffic to and from the local machine; leave it out to see just the local host's own connections.

The iftop screen can be divided into three parts.

The first part is the top line: a bandwidth scale against which the traffic bars in the middle of the screen are drawn.

The second part, the largest, is the list of connections. Each entry has a left column (the local host), a middle column (the direction arrow and the remote host) and, on the right, three numeric columns. The arrow "=>" marks data the local host sends to the remote host and "<=" data it receives from it, and the three columns give the average rate in that direction over the last 2, 10 and 40 seconds. A bar, drawn to the scale from the first part, is overlaid on each line so that the heaviest connections stand out; scanning the bars is the quickest way to see which host accounts for most of the traffic and to narrow down a traffic problem on the network.

The third part, at the bottom, has three rows and three columns. The rows are TX (data sent), RX (data received) and TOTAL (sent plus received). The "cum" column is the cumulative amount sent, received and in total since iftop was started, the "peak" column is the highest rate seen in each direction, and the "rates" column shows the average rate over the last 2, 10 and 40 seconds.

(2) Iftop usage parameters

Iftop has many command-line options beyond -i and -p. Run iftop -h to list all of them.
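The following script ties the screen layout described above to the command-line options. It is an added example, not code from the iftop project or from the original page: it takes one iftop text-mode report and ranks the remote hosts by the 40-second receive rate, so the top talker stands out without reading the curses screen. It assumes a 1.0pre release of iftop, whose -t (text output) and -s (seconds) options print one report and then exit (the 0.17 release installed above has neither option and only shows the curses screen); the report embedded in the script is a constructed sample in the shape of that text output, not a capture from a real host; the 1024-based conversion of the Kb/Mb/Gb labels is an assumption; and the function names rank_peers, top_peer and live_snapshot are the example's own.

```shell
#!/bin/sh
# Added example, not from the iftop project or the original page.
# Rank the remote hosts in one iftop text-mode report by received rate.
# Assumptions: a 1.0pre release of iftop (the -t/-s options are absent in
# 0.17); the sample report below is constructed in the shape of
# `iftop -t -s 10 -n -N` output; iftop's Kb/Mb/Gb labels are taken to be
# 1024-based.

# Constructed sample: local host 10.0.0.5 talking to three peers.
# Each pair is two lines: "local => rates" (sent) then "remote <= rates"
# (received); the rate columns are the 2s, 10s and 40s averages followed
# by the cumulative byte count.
SAMPLE_REPORT='interface: ens37
IP address is: 10.0.0.5
MAC address is: 00:0c:29:ab:cd:ef
Listening on ens37
   # Host name (port/service if enabled)            last 2s   last 10s   last 40s cumulative
--------------------------------------------------------------------------------------------
   1 10.0.0.5                                 =>     1.20Kb     1.10Kb     1.00Kb     5.00KB
     93.184.216.34                            <=     52.0Kb     48.0Kb     45.0Kb      225KB
   2 10.0.0.5                                 =>     3.50Mb     3.10Mb     3.00Mb     15.0MB
     198.51.100.7                             <=       800b       760b       700b     3.50KB
   3 10.0.0.5                                 =>       400b       410b       390b     1.95KB
     203.0.113.9                              <=     1.10Mb     1.05Mb     1.00Mb     5.00MB
--------------------------------------------------------------------------------------------
Total send rate:                                     3.50Mb     3.10Mb     3.00Mb
Total receive rate:                                  1.15Mb     1.10Mb     1.05Mb
Total send and receive rate:                         4.65Mb     4.20Mb     4.05Mb
--------------------------------------------------------------------------------------------
Peak rate (sent/received/total):                     3.50Mb     1.15Mb     4.65Mb
Cumulative (sent/received/total):                    15.0MB     5.23MB     20.2MB
============================================================================================'

# rank_peers: read a report on stdin, print "remote_host sent_bps recv_bps"
# from the 40-second averages, highest receive rate first (then sent rate).
rank_peers() {
    awk '
    # to_bps: "1.20Kb" -> 1228, "800b" -> 800 (assumes 1024-based units)
    function to_bps(s,    n, u) {
        n = s + 0                      # numeric prefix of the label
        u = substr(s, length(s) - 1)   # last two characters, e.g. "Kb"
        if (u == "Kb") return n * 1024
        if (u == "Mb") return n * 1024 * 1024
        if (u == "Gb") return n * 1024 * 1024 * 1024
        return n                       # plain "b"
    }
    # "   1 10.0.0.5  => 2s 10s 40s cum": remember what the local host sent
    $3 == "=>" { sent = to_bps($6); next }
    # "     203.0.113.9  <= 2s 10s 40s cum": pair it with the remote host
    $2 == "<=" { printf "%s %d %d\n", $1, sent, to_bps($5) }
    ' | sort -k3,3nr -k2,2nr
}

# top_peer: the remote host the local machine is receiving most from.
top_peer() {
    rank_peers | head -n 1 | cut -d' ' -f1
}

# live_snapshot IFACE [PCAP_FILTER]: one 10-second report from a real
# interface (needs root). The optional filter uses pcap syntax, e.g.
# 'not port 22' to ignore your own SSH session; it is the same filter
# code the interactive f key edits.
live_snapshot() {
    if [ -n "${2:-}" ]; then
        iftop -t -s 10 -n -N -i "$1" -f "$2"
    else
        iftop -t -s 10 -n -N -i "$1"
    fi
}

# Stand-alone run on the constructed sample. On a live host use:
#   live_snapshot ens37 'not port 22' | rank_peers
printf '%s\n' "$SAMPLE_REPORT" | rank_peers
```

Only the 40-second column is used for ranking because it smooths out short bursts; switch to $4 or $3 (and $5/$4 on the "=>" line) to rank on the 10-second or 2-second averages when you are chasing something brief. The -n and -N options skip DNS and service-name lookups so the snapshot is not delayed by resolver timeouts and so the hosts appear as raw addresses, which is what you want when feeding the output to a script or a firewall rule.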

(3) Interactive operation of iftop

While iftop is running you can sort and filter the display from the keyboard. Press h to show the list of interactive keys (press h again to hide it). The keys are case-sensitive: the lowercase key usually acts on hosts and the uppercase key on ports.

Press n to toggle between showing IP addresses and resolved host names.

Press s to toggle display of the source (local) host.

Press d to toggle display of the destination (remote) host.

Press t to cycle the line display mode: two lines per connection, one line, sent traffic only, or received traffic only.

Press N to toggle between port numbers and service names.

Press S to toggle display of the source port.

Press D to toggle display of the destination port.

Press p to toggle port display on and off.

Press P to pause and resume the display.

Press b to toggle the bar graph of average traffic.

Press B to cycle which average the bar graph is drawn from: the 2-second, 10-second or 40-second rate.

Press T to toggle the cumulative total shown for each connection.

Press l to set a screen filter: type a string, such as an IP address, and press Enter to show only the lines that match it.

Press L to switch the scale line at the top between linear and logarithmic; the bars are redrawn to match the new scale.

Press j or k to scroll the connection list down or up.

Press 1, 2 or 3 to sort by the corresponding rate column on the right.

Press < to sort by the local host name or IP address on the left.

Press > to sort by the remote host name or IP address.

Press o to freeze the current order of the list (press it again to resume sorting).

Press f to edit the filter code. This is a pcap filter expression, the same syntax as the -f option, and it controls which packets iftop counts at all; unlike the l screen filter, packets that do not match are not captured.

Press ! to run a shell command.

Press q to quit.

Iftop's strength is that it shows the network traffic situation in real time, including the source and destination of every flow on an interface. For detecting server network faults and traffic anomalies this is very useful: a single command is often enough to locate the cause of a traffic anomaly or a network fault.