Do it with pkgsrc

Hello, I'm a humble NetBSD user, and I like to discover new packages to do more and more things with my computer. Here I'll post how I do things with pkgsrc. Feel free to make suggestions and comments about it.

2006-06-15

Monitor your network activity with...

net/bmon: Bmon is an interface bandwidth monitor
net/slurm: Realtime traffic statistics
net/wmnet: Dockable network monitor
sysutils/pftop: Utility for real-time display of statistics for PF
wip/tcptrack: Watch TCP connections
sysutils/pfstat: Utility to render graphical statistics for PF

I like to always have an eye on my network activity. When I detect a strange behaviour, I also like to be able to track it down, to know who the hell is trying to hack my box! Most of the time it's actually just a cron job I forgot :)

Here are the tools I use to feed my madness:

bmon is a text-based application which gives you a lot of information about the traffic on each of your network interfaces, including some kind of graph. Very useful when you're not at home.

slurm serves the same purpose as bmon; choosing one or the other is a matter of taste. You can only track one interface at a time, but the display may seem cleaner (though I prefer bmon).

wmnet is a dockapp I use when I'm at home. I tried a lot of dockapps but this one is definitely the best, because you can use a logarithmic scale and thus see little traffic as well as bandwidth tsunamis. You can also customize the colours to adapt it to your desktop's style.

I use it like this:
wmnet --logscale --maxrate=10000000 -t grey -r green -w --device vr0 &


Now let's see the tools I use to have a deeper understanding of what's happening.

If, like me, you use pf as your firewall, you may try pftop. It gives you a very detailed view of every connection currently open on your computer. You can sort connections by address, port, rate, age or number of packets. Not an easy-to-read interface, but there's really a lot of information.

tcptrack is also very handy. The interface looks like top's, and allows you to easily spot the most active connections. I prefer pftop, but if you don't use pf (though I don't understand why, since it's so great), I guess tcptrack is a good tool.

pfstat, for pf users once again, allows you to generate graphs from your network activity. The man page explains pretty well how to set it up, but I will summarize it here.

  • Add the following line to your pf.conf (of course, replace vr0 with the name of the interface you want to log) and restart pf.

set loginterface vr0

  • Add a cron task as root (crontab -e) to feed your log file:

* * * * * /usr/pkg/bin/pfstat -q >>/var/log/pfstat

  • You should consider setting up another cron task to occasionally truncate the log file:

1 1 * * 1 tail -n 50000 /var/log/pfstat >/tmp/pfstat && mv /tmp/pfstat /var/log/pfstat

  • Write a pfstat.conf file and save it in /etc, for example. Here's the one I use; see the man page to write your own:

image "/home2/stats/pfstat-week.png" {
from 1 weeks to now
width 960 height 300
left
graph bytes_v4_in label "incoming" color 0 192 0 filled,
graph bytes_v4_out label "outgoing" color 0 0 255
right
graph states_searches label "states searches" color 192 192 0
}
image "/home2/stats/pfstat-day.png" {
from 1 days to now
width 960 height 300
left
graph bytes_v4_in label "incoming" color 0 192 0 filled,
graph bytes_v4_out label "outgoing" color 0 0 255
right
graph states_entries label "states" color 255 0 0
}
image "/home2/stats/pfstat-hour.png" {
from 1 hours to now
width 960 height 300
left
graph bytes_v4_in label "incoming" color 0 192 0 filled,
graph bytes_v4_out label "outgoing" color 0 0 255
right
graph states_entries label "states" color 255 0 0
}

  • Now add a cron task to refresh your graphs, every five minutes for example:
*/5 * * * * /usr/pkg/bin/pfstat -c /etc/pfstat.conf -d /var/log/pfstat > /dev/null
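The weekly truncation step above works, but a fixed file name in /tmp is a weak spot when the job runs as root: any local user can create /tmp/pfstat (or a symlink there) in advance. Here is an added example, not part of the original post, that does the same job with mktemp in the log's own directory and an atomic rename; the script path in the cron comment is a hypothetical one.

```sh
#!/bin/sh
# Keep the last N lines of a log file, replacing it atomically.
# Added example: equivalent to the weekly cron line
#   1 1 * * 1 tail -n 50000 /var/log/pfstat >/tmp/pfstat && mv /tmp/pfstat /var/log/pfstat
# but the temporary file gets a random name (mode 0600) next to the log
# instead of a predictable name in the world-writable /tmp, so nobody can
# plant a file or symlink there for root's tail to write through.
set -eu

# truncate_log FILE KEEP
# On success FILE holds at most its last KEEP lines and is readable (0644)
# so the "pfstat -q >>" cron job can keep appending to it. Returns non-zero
# and leaves FILE untouched if anything fails.
truncate_log() {
    log=$1
    keep=$2
    dir=$(dirname "$log")
    # mktemp refuses to follow an existing path: it creates a brand-new file
    tmp=$(mktemp "$dir/.pfstat.XXXXXX") || return 1
    if tail -n "$keep" "$log" >"$tmp"; then
        chmod 644 "$tmp"
        # rename within the same filesystem: readers see old or new, never half
        mv "$tmp" "$log"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Hypothetical cron usage (path is an assumption, not from the post):
#   1 1 * * 1 /usr/local/sbin/rotate-pfstat.sh /var/log/pfstat 50000
if [ $# -gt 0 ]; then
    truncate_log "$1" "${2:-50000}"
fi
```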

You can do whatever you want with those graphs, but printing them on a web page hosted on your computer may be a good idea.

Here's the kind of graphs you can obtain:




Of course, I didn't mention netstat because it's not a pkgsrc package, but it's the most useful tool when it comes to monitoring your network activity.
