Linux Network Monitoring Tools


Network communication is one of the most basic functions of a Linux host, and we often need to inspect its network state: which ports are open, who is connected, which process is using the bandwidth, and what is actually on the wire. Linux has many network monitoring tools; this article introduces the common ones.


Netstat

Netstat is a versatile command-line network monitoring tool under Linux. It shows the host's current network connections, routing table, interface statistics and per-protocol counters. Netstat is installed by default in many distributions, such as CentOS 6. In CentOS 7 and 8 it has been superseded by ss from the iproute2 package and is no longer installed by default, but it can still be installed.

Ubuntu and Debian users can install it with the default apt package manager. Netstat is part of the net-tools package and can be installed by running the following command in a shell or terminal:

  sudo apt-get install net-tools

CentOS, Fedora, and RHEL users can use the yum package manager:

  yum install net-tools

Once installed, running netstat with no arguments lists every open socket, including Unix domain sockets, which is rarely what you want; the useful forms take options:

  netstat


The most commonly used netstat invocations:

  netstat -ntlp
  netstat -ntulp

These show the sockets local applications are listening on: the protocol, local address and port, and the program name with its PID (-n prints numeric addresses instead of resolving names, which is faster and avoids DNS lookups; -u adds UDP; -p needs root to show processes owned by other users).

To view all current connections rather than only listeners, add -a (netstat -nat); -c repeats the output every second so it can be watched live.

This lists the local IP and port of each connection, the remote IP and port, and the connection state. Counting connections per state is a quick way to judge the health of a service (a pile of CLOSE_WAIT usually means the application is not closing its sockets; a flood of SYN_RECV can indicate a SYN flood), to guide kernel network tuning, and to troubleshoot. A single pipeline lists the number of TCP connections in each state:

  netstat -natlp|perl -lane 'print $F[5]'|sort|uniq -c
  2 CLOSE_WAIT
  1 established)
  29 ESTABLISHED
  1 Foreign
  23 LISTEN
  5 TIME_WAIT

The two odd lines, "established)" and "Foreign", are the sixth field of netstat's two header lines, which the one-liner does not skip. Keeping only the lines whose first field starts with tcp removes them.

Another common use of netstat is to view the local interface configuration, which has the same effect as ifconfig:

  netstat -ie

For more netstat usage, consult the manual page, as with most Linux commands, by typing man netstat in the shell or terminal:

  man netstat

SS

The ss command, provided by iproute2, is the new-generation tool that many distributions use in place of netstat. It gets its information faster: on a machine with a large number of connections, ss returns the connection state table noticeably quicker than netstat.

iproute2 is installed by default on most distributions and can otherwise be installed with the package manager (the package is named iproute2 on Debian/Ubuntu and iproute on CentOS/RHEL/Fedora):

  sudo apt-get install iproute2
  yum install iproute

man ss describes how to use ss. The most common options:

  • -l shows all locally listening sockets
  • -lp adds the owning process and PID; ss -nutlp is equivalent to netstat -nutlp
  • -tlp and -ulp show the TCP and UDP listeners respectively
  • -ta shows all TCP sockets and -ua all UDP sockets; -n prints numeric addresses and ports

To count sockets by state (in ss -a output the first column is the Netid and the second the State, so $F[1] is the state; the header line contributes one stray "State" entry, and adding -t drops the Netid column, moving the state to $F[0]):

  • ss -a|perl -lane 'print $F[1]'|sort|uniq -c
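The perl one-liners above (for netstat under Netstat and for ss here) both let header lines through into the counts. The following is an added example, not code from the original article: a POSIX shell/awk counter that accepts either netstat -nat or ss -tan output, skips the headers, and also reports which remote address holds the most established connections. The two samples of command output are constructed for the example, using documentation-range addresses.

```shell
#!/bin/sh
# Count TCP sockets per state from either `netstat -nat` or `ss -tan` output,
# skipping the header lines that the perl one-liners let through.
# Added example, not from the original article; both samples below are
# constructed (RFC 5737 documentation addresses), not real captures.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.9:40000      TIME_WAIT
tcp        0      0 10.0.0.5:443            198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.9:40002      ESTABLISHED
tcp        0    480 10.0.0.5:443            198.51.100.10:40010     CLOSE_WAIT
tcp6       0      0 :::80                   :::*                    LISTEN'

SAMPLE_SS='State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN   0      128    0.0.0.0:22          0.0.0.0:*
ESTAB    0      0      10.0.0.5:22         203.0.113.7:51234
ESTAB    0      0      10.0.0.5:443        198.51.100.9:40001
SYN-RECV 0      0      10.0.0.5:443        192.0.2.77:6000
SYN-RECV 0      0      10.0.0.5:443        192.0.2.77:6001'

# tcp_states: read netstat -nat or ss -tan output on stdin, print "<count> <STATE>".
# netstat rows start with tcp/tcp6 and carry the state in the last column;
# ss rows start with the state itself (upper case, e.g. ESTAB, TIME-WAIT).
# Header lines ("Proto ...", "Active ...", "State ...") match neither rule.
tcp_states() {
  awk '$1 ~ /^tcp/ { c[$NF]++; next }
       $1 ~ /^[A-Z0-9-]+$/ { c[$1]++ }
       END { for (s in c) print c[s], s }' | sort -k2
}

# state_count STATE OUTPUT: number of sockets in one state in OUTPUT (0 if none).
state_count() {
  n=$(printf '%s\n' "$2" | tcp_states | awk -v s="$1" '$2 == s { print $1 }')
  echo "${n:-0}"
}

# top_peers: ESTABLISHED connections per remote IP from netstat -nat output,
# busiest first. The port is stripped after the last colon, so IPv6 peers work
# too. One remote address holding most of the connections is the first thing
# to look at when a service is running out of sockets.
top_peers() {
  awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" { sub(/:[^:]*$/, "", $5); c[$5]++ }
       END { for (p in c) print c[p], p }' | sort -rn
}

printf '%s\n' "$SAMPLE_NETSTAT" | tcp_states
printf '%s\n' "$SAMPLE_SS" | tcp_states
printf '%s\n' "$SAMPLE_NETSTAT" | top_peers
# On a live host:  netstat -nat | tcp_states    or    ss -tan | tcp_states
```

Note that netstat and ss spell the states differently (ESTABLISHED versus ESTAB, TIME_WAIT versus TIME-WAIT), so a threshold check written against one tool's output will silently miss the other's.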

When the host has a large number of connections, ss is much faster than netstat. The main reason is that ss queries the kernel's tcp_diag (sock_diag netlink) interface, which returns socket information directly from the kernel, whereas netstat reads and parses /proc/net/tcp and then computes its statistics, which is slower.

ss supports a filter syntax, for example:

  • ss -o state established '( dport = :ssh or sport = :ssh )' shows all established SSH connections (default port 22)
  • ss -o state established '( dport = :http or sport = :http )' shows all established HTTP connections

Other fields can be filtered on as well; to list the sockets whose local address is 127.0.0.1, use:

  ss src 127.0.0.1
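A question ss -ltnp answers that matters more for security than for performance is which listeners are reachable from off the host. The following is an added example, not code from the original article: a POSIX shell/awk audit of ss -ltnp output that classifies each listening socket as bound to a wildcard or real interface address (exposed) or to loopback only, and pulls the owning process name out of the users:(...) column. The sample output is constructed for the example; process names and PIDs in it are invented.

```shell
#!/bin/sh
# Audit listening sockets from `ss -ltnp` output: which services are reachable
# from outside the host versus bound to loopback only.
# Added example, not from the original article; the sample output below is
# constructed, with invented process names and PIDs.

SAMPLE_SS_L='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1204,fd=21))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=990,fd=6),("nginx",pid=991,fd=6))
LISTEN 0      128    10.0.0.5:8080       0.0.0.0:*         users:(("java",pid=1500,fd=45))
LISTEN 0      128    [::1]:6379          [::]:*            users:(("redis-server",pid=1337,fd=7))
LISTEN 0      4096   [::]:9100           [::]:*            users:(("node_exporter",pid=2001,fd=3))'

# listeners: read ss -ltnp output on stdin, print "<scope> <port> <process>" per
# listening socket. scope is "exposed" for wildcard binds (0.0.0.0, [::], *) and
# for binds to a specific interface address, "loopback" for 127.x / [::1].
# The port is the text after the last colon of the local address (works for
# bracketed IPv6); the process name is the first quoted string in the users:() field.
listeners() {
  awk '$1 == "LISTEN" {
         addr = $4; port = $4
         sub(/.*:/, "", port)          # keep only the port
         sub(/:[^:]*$/, "", addr)      # keep only the address, brackets included for IPv6
         if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "exposed"
         else if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
         else scope = "exposed"        # bound to one real interface address
         proc = "?"
         if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
         print scope, port, proc
       }'
}

# ports_with_scope SCOPE OUTPUT: numerically sorted, space-separated ports with that scope.
ports_with_scope() {
  printf '%s\n' "$2" | listeners | awk -v s="$1" '$1 == s { print $2 }' \
    | sort -n | tr '\n' ' ' | sed 's/ $//'
}

exposed_ports()  { ports_with_scope exposed "$1"; }
loopback_ports() { ports_with_scope loopback "$1"; }

printf '%s\n' "$SAMPLE_SS_L" | listeners
echo "exposed:  $(exposed_ports "$SAMPLE_SS_L")"
echo "loopback: $(loopback_ports "$SAMPLE_SS_L")"
# On a live host:  sudo ss -ltnp | listeners     (root is needed for -p to name every process)
```

Diffing the exposed list against what the host is supposed to serve is a cheap nightly check; a new entry such as a debug port or a metrics exporter bound to [::] is exactly the kind of drift that firewall rules are usually not written for.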

Network traffic statistics

1. iftop

If you want to know the bandwidth usage per host, iftop is the usual choice. Given an interface (iftop -i eth0), iftop shows the traffic flows it sees on that interface and a table of current bandwidth use per host pair; if no interface is specified it picks the first external interface. It needs root, since it captures packets with libpcap.


In the statistics window, press h to get help information:


iftop can be installed through the distribution's package manager:

  sudo apt-get install iftop

or, with yum:

  yum install iftop

2. Nethogs

nethogs is a free network statistics tool that groups bandwidth by process (PID) rather than by protocol or subnet as most tools do, which makes it the quickest way to find out which process is consuming the bandwidth. It supports both IPv4 and IPv6 and can be installed directly from the distribution's packages.

Run it as root to display the TCP download and upload rate of each process; an interface name can be appended to restrict it to that interface:

  sudo nethogs eth0


3. nload

nload is a console application that can be used to monitor network traffic and bandwidth usage in real-time, and it visualizes the traffic by providing two easy to understand graphs.

nload is very simple to use: start it with nload and no further options. It provides shortcut keys for switching interfaces while monitoring; the left and right arrow keys move the display between interfaces.


The graphs provided by the nload tool are very easy to understand, providing the most useful statistics and other information, such as the total amount of data transferred and the minimum/maximum network usage.

4. slurm

slurm is a neat network load monitor that displays its results concisely and supports many interactive shortcuts: c switches to classic mode, s to split view, r redraws the screen, L enables the TX/RX LEDs, m switches between classic, split and large view, and q quits.

slurm is available in the official Ubuntu and Debian repositories and can be installed with apt:

  apt install slurm

5. collectl

collectl can be used to collect data describing the current system state, and supports both record mode and playback mode.

  • Recording mode allows data to be acquired from a live system and displayed on a terminal or written to one or more files or sockets.
  • The playback mode can read and display the information in one or more data files generated in the recording mode.

collectl can be started directly and run, and can display system CPU, disk and network statistics:


You can use the -s option to specify the information you want to count:


For example, to collect detailed network information, you can use collectl -sN


collectl is a very comprehensive and powerful tool. Due to space limitations, this article will not expand on it. I will introduce it in detail when I have the chance.

6. Speedometer

Speedometer is a small, simple tool that just plots the downstream and upstream traffic on a given interface. It can be installed with the distribution's package manager:

  sudo apt-get install speedometer
  yum install speedometer

Speedometer is very easy to use and can be started directly from the command line; -r plots received and -t transmitted traffic for the named interface:

  speedometer -r eth0 -t eth0

7. tcptrack

tcptrack displays the status of TCP connections seen on a given network interface. tcptrack monitors their status and displays information such as state, source/destination addresses, and bandwidth usage in a sorted, updated list.

tcptrack needs to run as root, and takes the name of the interface whose TCP connections you want to monitor:

  sudo tcptrack -i eth0

To restrict it to a specific port, append a pcap filter expression after the interface name:

  sudo tcptrack -i wlan2 port 80

tcptrack also supports reading packets in .pcap format and performing statistics, either directly displaying them or saving them as files.

Network packet capture

1. tcpdump

tcpdump is a network monitoring and packet capture tool; capturing packets with it is the standard way to debug network or server problems at the wire level.

tcpdump is in the default repositories of Ubuntu and Debian, so it can be installed with apt using sudo:

  sudo apt-get install tcpdump

tcpdump needs root privileges, since it opens the interface for capture. To capture on interface eth0:

  sudo tcpdump -i eth0

The interface is selected with -i, and a BPF filter expression restricts the capture, for example to a port (web traffic on 80):

  sudo tcpdump -i eth0 'port 80'

tcpdump can write the captured packets to a pcap file for later analysis with other tools such as Wireshark:

  sudo tcpdump -i eth0 -w aaa.pcap
  wireshark aaa.pcap

A pcap file contains full payloads, so treat it with the same care as the data that crossed the wire.

2. tcpflow

tcpflow is also a command-line packet capture program, but it captures the data carried by each TCP connection (flow) and stores it in a form convenient for protocol analysis and debugging. It reconstructs the actual data stream and writes each flow to its own file for later analysis. It understands TCP sequence numbers and reassembles the stream correctly regardless of retransmissions or out-of-order delivery. Unlike tcpdump, which shows data packet by packet, tcpflow shows it per stream, which is more convenient for analysis. By default tcpflow prints nothing to the terminal; it creates one file per flow in the current directory, named after the source ip.port and destination ip.port. -c prints the flow contents to the terminal instead, and -p disables promiscuous mode:

  tcpflow -cp

-i selects a specific interface, and a pcap filter expression can be appended:

  sudo tcpflow -i eth0 port 80

3. Wireshark and Tshark

Most readers are probably familiar with the Wireshark graphical tool. For reasons of space it is not covered here; instead we introduce tshark, the command-line sibling of Wireshark.

tshark can be installed with the distribution package manager (on Debian/Ubuntu the installer asks whether non-root users should be allowed to capture; on CentOS/RHEL it is part of the wireshark package):

  sudo apt install tshark
  yum install wireshark

tshark is easy to use; start a capture on an interface with:

  sudo tshark -i eth0

tshark has powerful filtering options, like tcpdump; this article does not go into them in detail. Two commonly used examples for reference:

Capture HTTP requests and print the host and URI of each:

  tshark -s 512 -i eth0 -n -f 'tcp dst port 80' -R 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri

Explanation:

  • -s: capture only the first 512 bytes of each packet;
  • -i: capture on the eth0 interface;
  • -n: do not resolve addresses to names;
  • -f: capture filter (BPF syntax): TCP with destination port 80;
  • -R: read filter: keep only packets that carry the http.host and http.request.uri fields;
  • -T fields -e: print just those two fields;

Note that in current tshark versions -R is a two-pass read filter and must be combined with -2; for single-pass filtering use -Y with the same expression.

Capture SQL query statements on a database server, which can be used for database auditing:

  tshark -s 512 -i eth0 -n -f 'tcp dst port 3306' -R 'mysql.query' -T fields -e mysql.query

Explanation:

  • -R 'mysql.query': keep only packets carrying a MySQL query
  • -T fields -e mysql.query: print the query text

This only works while the MySQL traffic is unencrypted; once client and server negotiate TLS the dissector sees nothing. Conversely, where it does work it exposes every query, including any literals in them, to whoever can read the output, so treat it as sensitive data.

Nagios Network Monitoring

Nagios is a leading open-source monitoring and alerting system that lets network and system administrators identify and resolve server problems before they affect major business processes. With Nagios an administrator can watch remote Linux and Windows hosts, switches, routers and printers in one place; hosts and checks that exceed the configured thresholds raise alerts, which are then investigated.

Nagios has a web interface with a graphical view of activity. If you are accessing it from another machine, replace localhost in the URL with the server's IP address, then log in with the username and password to reach the status screens.


Conclusion

In this article Chongchong has introduced the network monitoring tools available under Linux. Each has its own functions and options. To see network configuration and connection state, use netstat and ss. To find which process is consuming bandwidth, use nethogs; iftop shows bandwidth per host pair; tools such as nload report overall bandwidth usage; tcpdump, tcpflow and tshark capture packets for analysis.
