
Monitoring Tools

Using Linux? You need tools. Lots of really good tools. Two of the best tools for monitoring your network, free for the downloading, are Ethereal and mon, covered in detail in this article by Pat Eyler.
Pat Eyler is the author of Networking Linux: A Practical Guide to TCP/IP (New Riders, 2001, ISBN 0-7357-1031-7).

Ethereal and mon are two great tools for monitoring your networks. Ethereal is the source of all the network traces and packet decodes in Part I of Networking Linux: A Practical Guide to TCP/IP (New Riders, 2001, ISBN 0-7357-1031-7). It also provides some of the functions that you'll want to use when baselining your network. mon also provides functionality to help bolster your baselining.

Although neither of these tools is part of the Red Hat Linux distribution, they should both be installed on your Linux system as quickly as possible.

Ethereal

Ethereal is a very functional protocol analyzer. It has both a GUI (Ethereal) and a command-line interface (Tethereal). Both provide very easy means of finding and watching network traffic.

Listing 1 shows cherry ARPing for a nonexistent host. Figure 1 shows Ethereal having captured some Ethernet traffic.

Listing 1 Using Tethereal

[root@cherry /root]# tethereal
Kernel filter, protocol ALL, raw packet socket
Capturing on eth0
00:e0:98:7c:95:21 -> ff:ff:ff:ff:ff:ff ARP Who has 192.168.1.100? Tell 192.168.1.10
00:e0:98:7c:95:21 -> ff:ff:ff:ff:ff:ff ARP Who has 192.168.1.100? Tell 192.168.1.10
00:e0:98:7c:95:21 -> ff:ff:ff:ff:ff:ff ARP Who has 192.168.1.100? Tell 192.168.1.10

[root@cherry /root]#

Figure 1 Ethereal screen shot.

Ethereal can give you a great deal of insight into the way things are really working on your network, but only in conjunction with a good understanding of the protocols themselves. In this section we'll look at the following topics:

  • Getting and installing Ethereal

  • Using Ethereal to capture packets

  • Using Ethereal to view packets

  • Filtering packets during both capture and display to make network diagnostics a bit simpler

  • Dealing with bugs in Ethereal

Getting and Installing Ethereal

Ethereal is available for a wide range of platforms, including Linux, Windows, and several UNIX platforms. Although Ethereal has a command-line interface, GTK+ must be installed on the system on which it is built. Ethereal also relies on libpcap. In this section I'll build it from source on Linux; however you install it, make sure that you have Ethereal and the two software packages that it relies on. Note also that although binary distributions of Ethereal are available for many platforms, they are not always the most recent, so you might want to take the extra time to build your own.

Downloading Binary Packages

Certainly the easiest way to install Ethereal is with the package-management system of your Linux distribution. The most recent binary packages for Ethereal are available at http://ethereal.zing.org/download.html. In addition to the Ethereal packages themselves, you'll also need to get packages for libpcap and perhaps for ucd-snmp (this will depend on what is installed on your system). After you've located the requisite packages, you're ready to go.

Downloading and Building Source

Building Ethereal is a bit more involved, but not too much. The following build instructions are based on a stock GNOME Workstation install of a Red Hat 6.2 box.

Don't forget that you'll need to install libpcap before you can build Ethereal. You can do this either with RPMs or by building it from source. Building from source isn't too hard, but you'll need to deal with a couple of gotchas when building libpcap on Red Hat 6.2. First, you'll need to create the /usr/local/include and /usr/local/include/net directories, because make install-incl does not create them for you. You also must remember to run make install-incl as well as make install, or the headers that Ethereal's configure script looks for will be missing. The proper installation of libpcap is shown in Listing 2.

Listing 2 Installing libpcap

[root@phred src] tar xzvf libpcap-0.5.2.tar.gz
[root@phred src] cd libpcap-0.5
[root@phred libpcap-0.5] ./configure
[root@phred libpcap-0.5] make
[root@phred libpcap-0.5] make install
[root@phred libpcap-0.5] mkdir -p /usr/local/include/net
[root@phred libpcap-0.5] make install-incl

After libpcap is built, you've got smooth sailing in front of you. Ethereal is a three-step build. Building Ethereal is shown in Listing 3.

Listing 3 Building Ethereal

[root@phred src] tar xzvf ethereal-0.8.14.tar.gz
[root@phred src] cd ethereal-0.8.14
[root@phred ethereal-0.8.14] ./configure
[root@phred ethereal-0.8.14] make
[root@phred ethereal-0.8.14] make install

Using Ethereal to Capture Packets

Because the primary use of a protocol analyzer is to capture packets, that's just what we'll do. I'll start off with a simple example, move to some startup options for Ethereal and Tethereal, and wrap up with a more advanced example.

A Simple Example

Using Ethereal can be quite simple; typing ethereal at the command line (as someone with permission to put the NIC into promiscuous mode) starts the GUI. When the GUI has started, select Capture, Start, which brings up the Capture Preferences window. This should have valid defaults set, but I like to check the Update List of Packets in Real Time and Automatic Scrolling in Live Capture buttons. Now press the Start button and watch your capture run.

While the capture is running, it displays the total number of packets captured in the Ethereal: Capture/Playback window. It also updates the main Ethereal window with each new packet that it grabs. After you've captured what you needed, you can stop the capture by hitting the Stop button in the Ethereal: Capture/Playback window. While the capture is running, you should see something similar to the display shown in Figure 2.

Figure 2 Ethereal capturing packets.

Starting Ethereal

A number of command-line options exist to help make starting Ethereal more pleasant. Table 1 shows some of the more likely candidates.

Table 1 Command Line Options for Ethereal

-i <interface>
    Sets the interface from which Ethereal will capture.

-k
    Causes Ethereal to begin capturing packets immediately upon startup. It must be used with the -i option.

-S
    Causes Ethereal to display packets as they are captured.

-c <count>
    Causes Ethereal to capture only count packets before stopping. It is useful only with the -k option.

-D
    Causes Ethereal to treat the TOS field of IP as the original TOS, not as Differentiated Services.

-f <capture filter>
    Sets a libpcap-style capture filter. libpcap filter syntax is covered in the "ngrep" section of my previous article, "Troubleshooting Tools."

-n
    Disables name resolution; all packets are displayed with numeric IP addresses, TCP ports, and UDP ports.

-r <infile>
    Causes Ethereal to read packets from a saved file instead of an interface. Using previous captures is covered in the upcoming section "Viewing Saved Captures."

-R <read filter>
    Sets a read filter. Read filters are discussed in the upcoming section "Filtering Packets to Be Displayed."

-t <time stamp format>
    Changes the format of the packet timestamps. The three possible formats are as follows:
      r  Relative to the first packet (the default)
      a  Actual date and time of the packet
      d  Relative to the previous packet

-w <savefile>
    Sets the name of the file to which the capture will be saved. Working with saved captures is covered in the upcoming section "Viewing Saved Captures."

A useful startup command for Ethereal might look like this:

[root@cherry /root]# ethereal -i eth0 -c 100 -D -t a -k -S &

This starts Ethereal, begins capturing from eth0 immediately, displays packets as they're captured (interpreting the TOS field with its original IPv4 meaning), shows the actual date and time of each packet, and stops after 100 packets have been captured.

Starting Tethereal

Tethereal can be run in instances in which you have no good way to display the GUI for Ethereal or you don't need its extra weight to accomplish the task at hand (for example, you're just doing a file capture). Tethereal can be run like the session shown in Listing 4.

Listing 4 Starting Tethereal

[root@cherry /root]# tethereal
Kernel filter, protocol ALL, raw packet socket
Capturing on eth0
skull.eventloop.com -> 192.168.1.10 IRC Response
192.168.1.10 -> resolver1.level3.net DNS Standard query PTR 225.211.98.209.in-addr.arpa
192.168.1.10 -> skull.eventloop.com TCP 1096 > ircd [ACK] Seq=984303403 Ack=994498041 Win=31856 Len=0
resolver1.level3.net -> 192.168.1.10 DNS Standard query response PTR skull.eventloop.com
192.168.1.10 -> resolver1.level3.net DNS Standard query PTR 10.1.168.192.in-addr.arpa
resolver1.level3.net -> 192.168.1.10 DNS Standard query response, Name error
192.168.1.10 -> resolver1.level3.net DNS Standard query PTR 3.0.244.209.in-addr.arpa
resolver1.level3.net -> 192.168.1.10 DNS Standard query response PTR resolver1.level3.net

[root@cherry /root]#

Like Ethereal, Tethereal is often better used with the command-line options listed in Table 1. Some of the options either make no sense in the context of the Tethereal interface (for instance, -t, because Tethereal has no time display) or are not allowed (for instance, -S). A good example of a more useful Tethereal command might be this:

[root@cherry /root]# tethereal -i eth0 -c 10 -n -w quickcapture

This command captures the next 10 packets received on eth0 into the file quickcapture without doing any name resolution.

Viewing Packets with Ethereal

The main window for Ethereal is divided into three sections, called panes. The top pane is the packet list pane, which shows a summary of each packet captured. The middle pane is the tree view pane, which shows a more detailed view of any packet selected in the packet list pane. The bottom pane is the data view pane, which shows a hex breakout and ASCII representation of any packet selected in the packet list pane. There are also menu options of interest when viewing packets; we'll look at these in more detail in the following sections.

A Simple Session Revisited

The simple Ethereal session described previously results in the final capture shown in Figure 3.

Figure 3 A simple Ethereal capture.

After the data is captured, you can look at it in several ways, with a variety of tools. One way to look at the data is to review the Ethereal summary data, as shown in Figure 4.

Figure 4 Ethereal summary data.

This summary shows the following:

  • Information about the file (which we'll ignore)

  • Information about the data (which we'll cover shortly)

  • Information about the capture (which we'll cover right after the information about the data)

You can bring up the summary window by selecting Tools, Summary. The information about the data tells you a good deal about the traffic in the capture: how long it took for the traffic to be sent, how many packets were sent, how much data was sent, how much data per packet (average), and how much data per second (average). This information becomes much more useful when combined with filters (see the upcoming section "Filtering Packets with Ethereal" for more information about writing filters). For example, if you want to determine the load that connecting to an IRC server will put on your network, you can capture a 15-minute IRC session while filtering for just IRC traffic. Then you can see the average amount of data that IRC transferred over those 15 minutes. Bear in mind that you probably will want to check this at several points during the day, just to get a more realistic picture of the traffic load.

The capture information provides the context needed to make sense of the capture. It shows what interface the capture is from, what capture filter was used, and what display filter is in use. In the IRC example described in the previous paragraph, the data would be misleading if it also contained HTTP traffic. Looking at the capture information can help ensure that we're looking at just the data we want.

Another way of looking at the packets is to look at only those packets matching certain criteria. To be really effective at this, you'll need to write a display filter, but Ethereal provides a quick mechanism to create a simple filter for you. If you select a field in the tree view pane (for example, an Ethernet II Type field containing ARP) and then click Display, Match Selected, Ethereal creates a display filter matching all packets with an Ethernet II type of ARP. This is shown in Figures 5 and 6.

Figure 5 Selecting content to match.

Figure 6 Ethereal matching selected packets.

Because captured traffic is spread over several packets, it can be difficult to see just what traffic is being pushed around the network. Ethereal provides a way to do this, following a TCP stream. In Figure 7, you can see a TCP stream containing an HTTP session. You can follow a TCP session by selecting a TCP packet in the packet list pane and then clicking Tools, Follow TCP Stream.

Figure 7 A TCP stream.

In this example, the first block of data is an HTTP request sent by the client. The second block of data is an HTTP error message returned by the server.

Saving a Capture File

Having captured a pile of network traffic, you'll probably want to look at it again later. Ethereal enables you to save your capture to a file. This can be done from the command line (the only way to do it with Tethereal), from the Capture Preferences screen, or after you've stopped a capture by selecting File, Save (which is also accessible from the keyboard shortcut Ctrl+S). This brings up the Save Capture File As window.

This window enables you to save your capture in a number of formats; it also enables you to save only the currently displayed packets (using the Save Only Packets Currently Being Displayed button).

Viewing Saved Captures

Sometimes you'll want to look at traffic that's no longer moving on the network (either for diagnostics or to review or learn more about a protocol). For these cases, Ethereal provides a convenient method for saving and viewing captured files. In fact, Ethereal even provides the capability to view captures saved from other applications.

To view a saved capture, select File, Open, which brings up the Open Capture File interface. This window presents a common file selection tool with which you should select the name of the capture file that you want to view. You can also select the file on startup, using ethereal -r capturefile.

Filtering Packets with Ethereal

Even a small network can have a lot of data running over it. Filters help you cut through the chaff to see just the data you are interested in. Two kinds of filters exist for Ethereal, capture filters and display filters. Capture filters are applied as the data is being read from the network. If traffic doesn't match the filter, it isn't read into Ethereal. Display filters are applied against traffic that Ethereal has already captured. Both styles of filters, with some pros and cons, are covered in the next two sections.

Filtering Packets to Be Captured

Capture filters are written in the libpcap syntax, which is covered in more detail in the section "ngrep" in my previous article, "Troubleshooting Tools." A quick overview is provided here as well. Capture filters are nice because they are very fast and because they operate on the raw traffic as it is being captured. This can be a huge benefit on a busy LAN; you'll get only the traffic you're interested in, not the other 8MB of traffic that you'd otherwise have to wade through. Capture filters are not a panacea, though; they may get you only 50% of the way to your goal. That's where display filters come in.

libpcap-style filters are built from primitives of the form [not] [direction] [type] id (such as src host 192.168.1.10). These primitives can be combined with the conjunctions and and or. If you want to see all traffic between 192.168.1.1 and 192.168.1.10, you can use a filter such as host 192.168.1.1 and host 192.168.1.10. To look at traffic going from 192.168.1.1 to 192.168.1.10 and not the return traffic, you can use src host 192.168.1.1 and dst host 192.168.1.10.

Filtering Packets to Be Displayed

The display filter syntax is much more expressive (and capable) than the capture filters described previously. Although capture filters are entered at the start of the capture (either on the command line or in the Capture Preferences window), display filters are entered after the capture is complete. With a capture buffer loaded, you can define a display filter in the filter section of the status bar at the bottom of the Main window. You can clear your active display filter by clicking the Reset button.

Despite their expressive syntax, display filters can be quite basic. A simple filter to look at all the traffic from 192.168.1.1 to 192.168.1.10 would look like ip.src == 192.168.1.1 && ip.dst == 192.168.1.10.

A much cooler example would be to look at all traffic from 192.168.1.20 or 192.168.1.21 that has the TCP SYN bit set; this would be written as (ip.src==192.168.1.21 or ip.src==192.168.1.20) and tcp.flags.syn==1. Note that each ip.src comparison must be spelled out, and that a bare tcp.flags.syn matches every TCP packet (the field is present whether or not the bit is set), so the comparison with 1 is needed. If you want to extend the previous filter to exclude HTTPS traffic, you could write ((ip.src==192.168.1.21 or ip.src==192.168.1.20) and tcp.flags.syn==1) and not tcp.port==443.

Ethereal provides additional filter comparison operators as well. ==, !=, >, <, >=, and <= are all available in this C-style format or with English-style names (eq, ne, gt, lt, ge, le). Beyond this, you can use a slice operator to match part of a field's value. For example, you might want to match on the first three octets of an Ethernet source address; you could do that with eth.src[0:3] == 00:a0:d2.
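The summary statistics from the section "A Simple Session Revisited" and the display filters just described, worked through in code. This is an added example, not code from the article or from the Ethereal project: it reads a capture in the libpcap file format that Ethereal and Tethereal -w save, decodes the fields under the same names Ethereal's display filters use, applies the SYN and ARP filters from the text, and computes the elapsed time, packet count, bytes and averages shown in the Tools, Summary window. The capture itself is constructed in the block; the MAC address 00:e0:98:7c:95:21 and the 192.168.1.x hosts come from the article, while the peer MAC, the host 10.0.0.5, the ports and the timestamps are made up.

```python
"""Added example: minimal libpcap reader, Ethereal-style field decode, display-filter
analogues and Tools, Summary statistics over a constructed capture (not a real trace)."""
import socket
import struct
from typing import Callable, Dict, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # libpcap file magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08
CHERRY_MAC = bytes.fromhex("00e0987c9521")   # cherry's NIC, as seen in Listing 1
PEER_MAC = bytes.fromhex("00a0d2000001")     # constructed MAC for the other end


def tcp_frame(src_mac: bytes, src_ip: str, dst_ip: str, sport: int, dport: int,
              flags: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 31856, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return PEER_MAC + src_mac + struct.pack("!H", ETHERTYPE_IP) + ip + tcp


def arp_request(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """Constructed ARP 'Who has target_ip? Tell src_ip' broadcast, as in Listing 1."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IP, 6, 4, 1, src_mac,
                      socket.inet_aton(src_ip), b"\0" * 6, socket.inet_aton(target_ip))
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


def build_pcap(frames: List[Tuple[float, bytes]]) -> bytes:
    """Serialize frames in the libpcap format that Ethereal and Tethereal -w write."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) pairs from a little-endian libpcap file of Ethernet frames."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian libpcap file with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + caplen]
        off += caplen


def decode(frame: bytes) -> Dict[str, object]:
    """Decode the fields the article's filters refer to, keyed by Ethereal's field names."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    f: Dict[str, object] = {"frame.len": len(frame), "eth.dst": mac(frame[0:6]),
                            "eth.src": mac(frame[6:12]),
                            "eth.type": struct.unpack_from("!H", frame, 12)[0]}
    if f["eth.type"] != ETHERTYPE_IP:
        return f
    ihl = (frame[14] & 0x0F) * 4
    f["ip.proto"] = frame[23]
    f["ip.src"], f["ip.dst"] = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    if f["ip.proto"] == 6:                                   # TCP header follows the IP header
        t = 14 + ihl
        f["tcp.srcport"], f["tcp.dstport"] = struct.unpack_from("!HH", frame, t)
        f["tcp.flags.syn"] = bool(frame[t + 13] & TCP_SYN)  # the bit, not mere field presence
    return f


def summarize(pkts: List[Tuple[float, bytes]]) -> Dict[str, float]:
    """The 'data' part of the Tools, Summary window: elapsed time, packets, bytes, averages."""
    if not pkts:
        return {"elapsed_s": 0.0, "packets": 0, "bytes": 0,
                "avg_bytes_per_packet": 0.0, "avg_bytes_per_second": 0.0}
    total = sum(len(fr) for _, fr in pkts)
    elapsed = pkts[-1][0] - pkts[0][0]
    return {"elapsed_s": elapsed, "packets": len(pkts), "bytes": total,
            "avg_bytes_per_packet": total / len(pkts),
            "avg_bytes_per_second": total / elapsed if elapsed > 0 else 0.0}


def apply_display_filter(data: bytes, keep: Callable[[Dict[str, object]], bool]) -> List[Tuple[float, bytes]]:
    """Display-filter analogue: decode every saved packet and keep the ones that match."""
    return [(ts, fr) for ts, fr in read_pcap(data) if keep(decode(fr))]


def syn_from_lan_hosts(f: Dict[str, object]) -> bool:
    """((ip.src==192.168.1.21 or ip.src==192.168.1.20) and tcp.flags.syn==1) and not tcp.port==443"""
    return (f.get("ip.src") in ("192.168.1.20", "192.168.1.21") and f.get("tcp.flags.syn") is True
            and 443 not in (f.get("tcp.srcport"), f.get("tcp.dstport")))


def arp_only(f: Dict[str, object]) -> bool:
    """The Display, Match Selected filter of Figures 5 and 6: Ethernet II type ARP."""
    return f["eth.type"] == ETHERTYPE_ARP


# Constructed six-packet capture: an IRC connect, an HTTPS SYN, an HTTP SYN and an ARP probe.
SAMPLE_PCAP = build_pcap([
    (0.0, tcp_frame(CHERRY_MAC, "192.168.1.20", "192.168.1.10", 1096, 6667, TCP_SYN)),
    (0.5, tcp_frame(PEER_MAC, "192.168.1.10", "192.168.1.20", 6667, 1096, TCP_SYN | TCP_ACK)),
    (1.0, tcp_frame(CHERRY_MAC, "192.168.1.20", "192.168.1.10", 1096, 6667, TCP_PSH | TCP_ACK, b"NICK pate\r\n" * 4)),
    (2.0, tcp_frame(CHERRY_MAC, "192.168.1.21", "10.0.0.5", 1099, 443, TCP_SYN)),
    (3.0, tcp_frame(CHERRY_MAC, "192.168.1.21", "192.168.1.10", 1100, 80, TCP_SYN)),
    (4.0, arp_request(CHERRY_MAC, "192.168.1.10", "192.168.1.100")),
])

if __name__ == "__main__":
    print("whole capture:", summarize(list(read_pcap(SAMPLE_PCAP))))
    print("SYNs from .20/.21, no HTTPS:", summarize(apply_display_filter(SAMPLE_PCAP, syn_from_lan_hosts)))
    print("ARP only:", summarize(apply_display_filter(SAMPLE_PCAP, arp_only)))
```

Replace SAMPLE_PCAP with the bytes of a file written by tethereal -w to run the same summary over a real capture; frames with a snaplen shorter than 54 bytes would need a length check before decoding.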

Reporting Bugs

If you happen to find a bug in Ethereal, please report it. If you're a C hacker and think you know how to fix it, don't hesitate to send in a patch as well. (Your patch might not be used, but it will likely help the developers see where things are going wrong.)

Bug reports can be directed to the ethereal-dev mailing list (you can subscribe through http://ethereal.zing.org/; click the Mailing Lists link on the left side). Your bug report should include the following three things (at a minimum):

  • The version of Ethereal that you are using and the versions of the software that it is linked against. This can be grabbed from ethereal -v, like so:

    [pate@cherry sgml]$ ethereal -v
    ethereal 0.8.7, with GTK+1.2.7, with libpcap 0.4, with libz 1.1.3, with UCD SNMP 4.1.1
    [pate@cherry sgml]$

  • A traceback of Ethereal, if it crashed. Look for a core file in your current working directory, run file core against it to ensure that it is the Ethereal core file (you also might want to verify the date of the core file, just to be safe), and then run gdb with its output redirected to a file, typing the backtrace and quit commands at its (now invisible) prompt:

    [pate@cherry pate]$ gdb /usr/bin/ethereal core >& backtrace.txt
    backtrace
    quit
    [pate@cherry pate]$

    This creates a file called backtrace.txt, which you can mail in with your bug report.

  • A description of what you were doing when Ethereal exhibited the bug. The more detail you can add here, the better.

Creating a good bug report is an art form, but it's something that should be taken seriously. The developers of Ethereal can't help fix problems if they don't know what is broken.
