|
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
[ More Info ]
An RPM file that can be used to install the software on Linux systems is available from http://www.stearns.org/pktstat/. As of December 13, 2006, the current version is 1.7.2q. I installed the software from the RPM file.
# wget http://www.stearns.org/pktstat/pktstat-1.7.2q-0.i386.rpm
# rpm -qip pktstat-1.7.2q-0.i386.rpm
warning: pktstat-1.7.2q-0.i386.rpm: V3 RSA/MD5 signature: NOKEY, key ID f322929d
Name : pktstat Relocations: (not relocateable)
Version : 1.7.2q Vendor: David Leonard
Release : 0 Build Date: Thu 10 Jul 2003 12:38:40 AM EDT
Install Date: (not installed) Build Host: sparrow
Group : Applications/Internet Source RPM: pktstat-1.7.2q-0.src.rpmSize : 145837 License: Public Domain
Signature : RSA/MD5, Thu 10 Jul 2003 12:38:40 AM EDT, Key ID 012334cbf322929d
Packager : William Stearns <wstearns@pobox.com>
URL : http://www.itee.uq.edu.au/~leonard/personal/software/#pktstat
Summary : Displays a live list of active connections and what files are being transferred.
Description :
Display a real-time list of active connections seen on a network
interface, and how much bandwidth is being used by what. Partially
decodes HTTP and FTP protocols to show what filename is being
transferred. X11 application names are also shown. Entries hang around
on the screen for a few seconds so you can see what just happened. Also
accepts filter expressions a la tcpdump.
# rpm --install pktstat-1.7.2q-0.i386.rpm
warning: pktstat-1.7.2q-0.i386.rpm: V3 RSA/MD5 signature: NOKEY, key ID f322929d
Once installed the software can be run with the pktstat
command. If you need to install from the source code rather from the RPM
package, the steps to install the software are fairly straightforward
and can be found at Bandwidth
Monitoring Tools, which also lists a number of other free bandwidth
monitoring tools.
The software can show you what files people are accessing on your web server in realtime as shown below:
interface: eth0
load averages: 6.3k 3.2k 1.4k bps
bps % desc
779.9 2% icmp unreach port frostdragon -> ns2
tcp adsl-68-126-206-36:2039 <-> frostdragon:http
- GET /notebook/encyclopedia/s/slr_chibimoon.htm
tcp adsl-68-126-206-36:2041 <-> frostdragon:http
- 304 GET /notebook/encyclopedia/s/slr_chibimoon.htm
tcp adsl-68-126-206-36:2042 <-> frostdragon:http
- 304 GET /graphics/notepad.gif
tcp adsl-68-126-206-36:2043 <-> frostdragon:http
- 304 GET /notebook/encyclopedia/s/slr_chibimoon-title.jpg
tcp adsl-68-126-206-36:2044 <-> frostdragon:http
- 304 GET /notebook/encyclopedia/s/slr_chibimoon-002.jpg
tcp adsl-68-126-206-36:2045 <-> frostdragon:http
- 304 GET /notebook/encyclopedia/s/slr_chibimoon-001.jpg
tcp adsl-68-126-206-36:2046 <-> frostdragon:http
- 304 GET /notebook/encyclopedia/s/slr_chibimoon-lunapball.gif
278.1 0% tcp adsl-68-126-206-36:2047 <-> frostdragon:http
- 304 GET /notebook/encyclopedia/s/slr_chibimoon-ckey2.gif
1.6k 5% tcp adsl-68-126-206-36:2048 <-> frostdragon:http
- 304 GET /notebook/encyclopedia/s/slr_chibimoon-compact.gif
You can use tcpdump style filter expressions to limit the displayed information
to just traffic you are interested in at the moment. For instance, if I just
want to monitor email traffic, i.e.
SMTP traffic on
port 25, I can use the command pktstat port 25 when I start
the program.
interface: eth0
load averages: 5.6k 1.2k 421.1 bps
filter: port 25
bps % desc
tcp 245:29801 <-> frostdragon:smtp
tcp bny92-4-82-228-126-176:1672 <-> frostdragon:smtp
19.0k 51% tcp frostdragon:53388 <-> mx01:smtp
55.6 0% tcp frostdragon:smtp <-> mail:22421
18.0k 48% tcp frostdragon:smtp <-> pool-71-245-166-13:62216
By default, pktstat does not show the Fully Qualified Domain Name (FQDN)
of systems. But you can change that behavior with the -F
option.
-F Show full hostnames. Normally, hostnames are truncated to
the first component of their domain name before display.
For instance I could have it show the full name for systems that are exchanging
email with my server with pktstat -F port 25
interface: eth0
load averages: 98.9 21.9 7.4 bps
filter: port 25
bps % desc
tcp frostdragon.com:smtp <-> gateway.blackspider.com:43181
If you would prefer to see IP addresses and port numbers rather than names, you
can use the -n option. E.g. I could use pktstat -n port
25 to again monitor only SMTP traffic, but this time display IP
addresses rather than the host names and the port number, 25, rather than
its description, which is smtp.
-n Do not try and resolve hostnames or service port numbers.
interface: eth0 load averages: 55.2 11.4 3.8 bps filter: port 25 bps % desc 587.1 85% tcp 66.104.202.96:36199 <-> 66.22.186.53:25 98.4 14% tcp 66.22.186.53:25 <-> 67.172.4.27:4681
References:
