Tue, Jun 20, 2017 10:22 pm

NetHogs

If you wish to monitor the top bandwidth consuming processes on a Linux system, you can use the nethogs program, which displays bandwidth usage by process. It will display the process id (PID) of the processes consuming the most bandwidth. E.g.:

NetHogs version 0.8.5

    PID USER     PROGRAM                    DEV        SENT      RECEIVED       
  19355 jim      sshd: jim@pts/0            enp1s4      0.188       0.082 KB/sec
  15022 apache   /usr/sbin/httpd            enp1s4      0.000       0.000 KB/sec
      ? root     unknown TCP                            0.000       0.000 KB/sec

  TOTAL                                                 0.188       0.082 KB/sec

The above output shows me that the two processes consuming the most bandwidth at the time the program was run had PIDs of 19355 and 15022. I can get additional information on those processes using the ps command.

$ ps 19355
  PID TTY      STAT   TIME COMMAND
19355 ?        S      0:19 sshd: jim@pts/0
$ ps 15022
  PID TTY      STAT   TIME COMMAND
15022 ?        S      0:00 /usr/sbin/httpd -DFOREGROUND
$
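The following is an added example, not part of the original post: it parses the NetHogs screen shown above, separates rows NetHogs could not attribute to a process (PID "?"), and reads the command line and executable path for a PID from /proc. The function and field names are hypothetical, and the parser assumes PROGRAM and DEV are separated by at least two spaces, as in the output above.

```python
import os
import re

# The NetHogs screen shown above, copied from the page.
SAMPLE = """\
    PID USER     PROGRAM                    DEV        SENT      RECEIVED
  19355 jim      sshd: jim@pts/0            enp1s4      0.188       0.082 KB/sec
  15022 apache   /usr/sbin/httpd            enp1s4      0.000       0.000 KB/sec
      ? root     unknown TCP                            0.000       0.000 KB/sec

  TOTAL                                                 0.188       0.082 KB/sec
"""

ROW = re.compile(r"^\s*(\d+|\?)\s+(\S+)\s+(.*?)\s+(\d+\.\d+)\s+(\d+\.\d+)\s+KB/sec\s*$")

def parse_nethogs(text):
    """Return one dict per process row; the header and TOTAL lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        pid, user, middle, sent, received = m.groups()
        # PROGRAM may contain single spaces; DEV follows after 2+ spaces and is
        # empty for traffic NetHogs could not attribute to a process.
        parts = re.split(r"\s{2,}", middle)
        rows.append({
            "pid": None if pid == "?" else int(pid), "user": user,
            "program": parts[0], "dev": parts[1] if len(parts) > 1 else "",
            "sent_kb_s": float(sent), "received_kb_s": float(received)})
    return rows

def proc_details(pid, proc_root="/proc"):
    """Read what the kernel records for a PID; None if the process is gone."""
    base = os.path.join(proc_root, str(pid))
    try:
        with open(os.path.join(base, "cmdline"), "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return None
    try:
        exe = os.readlink(os.path.join(base, "exe"))  # path of the running binary
    except OSError:
        exe = None  # resolving another user's process usually needs root
    return {"pid": pid, "cmdline": cmdline, "exe": exe}

if __name__ == "__main__":
    for row in parse_nethogs(SAMPLE):
        print(row, proc_details(row["pid"]) if row["pid"] else "unattributed")
```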

[ More Info ]

[/os/unix/linux/network] permanent link

Fri, May 13, 2016 11:00 pm

Monitoring network traffic with ibmonitor

If you want to monitor the traffic on network interfaces on a Linux system, one tool that will give you real-time statistics on network utilization is ibmonitor. An RPM package and ibmonitor-1.4.tar.gz, which contains the Perl script that constitutes the program, can be downloaded from ibmonitor. The program is a console application, i.e., a command line program with a text interface, written in the Perl programming language. Its features include the following:

[ More Info ]

[/os/unix/linux/network] permanent link

Wed, Dec 13, 2006 6:26 pm

Using pktstat to Monitor Network Traffic

Pktstat is free software for Linux and Unix systems that will display a real-time list of active connections seen on a network interface, and how much bandwidth is being used by various network connections. It partially decodes the HTTP and FTP protocols to show what filename is being transferred. X11 application names are also shown. Entries hang around on the screen for a few seconds so you can see what just happened. It also accepts filter expressions à la tcpdump.

An RPM file that can be used to install the software on Linux systems is available from http://www.stearns.org/pktstat/. As of December 13, 2006, the current version is 1.7.2q. I installed the software from the RPM file.

# wget http://www.stearns.org/pktstat/pktstat-1.7.2q-0.i386.rpm

# rpm -qip pktstat-1.7.2q-0.i386.rpm
warning: pktstat-1.7.2q-0.i386.rpm: V3 RSA/MD5 signature: NOKEY, key ID f322929d
Name        : pktstat                      Relocations: (not relocateable)
Version     : 1.7.2q                            Vendor: David Leonard
Release     : 0                             Build Date: Thu 10 Jul 2003 12:38:40 AM EDT
Install Date: (not installed)               Build Host: sparrow
Group       : Applications/Internet         Source RPM: pktstat-1.7.2q-0.src.rpm
Size        : 145837                           License: Public Domain
Signature   : RSA/MD5, Thu 10 Jul 2003 12:38:40 AM EDT, Key ID 012334cbf322929d
Packager    : William Stearns <wstearns@pobox.com>
URL         : http://www.itee.uq.edu.au/~leonard/personal/software/#pktstat
Summary     : Displays a live list of active connections and what files are being transferred.
Description :
Display a real-time list of active connections seen on a network
interface, and how much bandwidth is being used by what. Partially
decodes HTTP and FTP protocols to show what filename is being
transferred. X11 application names are also shown. Entries hang around
on the screen for a few seconds so you can see what just happened. Also
accepts filter expressions a la tcpdump.

# rpm --install pktstat-1.7.2q-0.i386.rpm
warning: pktstat-1.7.2q-0.i386.rpm: V3 RSA/MD5 signature: NOKEY, key ID f322929d

The NOKEY warning in the output above means that rpm could not verify the package's signature, because the public key for key ID f322929d is not in the RPM keyring.

Once installed, the software can be run with the pktstat command. If you need to install from the source code rather than from the RPM package, the steps to install the software are fairly straightforward and can be found at Bandwidth Monitoring Tools, which also lists a number of other free bandwidth monitoring tools.

The software can show you what files people are accessing on your web server in real time, as shown below:

interface: eth0
load averages: 6.3k 3.2k 1.4k bps

   bps    % desc
 779.9   2% icmp unreach port frostdragon -> ns2
            tcp adsl-68-126-206-36:2039 <-> frostdragon:http
            - GET /notebook/encyclopedia/s/slr_chibimoon.htm
            tcp adsl-68-126-206-36:2041 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon.htm
            tcp adsl-68-126-206-36:2042 <-> frostdragon:http
            - 304 GET /graphics/notepad.gif
            tcp adsl-68-126-206-36:2043 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-title.jpg
            tcp adsl-68-126-206-36:2044 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-002.jpg
            tcp adsl-68-126-206-36:2045 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-001.jpg
            tcp adsl-68-126-206-36:2046 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-lunapball.gif
 278.1   0% tcp adsl-68-126-206-36:2047 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-ckey2.gif
  1.6k   5% tcp adsl-68-126-206-36:2048 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-compact.gif

You can use tcpdump style filter expressions to limit the displayed information to just traffic you are interested in at the moment. For instance, if I just want to monitor email traffic, i.e. SMTP traffic on port 25, I can use the command pktstat port 25 when I start the program.

interface: eth0
load averages: 5.6k 1.2k 421.1 bps
filter: port 25
   bps    % desc
            tcp 245:29801 <-> frostdragon:smtp
            tcp bny92-4-82-228-126-176:1672 <-> frostdragon:smtp
 19.0k  51% tcp frostdragon:53388 <-> mx01:smtp
  55.6   0% tcp frostdragon:smtp <-> mail:22421
 18.0k  48% tcp frostdragon:smtp <-> pool-71-245-166-13:62216

By default, pktstat does not show the Fully Qualified Domain Name (FQDN) of systems. But you can change that behavior with the -F option.

         -F    Show full hostnames.  Normally, hostnames are truncated to
               the first component of their domain name before display.

For instance, I could have it show the full name for systems that are exchanging email with my server with pktstat -F port 25:

interface: eth0
load averages: 98.9 21.9 7.4 bps
filter: port 25
   bps    % desc
            tcp frostdragon.com:smtp <-> gateway.blackspider.com:43181

If you would prefer to see IP addresses and port numbers rather than names, you can use the -n option. E.g. I could use pktstat -n port 25 to again monitor only SMTP traffic, but this time display IP addresses rather than the host names and the port number, 25, rather than its description, which is smtp.

          -n    Do not try and resolve hostnames or service port numbers.

interface: eth0
load averages: 55.2 11.4 3.8 bps
filter: port 25
   bps    % desc
 587.1  85% tcp 66.104.202.96:36199 <-> 66.22.186.53:25
  98.4  14% tcp 66.22.186.53:25 <-> 67.172.4.27:4681
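The following is an added example, not part of the original post: it parses pktstat connection rows in the format shown above and totals the bandwidth per remote peer, separating connections into the local mail server from connections the server itself opens to other mail servers. The function names are hypothetical, and the M and G rate suffixes are an assumption (only "k" appears in the output on this page).

```python
import re
from collections import defaultdict

# The first six lines are the `pktstat -n port 25` output shown above; the last
# row is constructed to show an idle outbound connection (no bps/% columns).
SAMPLE = """\
interface: eth0
load averages: 55.2 11.4 3.8 bps
filter: port 25
   bps    % desc
 587.1  85% tcp 66.104.202.96:36199 <-> 66.22.186.53:25
  98.4  14% tcp 66.22.186.53:25 <-> 67.172.4.27:4681
            tcp 66.22.186.53:40112 <-> 192.0.2.10:25
"""

ROW = re.compile(
    r"^\s*(?:(\d+(?:\.\d+)?[kMG]?)\s+\d+%\s+)?(tcp|udp)\s+(\S+)\s+<->\s+(\S+)\s*$")
SCALE = {"k": 1e3, "M": 1e6, "G": 1e9}  # assumption: only "k" is seen on the page

def to_bps(text):
    """Convert a pktstat rate such as '587.1' or '19.0k'; a blank rate is 0."""
    if not text:
        return 0.0
    if text[-1] in SCALE:
        return float(text[:-1]) * SCALE[text[-1]]
    return float(text)

def summarize(output, local_host, service_port="25"):
    """Return (inbound, outbound) dicts of remote host -> total bps.

    Use service_port="smtp" when pktstat was run without -n.
    """
    inbound, outbound = defaultdict(float), defaultdict(float)
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, ICMP rows and "- GET ..." detail lines
        local = m.group(3).rpartition(":")[::2]   # (host, port)
        remote = m.group(4).rpartition(":")[::2]
        if local[0] != local_host:
            local, remote = remote, local
        if local[0] != local_host:
            continue  # neither endpoint is the monitored server
        if local[1] == service_port:
            inbound[remote[0]] += to_bps(m.group(1))
        elif remote[1] == service_port:
            outbound[remote[0]] += to_bps(m.group(1))
    return dict(inbound), dict(outbound)

if __name__ == "__main__":
    print(summarize(SAMPLE, "66.22.186.53"))
```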

References:

  1. Bandwidth Monitoring Tools
    Planet Malaysia Blog
  2. pktstat
    By David Leonard
  3. pktstat file listing
    By William Stearns
    Mary 13, 2006

[/os/unix/linux/network] permanent link

Tue, Sep 06, 2005 11:13 pm

Setting up a Floppy-based Firewall with floppyfw

If you have an old PC, even a 386-based PC, with just 12 MB of memory and a floppy drive, you have enough to build a firewall for home use or for use by a small business. You can build your firewall with such minimal hardware requirements if you use floppyfw. In fact, you can get by with even less than 12 MB of memory if you use an older version of floppyfw, i.e. the 1.x series rather than the current 2.x software. And the old 1.x software is still maintained by the developer.

[ More Info ]

[/os/unix/linux/network/firewall] permanent link

Wed, Sep 15, 2004 11:10 pm

Bandwidth Monitoring on a Linux System

On a Linux system, if you need information on how much bandwidth is being used and what type of traffic is consuming the bandwidth, two tools you can use that don't require a Graphical User Interface (GUI) are IPTraf and Linux Bandwidth Monitor (bwmon).

IPTraf description from Red Hat's IPTraf package:

IPTraf is a console-based network monitoring utility. IPTraf gathers data like TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts. IPTraf features include an IP traffic monitor which shows TCP flag information, packet and byte counts, ICMP details, OSPF packet types, and oversized IP packet warnings; interface statistics showing IP, TCP, UDP, ICMP, non-IP and other IP packet counts, IP checksum errors, interface activity and packet size counts; a TCP and UDP service monitor showing counts of incoming and outgoing packets for common TCP and UDP application ports, a LAN statistics module that discovers active hosts and displays statistics about their activity; TCP, UDP and other protocol display filters so you can view just the traffic you want; logging; support for Ethernet, FDDI, ISDN, SLIP, PPP, and loopback interfaces; and utilization of the built-in raw socket interface of the Linux kernel, so it can be used on a wide variety of supported network cards.

A ZDNet article, Police your network traffic with IPTraf, explains how to use IPTraf to log and monitor IP traffic on your system.

You can download IPTraf from the developer's website or you may already have it with your distribution of Linux. An RPM is available from Red Hat or from this site.

The options when running bwmon are shown below:

Linux Network Bandwidth Monitor $Revision: 1.3 $
by Kimmo Nupponen (kimmoon@users.sourceforge.net)
$Date: 2002/05/08 06:33:09 $

usage: bwmon [-b] [-h] [-a] [-m] [-u seconds]
        -a Print bandwidth utiliasation in Kbytes rather than Kbits. The default
           is to use Kbits
        -a Print also average bandwidth since last boot per interface
        -m Print maximum bandwidth since launch of this utility
        -h Print this help message
        -u Update timeout (integer value)

        Use <space-bar> to refresh the screen before update timeout expires
        Use 'q' or 'Q' to exit this utility

Note that you have to have proc mounted to allow this software
to work!

bwmon Screenshot
IPTraf Screenshots

[/os/unix/linux/network] permanent link

Mon, Aug 23, 2004 11:05 pm

Keeping a Linux System's Time Accurate

PC and workstation clocks are not highly accurate and will tend to drift from the correct time over time. To keep the system's clock accurate, one can use the Network Time Protocol (NTP). The fact that a system's clock is off by a few minutes may not seem important at first, but if you have to troubleshoot problems involving multiple systems, you will realize that it can take much longer to troubleshoot if the clocks on the systems vary and you must mentally adjust the times to determine the order of events.

NTP software will provide the capability for a system to contact a time server, which provides an accurate time source. In the United States, time servers may be tied back to the time source provided by the National Institute of Standards and Technology (NIST).

On RedHat Linux systems, you can use the ntp package to set up your system to obtain time from a time server using NTP.

Installing and configuring the ntp package on RedHat Linux is detailed below. The example below uses ntp-4.0.99k-15.i386.rpm, which is version 4.0.99k release 15 of the ntp client. If you are using a later version of RedHat Linux, a newer version of ntp may be available for your version of Linux. Except for the RPM file name, the installation and configuration process should be similar.

  1. Install the package, e.g. rpm --install ntp-4.0.99k-15.i386.rpm.

  2. Edit the /etc/ntp.conf file. Add a server line to point to a publicly accessible time server, e.g. server 198.82.162.213 to use the time server lennier.cc.vt.edu. You then should have lines similar to the following in the ntp.conf file:

    server 198.82.162.213
    server 127.127.1.0 # local clock
    fudge 127.127.1.0 stratum 10


  3. Use chkconfig to configure the service to start when the system boots.

    chkconfig ntpd on

  4. Start the service.

    /etc/init.d/ntpd start

  5. If you wish to immediately update the time to match that on the time server, you can use the ntpdate command, e.g. ntpdate -b lennier.cc.vt.edu .

You can check that the service is functioning with the ntpq command.

ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 lennier.cc.vt.e Tick.UH.EDU      2 u   34   64    1   28.516    0.340   0.000
 LOCAL(0)        LOCAL(0)        10 l    9   64    1    0.000    0.000   0.000
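The following is an added example, not part of the original post: it parses `ntpq -p` output and reports the conditions that leave a clock unsynchronized, including the case where ntpd has selected the local clock that the ntp.conf above configures as a stratum 10 fallback. The function names, finding labels and the 100 ms offset threshold are assumptions.

```python
# The `ntpq -p` output shown above, taken shortly after ntpd was started.
PAGE_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 lennier.cc.vt.e Tick.UH.EDU      2 u   34   64    1   28.516    0.340   0.000
 LOCAL(0)        LOCAL(0)        10 l    9   64    1    0.000    0.000   0.000
"""

# Constructed sample: the upstream server has stopped answering and ntpd has
# fallen back to the local clock ("fudge 127.127.1.0 stratum 10").
FALLBACK_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 lennier.cc.vt.e .INIT.          16 u    -   64    0    0.000    0.000   0.000
*LOCAL(0)        LOCAL(0)        10 l   12   64  377    0.000    0.000   0.001
"""

TALLY_CODES = " *+-x.#o"  # first column of each peer line; "*" is the system peer

def parse_peers(text):
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if (not line or line[0] not in TALLY_CODES
                or len(fields) != 10 or not fields[2].isdigit()):
            continue  # command echo, column header or separator line
        peers.append({
            "tally": line[0],
            "remote": fields[0],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),     # octal register of the last 8 polls
            "offset_ms": float(fields[8]),  # ntpq -p reports offset in milliseconds
        })
    return peers

def answered_polls(reach):
    """Number of the last eight polls that got a reply."""
    return bin(reach & 0xFF).count("1")

def check(text, max_offset_ms=100.0):  # threshold is an assumption; tune per site
    findings = []
    peers = parse_peers(text)
    selected = [p for p in peers if p["tally"] in "*o"]
    if not selected:
        findings.append(("no-system-peer", None))
    for p in peers:
        local = p["remote"].startswith("LOCAL(")
        if p in selected and local:
            findings.append(("free-running-on-local-clock", p["remote"]))
        if not local and p["reach"] == 0:
            findings.append(("unreachable", p["remote"]))
        if p in selected and abs(p["offset_ms"]) > max_offset_ms:
            findings.append(("offset-too-large", p["remote"]))
    return findings
```

A reach value of 1, as in the output above, means only the most recent poll has been answered; it climbs to 377 once eight consecutive polls succeed.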

You can use the netstat command to check whether your system is functioning as an NTP server, which means it will be listening on the NTP port, UDP port 123.

netstat -a | grep "ntp"
udp        0      0 gna.somewhere.com:ntp    *:*
udp        0      0 localhost.localdoma:ntp *:*
udp        0      0 *:ntp                   *:*

You should see the system name followed by ":ntp", which indicates it is listening for connections on the NTP port, UDP port 123.

If you are blocking access to the system with a firewall, you will need to provide a rule for UDP connections to port 123, if you want to allow other systems the capability of obtaining the time from your NTP server.

If you wish to trace the path back through a sequence of time servers to find the master time source, you can use the ntptrace command.

ntptrace
localhost.localdomain: stratum 3, offset 0.000100, synch distance 0.22896
lennier.cc.vt.edu: stratum 2, offset -0.016537, synch distance 0.04396
time-b.nist.gov: stratum 1, offset -0.012730, synch distance 0.00000, refid 'ACTS'

The example above shows that the system gets its time from lennier.cc.vt.edu, a stratum 2 server, which in turn gets the time from time-b.nist.gov, a stratum 1 server.

References

  1. Decibels Linux NTP Tutorial
  2. NIST Internet Time Service
  3. NTP - The Network Time Protocol
  4. ntpq - standard NTP query program
  5. ntptrace - trace a chain of NTP servers back to the primary source
  6. US Naval Observatory NTP Network Time Servers
  7. Using the Network Time Protocol to Sync Your Network
  8. Keeping Time on Windows Machines

[/os/unix/linux/network] permanent link
