Basic network activity monitoring

Monitoring network activity, even at a basic level, can be a vital skill when troubleshooting issues or detecting abuse.

There are a couple of tools available in almost every Linux distribution that can help you with that: iptraf (also known as iptraf-ng) and iftop. Both should be installable using your OS's built-in package manager (apt, yum, etc.).

iftop

Simply running iftop will show you all incoming and outgoing connections on your primary network interface, including source and destination IPs. The default view is somewhat limited, as it attempts to resolve IPs to hostnames and does not show port information.

To tidy up the view a little, you can run:

iftop -nNP

This stops iftop from trying to resolve the IPs to hostnames and shows you port information for the traffic.

If you want to run iftop on a specific interface, you can use the -i flag, for example:

iftop -nNP -i eth0

This is the same as the previous example but only shows traffic on that specific interface. This also works for the virtual interfaces created in KVM virtualised environments, so on a host node running virtualisation you can, for instance, use -i kvm1234.0 as the interface name to view only the traffic hitting that virtual machine's interface.

If you only want to view traffic on a specific port, which can be very useful for detecting bulk email activity, you can do so with the -f (filter) option:

iftop -nNP -f 'port 25'

This shows all active connections on port 25, including source and destination IP addresses.
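To turn that port 25 view into something you can act on, the following added example (not part of the original article) summarises iftop's non-interactive text mode (iftop -t -s N) and counts how many SMTP connections each remote host holds, so a single peer opening many connections stands out. The sample output below is constructed to approximate iftop's text-mode layout and is not a real capture; column spacing in live output may differ, but the "<=" marker on each remote-host line is what the parser keys on.

```shell
#!/bin/sh
# Added example: summarise remote peers from iftop text-mode output.
# Live use (needs root):  iftop -t -s 5 -nNP -f 'port 25' | flag_busy_peers 5
# The sample below is CONSTRUCTED to resemble iftop -t output; RFC 5737
# documentation addresses are used for all hosts.
SAMPLE_IFTOP_OUTPUT='interface: eth0
IP address is: 192.0.2.10
   # Host name (port/service if enabled)            last 2s   last 10s   last 40s cumulative
--------------------------------------------------------------------------------------------
   1 192.0.2.10:25                            =>      1.20Kb     1.20Kb     1.20Kb       300B
     198.51.100.7:40122                       <=       640b       640b       640b       160B
   2 192.0.2.10:25                            =>      1.10Kb     1.10Kb     1.10Kb       280B
     198.51.100.7:40123                       <=       600b       600b       600b       150B
   3 192.0.2.10:25                            =>       980b       980b       980b       245B
     203.0.113.5:51000                        <=       512b       512b       512b       128B
--------------------------------------------------------------------------------------------
Total send rate: 3.28Kb'

# count_peers: read iftop text output on stdin and print "host connections",
# busiest peer first. In iftop's pair layout the "=>" line is the local side
# and the "<=" line is the remote side, so only "<=" lines are counted.
count_peers() {
  awk '
    /<=/ {
      host = $1                   # e.g. 198.51.100.7:40122 (with -N, port is numeric)
      sub(/:[0-9]+$/, "", host)   # drop the ephemeral source port (IPv4 form)
      n[host]++
    }
    END { for (h in n) printf "%s %d\n", h, n[h] }
  ' | sort -k2,2nr -k1,1
}

# flag_busy_peers MIN: keep only peers holding at least MIN connections (default 2).
flag_busy_peers() {
  count_peers | awk -v min="${1:-2}" '$2 >= min'
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_IFTOP_OUTPUT" | flag_busy_peers 2
```

On a real mail server, run it repeatedly (or raise MIN) and compare against the hosts you expect to relay through you; a peer holding many simultaneous port 25 connections is the pattern this highlights.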

iptraf / iptraf-ng

Iptraf is a great monitoring tool for analysing data on single-tenant servers. It is still useful in virtualised environments, as it shows traffic per virtual interface, but the volume of data can be quite overwhelming.

After running iptraf you will get the following options in the CLI menu system:

  • IP traffic monitor – Shows all traffic at a transactional level; it can be sorted by packet count or bytes in/out.
  • General interface statistics – Shows combined stats such as total packets in/out and traffic rates in kbps, and separates IPv4 and IPv6 traffic.
  • Detailed interface statistics – Gives you a per-interface view (including virtual machine interfaces) and breaks traffic down by protocol, rates in/out, and packet type.
  • Statistical breakdowns… – For looking at packet sizes/counts per interface.
  • LAN station monitor – Shows the transfer rate in kbps and packets in/out per interface, with MAC address info and interface separation.