TRAFSHOW(1)                 General Commands Manual                TRAFSHOW(1)
trafshow - full-screen show of network traffic
trafshow [-vpnb] [-a len] [-c conf] [-i name] [-s str] [-u port] [-R refresh] [-P purge] [-F file | expr]
TrafShow is a simple interactive program that gathers network traffic from
all libpcap-capable interfaces, accumulates it in an in-memory cache, and then
separately displays it in a curses window, one line per flow, as a list of
network flows sorted by throughput. Display updates occur nearly in real
time, asynchronously from the data collection, so it looks like a live show
of traffic flows. All kinds of network traffic are mixed together on the one
live-show screen: Ethernet, IP, etc.
Hint: press the `H' key inside the show to get brief help!
IP traffic can be aggregated by netmask prefix bits and service ports to
reorganize a heap of trivial flows into tree-like hierarchies suitable for
human perception. The user can glance over the list of resulting flows and
select any of them to browse its details, descending into the traffic
aggregation hierarchy and inspecting the packets of each trivial flow in a
variety of presentations: raw hex, ASCII, time-stamp.
The program aggregates automatically when the number of flows exceeds some
reasonable amount. A few seconds after launch may be required to adapt to
your volume of traffic. Use the -a len option (see below) to override the
default behaviour.
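The aggregation just described (trivial per-connection flows collapsed by netmask prefix bits and service port once the flow count exceeds a limit, then sorted by throughput), as an added Python illustration; it is not trafshow's own code. The packet records, the prefix length and the flow threshold are constructed assumptions standing in for the live capture and the -a len setting.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample packets: (src, sport, dst, dport, bytes). Not real traffic.
PACKETS = [
    ("10.1.2.3", 40001, "192.0.2.10", 80, 1500),
    ("10.1.2.4", 40002, "192.0.2.10", 80, 1500),
    ("10.1.2.5", 40003, "192.0.2.10", 80, 500),
    ("10.1.3.7", 40004, "192.0.2.20", 443, 3000),
    ("10.1.3.8", 40005, "192.0.2.20", 443, 1000),
    ("10.2.0.1", 53000, "192.0.2.53", 53, 100),
]


def collect_flows(packets):
    """Trivial flows: one byte counter per (src, sport, dst, dport) tuple."""
    flows = defaultdict(int)
    for src, sport, dst, dport, nbytes in packets:
        flows[(src, sport, dst, dport)] += nbytes
    return dict(flows)


def aggregate(flows, prefix_len, max_flows):
    """Return flows sorted by throughput (bytes), highest first.

    If the flow count exceeds max_flows, collapse source and destination
    addresses to prefix_len-bit networks and keep only the service
    (destination) port; the client-side ephemeral port becomes '*'.
    """
    if len(flows) <= max_flows:
        return sorted(flows.items(), key=lambda kv: kv[1], reverse=True)
    agg = defaultdict(int)
    for (src, sport, dst, dport), nbytes in flows.items():
        srcnet = str(ip_network(f"{src}/{prefix_len}", strict=False))
        dstnet = str(ip_network(f"{dst}/{prefix_len}", strict=False))
        agg[(srcnet, "*", dstnet, dport)] += nbytes
    return sorted(agg.items(), key=lambda kv: kv[1], reverse=True)


def top_talkers(packets, prefix_len=24, max_flows=4):
    """Assumed defaults: /24 aggregation once more than 4 flows are cached."""
    return aggregate(collect_flows(packets), prefix_len, max_flows)


if __name__ == "__main__":
    for (src, sport, dst, dport), nbytes in top_talkers(PACKETS):
        print(f"{src:>16} {sport!s:>5} -> {dst:>16} {dport:>5} {nbytes:>7}")
```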
TrafShow also listens on a UDP port (9995 by default) for diverse feeders of Cisco NetFlow and then separately displays the collected data in the same manner as described above. The following versions of NetFlow are currently supported: V1, V5, V7. Use the -u port option (see below) to override the default behaviour.
This program may be found wonderful, at least for locating suspicious traffic on the net very quickly on demand, or for evaluating real-time bandwidth utilization, in a simple and convenient environment. But it is not intended for collecting and analysing network traffic over a long period of time, nor for billing!
The program is meant to be IPv6 compatible and ready to use, but it is not tested enough. You can define INET6 to enable it.
If TrafShow has been compiled with a modern curses library such as Slang or Ncurses, it is able to show colored traffic on a color-capable terminal. Hopefully no special actions are required to install them, because your system has them by default (at least in recent years).
The syntax of the TrafShow color configuration file is as follows:
The tokens *, any, or all match ANY in the pattern. fcolor is the
foreground color and bcolor is the background color.
fcolor and bcolor may be one of the following:
An upper-case Fcolor means bright on. An upper-case Bcolor means blink on.
Thanks to Van Jacobson <van(at)helios.ee.lbl.gov> and Steven McCanne <mccanne(at)helios.ee.lbl.gov>, all of Lawrence Berkeley Laboratory, University of California, Berkeley. Special thanks to Jun-ichiro itojun Hagino <itojun(at)iijlab.net> for the IPv6 patches.
Vladimir Vorobyev <bob(at)turbo.nsk.su>.
Depending on the traffic volume, TrafShow can take a lot of CPU
cycles and memory.
It is impossible to use packet matching expressions in NetFlow
mode.
May 2004