Wednesday December 09, 2009 at 05:04
Subject: iptstate -- "top" for network connections
Keywords:
Linux, Network, Top
Posted by: Sean Reifschneider
A few weeks ago at our favorite coffee shop, the net went just right
into the toilet... Jamie had recently put Tomato on their WRT54G router,
so I was able to get in and see what the problem was. Someone was
hammering the network, saturating both the incoming and outgoing, and had
been for an hour. But how to tell who it was?
The solution I ended up with was to read /proc/net/ip_conntrack and
look at the local machines with lots of remote connections, indicating
file-sharing. Seconds later, the network was usable again and the owner
was thanking us because they could run credit cards again.
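The approach described above, ranking local machines by how many distinct remote peers they hold in the conntrack table, as an added example (not the author's code). The LAN range, the function name and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the ip_conntrack text layout (not captured traffic).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.23 dst=203.0.113.10 sport=51000 dport=6881 packets=900 bytes=1200000 src=203.0.113.10 dst=198.51.100.7 sport=6881 dport=51000 packets=800 bytes=90000 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.168.1.23 dst=203.0.113.11 sport=51001 dport=6881 packets=700 bytes=800000 src=203.0.113.11 dst=198.51.100.7 sport=6881 dport=51001 packets=600 bytes=50000 [ASSURED] mark=0 use=1
tcp      6 431980 ESTABLISHED src=192.168.1.23 dst=203.0.113.12 sport=51002 dport=6881 packets=500 bytes=500000 src=203.0.113.12 dst=198.51.100.7 sport=6881 dport=51002 packets=400 bytes=40000 [ASSURED] mark=0 use=1
tcp      6 431000 ESTABLISHED src=192.168.1.10 dst=203.0.113.80 sport=40000 dport=443 packets=20 bytes=3000 src=203.0.113.80 dst=198.51.100.7 sport=443 dport=40000 packets=30 bytes=20000 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.11 dst=203.0.113.53 sport=40001 dport=53 [UNREPLIED] src=203.0.113.53 dst=198.51.100.7 sport=53 dport=40001 use=1
tcp      6 100 ESTABLISHED src=192.168.1.10 dst=192.168.1.1 sport=40002 dport=80 packets=5 bytes=100 src=192.168.1.1 dst=192.168.1.10 sport=80 dport=40002 packets=5 bytes=200 [ASSURED] mark=0 use=1
"""

PAIR = re.compile(r"\bsrc=(\S+) dst=(\S+)")
BYTES = re.compile(r"\bbytes=(\d+)")


def talkers(text, lan="192.168.1.0/24"):
    """Rank LAN hosts by distinct remote peers: [(ip, peers, flows, bytes)]."""
    net = ipaddress.ip_network(lan)  # assumed LAN range; adjust to the router's
    peers, flows, volume = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in text.splitlines():
        m = PAIR.search(line)  # first src=/dst= pair is the original direction
        if not m:
            continue
        try:
            src, dst = (ipaddress.ip_address(a) for a in m.groups())
        except ValueError:
            continue  # skip malformed addresses rather than abort the report
        if src not in net or dst in net:
            continue  # only LAN-to-outside flows matter here
        host = str(src)
        peers[host].add(dst)
        flows[host] += 1
        # bytes= fields exist only when conntrack accounting is on; else 0
        volume[host] += sum(int(b) for b in BYTES.findall(line))
    rows = [(h, len(peers[h]), flows[h], volume[h]) for h in peers]
    return sorted(rows, key=lambda r: (-r[1], -r[3]))


if __name__ == "__main__":
    for row in talkers(SAMPLE):
        print("%-15s peers=%-4d flows=%-4d bytes=%d" % row)
```

On a live router the text would come from the conntrack file instead of `SAMPLE`; a host far ahead of the rest in the peers column is the one to look at first.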
But newer kernels don't have this file any more. They do have
similar functionality though, available through the "iptstate" tool. Read
below for more information.
I was doing an update of my system today and I saw the "iptstate"
package was being updated. I wasn't familiar with it, so I did some
digging. It uses the iptables state information to show a top-like output
for connections on or going through your system.
To use it, run "iptstate" as root. If you press "C", and your display
is wide enough, it will also show counters of bytes and packets exchanged
on the connection. Pressing "b" will change the sort column, and "r" will
reverse the sort order: so "Crbbbbbbb" will give you a nice view of the top
heaviest traffic connections. Or you can start it with the command-line:
"iptstate -Crb b" to get that as the default view.
Another nice feature is that you can run it in "report" mode where
instead of doing the updating display it simply runs a single report and
you can then save that off to a file for later analysis.
The "iftop" package is a different way of looking at similar
information, and I probably like it better as far as "What is using traffic
on this connection". But, that's not really what iptstate is meant for
(hence it not being the default view you get, I would imagine).
The primary use of iptstate is seeing the status of connections in
conntrack on your system, including TTL and connection states. Neither of
these is available in "iftop".
Comment
alex dekker, Subject: x it out
The 'x' feature is handy as well. I used this to delete a NAT table entry for a machine that had changed IP address. I couldn't reconnect with a VPN through my linux router until the NAT entry had expired. Instead of waiting for the TTL to expire I was able to erase the connection entry with iptstate.