A few weeks ago at our favorite coffee shop, the net went just right into the toilet… Jamie had recently put Tomato on their WRT54G router, so I was able to get in and see what the problem was. Someone was hammering the network, saturating both the incoming and outgoing, and had been for an hour. But how to tell who it was?
The solution I ended up with was to read /proc/net/ip_conntrack and look at the local machines with lots of remote connections, indicating file-sharing. Seconds later, the network was usable again and the owner was thanking us because they could run credit cards again.
But newer kernels don't have this file any more. They do have similar functionality though, available through the “iptstate” tool. Read below for more information.
I was doing an update of my system today and I saw the “iptstate” package was being updated. I wasn't familiar with it, so I did some digging. It uses the iptables state information to show a top-like output for connections on or going through your system.
To use it, run “iptstate” as root. If you press “C”, and your display is wide enough, it will also show counters of bytes and packets exchanged on the connection. Pressing “b” will change the sort column, and “r” will reverse the sort order: so “Crbbbbbbb” will give you a nice view or the top heaviest traffic connections. Or you can start it with the command-line: “iptstate -Crb b” to get that as the default view.
Another nice feature is that you can run it in “report” mode where instead of doing the updating display it simply runs a single report and you can then save that off to a file for later analysis.
The “iftop” package is a different way of looking at similar information, and I probably like it better as far as “What is using traffic on this connection”. But, that's not really what iptstate is meant for (hence it not being the default view you get, I would imagine).
The primary use of iptstate is seeing the status of connections in conntrack on your system, including TTL and connection states. Neither of these are available in “iftop”.comments powered by Disqus