mark/iftop
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Files
e2cec4707c1dca1e487a8f80b0903a696f025e53
iftop/iftop.8
chris 306d8fcefa ""
2002-04-02 11:27:47 +00:00

148 lines
5.5 KiB
Groff
Raw Blame History

.TH IFTOP 8
.\"
.\" iftop.8:
.\" Manual page for iftop.
.\"
.\" $Id$
.\"
.SH NAME
iftop - display bandwidth usage on an interface by host
.SH SYNOPSIS
\fBiftop\fP \fB-h\fP |
[\fB-d\fP] [\fB-p\fP] [\fB-i\fP \fIinterface\fP] [\fB-f\fP \fIfilter code\fP] [\fB-n\fP \fInet\fP/\fImask\fP]
.SH DESCRIPTION
\fBiftop\fP listens to network traffic on a named \fIinterface\fP, or \fBeth0\fP
if none is specified, and displays a table of current bandwidth usage by pairs
of hosts. \fBiftop\fP must be run with sufficient permissions to monitor all
network traffic on the \fIinterface\fP; see \fBpcap\fP(3) for more information,
but on most systems this means that it must be run as root.
By default, \fBiftop\fP will look up the hostnames associated with addresses it
finds in packets. This can cause substantial traffic of itself, and may result
in a confusing display. You may wish to suppress display of DNS traffic by
using filter code such as \fBnot port domain\fP, or switch it off entirely,
by using the \fB-d\fP option or by pressing \fBR\fP when the program is running.
By default, \fBiftop\fP counts all IP packets that pass through the filter, and
the direction of the packet is determined according to the direction the packet
is moving across the interface. Using the \fB-n\fP option it is possible to
get \fBiftop\fP to show packets entering and leaving a given network. For
example, \fBiftop -n 10.0.0.0/255.0.0.0\fP will analyse packets flowing in and
out of the 10.* network.
Some other filter ideas:
.TP
\fBnot ether host ff:ff:ff:ff:ff:ff\fP
Ignore ethernet broadcast packets.
.TP
\fBport http and not host \fP\fIwebcache.example.com\fP
Count web traffic only, unless it is being directed through a local web cache.
.TP
\fBicmp\fP
How much bandwith are users wasting trying to figure out why the network is
slow?
.SH OPTIONS
.TP
\fB-h\fP
Print a summary of usage.
.TP
\fB-d\fP
Don't do hostname lookups. This setting may be altered at run time.
.TP
\fB-p\fP
Run in promiscuous mode, so that traffic which does not pass directly through
the specified interface is also counted.
.TP
\fB-i\fP \fIinterface\fP
Listen to packets on \fIinterface\fP.
.TP
\fB-f\fP \fIfilter code\fP
Use \fIfilter code\fP to select the packets to count. Only IP packets are ever
counted, so the specified code is evaluated as \fB(\fP\fIfilter code\fP\fB) and ip\fP.
.TP
\fB-n\fP \fInet\fP/\fImask\fP
Specifies a network for traffic analysis. If specified, iftop will only
include packets flowing in to or out of the given network, and packet direction
is determined relative to the network boundary, rather than to the interface.
You may specify \fImask\fP as a dotted quad, such as /255.255.255.0, or as a
single number specifying the number of bits set in the netmask, such as /24.
.SH DISPLAY
When running, \fBiftop\fP uses the whole screen to display network usage. At
the top of the display is a reminder of keys which control \fBiftop\fP in
operation. Below that is a logarithmic scale for the bar graph which gives a
visual indication of traffic.
The main part of the display lists, for each pair of hosts, the rate at which
data has been sent and received over the preceding 2, 10 and 40 second
intervals. The direction of data flow is indicated by arrows, <= and =>. For
instance,
.nf
foo.example.com => bar.example.com 1K 500b 100b
<= 2M 2M 2M
.Sp
.fi
shows, on the first line, traffic from \fBfoo.example.com\fP to
\fBbar.example.com\fP; in the preceding 2 seconds, this averaged 1Kbit/s,
around half that amount over the preceding 10s, and a fifth of that over the
whole of the last 40s. During each of those intervals, the data sent in the
other direction was about 2Mbit/s. On the actual display, part of each line
is inverted to give a visual indication of the 10s average of traffic.
You might expect to see something like this where host \fBfoo\fP is making
repeated HTTP requests to \fBbar\fP, which is sending data back which saturates
a 2Mbit/s link.
All rates are displayed in bits per second and multiples thereof. The pairs of
hosts responsible for the most traffic are displayed at the top of the list.
At the bottom of the display, various totals are shown, for instance:
.nf
total: 3.1K TX: 0.3M peaks: 64b totals: 64b 30b 10b
peak: 4.5K RX: 8M 4.5K 4.5K 0.1M 5K
.Sp
.fi
The first column of numbers shows the total rate of received plus transmitted
traffic over the last 2s, and its peak value over the past 40s. The next column
shows the total amount of traffic observed during this session,
\fIin bytes, not bits\fP. The next column shows the peaks in received and
transmitted traffic, and the remaining colums show the 2, 10 and 40 second
averages. As with the per-host displays, the top line shows transmitted and the
bottom line received traffic.
.SH SEE ALSO
.BR tcpdump (8),
.BR pcap (3),
.BR driftnet (1).
.SH AUTHOR
Paul Warren <pdw@ex-parrot.com>
.SH VERSION
$Id$
.SH COPYING
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Reference in New Issue View Git Blame Copy Permalink