Friday, March 02, 2007

NSM: Trafshow vs Iftop

While we have many choices in the Open Source world, picking the right one is tricky; it all comes down to what you want to do with it. There are many tools I like for monitoring network flow statistics in real time that are not web based but curses based. Here, however, I would like to make a comparison between two interesting tools, trafshow and iftop.

Trafshow offers a few unique functions that aren't available in other tools. Its features are listed below -

- Colorization
- flow aggregation based on netmask length -a|A
- string tracing /|Ctrl-/
- bpf filter expression on the fly -f|F
- import cisco netflow data -u 9995
- hex data view on the fly

To learn how trafshow works, run it without any arguments: it lists all the network interfaces available to you, and you need to choose one to monitor.

shell>trafshow

Interface Address Description

em0 0:11:22:33:44:55 Ethernet
rl0 0:22:33:44:55:66 Ethernet
sk0 0:33:44:55:66:77 Ethernet
lo0 127.0.0.1 Loopback

By default it aggregates the traffic based on the guessed network id; here's the screenshot -


Thus if you want the exact IP address shown in trafshow, you need to run it with a netmask length of 32 -

shell>trafshow -a 32

The flexibility of flow aggregation based on netmask length allows you to monitor traffic from network to network and from node to node. This becomes very powerful when combined with a bpf filter expression: you can specify the expression by reading it from a file using -F, and, even better, you can inject a bpf filter expression directly by pressing the f key while you are in the trafshow monitor console, for example -

Filter expression: port 80

Trafshow stores its color attributes in either /usr/local/etc/trafshow or ~/.trafshow. You can tune them easily, and I always like to tune them for a better view of the traffic. For example, if I would like to watch the outgoing traffic from my DMZ network (172.16.1.0/24) for possible extrusion, I can just add these few lines to the configuration file -

# Private IP Addresses will be alarmed by Red foreground.
# Source Destination Color

172.16.1.0/24 any Red
any 172.16.1.0/24 Blue


With this kind of setup, all incoming traffic will be in blue and all outgoing traffic in red. Other useful color tuning is based on port; if you want to monitor your network in case hosts are connecting to an irc bot network, you can specify -

6667 cyan # irc
6668 cyan # irc


Again, you can easily combine features in trafshow to make more sense of what you are monitoring; just specifying this filter in the trafshow monitor helps a lot -

Filter expression: src net 172.16.1.0/24 and dst portrange 6660-6670


Another useful function is string tracing: you can specify a string found in the traffic flow and keep watching it. Just press the / key and type it, for example -

/yahoo

If the yahoo string is shown in the trafshow monitor, it will stay highlighted and you can easily keep your eye on it. You can disable it by pressing Control /.

I have actually interpreted Cisco Netflow using the -u option before, and it works pretty well. Since I didn't take a screenshot previously, I can't show it here. There are many functions in trafshow that you can easily enable and disable using toggle keys, such as name/port resolution via the n key, changing the netmask length via the A key, and so forth.

The last feature that I found really powerful is the traffic hex view; this gives you the feeling of the MATRIX movies, especially when you catch traffic that is considered malicious. Here's the screenshot I have; you just need to press enter after choosing a traffic flow in order to access the network stream -


Iftop, on the other hand, offers the functions below -

- src|dst aggregation s|d
- logarithmic traffic bar -b
- bits|bytes per how many seconds cycle -B
- net filter(bpf filter expression) -f|f
- screen filter(regex expression) l

The main configuration of iftop is ~/.iftoprc. If you have multiple network interfaces in the same host monitoring different networks, I suggest you put all the configuration in .iftoprc except the interface and net-filter variables (you can learn more about them by reading the iftop man page), and then put the iftop commands in different scripts for different network interfaces, for example -

shell>echo 'iftop -i eth0 -F 172.16.1.0/24' > iftop-eth0

shell>echo 'iftop -i eth1 -F 172.16.2.0/24' > iftop-eth1

shell>chmod +x iftop-eth*

Now you just run the script for the interface you want to monitor. All other attributes are better stored in ~/.iftoprc, where you can easily tune them for your network environment.

There's one feature I like about iftop: the traffic bar (white color), which is on a logarithmic scale, so you can easily identify which hosts are consuming more bandwidth right now. Here's the screenshot -


If you just want to view the aggregated traffic from either source or destination, pressing s or d in the iftop monitor console will do. This allows you to monitor the total bandwidth of a certain source/destination IP across all ports. DNS resolution can be turned on or off by pressing the n key. You can also change the averaging interval of the bits/bytes per second display; it offers 2s, 10s and 40s cycles.

Similar to trafshow, it has a net filter which you can specify either with the -f command line option or by pressing the f key to enter a bpf filter expression, for example -

Net filter > port 53

Now you can just monitor dns traffic. The screen filter, which allows you to use regular expressions, works similarly to trafshow's string search; you just need to press the l key in the iftop monitor and it will show -

Screen filter> smtp

This allows you to look at the smtp traffic if you have mail traffic flowing around.

Sometimes you prefer to run iftop with the proper options on the command line instead of changing its behaviour in the iftop monitor, and you can do so. For example, suppose you want to apply a bpf filter for ftp traffic -

shell>iftop -i rl0 -f port 20 or 21 -F 192.168.5.0/24
iftop: found arguments following options
*** some options have changed names since v0.9 ***
iftop: display bandwidth usage on an interface by host

Synopsis: iftop -h | [-npbBP] [-i interface] [-f filter code] [-N net/mask]

-h display this message
-n don't do hostname lookups
-N don't convert port numbers to services
-p run in promiscuous mode (show traffic between other
hosts on the same network segment)
-b don't display a bar graph of traffic
-B Display bandwidth in bytes
-i interface listen on named interface
-f filter code use filter code to select packets to count
(default: none, but only IP packets are counted)
-F net/mask show traffic flows in/out of network
-P show ports as well as hosts
-m limit sets the upper limit for the bandwidth scale
-c config file specifies an alternative configuration file

iftop, version 0.17

It doesn't seem to work and shows all the command options instead, so I tried enclosing the filter in single quotes -

shell>iftop -i rl0 -f 'port 20 or 21' -F 192.168.5.0/24

Here it goes; it works properly, check out the screenshot -
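As an added example (not code from the original post or from the iftop project), here is a small POSIX sh launcher that combines the per-interface script idea from above with the quoting lesson just shown: the bpf expression is carried as a single argument all the way to iftop, and the -F network comes from a per-interface table. The interface-to-network table and the filter strings are constructed sample values; the -i, -f and -F flags are the ones in the usage output above.

```shell
#!/bin/sh
# Added example, not from the original post or the iftop project.
# Per-interface iftop launcher that keeps the -f BPF expression as ONE argv
# element (the post shows iftop printing its usage when "port 20 or 21" is
# passed unquoted) and looks up the -F network from a small table.

# Interface -> monitored network. Constructed sample values.
net_for_iface() {
    case "$1" in
        eth0) printf '%s\n' 172.16.1.0/24 ;;
        eth1) printf '%s\n' 172.16.2.0/24 ;;
        rl0)  printf '%s\n' 192.168.5.0/24 ;;
        *)    return 1 ;;
    esac
}

# Accept only a dotted-quad/prefix before it reaches -F.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Print the argv iftop would receive, one element per line. A multi-word
# filter such as "port 20 or 21" must show up as a single line.
# Returns 1 (with a message on stderr) for an unknown interface.
iftop_argv() {
    iface=$1
    filter=${2:-}
    net=$(net_for_iface "$iface") || {
        echo "iftop_argv: no network table entry for $iface" >&2
        return 1
    }
    valid_cidr "$net" || {
        echo "iftop_argv: bad network '$net' for $iface" >&2
        return 1
    }
    printf '%s\n' iftop -i "$iface" -F "$net"
    if [ -n "$filter" ]; then
        printf '%s\n' -f "$filter"
    fi
    return 0
}

# Actually start iftop: "$@" hands each element over intact, so the filter
# is never split by the shell the way the unquoted command line was.
run_iftop() {
    iface=$1
    filter=${2:-}
    net=$(net_for_iface "$iface") || return 1
    valid_cidr "$net" || return 1
    set -- iftop -i "$iface" -F "$net"
    if [ -n "$filter" ]; then
        set -- "$@" -f "$filter"
    fi
    exec "$@"
}

# Usage: sh iftop-launch.sh <interface> ['bpf filter']
# e.g.   sh iftop-launch.sh rl0 'port 20 or 21'
if [ "$#" -ge 1 ]; then
    run_iftop "$1" "${2:-}"
fi
```

The iftop_argv function exists only so you can see what iftop will receive before running it; run_iftop builds the same argument list with set -- and exec's it, which is the part that replaces the one-line wrapper scripts above.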


Overall, trafshow has almost all the features available in iftop. I prefer trafshow because it has the colorization feature and the capability to read netflow data, which lets reactive network security monitoring be done without much delay; the hex data view of the network stream also makes it terrific for performing real-time incident response (you are not watching flow statistics only but full content data in real time). The only advantage of iftop over trafshow is the traffic direction shown in the monitor, which makes a lot of sense when you want to monitor traffic in a more bidirectional-oriented way.

Both tools are incredibly useful and have their pros and cons. In the end, it is sometimes about preference.

Peace (;])
