TRAFSHOW(1)                 General Commands Manual                TRAFSHOW(1)

NAME

       trafshow - full-screen show of network traffic

SYNOPSIS

       trafshow [-vpnb] [-a len] [-c conf] [-i name] [-s str] [-u port]
                [-R refresh] [-P purge] [-F file | expr]

DESCRIPTION

       TrafShow is a simple interactive program that gathers the network
       traffic from all libpcap-capable interfaces, accumulates it in a memory
       cache, and displays it in a curses window, one line per flow, as a list
       of network flows sorted by throughput. Display updates occur nearly in
       real time, asynchronously from the data collection, so it looks like a
       live show of traffic flows. All kinds of network traffic (Ethernet, IP,
       etc.) are mixed together in the one live-show screen.
       Hint: Please press `H' key inside a show to get brief help!

       IP traffic can be aggregated by netmask prefix bits and service ports
       to reorganize a heap of trivial flows into tree-like hierarchies
       suitable for human perception. The user can glance over the list of
       resulting flows and select one to browse its detail. So you can descend
       into the traffic hierarchy and inspect the packets of each trivial flow
       in a variety of presentations: raw hex, ASCII, timestamp.
       The program aggregates automatically when the number of flows exceeds
       some reasonable amount. A few seconds after launch may be required to
       adapt to your volume of traffic. Use the -a len option (see below) to
       override the default behaviour.

       TrafShow also listens on a UDP port (9995 by default) for diverse
       feeders of Cisco NetFlow and then separately displays the collected
       data in the same manner as described above. The following versions of
       NetFlow are currently supported: V1, V5, V7. Use the -u port option
       (see below) to override the default behaviour.

       This program may be found useful at least to locate suspicious traffic
       on the net very quickly on demand, or to evaluate real-time bandwidth
       utilization, in a simple and convenient environment. But it is not
       intended for collecting and analysing network traffic over a long
       period of time, nor for billing!

       The program claims to be IPv6 compatible and ready to use, but it is
       not tested enough. You can define INET6 when building it to do so.

OPTIONS

       -v     Print detailed version information and exit.

       -p     Do not put the interface(s) into promiscuous mode.

       -n     Do not convert numeric values to names (host addresses, port
              numbers, etc.). The mode can be toggled On/Off during a show by
              pressing the `N' key.

       -b     Place backflow entries next to their main streams in the sorted
              list of traffic flows.
              Note: this mode can raise the system load dangerously high
              because it takes a lot of CPU cycles!

       -a len Aggregate traffic flows using the IP netmask prefix len. This
              option also turns on service port aggregation. The len is
              expected as the number of bits in the network portion of the IP
              address (like CIDR). The aggregation len can be changed during a
              show by pressing the `A' key, and turned Off with an empty
              string.
              Hint: Please use 0 to reduce output to network services only.

       -c conf
              Use the alternate color config file conf instead of the default
              /etc/trafshow.

       -i name
              Listen on the specified network interface name. If unspecified,
              TrafShow collects data from all network interfaces configured UP
              in the system. In that case the system must supply enough packet
              capture devices (like /dev/bpf#).

       -s str Search for and follow the list item matched by string str,
              moving the cursor bar to it. The found item tries to stay
              highlighted. The mode can be turned Off by pressing `Ctrl-/' or
              [re]entered with the `/' key directly in the live show.

       -u port
              Listen on the specified UDP port number for the Cisco NetFlow
              feed. The default port number is 9995.
              Hint: Please use 0 to disable this functionality.

       -R refresh
              Set the refresh period of the data show to refresh seconds, 2
              seconds by default. This option can be changed during a show by
              pressing the `R' key.

       -P purge
              Set the expired data purge period to purge seconds, 10 seconds
              by default. This option can be changed during a show by pressing
              the `P' key.

       -F file
              Use file as input for the filter expression.

       expr   Select which packets will be displayed. If no expression is
              given, all packets on the net will be displayed. Otherwise, only
              packets for which expression is `true' will be displayed.
              The filter expression can be changed during a show by pressing
              the `F' key, and turned Off with an empty string.
              Please see the tcpdump(1) man page for the syntax of filter
              expressions.

FILES

       /etc/trafshow
              The default colors configuration file, if any.

       $HOME/.trafshow
              The personal file with the user-defined colors.

COLORS

       If TrafShow has been compiled with modern curses libraries such as
       Slang or Ncurses, it is able to show colored traffic on a color-capable
       terminal. Hopefully, no special actions are required to install them,
       because your system has them by default (at least in recent years).

       The syntax of the TrafShow color configuration file is as follows:

       default fcolor:bcolor
              Set the default screen background color-pair.

       port[/proto] fcolor:bcolor
              Set the color pattern by service port.

       [proto] src[/mask][,port] dst[/mask][,port] fcolor:bcolor
              Set the color pattern by pair of source and destination
              addresses.

       The tokens *, any, or all match ANY in the pattern. Here fcolor is the
       foreground color and bcolor is the background color.
       The fcolor and bcolor may be one of the following:

       black red green yellow blue magenta cyan white
              It is also possible to indicate a color as a number from 0 to 7.

       An upper-case Fcolor means bright on. An upper-case Bcolor means blink
       on.
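       The following script is an added example and is not part of the
       trafshow man page or of the program's own sources. It ties together the
       OPTIONS section (-p, -n, -a, -u 0, -i, -c, -F) and the COLORS section:
       it writes a personal color file in the syntax above, writes a
       tcpdump(1)-style filter file for -F, and builds the command line that
       uses them. The interface name eth0, the site prefix 192.0.2.0/24, the
       /24 aggregation length and the helper function names are constructed
       for the example; the tcp/udp protocol tokens and the CIDR form of
       src[/mask] are assumptions, since the man page does not spell out what
       proto and mask accept. The NetFlow listener is switched off with -u 0
       because, per BUGS, the filter expression does not apply to NetFlow
       data, and because leaving UDP 9995 open accepts flow feeds from any
       host that can reach it.

```shell
#!/bin/sh
# Added example (not from the trafshow man page or its author): prepare a
# personal color config and a BPF filter file, then build a trafshow command
# line that uses them. eth0, 192.0.2.0/24 and the /24 aggregation length are
# constructed sample values.

# Write a color config in the syntax described under COLORS.
# The tcp/udp protocol tokens and the CIDR-style /mask form are assumptions,
# not something the man page spells out.
write_color_config() {
    cat > "$1" <<'EOF'
default white:black
22/tcp Green:black
53/udp yellow:black
80/tcp cyan:black
443/tcp cyan:black
tcp any 192.0.2.0/24,25 Red:black
udp any 192.0.2.0/24,9995 magenta:black
EOF
}

# Write a tcpdump(1)-syntax filter for -F: keep only packets that cross the
# site boundary (one end inside the prefix, the other outside), which is the
# traffic a quick "who is talking to the outside" review wants to see.
write_boundary_filter() {
    prefix=$2
    printf '(src net %s and not dst net %s) or (dst net %s and not src net %s)\n' \
        "$prefix" "$prefix" "$prefix" "$prefix" > "$1"
}

# Print the command line: one interface, no promiscuous mode, numeric output
# (no reverse-DNS lookups), /24 aggregation, the NetFlow listener disabled
# with -u 0, the color file from -c and the filter read from the -F file.
trafshow_cmdline() {
    printf 'trafshow -p -n -a 24 -u 0 -i %s -c %s -F %s\n' "$1" "$2" "$3"
}

workdir=$(mktemp -d)
write_color_config "$workdir/trafshow.colors"
write_boundary_filter "$workdir/boundary.bpf" 192.0.2.0/24
cmdline=$(trafshow_cmdline eth0 "$workdir/trafshow.colors" "$workdir/boundary.bpf")
echo "$cmdline"
# Run it only when trafshow is installed and a terminal is attached; it is an
# interactive curses program and needs one.
if command -v trafshow >/dev/null 2>&1 && [ -t 1 ]; then
    eval "$cmdline"
fi
```

       To make the colors permanent, copy the generated file to
       $HOME/.trafshow (see FILES) and drop the -c option; the filter file can
       stay wherever is convenient, since -F takes an explicit path.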

SEE ALSO

       pcap(3), tcpdump(1), bpf(4)

ACKNOWLEDGEMENTS

       Thanks to Van Jacobson <van(at)helios.ee.lbl.gov> and Steven McCanne
       <mccanne(at)helios.ee.lbl.gov>, all of Lawrence Berkeley Laboratory,
       University of California, Berkeley. Special thanks to Jun-ichiro itojun
       Hagino <itojun(at)iijlab.net> for IPv6 patches.

AUTHOR

       Vladimir Vorobyev <bob(at)turbo.nsk.su>.

BUGS

       Depending on the traffic volume, TrafShow can take a lot of CPU cycles
       and memory.
       It is impossible to use packet matching expressions in the NetFlow
       mode.



                                   May 2004                        TRAFSHOW(1)