FLOWTOP(8)                    netsniff-ng toolkit                   FLOWTOP(8)

NAME

       flowtop - top-like netfilter TCP/UDP/SCTP/DCCP/ICMP(v6) flow tracking

SYNOPSIS

       flowtop { [options] }

DESCRIPTION

       flowtop is a top-like connection tracking tool that can run on an end
       host or small home router. It is able to present TCP, UDP/UDP-lite,
       SCTP, DCCP, and ICMP(v6) flows that have been collected by the kernel's
       netfilter connection tracking framework, thus no packet capturing in
       user space needs to be done.

       flowtop is able to give you a quick overview of current connections on
       your local system, e.g. for debugging purposes or to answer questions
       like:

           * If you access website X, what other connections are being opened
             in the background that you're not aware of?
           * What connections are active that pass one's router?
           * I have this proprietary binary Y, to where does it connect?
           * To which countries am I sending data?
           * Are there any suspicious background connections on my machine?
           * How many active connections does binary Y have?
           * How long are connections active already?
           * At which rate am I sending/receiving data?

       The following information will be presented in flowtop's output:

           * Application name and PID when run on local machine
           * Reverse DNS for source and destination
           * Geo-location information (country, city)
           * Used protocols (IPv4, IPv6, TCP, UDP, SCTP, ICMP, ...)
           * Flow port's service name heuristic
           * Transport protocol state machine information
           * Byte/packet counters (if they are enabled)
           * Connection duration (if timestamping is enabled)
           * Flow send/receive rate (if byte/packet counters are enabled)

       In order for flowtop to work, netfilter must be active and running on
       your machine, thus kernel-side connection tracking is active. If
       netfilter is not running, you can activate it with iptables(8):

           iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

           iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT

       or by loading the following kernel modules:

           modprobe nf_conntrack_ipv4

           modprobe nf_conntrack_ipv6

       To dump byte/packet counters flowtop enables the sysctl(8) parameter
       net.netfilter.nf_conntrack_acct via:

           echo 1 > /proc/sys/net/netfilter/nf_conntrack_acct

       and resets it to the previously set value on exit. These counters will
       only be active on connections which were created after accounting was
       enabled. Thus, to have these counters be active all the time the
       parameter should be enabled after the system is up. To automatically
       enable it, sysctl.conf(8) or sysctl.d(8) might be used.

       To calculate the connection duration flowtop enables the sysctl(8)
       parameter net.netfilter.nf_conntrack_timestamp via:

           echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp

       and resets it to the previously set value on exit.

       flowtop's intention is just to get a quick look over your active
       connections. If you want logging support, have a look at netfilter's
       conntrack(8) tools instead.
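
       When a recorded answer to the questions above is needed, the same
       kernel table can be listed with conntrack(8). The script below is an
       added example, not part of flowtop or netsniff-ng: it totals bytes per
       destination from conntrack -L style output and, since counters exist
       only on connections created after accounting was enabled, reports such
       flows as uncounted rather than as zero traffic. The sample lines are
       constructed; sample_conntrack and summarize_flows are names chosen for
       this example.

```shell
#!/bin/sh
# Added example (not part of flowtop): per-destination byte totals from
# `conntrack -L` style output, flagging flows that carry no counters.

# Constructed sample. The last flow predates nf_conntrack_acct=1, so it has
# no packets=/bytes= fields at all.
sample_conntrack() {
cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=51514 dport=443 packets=12 bytes=1840 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=51514 packets=10 bytes=9120 [ASSURED] mark=0 use=1
tcp      6 431200 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=51520 dport=443 packets=4 bytes=160 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=51520 packets=3 bytes=400 [ASSURED] mark=0 use=1
udp      17 25 src=192.0.2.10 dst=203.0.113.53 sport=40000 dport=53 packets=1 bytes=70 src=203.0.113.53 dst=192.0.2.10 sport=53 dport=40000 packets=1 bytes=120 mark=0 use=1
tcp      6 300000 ESTABLISHED src=192.0.2.10 dst=203.0.113.99 sport=40222 dport=22 src=203.0.113.99 dst=192.0.2.10 sport=22 dport=40222 [ASSURED] mark=0 use=1
EOF
}

# Read flow lines on stdin; print one sorted summary line per destination.
summarize_flows() {
    awk '
    {
        dst = ""; n = 0; orig = 0; reply = 0
        for (i = 1; i <= NF; i++) {
            # The first dst= belongs to the original direction of the flow.
            if ($i ~ /^dst=/) { if (dst == "") dst = substr($i, 5) }
            # First bytes= is the original direction, second is the reply.
            else if ($i ~ /^bytes=/) {
                n++
                if (n == 1) orig  = substr($i, 7) + 0
                else        reply = substr($i, 7) + 0
            }
        }
        if (dst == "") next
        flows[dst]++
        # No counters: report the flow as uncounted instead of as 0 bytes.
        if (n == 0) { blind[dst]++; next }
        sent[dst] += orig; rcvd[dst] += reply
    }
    END {
        for (d in flows)
            printf "%s flows=%d uncounted=%d orig_bytes=%d reply_bytes=%d\n",
                   d, flows[d], blind[d], sent[d], rcvd[d]
    }' | LC_ALL=C sort
}

# On a live host, replace the sample with: conntrack -L 2>/dev/null
sample_conntrack | summarize_flows
```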

OPTIONS

       -4, --ipv4
              Display IPv4 flows. That is the default when flowtop is started
              without any arguments.

       -6, --ipv6
              Display IPv6 flows. That is the default when flowtop is started
              without any arguments.

       -T, --tcp
              Display TCP flows. That is the default when flowtop is started
              without any arguments.

       -U, --udp
              Display UDP and UDP-lite flows.

       -D, --dccp
              Display DCCP flows.

       -I, --icmp
              Display ICMP version 4 and version 6 flows.

       -S, --sctp
              Display SCTP flows.

       -n, --no-dns
              Don't perform hostname lookup. Only numeric addresses will be
              shown for flow endpoints.

       -G, --no-geoip
              Don't perform GeoIP lookup. No geographical information will be
              shown for flow endpoints.

       -s, --show-src
              Also show source information of the flow, not only destination
              information.

       -b, --bits
              Show flow rates in bits per second instead of bytes per second.

       -u, --update
              The built-in database update mechanism will be invoked to get
              Maxmind's latest database. To configure search locations for
              databases, the file /etc/netsniff-ng/geoip.conf contains
              possible addresses. Thus, to save bandwidth or for mirroring
              Maxmind's databases (to bypass their traffic limit policy),
              different hosts or IP addresses can be placed into geoip.conf,
              separated by a newline.

       -t <time>, --interval <time>
              Flow info refresh interval in seconds, default is 1s.

       -v, --version
              Show version information and exit.

       -h, --help
              Show user help and exit.

USAGE EXAMPLE

       flowtop
              Default ncurses output for flowtop that tracks IPv4, IPv6 flows
              for TCP.

       flowtop -46UTDISs
              This example enables the maximum display options for flowtop.

CONFIG FILES

       Files under /etc/netsniff-ng/ can be modified to extend flowtop's
       service resolution and lookup information.

           * tcp.conf - TCP port/services map
           * udp.conf - UDP port/services map
           * geoip.conf - GeoIP database mirrors

BUGS

       With a fairly high rate of connection tracking updates, flowtop can
       become unresponsive for short periods of time while scrolling. The
       right fix would be to replace flowtop's connection management backend
       with a better design with respect to the locking approach. This is
       still on the "todo" list.

       flowtop is licensed under the GNU GPL version 2.0.

HISTORY

       flowtop was originally written for the netsniff-ng toolkit by Daniel
       Borkmann. It is currently maintained by Tobias Klauser
       <tklauser@distanz.ch> and Daniel Borkmann <dborkma@tik.ee.ethz.ch>.

SEE ALSO

       netsniff-ng(8), trafgen(8), mausezahn(8), ifpps(8), bpfc(8),
       astraceroute(8), curvetun(8), iptables(8), sysctl(8), sysctl.conf(8),
       sysctl.d(8)

AUTHOR

       Manpage was written by Daniel Borkmann.

COLOPHON

       This page is part of the Linux netsniff-ng toolkit project. A
       description of the project, and information about reporting bugs, can
       be found at http://netsniff-ng.org/.

Linux                            03 March 2013                      FLOWTOP(8)