1FLOWTOP(8) netsniff-ng toolkit FLOWTOP(8)
2
6 flowtop - top-like netfilter TCP/UDP/SCTP/DCCP/ICMP(v6) flow tracking
7
9 flowtop { [options] }
10
12 flowtop is a top-like connection tracking tool that can run on an end
13 host or small home router. It is able to present TCP, UDP/UDP-lite,
14 SCTP, DCCP, and ICMP(v6) flows that have been collected by the kernel's
15 netfilter connection tracking framework, thus no packet capturing in
16 user space needs to be done.
17 flowtop is able to give you a quick overview of current connections on
19 your local system, e.g. for debugging purposes or to answer questions
20 like:
21 * If you access website X, what other connections are being opened
23 in
24 the background that I'm not aware of?
25 * What connections are active that pass one's router?
26 * I have this proprietary binary Y, to where does it connect?
27 * To which countries am I sending data?
28 * Are there any suspicious background connections on my machine?
29 * How many active connections does binary Y have?
30 * How long are connections active already?
31 * At which rate am I sending/receiving data?
32 The following information will be presented in flowtop's output:
34 * Application name and PID when run on local machine
36 * Reverse DNS for source and destination
37 * Geo-location information (country, city)
38 * Used protocols (IPv4, IPv6, TCP, UDP, SCTP, ICMP, ...)
39 * Flow port's service name heuristic
40 * Transport protocol state machine information
41 * Byte/packet counters (if they are enabled)
42 * Connection duration (if timestamping is enabled)
43 * Flow send/receive rate (if byte/packet counters are enabled)
44 In order for flowtop to work, netfilter must be active and running on
46 your machine, thus kernel-side connection tracking is active. If net‐
47 filter is not running, you can activate it with iptables(8):
48 iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
50 iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j
52 ACCEPT
53 or by loading the following kernel modules:
55 modprobe nf_conntrack_ipv4
57 modprobe nf_conntrack_ipv6
59 To dump byte/packet counters flowtop enables the sysctl(8) parameter
61 net.netfilter.nf_conntrack_acct via:
62 echo 1 > /proc/sys/net/netfilter/nf_conntrack_acct
64 and resets it to the previously set value on exit. These counters will
66 only be active on connections which were created after accounting was
67 enabled. Thus, to have these counters be active all the time the param‐
68 eter should be enabled after the system is up. To automatically enable
69 it, sysctl.conf(8) or sysctl.d(8) might be used.
70 To calculate the connection duration flowtop enables the sysctl(8)
72 parameter net.netfilter.nf_conntrack_timestamp via:
73 echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp
75 and resets it to the previously set value on exit.
77 flowtop's intention is just to get a quick look over your active con‐
79 nections. If you want logging support, have a look at netfilter's con‐
80 ntrack(8) tools instead.
81
83 -4, --ipv4
84 Display IPv4 flows. That is the default when flowtop is started
85 without any arguments.
86 -6, --ipv6
88 Display IPv6 flows. That is the default when flowtop is started
89 without any arguments.
90 -T, --tcp
92 Display TCP flows. That is the default when flowtop is started
93 without any arguments.
94 -U, --udp
96 Display UDP and UDP-lite flows.
97 -D, --dccp
99 Display DCCP flows.
100 -I, --icmp
102 Display ICMP version 4 and version 6 flows.
103 -S, --sctp
105 Display SCTP flows.
106 -n, --no-dns
108 Don't perform hostname lookup. Only numeric addresses will be
109 shown for flow endpoints.
110 -G, --no-geoip
112 Don't perform GeoIP lookup. No geographical information will be
113 shown for flow endpoints.
114 -s, --show-src
116 Also show source information of the flow, not only destination
117 information.
118 -b, --bits
120 Show flow rates in bits per second instead of bytes per second.
121 -u, --update
123 The built-in database update mechanism will be invoked to get
124 Maxmind's latest database. To configure search locations for
125 databases, the file /etc/netsniff-ng/geoip.conf contains possi‐
126 ble addresses. Thus, to save bandwidth or for mirroring Max‐
127 mind's databases (to bypass their traffic limit policy), differ‐
128 ent hosts or IP addresses can be placed into geoip.conf, sepa‐
129 rated by a newline.
130 -t <time>, --interval <time>
132 Flow info refresh interval in seconds, default is 1s.
133 -v, --version
135 Show version information and exit.
136 -h, --help
138 Show user help and exit.
139
141 flowtop
142 Default ncurses output for flowtop that tracks IPv4, IPv6 flows
143 for TCP.
144 flowtop -46UTDISs
146 This example enables the maximum display options for flowtop.
147
149 Files under /etc/netsniff-ng/ can be modified to extend flowtop's ser‐
150 vice resolution and lookup information.
151 * tcp.conf - TCP port/services map
153 * udp.conf - UDP port/services map
154 * geoip.conf - GeoIP database mirrors
155
157 With a fairly high rate of connection tracking updates, flowtop can
158 become unresponsive for short periods of time while scrolling. The
159 right fix would be to replace flowtop's connection management backend
160 with a better design with respect to the locking approach. This is
161 still on the "todo" list.
162
164 flowtop is licensed under the GNU GPL version 2.0.
165
167 flowtop was originally written for the netsniff-ng toolkit by Daniel
168 Borkmann. It is currently maintained by Tobias Klauser <tklauser@dis‐
169 tanz.ch> and Daniel Borkmann <dborkma@tik.ee.ethz.ch>.
170
172 netsniff-ng(8), trafgen(8), mausezahn(8), ifpps(8), bpfc(8), astracer‐
173 oute(8), curvetun(8), iptables(8), sysctl(8), sysctl.conf(8),
174 sysctl.d(8)
175
177 Manpage was written by Daniel Borkmann.
178
180 This page is part of the Linux netsniff-ng toolkit project. A descrip‐
181 tion of the project, and information about reporting bugs, can be found
182 at http://netsniff-ng.org/.
183Linux 03 March 2013 FLOWTOP(8)