Etherape, the graphical network monitoring tool. February 24, 2011. Posted by Tournas Dimitrios in Linux admin tools.
Every Linux administrator needs a good network monitor for network management. But with so many to choose from, it's hard to know which one is best. For example, a quick search at Freshmeat.net returned 215 entries for open source network analyzers and network tools. My blog has already presented some command line tools, and future articles will present even more, but it's time to introduce a graphical alternative. It's just a matter of taste: some admins prefer the terminal tools (myself included) and others the graphical alternatives.
The EtherApe network monitor is a midrange option for monitoring your network's data traffic. It can monitor your network card directly, or read from a pcap file created by other utilities (tcpdump, wireshark, ettercap, ...). As an open source network monitor, EtherApe offers a dynamic graphical interface; features IP and TCP modes; supports Ethernet, FDDI, PPP, and SLIP devices; filters traffic; and reads traffic both from a tcpdump file and live from the network.
Installing etherape:
As always on Linux there are two ways of installing an application. The first is to install from source, which requires the source tarball and compiling it to build the binary (./configure, make, make install).
The second installation method, from RPM, requires the RPM file from a trusted repository, and the installation is totally automated. Usually the second method is preferred, so let's demonstrate how to do that. For CentOS 5.x the rpm package is provided by rpmforge, and yum makes the installation: yum install etherape.
etherape requires of course a graphical environment (GNOME, KDE) and the libpcap library. Once you've installed the application, run EtherApe by typing etherape at the command prompt (to monitor the NIC) or with the "-r filename.pcap" option (to read from a pre-recorded file).
When you start EtherApe, you may or may not see traffic, depending on whether there is traffic actively passing through your network. You'll notice that the display immediately becomes dynamic. As traffic comes in, the amount of traffic is represented by the thickness of the lines representing each connection. This display tells you not only the type and relative size of traffic, but also its source. If you need to know more about the traffic passing on your network, open the Protocols window (from the View drop-down menu, select Protocols).
The Protocols window is a great tool to use for troubleshooting your network. Suppose your network becomes extremely slow, and you have no idea why. You can use EtherApe to check on the traffic that’s moving through your network. When you fire up EtherApe, you see a Web of traffic. You open the Protocols window and confirm that WWW is racking up an enormous amount of traffic. When you return to the Main window, you see that the vast amount of WWW traffic is hitting one of your backup Web servers and that traffic is coming from one specific domain. You can end this problem by blocking the domain from entering your internal network.
Configuring EtherApe:
To configure EtherApe, click the Stop button on the main window and then click the Pref (preferences) button to open the Configuration window .
The Diagram tab can be used to configure some of the monitor's protocol specifics. With the Protocol Stack Level setting, you specify the level of the packet you want to monitor. There are five levels of the stack to watch:
- Topmost Recognized Protocol (Level 1, physical medium): the most specific information about the packets traversing your network
- Level 2 (eth_II): ARP is the only protocol visible
- Level 3 (IP): IP is the only protocol visible
- Level 4 (TCP and UDP): TCP- and UDP-related protocols
- Level 5 (HTTP): application-level protocols (HTTP, FTP, SMTP, ...)
Node Size Variable allows you to dictate the direction in which EtherApe is monitoring. There are two types of traffic, instant and accumulative, and each type has three different directional patterns (in+out, inbound, and outbound).
The Colors tab modifies the color used for each protocol; you can also add more colors to the list.
On the Timings tab , you can alter the Diagram Refresh Rate. This rate count is in milliseconds, so don’t let the default 800 fool you. One thing I noticed with this particular configuration is the faster the refresh rate, the harder it is to follow the traffic. By setting the Diagram Refresh Rate at the fastest possible setting (50 milliseconds), the monitor became useless. Because of the high refresh rate, the size of the traffic and the host addresses were moving around so quickly, it looked as if I were playing an old Atari video game. However, at a much slower rate (2,000 milliseconds, for example), too much traffic is missed. On a larger network, I find it much easier to work somewhere between 500 and 700 milliseconds.
As with all network monitors, the most important aspect of EtherApe is the filters. In a network monitor, a filter utility allows you to monitor the traffic patterns at a granular level. For example, suppose you have a large network that is bogged down because of excessive Domain traffic. Because of your network's size, you are unable to figure out where the bottleneck is coming from. Specifying which machines you want EtherApe to monitor can help you troubleshoot the problem more quickly.
To configure EtherApe to watch only one particular group of addresses, first open the Preferences window and select the Capture tab. The top right drop-down list (labeled Capture Filter) is where you enter the filter syntax, which for EtherApe is src net IP_ADDRESS dst net IP_ADDRESS (where IP_ADDRESS is the actual IP address of the machine, or machines, you wish to monitor). So if you want to monitor traffic from the subnet whose IP addresses fall in the range 192.168.1, you would enter src net 192.168.1 dst net 192.168.1 to create this filter. Notice that there is no trailing dot at the end of the unfinished dotted quad address. The unfinished address tells EtherApe that it must watch a range of addresses and not a single address. You can enter a single address, or you can enter either a source (src) or destination (dst) only.
Once you enter the filter, you will save and then click OK. The filter will then begin running. One very nice touch is that as you create new filters, they will all appear in the Capture Filter drop-down list. This allows you to switch between filters quickly, without having to reenter them.
Reading from files and remote networks:
EtherApe’s ability to read from a tcpdump file is good, because it allows an administrator to capture network traffic to a file and analyze that traffic either off-line or at a more convenient time.
The tcpdump command, which generates the file for EtherApe to read, must be run with the -n -w switches. The -n switch tells tcpdump not to resolve IP addresses, and the -w switch instructs tcpdump to write packets to the specified file instead of stdout. First, you have to capture the network traffic by dumping it to a file. To do so, open a terminal window, su to root, and run the command "tcpdump -n -w dump_file". Instead of getting your Bash prompt back, you will see tcpdump: listening on eth0. Once you feel you have sufficient traffic saved to your file (running this command for five minutes will provide you with more than enough traffic), press "Ctrl + c" and the Bash prompt will return. Next, open EtherApe and have it read the dump file. From the Bash prompt, enter the command "etherape -r dump_file", and EtherApe will begin displaying the traffic listed in the file as if it were being captured in real time.
Another really handy little trick takes advantage of secure shell. You can pipe the output of a tcpdump run through an ssh session, which allows you to monitor a remote network with EtherApe. To do this, connect with ssh to the remote host/network and run the tcpdump utility remotely as follows:
ssh root@remotehost tcpdump -n -w - | etherape -m ip -r -
EtherApe will open, displaying the remote network traffic locally.
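As an added example (not part of the original post and not EtherApe's own code), the Python below reads a classic pcap file of the kind tcpdump -n -w produces and tallies bytes per protocol at stack levels 2, 3 and 4, the same breakdown the Protocols window gives for a dump file. The sample capture is constructed in memory (zeroed MACs, private 192.168.1.x addresses), and the two-entry port-to-name table is a stand-in for EtherApe's own service naming.

```python
import struct
from collections import Counter
ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PORT_NAMES = {53: "DOMAIN", 80: "WWW"}  # service names the way EtherApe labels them

def parse_pcap(data):
    """Yield link-layer frames from a classic pcap buffer (either byte order; not pcapng)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack_from(endian + "I", data, 20)[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("expected a classic pcap file (not pcapng) with Ethernet link type")
    off = 24  # past the 24-byte global header
    while off + 16 <= len(data):  # 16-byte record header, then incl_len bytes of frame
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def classify(frame):
    """Labels for one frame at stack levels 2, 3 and 4/5 (None where that level is absent)."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETH_IPV4:
        return ("ETH_II", "ARP" if ethertype == ETH_ARP else hex(ethertype), None)
    ihl = (frame[14] & 0x0F) * 4  # IP header length in bytes
    proto, l4 = frame[14 + 9], frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:  # TCP/UDP: name by well-known port, either direction
        sport, dport = struct.unpack_from("!HH", l4, 0)
        name = PORT_NAMES.get(dport) or PORT_NAMES.get(sport) or ("TCP" if proto == 6 else "UDP")
        return ("ETH_II", "IP", name)
    return ("ETH_II", "IP", "ICMP" if proto == 1 else f"proto{proto}")

def protocol_bytes(data, level):
    """Bytes per protocol at stack level 2, 3 or 4: the tally EtherApe's Protocols window shows."""
    totals = Counter()
    for frame in parse_pcap(data):
        if label := classify(frame)[level - 2]:
            totals[label] += len(frame)
    return dict(totals)
# Constructed sample capture (zeroed MACs, 192.168.1.10 -> .20): two WWW segments, a DNS reply, an ARP.
def _ip_frame(proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return bytes(12) + struct.pack("!H", ETH_IPV4) + ip + l4
def build_sample_pcap():
    tcp = lambda s, d, p: struct.pack("!HHIIBBHHH", s, d, 0, 0, 0x50, 0x18, 0, 0, 0) + p
    frames = [_ip_frame(6, tcp(40000, 80, b"GET / HTTP/1.0\r\n\r\n")),
              _ip_frame(6, tcp(80, 40000, b"HTTP/1.0 200 OK\r\n" + b"x" * 100)),
              _ip_frame(17, struct.pack("!HHHH", 53, 33000, 30, 0) + b"r" * 22),  # reply: sport 53
              bytes(12) + struct.pack("!H", ETH_ARP) + bytes(28)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, little-endian
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl_len, orig_len
    return out
```

Pass the bytes of a real dump_file to protocol_bytes() to get the same per-protocol totals without the GUI; pcapng captures (the default for newer Wireshark) are rejected rather than misparsed.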