I needed away to in real time watch my network traffic.
jnettop is ok but if you want to filter or do some more advance things ngrep is a nice tool.
Installation:ngrep is a piece of software which is designed to mirror the standard pattern matching utility grep, although instead of matching patterns against text files it matches traffic passing over a network interface.
In terminal or SSHCode:/etc/apt/sources.list (uncomment or add) deb http://security.debian.org lenny/updates main contrib non-free deb http://ftp.debian.org/debian lenny main contrib non-free
wait until the update is done. then runCode:apt-get update
After the installation is done.Code:apt-get install ngrep
Remove or add # infront of:Code:/etc/apt/sources.list
Then runCode:deb http://security.debian.org lenny/updates main contrib non-free deb http://ftp.debian.org/debian lenny main contrib non-free
(verify that it only goes to updates.untangle.com)Code:apt-get update
Now you have ngrep installd.
What can you do then?
Sample.usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
<-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
<-P char> <-F file> <match expression> <bpf filter>
-h is help/usage
-V is version information
-q is be quiet (don't print packet reception hash marks)
-e is show empty packets
-i is ignore case
-v is invert match
-R is don't do privilege revocation logic
-x is print in alternate hexdump format
-X is interpret match expression as hexadecimal
-w is word-regex (expression must match as a word)
-p is don't go into promiscuous mode
-l is make stdout line buffered
-D is replay pcap_dumps with their recorded time intervals
-t is print timestamp every time a packet is matched
-T is print delta timestamp every time a packet is matched
-M is don't do multi-line match (do single-line match instead)
-I is read packet stream from pcap format file pcap_dump
-O is dump matched packets in pcap format to pcap_dump
-n is look at only num packets
-A is dump num packets after a match
-s is set the bpf caplen
-S is set the limitlen on matched packets
-W is set the dump format (normal, byline, single, none)
-c is force the column width to the specified size
-P is set the non-printable display char to what is specified
-F is read the bpf filter from the specified file
-N is show sub protocol number
-d is use specified device instead of the pcap default
-K is kill matching TCP connections
Match only requests going to port 80
Match only requests going to the destination 'untangle.com'Code:ngrep -q '^GET .* HTTP/1.' 'port 80'
Match only ping requestsCode:ngrep -q '^GET .* HTTP/1.' 'host untangle.com'
Monitor all activity crossing source or destination port 25 (SMTP).Code:ngrep -q '.' 'icmp'
Monitor any network-based syslog traffic for the occurrence of the word ``error''. ngrep knows how to convert service port names (on UNIX, located in ``/etc/services'') to port numbers.Code:ngrep -d any port 25
Monitor any traffic crossing source or destination port 21 (FTP), looking case-insensitively for the words ``user'' or ``pass'', matched as word-expressions (the match term(s) must have non-alphanumeric, delimiting characters surrounding them).Code:ngrep -d any 'error' port syslog
As you can see, all headers and aspects of the HTTP transmission are exposed in their gory detail. It's a little hard to parse though, so let's see what happens when ``-W byline'' mode is used:Code:ngrep -wi -d any 'user|pass' port 21
Play NiceCode:ngrep -W byline port 80
If you have nice Sample post them here and we can build a archive.
- NG Firewall
- Solutions by Industry
- Solutions by Issue