Chapter 1 ■ Real Time Network Statistics with iftop
On the right side, you can see three columns. The excellent iftop refers to this as its display order and
the columns deal with different time-delay averages. By default, this appears (at least) to be two-second,
ten-second, and forty-second averages. These values can be configured separately, so don’t let that confuse
you too much initially. In addition, it’s easy to change the overall display using those columns by pressing
the 1, 2, or 3 keys to respectively filter by the aforementioned 2s, 10s, or 40s averages.
As an aside, a two-second average is really short; I love it having come from a background filled with
what felt like lengthy five-minute SNMP averages. I can see very quickly what’s just changed on the network
and although two seconds isn’t real-time, it’s very close to it and certainly has its place on today’s busy
Internet. I find that it’s just long enough for you to be able to spot something without worrying about freezing
the screen in case you missed it.
When you’re running the default config without specifying any options, iftop outputs the busiest hosts
in the last ten seconds (in other words, by using a ten-second average). It also groups hosts in pairs to choose
the busiest pair of combined inbound and outbound traffic.
Finally, at the end of the output, you are presented with a number of totals. These include useful
statistics, such as the amount of data transferred in megabytes (MB) as well as forty-second averages of
traffic, usually in megabits (Mb), but also sometimes in kb for kilobytes.
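The pairing and the three averages described above can also be checked outside the interactive screen. The following is an added example, not code from the book or from the iftop project: a shell function that ranks host pairs by combined sent and received traffic for one chosen average, numbered like the 1, 2, and 3 keys. It assumes the two-lines-per-pair layout of iftop's text mode (-t), rates shown in bits, and 1 Kb = 1024 b; the sample data and the names sample_output and rank_pairs are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank host pairs from iftop text-mode output by one average.
# COL follows iftop's 1/2/3 keys: 1 = 2s, 2 = 10s, 3 = 40s.

# Constructed sample in the layout assumed for `iftop -t` (not a real capture).
sample_output() {
cat <<'EOF'
   # Host name (port/service if enabled)            last 2s   last 10s   last 40s cumulative
--------------------------------------------------------------------------------------------
   1 10.0.0.5                                 =>     1.50Mb      800Kb      200Kb     4.00MB
     192.0.2.10                               <=      500Kb      200Kb      100Kb     1.00MB
   2 10.0.0.7                                 =>      120Kb     1.20Mb      900Kb     6.00MB
     198.51.100.4                             <=       80Kb      300Kb      600Kb     3.00MB
--------------------------------------------------------------------------------------------
Total send rate:                                     1.62Mb     2.00Mb     1.10Mb
EOF
}

# usage: rank_pairs COL < iftop-text-output
# Prints "<combined bits/s> <host> <=> <peer>", busiest pair first.
rank_pairs() {
  awk -v col="$1" '
    # Convert a rate such as "1.50Mb" to bits per second (assumed 1024 multiplier).
    function bits(v,   n, u) {
      n = v + 0; u = v; gsub(/[0-9.]/, "", u)
      if (u == "Kb") n *= 1024
      else if (u == "Mb") n *= 1024 * 1024
      else if (u == "Gb") n *= 1024 * 1024 * 1024
      return n
    }
    NF < 6 { next }                      # separators and short lines
    # "=>" line: first host of the pair and its sent rate
    $(NF-4) == "=>" { src = $(NF-5); tx = bits($(NF-4+col)); next }
    # "<=" line: peer and received rate; emit the combined figure for the pair
    $(NF-4) == "<=" && src != "" {
      printf "%d %s <=> %s\n", tx + bits($(NF-4+col)), src, $(NF-5)
      src = ""
    }
  ' | sort -rn
}

# Rank the constructed sample by its two-second average.
sample_output | rank_pairs 1
```

On this sample the busiest pair changes between the two-second and forty-second columns, which is the effect of switching averages with the 1 and 3 keys.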
Controlling iftop from the Keyboard
In addition to providing a slick graphical display, even through an SSH terminal, iftop lets you modify
your configuration at the press of a key. For example, in the course of a sysadmin’s work day, you could be
checking all sorts of bad networking habits: from monitoring the misconfiguration of a network interface to
mitigating a hideously hazardous ARP storm. With iftop, you can cycle through a number of options and
confidently choose a config parameter to suit your current scenario instantly.
Here are some examples of how iftop can make your sysadmin life easier at the press of a key:
• To change the source and destination displays, press the s key or the d key while
iftop is running. This helps isolate who is sending what, especially if iftop is being
run on a Linux router (which I’ll touch on in “Using iftop on Busy Routers” later in this
chapter) and forwarding traffic.
• To quickly see which ports are in use, press the p key. You can also use the Shift+S
and Shift+D keys to expose source and destination ports, respectively. Figure 1-4
demonstrates how friendly iftop is with its options and how it dutifully reports, in
the top-left of the screen, the result of the keypress that it has just received.
• To cycle through several different displays (similar to horizontal bar graphs), press
the t key.