On Thu, Jun 24, 2004 at 12:37:18PM -0400, Kevin Old wrote:
>
> I'm trying to capture and analyze *all* traffic (not just web traffic,
> which I can use Wusage for) coming to and from my server. I've
> recently been introduced to iptraf and am wondering about how I'm to
> use its statistics.
...
> In the Perl script I write to analyze this data, I'm going to separate
> the traffic by TCP and UDP, but I was confused at what "bytes" I'm
> supposed to add and subtract?
...
> You'll notice that the 52 bytes is in both lines. Should I only "add
> up" the traffic on the "FIN sent" lines to avoid reporting a higher
> amount of traffic than is actually coming through?
>
> Any help is appreciated,

Hmm... iptraf is presenting summary information and presenting the
summary of like packets on a summary line in some cases. If you really
want to understand what it is doing, look at the output of tcpdump or
tethereal for the same five seconds that you let iptraf do a summary.
Since tcpdump and tethereal will give you one line per packet, it will be
moderately easy to understand the internals of iptraf.

Since TCP is a stateful connection, the "FIN sent" state makes it possible
to collect the total bytes transferred via the connection.

HOWEVER, without full understanding all is not perfect here. For example,
if you watch an ssh connection to a box it begins with something like:

Mon Jun 28 13:58:27 2004; TCP; eth0; 60 bytes; from 192.168.0.53:22 to \
192.168.0.51:44935; first packet (SYN)

It is interesting that if you power down that box from that ssh connection
there is no "FIN sent" packet to trigger the summary line from iptraf.
The same is true for lots of other TCP connections. Depending on the
ultimate purpose behind your logging you could perl out any visibility of
a class of problems. Also, a very long standing connection can put the
first packet in a log separated by days from the teardown and summary
packets.

-- 
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
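The bookkeeping Tom describes, written out as an added example (this is not code from the thread, not Kevin's Perl script, and not part of iptraf): TCP bytes are taken only from the "FIN sent" summary line of each connection so per-packet lines are not double-counted, UDP lines are summed one datagram at a time since there is no connection state, and any connection that logged a "first packet (SYN)" but never a "FIN sent" is reported separately, which is exactly the powered-down-box and days-long-connection case that would otherwise vanish from the totals. Only the SYN line shape appears in the message; the field layout of the "FIN sent" and UDP lines, and the sample log itself, are constructed assumptions modelled on that one line.

```python
"""Aggregate iptraf-style log lines by protocol and connection.

Added example, not code from the mailing-list thread. The record layout
(timestamp; proto; iface; N bytes; from A to B; optional note) is modelled
on the single SYN line quoted in the message; the "FIN sent" and UDP line
shapes are assumptions, not documented iptraf output.
"""
import re
from collections import OrderedDict

# Constructed sample log. Line 1 is the line quoted in the message (unwrapped);
# the rest are made up to exercise the per-packet / summary / no-FIN cases.
SAMPLE_LOG = """\
Mon Jun 28 13:58:27 2004; TCP; eth0; 60 bytes; from 192.168.0.53:22 to 192.168.0.51:44935; first packet (SYN)
Mon Jun 28 13:58:27 2004; TCP; eth0; 52 bytes; from 192.168.0.51:44935 to 192.168.0.53:22
Mon Jun 28 13:59:02 2004; TCP; eth0; 4812 bytes; from 192.168.0.51:44935 to 192.168.0.53:22; FIN sent
Mon Jun 28 13:59:10 2004; UDP; eth0; 78 bytes; from 192.168.0.51:53 to 192.168.0.53:32771
Mon Jun 28 13:59:30 2004; TCP; eth0; 60 bytes; from 192.168.0.51:40010 to 192.168.0.53:22; first packet (SYN)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[^;]+); (?P<proto>TCP|UDP); (?P<iface>\w+); (?P<bytes>\d+) bytes; "
    r"from (?P<src>[\d.]+:\d+) to (?P<dst>[\d.]+:\d+)(?:; (?P<note>.*))?$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["note"] = rec["note"] or ""
    return rec


def conn_key(rec):
    """Direction-independent key: the same connection seen from either side."""
    return tuple(sorted((rec["src"], rec["dst"])))


def aggregate(lines):
    """Return (totals_by_proto, bytes_per_closed_conn, unclosed_conns).

    TCP bytes come only from "FIN sent" summary lines, so the per-packet
    lines that repeat the same bytes are not added twice. Connections that
    opened with a SYN and never logged a FIN are returned in unclosed_conns
    (keyed to their SYN timestamp) instead of silently contributing nothing.
    """
    totals = {"TCP": 0, "UDP": 0}
    open_conns = OrderedDict()   # key -> timestamp of the SYN line
    closed = OrderedDict()       # key -> bytes from the FIN sent summary
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # skip anything that is not a traffic record
        if rec["proto"] == "UDP":
            totals["UDP"] += rec["bytes"]   # no state: each line is one datagram
            continue
        key = conn_key(rec)
        if "first packet (SYN)" in rec["note"]:
            open_conns[key] = rec["ts"]
        elif "FIN sent" in rec["note"]:
            totals["TCP"] += rec["bytes"]
            closed[key] = rec["bytes"]
            open_conns.pop(key, None)
        # plain per-packet TCP lines are deliberately ignored for the totals
    return totals, closed, dict(open_conns)


if __name__ == "__main__":
    totals, closed, unclosed = aggregate(SAMPLE_LOG.splitlines())
    print("totals:", totals)
    for key, nbytes in closed.items():
        print("closed  %s <-> %s : %d bytes" % (key[0], key[1], nbytes))
    for key, ts in unclosed.items():
        print("NO FIN  %s <-> %s : opened %s, bytes unknown" % (key[0], key[1], ts))
```

The "NO FIN" report is the part worth keeping in any real script: a connection that never reached "FIN sent" has no summary line, so its bytes are simply absent from the total, and the only way to know the total is low is to track the SYNs that were never closed.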