Coming off a series of articles on installing and configuring IPCop (Part 1, Part 2, Part 3), my attention now turns to actually monitoring and managing the network. One of the questions that will come up is 'Where did all my bandwidth go?' IPCop, like many other *nix distros, includes a program called iftop, which displays the bandwidth being used on an interface. While this can be useful on individual machines, it really shines on a router or gateway machine, where every connection crossing the network passes through the interface being watched.
To install iftop, look no further than your distro's Package Management system. If you cannot find it there, you can download it from iftop's homepage at http://ex-parrot.com/~pdw/iftop/. You will need libpcap and ncurses installed if you download it straight from the website.
For basic usage, you can fire up iftop by simply running the command 'iftop'. A screen will appear that displays the DNS-resolved addresses that are pushing traffic, the direction the traffic is flowing, and the rates at which it is moving. Most of the time this should suffice, but iftop takes a few command line switches as well:
Don't do DNS lookups
Don't resolve port numbers to names
Run in promiscuous mode to see all traffic, not just what is directed at the interface
Don't display bargraphs on the screen
Display in bytes, not bits
Watch the specified interface
While iftop is running, the following commands are available:
Aggregate all the source or destination traffic together
Toggle port display for sources or destinations
Cycle through different display modes
Pause the display
Freeze the current display order (note, new flows will not be displayed)
Page through the hosts (useful when the order is frozen)
Hopefully this will give you a small insight into what traffic is actually moving in and out of your network and at what rate. Some of the previous tools we've shown for IPCop are helpful for seeing where traffic is going, but not how fast, on a connection-by-connection basis. iftop can easily fill in that information for you.