Network monitor for Linux.
netmon processes IP packets coming either from a network interface or from a PCAP file and generates six kinds of events:
- ICMP, containing the following information:
  - Timestamp
  - Source address
  - Destination address
  - Number of bytes transferred
  - ICMP type
  - ICMP code
- UDP, containing the following information:
  - Timestamp
  - Source address
  - Source port
  - Destination address
  - Destination port
  - Number of bytes transferred
- DNS (request and response), containing the following information:
  - Timestamp
  - Source address
  - Source port
  - Destination address
  - Destination port
  - Number of bytes transferred
  - Domain queried
  - For responses: list of IP addresses
- Begin TCP connection, containing the following information:
  - Timestamp
  - Source address
  - Source port
  - Destination address
  - Destination port
- TCP data, containing the following information:
  - Timestamp
  - Source address
  - Source port
  - Destination address
  - Destination port
  - Creation timestamp
  - Number of bytes of payload
- End TCP connection, containing the following information:
  - Timestamp
  - Source address
  - Source port
  - Destination address
  - Destination port
  - Creation timestamp
  - Number of bytes transferred by the client
  - Number of bytes transferred by the server
These events are written to a file in binary format, one file per worker thread.
The event files can be merged using evmerger, which takes two or more event files and generates an output file containing all the events.
The event files can be viewed using evreader, which can dump the events in the following formats:
- Human readable
- JSON
- Javascript
- CSV
- SQLite database
evreader has a DNS cache for IPv4 and a DNS cache for IPv6 and can provide (when possible) the source hostname and the destination hostname.
evconnections takes as input an event file and generates as output an event file containing only the "End TCP connection" events. The events can be sorted by:
- Duration
- Transferred client
- Transferred server
- Transferred
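To make the event model above concrete, and to show what the evconnections sort keys operate on, here is an added example that is not netmon's own code: it turns a constructed packet sequence into the three TCP event kinds with the fields listed above, then sorts the resulting "End TCP connection" events by the compare functions evconnections offers. The Packet, Connection and TcpTracker names, the idle-timeout eviction, ending a connection on the first FIN or RST, reporting the client as the source of the tcp-end event, and the definitions duration = timestamp - creation and transferred = client + server are all assumptions made for the illustration; netmon's actual tracking logic is not described on this page.

```python
"""TCP event reconstruction and evconnections-style sorting (added example, not netmon code)."""
from dataclasses import dataclass

# TCP header flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

@dataclass
class Packet:  # constructed minimal view of an IPv4/TCP packet
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0
    payload: int = 0    # payload length in bytes

@dataclass
class Connection:
    client: tuple       # (address, port) of the side that sent the initial SYN
    server: tuple
    creation: float     # reported as "Creation timestamp" in tcp-data / tcp-end events
    last_seen: float
    bytes_client: int = 0
    bytes_server: int = 0

class TcpTracker:
    """Emits tcp-begin / tcp-data / tcp-end events carrying the fields the README lists.
    Assumptions: idle connections are ended after connection_timeout seconds, a connection
    is ended on the first FIN or RST, and tcp-end reports the client as source."""
    def __init__(self, connection_timeout=7200.0, max_connections=1048576):
        self.timeout, self.max_connections = connection_timeout, max_connections
        self.table = {}        # (client, server) -> Connection
        self.events = []
        self.dropped = 0       # initial SYNs ignored because the table was full

    def _lookup(self, pkt):
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        for key in ((a, b), (b, a)):    # packets flow in both directions
            if key in self.table:
                return key
        return None

    def _end(self, key, ts):
        c = self.table.pop(key)
        self.events.append({"event": "tcp-end", "timestamp": ts, "source": c.client,
                            "destination": c.server, "creation": c.creation,
                            "transferred_client": c.bytes_client,
                            "transferred_server": c.bytes_server})

    def expire(self, now):
        """End connections idle for longer than the timeout (run before each packet)."""
        for key in [k for k, c in self.table.items() if now - c.last_seen > self.timeout]:
            self._end(key, now)

    def feed(self, pkt):
        self.expire(pkt.ts)
        key = self._lookup(pkt)
        if key is None:
            if pkt.flags & (SYN | ACK | FIN | RST) != SYN:
                return             # not an initial SYN: unknown mid-stream packet, no event
            if len(self.table) >= self.max_connections:
                self.dropped += 1
                return
            key = ((pkt.src, pkt.sport), (pkt.dst, pkt.dport))
            self.table[key] = Connection(key[0], key[1], pkt.ts, pkt.ts)
            self.events.append({"event": "tcp-begin", "timestamp": pkt.ts,
                                "source": key[0], "destination": key[1]})
            return
        c = self.table[key]
        c.last_seen = pkt.ts
        if pkt.payload:
            if (pkt.src, pkt.sport) == c.client:
                c.bytes_client += pkt.payload
            else:
                c.bytes_server += pkt.payload
            self.events.append({"event": "tcp-data", "timestamp": pkt.ts,
                                "source": (pkt.src, pkt.sport),
                                "destination": (pkt.dst, pkt.dport),
                                "creation": c.creation, "payload": pkt.payload})
        if pkt.flags & (FIN | RST):
            self._end(key, pkt.ts)

def sort_connections(events, compare="duration", order="ascending"):
    """Sort tcp-end events by evconnections' compare functions. Assumed definitions:
    duration = timestamp - creation, transferred = transferred_client + transferred_server."""
    keys = {"duration": lambda e: e["timestamp"] - e["creation"],
            "transferred-client": lambda e: e["transferred_client"],
            "transferred-server": lambda e: e["transferred_server"],
            "transferred": lambda e: e["transferred_client"] + e["transferred_server"]}
    ends = [e for e in events if e["event"] == "tcp-end"]
    return sorted(ends, key=keys[compare], reverse=(order == "descending"))

def run_sample():
    """Constructed packet stream: one HTTPS exchange closed by FIN, and one SSH connection
    that goes idle and is ended by the timeout sweep when a later SYN arrives."""
    pkts = [
        Packet(100.0, "10.0.0.5", 40001, "93.184.216.34", 443, SYN),
        Packet(100.1, "93.184.216.34", 443, "10.0.0.5", 40001, SYN | ACK),
        Packet(100.2, "10.0.0.5", 40001, "93.184.216.34", 443, ACK, 517),
        Packet(100.4, "93.184.216.34", 443, "10.0.0.5", 40001, ACK, 4096),
        Packet(101.0, "10.0.0.5", 40001, "93.184.216.34", 443, FIN | ACK),
        Packet(200.0, "10.0.0.7", 40002, "10.0.0.1", 22, SYN),
        Packet(200.5, "10.0.0.7", 40002, "10.0.0.1", 22, ACK, 64),
        Packet(7401.0, "10.0.0.9", 40003, "10.0.0.1", 80, SYN),
    ]
    tracker = TcpTracker()
    for p in pkts:
        tracker.feed(p)
    return tracker
```

Running run_sample() yields eight events: begin, two data and end for the HTTPS exchange (517 bytes from the client, 4096 from the server, creation 100.0), then begin and data for the SSH connection, whose end event is only emitted at 7401.0 when the timeout sweep triggered by the third SYN finds it idle for more than 7200 seconds. Sorting those two end events with compare "duration" descending puts the SSH connection first; the size of the table and the timeout together bound how much state an idle or half-open flood can pin in memory, which is what the --tcp-ipv4-max-connections and --connection-timeout options below control.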
Usage: ./netmon OPTIONS
OPTIONS:
Capture configuration:
--capture-method <method>
<method> ::= "pcap" | "ring-buffer" | "socket"
Mandatory.
--capture-device <device>
<device>: either a PCAP filename for the capture method "pcap" or
the name of a network interface.
Mandatory.
--rcvbuf-size <size>
<size>: size of the socket receive buffer.
Greater than or equal to: 2048, default: not set.
Optional.
--promiscuous-mode
Enable interface's promiscuous mode.
Default: no.
Optional.
Ring buffer configuration:
--ring-buffer-block-size <size>
<size>: size of the ring buffer block.
Range: 128 .. 18446744073709551615, default: 4096.
Optional.
--ring-buffer-frame-size <size>
<size>: size of the ring buffer frame.
Range: 128 .. 18446744073709551615, default: 2048.
Optional.
--ring-buffer-frame-count <number>
<number>: number of frames in the ring buffer.
Range: 8 .. 18446744073709551615, default: 512.
Optional.
TCP/IPv4 hash table configuration:
--tcp-ipv4-hash-size <number>
<number>: size of the hash table.
Range: 256 .. 4294967296, default: 4096.
Optional.
--tcp-ipv4-max-connections <number>
<number>: maximum number of connections.
Range: 256 .. 4294967296, default: 1048576.
Optional.
--connection-timeout <number>
<number>: connection timeout (seconds).
Greater than or equal to: 5, default: 7200.
Optional.
--tcp-time-wait <number>
<number>: TCP time wait (seconds).
Greater than or equal to: 1, default: 120.
Optional.
TCP/IPv6 hash table configuration:
--tcp-ipv6-hash-size <number>
<number>: size of the hash table.
Range: 256 .. 4294967296, default: 4096.
Optional.
--tcp-ipv6-max-connections <number>
<number>: maximum number of connections.
Range: 256 .. 4294967296, default: 1048576.
Optional.
--connection-timeout <number>
<number>: connection timeout (seconds).
Greater than or equal to: 5, default: 7200.
Optional.
--tcp-time-wait <number>
<number>: TCP time wait (seconds).
Greater than or equal to: 1, default: 120.
Optional.
Workers configuration:
--number-workers <number>
<number>: number of worker threads.
Range: 1 .. 1024, default: 4.
Optional.
--processors "all" | "even" | "odd" | <processor-list>
<processor-list> ::= <processor>[,<processor>]*
<processor> ::= 0 .. 7
Optional.
--events-directory <directory>
<directory>: directory where to save the event files.
Default: ".".
Optional.
--file-allocation-size <size>
<size>: file allocation size.
Default: 1073741824.
Optional.
--event-writer-buffer-size <size>
<size>: size of the event writer buffer.
Greater than or equal to: 1024, default: 32768.
Optional.
<number> ::= <digit>+
<size> ::= <number>[KMG]
Optional suffixes: K (KiB), M (MiB), G (GiB)
Usage: ./evmerger <input-event-file> ... <input-event-file> <output-event-file>
Usage: ./evreader [OPTIONS] --input-filename <filename>
Options:
--help
--output-filename <filename>
<filename>: Name of the file where to save the output.
Default: standard output.
--output <output>
<output> ::= "header" | "human-readable" | "json" | "javascript" | "csv" | "sqlite"
Default: "human-readable"
--format <format>
<format> ::= "pretty-print" | "compact"
Default: "pretty-print"
--csv-separator <character>
<character>: CSV character separator.
Default: ','
--filter <expression>
<expression> ::= (<expression>)
<expression> ::= <expression> <logical-operator> <expression>
<expression> ::= <identifier> <relational-operator> <value>
<logical-operator> ::= "&&" | "||"
<relational-operator> ::= "==" | "!=" | "<" | ">" | "<=" | ">="
<identifier> ::= "date" |
"event_type" |
"source_ip" |
"source_hostname" |
"source_port" |
"destination_ip" |
"destination_hostname" |
"destination_port" |
"ip" |
"hostname" |
"port" |
"icmp_type" |
"icmp_code" |
"transferred" |
"query_type" |
"domain" |
"number_dns_responses" |
"dns_response" |
"payload" |
"creation" |
"duration" |
"transferred_client" |
"transferred_server"
<value> ::= <event-type> |
<number> |
<string> |
<timestamp> |
<hostname> |
<duration> |
<network-mask>
<event-type> ::= "icmp" |
"udp" |
"dns" |
"tcp-begin" |
"tcp-data" |
"tcp-end"
<string> ::= "<character>*"
<timestamp> ::= timestamp with the format YYYY/MM/DD hh:mm:ss[.uuuuuu]
<duration> ::= connection duration in seconds
<network-mask> ::= network address in CIDR notation
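The filter grammar above can be implemented with a small recursive-descent parser. The following is an added example and not evreader's own filter code: it tokenizes an expression, builds an expression tree and evaluates it against a few constructed events shaped like a JSON export of the event fields. Assumptions made here that the grammar does not state: "&&" binds tighter than "||", string values (including hostnames) are double-quoted, the identifiers "ip", "hostname" and "port" match either endpoint of the event, a list field such as dns_response matches when any element matches, CIDR values are compared with "==" and "!=" only, and the event's own "date" and "creation" fields use the same YYYY/MM/DD hh:mm:ss[.uuuuuu] format as the filter.

```python
"""Parser and evaluator for evreader's filter-expression grammar (added example, not evreader code)."""
import ipaddress
import operator
import re
from datetime import datetime

# One alternative per token kind; order matters (timestamp before cidr before number).
_TOKEN_RE = re.compile(r"""\s*(?:
    (?P<paren>[()]) |
    (?P<logop>&&|\|\|) |
    (?P<relop>==|!=|<=|>=|<|>) |
    "(?P<string>[^"]*)" |
    (?P<timestamp>\d{4}/\d{2}/\d{2}\ \d{2}:\d{2}:\d{2}(?:\.\d{1,6})?) |
    (?P<cidr>[0-9a-fA-F:.]+/\d{1,3}) |
    (?P<number>\d+) |
    (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
)""", re.VERBOSE)
_OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
        ">": operator.gt, "<=": operator.le, ">=": operator.ge}
_VALUE_KINDS = ("string", "number", "timestamp", "cidr")

def tokenize(text):
    pos, tokens = 0, []
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:
            if text[pos:].strip():
                raise ValueError(f"bad token at offset {pos}: {text[pos:]!r}")
            break                       # only trailing whitespace left
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

class Parser:
    """expr := term ('||' term)* ; term := atom ('&&' atom)* ; atom := '(' expr ')' | ident relop value.
    Giving '&&' higher precedence than '||' is an assumption; the README does not say."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, *kinds):
        tok = self.peek()
        if tok[0] is None or (kinds and tok[0] not in kinds):
            raise ValueError(f"expected {kinds or 'a token'}, got {tok}")
        self.i += 1
        return tok
    def parse(self):
        node = self.expr()
        if self.peek()[0] is not None:
            raise ValueError(f"unexpected token {self.peek()}")
        return node
    def expr(self):
        node = self.term()
        while self.peek() == ("logop", "||"):
            self.take()
            node = ("or", node, self.term())
        return node
    def term(self):
        node = self.atom()
        while self.peek() == ("logop", "&&"):
            self.take()
            node = ("and", node, self.atom())
        return node
    def atom(self):
        if self.peek() == ("paren", "("):
            self.take()
            node = self.expr()
            if self.take("paren")[1] != ")":
                raise ValueError("expected ')'")
            return node
        ident = self.take("ident")[1]
        op = self.take("relop")[1]
        kind, raw = self.take(*_VALUE_KINDS)
        return ("cmp", ident, op, kind, raw)

def _parse_ts(text):
    fmt = "%Y/%m/%d %H:%M:%S.%f" if "." in text else "%Y/%m/%d %H:%M:%S"
    return datetime.strptime(text, fmt)

def _candidates(event, name):
    # "ip", "hostname", "port" mean either endpoint; list fields match on any element (assumptions)
    if name in ("ip", "hostname", "port"):
        vals = [event.get("source_" + name), event.get("destination_" + name)]
    else:
        v = event.get(name)
        vals = v if isinstance(v, list) else [v]
    return [v for v in vals if v is not None]

def _compare(actual, op, kind, raw):
    if kind == "cidr":
        if op not in ("==", "!="):
            raise ValueError("network masks support only == and !=")
        inside = ipaddress.ip_address(actual) in ipaddress.ip_network(raw, strict=False)
        return inside if op == "==" else not inside
    if kind == "number":
        return _OPS[op](int(actual), int(raw))
    if kind == "timestamp":
        return _OPS[op](_parse_ts(actual), _parse_ts(raw))
    return _OPS[op](str(actual), raw)   # plain string comparison

def evaluate(node, event):
    if node[0] == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if node[0] == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    _, ident, op, kind, raw = node
    return any(_compare(v, op, kind, raw) for v in _candidates(event, ident))

SAMPLE_EVENTS = [   # constructed events, field names taken from the identifier list
    {"event_type": "dns", "date": "2024/03/01 10:00:00.000100", "source_ip": "10.0.0.5",
     "source_port": 53123, "destination_ip": "10.0.0.1", "destination_port": 53, "transferred": 61,
     "domain": "example.com", "number_dns_responses": 1, "dns_response": ["93.184.216.34"]},
    {"event_type": "tcp-end", "date": "2024/03/01 10:00:05", "source_ip": "10.0.0.5",
     "source_port": 40001, "destination_ip": "93.184.216.34", "destination_port": 443,
     "creation": "2024/03/01 10:00:00", "duration": 5, "transferred_client": 512,
     "transferred_server": 20480},
    {"event_type": "icmp", "date": "2024/03/01 10:00:07", "source_ip": "192.168.1.9",
     "destination_ip": "10.0.0.5", "transferred": 84, "icmp_type": 8, "icmp_code": 0},
]

def select(expression, events=SAMPLE_EVENTS):
    """Return the events matching a filter expression, e.g. 'event_type == "dns" && ip == 10.0.0.0/8'."""
    tree = Parser(expression).parse()
    return [e for e in events if evaluate(tree, e)]
```

With the constructed events, select('(port == 53 || port == 443) && date >= 2024/03/01 10:00:01') returns only the tcp-end event, because the DNS event's date is before the cutoff even though its destination port matches, and select('ip == 10.0.0.0/8') returns all three since each has a 10.0.0.x endpoint on one side. A malformed expression such as 'port ==' raises ValueError at parse time rather than silently matching nothing.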
Usage: ./evconnections [OPTIONS] --input-filename <filename> --output-filename <filename>
Options:
--help
--compare <compare-function>
<compare-function> ::= "duration" | "transferred-client" | "transferred-server" | "transferred"
--order <sort-order>
<sort-order> ::= "ascending" | "descending"
Default: "ascending"
Qt program which displays the TCP connections from a JSON file containing events.