Friday, December 23, 2005

Notes on Trafshow 5

Trafshow is an ncurses-based program that shows a snapshot of active network sessions in near real time. I like to use it with OpenSSH sessions on sensors to get a quick look at hosts that might be hogging bandwidth. Recently Trafshow 5 became available in the FreeBSD ports tree (net/trafshow), so I have started using it.

When I showed it in class last week, I realized I did not recognize the color scheme depicted in the screen shot above. I learned that the configuration file /usr/local/etc/trafshow controls these colors:

# The colors are:
# black red green yellow blue magenta cyan white
#
# The upper-case Fcolor mean bright *on* and Bcolor blink *on*.
#

#default white:blue

# following color settings looks nice under black-on-gray xterm (xterm-color)

# Private IP Addresses will be alarmed by Red foreground.
# Source Destination Color

10.0.0.0/8 any Red
any 10.0.0.0/8 Red
127.0.0.1/8 any Red
any 127.0.0.1/8 Red
172.16.0.0/16 any Red
any 172.16.0.0/16 Red
192.168.0.0/16 any Red
any 192.168.0.0/16 Red

# Network Services.
# Service Color Comments

135 Red # netbios
137 red # netbios
138 red # netbios
139 red # netbios

snmp white
smux white
162 White # snmp-trap
67 white # bootp/dhcp-server
68 white # bootp/dhcp-client
546 white # dhcpv6-client
547 white # dhcpv6-server
timed white
who white

domain cyan
389 cyan # ldap
636 cyan # ldaps
*/icmp Cyan

http blue
https blue
3128 Blue # http-proxy
8080 Blue # http-proxy

smtp Green
nntp Green
pop3 green
995 green # pop3s
143 green # imap2,4
220 green # imap3

ftp yellow
20 Yellow # ftp-data
tftp Yellow
nfs Yellow
6000 Yellow # X11

ssh magenta
telnet Magenta
sunrpc Magenta
513/tcp Magenta # rsh
514/tcp Magenta # rcmd

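The file above is a plain rule list, and a small parser makes its semantics concrete. What follows is an added example, not code from Trafshow or from this post. The rule order it applies (address rules first, then service rules, first match wins), the embedded service table used in place of /etc/services, and the sample flows are my assumptions. It also compares the address rules with the RFC 1918 blocks, which shows that 172.16.0.0/16 as written covers only the first /16 of the 172.16.0.0/12 private range, so a host such as 172.20.0.9 is not flagged red.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of /usr/local/etc/trafshow, following the layout quoted above.
SAMPLE_CONFIG = """\
# Source Destination Color
10.0.0.0/8 any Red
any 10.0.0.0/8 Red
172.16.0.0/16 any Red
any 172.16.0.0/16 Red
192.168.0.0/16 any Red
any 192.168.0.0/16 Red

# Service Color Comments
domain cyan
*/icmp Cyan
ssh magenta
513/tcp Magenta # rsh
"""

# Minimal service table so the example runs without consulting /etc/services (assumption).
SERVICES = {"domain": 53, "ssh": 22, "http": 80}
COLOR_NAMES = {"black", "red", "green", "yellow", "blue", "magenta", "cyan", "white"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Color:
    fg: str
    bright: bool                # capitalised foreground name, e.g. "Red"
    bg: Optional[str] = None
    blink: bool = False         # capitalised background name, e.g. "white:Blue"

@dataclass(frozen=True)
class AddrRule:
    src: Optional[ipaddress.IPv4Network]    # None stands for "any"
    dst: Optional[ipaddress.IPv4Network]
    color: Color

@dataclass(frozen=True)
class ServiceRule:
    port: Optional[int]     # None for the "*" wildcard
    proto: Optional[str]    # None when the entry carries no "/tcp" or "/icmp" suffix
    color: Color

def parse_color(token):
    """'Red' -> bright red; 'white:blue' -> white on blue. Case of the initial sets the attribute."""
    fg, _, bg = token.partition(":")
    if fg.lower() not in COLOR_NAMES or (bg and bg.lower() not in COLOR_NAMES):
        raise ValueError(f"unknown color {token!r}")
    return Color(fg.lower(), fg[0].isupper(), bg.lower() or None, bool(bg) and bg[0].isupper())

def _network(tok):
    # strict=False accepts host bits under the prefix, as in the file's "127.0.0.1/8".
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def _service(tok):
    name, _, proto = tok.partition("/")
    port = None if name == "*" else (int(name) if name.isdigit() else SERVICES[name])
    return port, (proto or None)

def parse_config(text):
    """Address rules have three fields (src dst color); service rules have two (service color)."""
    addr_rules, svc_rules = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drops comments and trailing "# rsh" notes
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            addr_rules.append(AddrRule(_network(fields[0]), _network(fields[1]), parse_color(fields[2])))
        elif len(fields) == 2:
            port, proto = _service(fields[0])
            svc_rules.append(ServiceRule(port, proto, parse_color(fields[1])))
        else:
            raise ValueError(f"cannot parse line {raw!r}")
    return addr_rules, svc_rules

def color_for(flow, addr_rules, svc_rules):
    """flow = (src, dst, proto, sport, dport); ports are None for port-less records.
    Assumed order: address rules, then service rules, first match wins; None = default color."""
    src, dst, proto, sport, dport = flow
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in addr_rules:
        if (r.src is None or src in r.src) and (r.dst is None or dst in r.dst):
            return r.color
    for r in svc_rules:
        if (r.proto is None or r.proto == proto) and (r.port is None or r.port in (sport, dport)):
            return r.color
    return None

def uncovered_private_space(addr_rules):
    """RFC 1918 blocks that no source-side address rule covers in full."""
    nets = [r.src for r in addr_rules if r.src is not None]
    return [str(b) for b in RFC1918 if not any(b.subnet_of(n) for n in nets)]
```

Fed a constructed flow from 172.20.0.9 to tcp/22, color_for returns plain magenta from the ssh rule rather than bright red, and uncovered_private_space reports 172.16.0.0/12; widening the two 172.16 rules to /12 fixes both. A port-less TCP record between two public hosts matches nothing and falls through to the default color.
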
As you can see in the screen shot, we have SSH, WHOIS, ICMP, DNS, IRC, and NTP active.

You may notice records without port information. For example, the 7th record shows source 69.243.40.166 and destination 204.152.184.73 speaking protocol 6 (TCP). No ports are listed. However, the first two records list the two sides of a conversation between those two hosts. Similarly, the last two records show traffic involving 69.243.40.166 and 65.201.175.103, with no ports. If we look at the 9th record, however, we see those two IPs speaking on port 43 TCP (WHOIS).

A quick look at Argus data from yesterday (when I took this screenshot) reveals that the port 43 TCP traffic was the only conversation between those two hosts:

ra -nn -r argus2.arg -L0 -A - host 65.201.175.103

StartTime Flgs Type SrcAddr Sport Dir DstAddr Dport SrcPkt DstPkt SAppBytes DAppBytes State

22 Dec 05 17:11:52 tcp 69.243.40.166.49202 -> 65.201.175.103.43 6 6 16 2736 FIN

This indicates to me that the records without port data are related to those with port data, because in this second case only one session involved both IPs.

I will contact Trafshow's author to gain confirmation.

One aspect of the new Trafshow I do not like is the way it opens a UDP port (9995, bound to every address, while running as root) to listen for NetFlow records:

orr:/home/richard$ sockstat -4 | grep trafshow
root trafshow 1078 4 udp4 *:9995 *:*

To disable this NetFlow collector function, invoke Trafshow with the '-u 0' option.
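A sensor should expose nothing it does not need, so a check that turns sockstat output into a list of wildcard listeners is worth keeping around. The following is an added example, not part of Trafshow or of this post: the sockstat lines are constructed after the one quoted above, and the allow-list (only sshd on tcp/22) is an assumption about what the sensor should offer.

```python
# Constructed `sockstat -4` output, modelled on the trafshow line quoted above.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
root     trafshow   1078  4  udp4   *:9995                *:*
richard  ssh        1090  3  tcp4   192.0.2.10:54321      192.0.2.1:22
"""

def listening_sockets(text):
    """(user, command, pid, proto, local address) for every socket with no peer, i.e. a listener."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) != 7:
            continue                             # sockstat -4 rows have seven fields; skip anything else
        user, cmd, pid, _fd, proto, local, foreign = fields
        if foreign == "*:*":
            rows.append((user, cmd, int(pid), proto, local))
    return rows

def unexpected_listeners(text, allowed=frozenset({("tcp4", "*:22")})):
    """Listeners outside the allow-list (assumed: only sshd); on a sensor this should be empty."""
    return [r for r in listening_sockets(text) if (r[3], r[4]) not in allowed]

def trafshow_collectors(text):
    """trafshow processes holding a UDP socket, i.e. instances started without -u 0."""
    return [(pid, local) for user, cmd, pid, proto, local in listening_sockets(text)
            if cmd == "trafshow" and proto.startswith("udp")]
```

Run against the sample, unexpected_listeners returns only the trafshow socket on *:9995, and trafshow_collectors names pid 1078; after restarting Trafshow with '-u 0' both lists should be empty.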

One feature of Trafshow 5 that I like is the ability to listen on an interface that does not have an IP address assigned. Previous Trafshow versions would complain and fail if they were told to listen on an interface with no IP.
