When I showed it in class last week, I realized I did not recognize the color scheme depicted in the screen shot above. I learned that the configuration file /usr/local/etc/trafshow controls these colors:
# The colors are:
# black red green yellow blue magenta cyan white
# The upper-case Fcolor mean bright *on* and Bcolor blink *on*.
# following color settings looks nice under black-on-gray xterm (xterm-color)
# Private IP Addresses will be alarmed by Red foreground.
# Source Destination Color
10.0.0.0/8 any Red
any 10.0.0.0/8 Red
127.0.0.1/8 any Red
any 127.0.0.1/8 Red
172.16.0.0/16 any Red
any 172.16.0.0/16 Red
192.168.0.0/16 any Red
any 192.168.0.0/16 Red
# Network Services.
# Service Color Comments
135 Red # netbios
137 red # netbios
138 red # netbios
139 red # netbios
162 White # snmp-trap
67 white # bootp/dhcp-server
68 white # bootp/dhcp-client
546 white # dhcpv6-client
547 white # dhcpv6-server
389 cyan # ldap
636 cyan # ldaps
3128 Blue # http-proxy
8080 Blue # http-proxy
995 green # pop3s
143 green # imap2,4
220 green # imap3
20 Yellow # ftp-data
6000 Yellow # X11
513/tcp Magenta # rsh
514/tcp Magenta # rcmd
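To make the file's structure concrete, here is a small reader for this configuration format and a lookup that returns the color a flow would get. This is an added example, not code from the original post and not Trafshow's own implementation: the two rule kinds (source/destination/color and service/color) and the upper-case-means-bright convention come from the file above, while the matching order (address rules before service rules) and the port-versus-protocol handling are assumptions made here. Note that entries such as 127.0.0.1/8 carry host bits, so the parser masks them rather than rejecting the line.

```python
"""Added example: parse a Trafshow-style color configuration and look up the
color for a flow. Not Trafshow's code; precedence between rule kinds is an
assumption (address rules are checked first, then service rules)."""
import ipaddress

# Constructed sample in the same layout as /usr/local/etc/trafshow above.
SAMPLE_CONFIG = """\
# Source Destination Color
10.0.0.0/8 any Red
any 10.0.0.0/8 Red
127.0.0.1/8 any Red
192.168.0.0/16 any Red
# Service Color Comments
139 red # netbios
389 cyan # ldap
8080 Blue # http-proxy
513/tcp Magenta # rsh
"""


def _net(token):
    """'any' matches everything; otherwise parse a CIDR, masking host bits
    (the file contains 127.0.0.1/8, which strict parsing would reject)."""
    if token == "any":
        return None
    return ipaddress.ip_network(token, strict=False)


def parse_config(text):
    """Return (address_rules, service_rules) from the config text."""
    addr_rules = []  # (src_net or None, dst_net or None, color)
    svc_rules = []   # (port, proto or None, color)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:                 # Source Destination Color
            src, dst, color = fields
            addr_rules.append((_net(src), _net(dst), color))
        elif len(fields) == 2:               # Service Color
            svc, color = fields
            port, _, proto = svc.partition("/")   # e.g. 513/tcp
            svc_rules.append((int(port), proto or None, color))
        else:
            raise ValueError(f"unrecognized line: {raw!r}")
    return addr_rules, svc_rules


def style(color):
    """Decode the file's convention: an upper-case initial means bright on."""
    return color.lower(), color[0].isupper()


def _in(net, ip):
    return net is None or ipaddress.ip_address(ip) in net


def flow_color(rules, src_ip, dst_ip, sport, dport, proto):
    """Return the color name for a flow, or None if no rule matches.
    Address rules win over service rules (assumption, not Trafshow's rule)."""
    addr_rules, svc_rules = rules
    for src_net, dst_net, color in addr_rules:
        if _in(src_net, src_ip) and _in(dst_net, dst_ip):
            return color
    for port, rule_proto, color in svc_rules:
        if port in (sport, dport) and rule_proto in (None, proto):
            return color
    return None


if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    print(flow_color(rules, "10.1.2.3", "203.0.113.9", 51000, 53, "udp"))  # Red
    print(flow_color(rules, "203.0.113.9", "198.51.100.2", 51000, 389, "tcp"))  # cyan
    print(style("Red"))  # ('red', True)
```

The protocol suffix matters: with the sample rules, port 513 over UDP matches nothing, because the rsh entry is written as 513/tcp, while a bare port number such as 389 matches either transport.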
As you can see in the screen shot, we have SSH, WHOIS, ICMP, DNS, IRC, and NTP active.
You may notice records without port information. For example, the 7th record shows source 126.96.36.199 and destination 188.8.131.52 speaking protocol 6 (TCP). No ports are listed. However, the first two records list the two sides of a conversation between those two hosts. Similarly, the last two records show traffic involving 184.108.40.206 and 220.127.116.11, with no ports. If we look at the 9th record, however, we see those two IPs speaking on port 43 TCP (WHOIS).
A quick look at Argus data from yesterday (when I took this screenshot) reveals that the port 43 TCP traffic was the only conversation between those two hosts:
ra -nn -r argus2.arg -L0 -A - host 18.104.22.168
StartTime Flgs Type SrcAddr Sport Dir DstAddr Dport
SrcPkt DstPkt SAppBytes DAppBytes State
22 Dec 05 17:11:52 tcp 22.214.171.124.49202 -> 126.96.36.199.43
6 6 16 2736 FIN
This indicates to me that the records without port data are related to those with port data, because in this second case only one session involved both IPs.
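The reasoning above, that a portless record can be tied to a port-bearing session only because a single session existed between the two hosts, is easy to automate over a record list. The following is an added example, not part of the original post and not Argus or Trafshow code: the record layout and the addresses are constructed for illustration. A portless record is attributed when exactly one session exists between its host pair for that protocol, and flagged as ambiguous when several do, which is the case where the attribution would not be safe.

```python
"""Added example: relate records without port information to the
port-bearing sessions between the same host pair. Constructed data."""
from collections import defaultdict

# Constructed records: (src, dst, proto, sport, dport); None = no port shown.
RECORDS = [
    ("192.0.2.10", "198.51.100.5", 6, 49202, 43),   # whois, one direction
    ("198.51.100.5", "192.0.2.10", 6, 43, 49202),   # whois, reply direction
    ("192.0.2.10", "198.51.100.5", 6, None, None),  # portless summary record
    ("192.0.2.11", "198.51.100.7", 6, 40001, 22),   # two distinct sessions
    ("192.0.2.11", "198.51.100.7", 6, 40002, 80),
    ("192.0.2.11", "198.51.100.7", 6, None, None),  # cannot be attributed
]


def host_pair(a, b):
    """Order-independent key for the two hosts in a record."""
    return tuple(sorted((a, b)))


def attribute_portless(records):
    """Map each (host_pair, proto) that has a portless record to
    ('attributed', endpoints), ('ambiguous', [endpoints, ...]) or
    ('unmatched', [])."""
    sessions = defaultdict(set)
    portless = []
    for src, dst, proto, sport, dport in records:
        key = (host_pair(src, dst), proto)
        if sport is None or dport is None:
            portless.append(key)
        else:
            # Both directions of a session collapse to one endpoint set.
            sessions[key].add(frozenset({(src, sport), (dst, dport)}))
    result = {}
    for key in portless:
        found = sessions.get(key, set())
        if len(found) == 1:
            result[key] = ("attributed", sorted(next(iter(found))))
        elif not found:
            result[key] = ("unmatched", [])
        else:
            result[key] = ("ambiguous", sorted(sorted(s) for s in found))
    return result


if __name__ == "__main__":
    for key, verdict in attribute_portless(RECORDS).items():
        print(key, verdict)
```

Running it on the constructed records attributes the first portless record to the single whois session and marks the second as ambiguous, since two sessions (ports 22 and 80) exist between that pair.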
I will contact Trafshow's author to gain confirmation.
One aspect of the new Trafshow I do not like is the way it opens a port to listen for NetFlow records:
orr:/home/richard$ sockstat -4 | grep trafshow
root trafshow 1078 4 udp4 *:9995 *:*
To disable this NetFlow collector function, invoke Trafshow with the '-u 0' option.
One feature of Trafshow 5 that I like is the ability to listen on an interface that does not have an IP address assigned. Previous Trafshow versions would complain and fail if they were told to listen on an interface with no IP.