What command line tools for monitoring host network activity on linux do you use?

Solution 1:

I like and use pmacct

From their webpage:

OVERVIEW.
IP accounting is key activity underlying essential network management tasks like billing, graphing network resources usage, live or historical traffic trends analysis, steering BGP peerings, real-time alerting and certain SLA monitoring. Often SNMP counters do not help in these areas because of their coarse granularity; live traffic mirroring, NetFlow and sFlow break this barrier by offering data at a finer granularity. But current high-speed large-scale networks are able to produce, in very short times, high amounts of data that become quickly difficult to be processed. In this context, both spatial and temporal aggregation, flexible filtering and sampling capabilities become key requirements.

pmacct is a small set of passive network monitoring tools to measure, account, classify, aggregate and export IPv4 and IPv6 traffic; its main features are:

  • Suitable for ISP, IXP, CDN, IP carrier, data-centre and hot-spot environments
  • Runs on Linux, BSDs, Solaris and embedded systems
  • Support for both IPv4 and IPv6
  • Collects data through libpcap, Netlink/ULOG, NetFlow v1/v5/v7/v8/v9 and sFlow v2/v4/v5
  • Saves data to a number of backends including memory tables, MySQL, PostgreSQL and SQLite
  • Exports data to remote collectors through NetFlow v5/v9 and sFlow v5
  • Flexible architecture to tag, filter, redirect, aggregate and split captured data
  • Implements a BGP daemon to augment visibility into the network (from 0.12)
  • Traffic streams classification
  • Support for packet and flow sampling and renormalization
  • Pluggable architecture for easy integration of new capturing environments and data backends
  • Careful SQL support: data pre-processing, triggers, dynamic table naming
  • It's free, open-source, developed and supported with passion and open mind

Either using memory or SQL tables as backend storage, pmacct can easily feed data into external tools including RRDtool, GNUPlot, Net-SNMP, MRTG and Cacti, among others. Little scripting ability is required, and a number of sample scripts, contributions, web frontends and some tutorials are already available.

Other tools I use include:

tcptrack is a sniffer which displays information about TCP connections it sees on a network interface. It passively watches for connections on the network interface, keeps track of their state and displays a list of connections in a manner similar to the unix ‘top’ command. It displays source and destination addresses and ports, connection state, idle time, and bandwidth usage.

Pktstat displays a real-time list of active connections seen on a network interface, and how much bandwidth is being used by what. It partially decodes the HTTP and FTP protocols to show what filename is being transferred. X11 application names are also shown. Entries hang around on the screen for a few seconds so you can see what just happened. It also accepts filter expressions à la tcpdump.

Iptraf

Iftop

tcpdump / wireshark

Solution 2:

Whenever someone tells me "Such and such is no good" as someone has done there, I always ask for specifics. A lot of the time you'll find it's hearsay, or based on some belief that because of a buggy version 5 years ago, someone has made a generalisation. Chinese whispers abound in IT!

When you say "monitoring network activity" I presume you mean counting the RX and TX bytes from ifconfig. I've not heard anything about it being unreliable. We export those values via SNMP and graph them. They're compared to switch activity that we're also graphing which is the other endpoint of those connections and I can see no disparity which would suggest they're unreliable.

You do need to know that:

  1. the counters reset after a reboot

  2. the counters reset after unloading/reloading the network driver associated with the interface

  3. the counters do wrap, and where they wrap will possibly depend on your architecture and kernel version
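As an added example (not part of the answer above), here is a small Python script that turns the kernel's per-interface byte counters into per-second rates while allowing for the three cases listed above: a counter that wrapped is handled modulo its width, and a wrapped delta too large for the link to have carried in one interval is treated as a reset (reboot or driver reload). The 1 Gbit/s link ceiling, the 32-bit width used in the sample, and the interface name are assumptions.

```python
from pathlib import Path

# Assumed ceiling used to tell a genuine wrap from a reset: a wrapped delta
# larger than the link could carry in one interval is treated as a reset.
LINK_BYTES_PER_SEC = 125_000_000  # hypothetical 1 Gbit/s interface

def counter_delta(prev, cur, width_bits=64, interval_s=1.0,
                  link_rate=LINK_BYTES_PER_SEC):
    """Bytes moved between two readings of a wrapping, resettable counter."""
    if cur >= prev:
        return cur - prev
    wrapped = (cur - prev) % (1 << width_bits)   # assume exactly one wrap
    if wrapped <= link_rate * interval_s:
        return wrapped                           # plausible: counter wrapped
    return cur                                   # implausible: counter was reset

def read_counter(iface, name, sysfs=Path("/sys/class/net")):
    """Read e.g. rx_bytes or tx_bytes for an interface from Linux sysfs."""
    return int((sysfs / iface / "statistics" / name).read_text())

def rates_from_samples(samples, width_bits=64, interval_s=1.0):
    """Turn a list of consecutive counter readings into bytes/s per interval."""
    return [counter_delta(a, b, width_bits, interval_s) / interval_s
            for a, b in zip(samples, samples[1:])]

if __name__ == "__main__":
    import sys
    import time
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"   # assumed default
    prev = read_counter(iface, "rx_bytes")
    while True:
        time.sleep(1.0)
        cur = read_counter(iface, "rx_bytes")
        print(f"{iface} rx {counter_delta(prev, cur):,} B/s")
        prev = cur
```

Run it as `python3 ifrate.py eth0`; the constructed sample in the test below walks through a 32-bit wrap followed by a reset.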

Solution 3:

I can't live without my sar.