iperf and ntop can give you handy, readable information on where the traffic is flowing on your network.
Last week we learned how to use iperf to measure network throughput, jitter, and datagram loss. Today we're going to
learn more excellent ways to measure network performance using iperf and ntop, but first I have a couple of
corrections to make.
OpenWRT, Little Blue Boxes, and Heavy Loads
In Tips and Tricks for Linux Admins: The State
of the Tiny I said that those little Linksys boxes don't handle high loads well, especially peer protocols like Bittorrent. A
reader kindly noted that this is not necessarily a hardware problem:
"The stock Linksys firmware and many derivatives, does not properly configure the firewall and the kernel for P2P
traffic, specifically the connection tracking in iptables. It is not the fault of the router, but a configuration in the software...
the WRTSL54GS has a 266Mhz processor, and a separate Ethernet interface channel for the WAN port, and it is my belief that this
platform can handle P2P traffic without a problem, given the appropriate configuration."
Which is but one of many reasons why so many users are blowing away the stock firmware on these devices, and replacing it with
OpenWRT, DD-WRT, and so forth. This same excellent reader also notes that
"...the Linksys devices actually come with a
5-port switch, and use VLAN tagging to assign 4 ports to the LAN VLAN (plus the wireless), and one port to the WAN VLAN. You can
change the VLAN assignment easily with OpenWrt."
One more bit of clarification- in Part 1, I
neglected to mention that I was running all those nifty iperf commands from my main workstation via ssh. I'm so used
to running everything remotely from my main workstation I forget that not everyone does this. Thank you to "??puzzled reader??" for
asking about this.
iperf Over the Internet
You can run iperf over the Internet as well as over your LAN. It's invaluable for seeing what's happening over a WAN
link, whether it's a nice expensive dedicated link, or an OpenVPN tunnel over the Internet, or what-have-you. The best way is to
have iperf on your border router. iperf is included with Pyramid Linux, and if your Linux-based router doesn't have it
just copy the iperf binary to it. It doesn't need any special libraries, so any Linux system should already have what it
I must divert briefly to a fascinating tangent. Running ldd /usr/bin/iperf on a system where it is already installed
shows which libraries it depends on. The very first one listed is this:
linux-gate.so.1 => (0xffffe000)
If you search for this you won't find it, because it does not exist. Read What is linux-gate.so.1? to learn a bit of fascinating kernel
Now, getting back to running iperf over the Internet. Just use it in the usual way, except you'll be using Internet
admin@router1:~$ iperf -s user@remotepc:~$ iperf -c router1.yourdomain.com
IP addresses work too. You'll want to make sure that ports TCP/UDP 5001 are open in your firewall, or whatever ports you tell
iperf to use. Don't forget to consult /etc/services for available ports, and to keep track of any custom ports you're
ntop For Colorful Network Monitoring
ntop is a wonderful hybrid packet analyzer that generates nice clickable HTML reports that show you what's happening on
your network. It slices and dices network traffic all kinds of ways: by protocol, host, local or remote network, network load,
network flow, what Web sites your users are visiting, how much traffic is coming from or going to remote sites, and loads more. It
supports virtually all network protocols over both IP networks and Fibre Channel. ntop runs on any operating system that you
can successfully compile it on: Linux, Unix, and Win32. Binary packages are available for Debian, Fedora, and Windows.
You'll need some sort of HTTP server running to get the pretty Web graphs: Apache, Lighttpd, Thttpd, whatever you like.
ntop is in Ubuntu's Universe repository and Debian main. Fedora users can fetch it from RPMForge or Dag Wieers' Fedora
There are two ways to run ntop: to monitor traffic on any network host, such as your workstation or a server, or to
capture all LAN traffic. If you're still in the 20th century and using a hub, you can run ntop anywhere on your LAN and
On switched networks, and hopefully your network has at least made it into the 20th century by ditching hubs and replacing them
with switches, it's a little harder to grab all your LAN traffic. If your Ethernet switch has a monitoring port, you're golden. (You
can find Gigabit-E switches with port monitoring for under $200 these days, yay.) If it doesn't, ntop on a border router is
almost as good, but it won't capture packets traveling directly between LAN hosts. It will capture all traffic entering and leaving
your network. You can use arpspoof to capture traffic intended for other hosts, but that's a scary and potentially
network-borking thing to do, so use it with care.
Installation varies by Linux distribution. On Debian it's easy. Install it, then run the ntop command to create an
# apt-get install ntop # ntop
Open a second terminal, since ntop is now running in the foreground, and restart it:
/etc/init.d/ntop restart Now open a Web browser to http://localhost:3000, and there you are. If your ntop installation is on a headless box
like a router, then use the IP address or hostname of the router on a neighboring PC, like http://router1:3000. The ntop Web pages will automatically update themselves.
You can configure ntop and see its current configuration from the Web interface. Go to the Admin -> Configure tab to see
the configuration panel, and log in with the admin user, using the password you created. About -> Show Configurations shows
every detail of your current configuration, including build options.
Give ntop a few minutes to capture some data, then cruise the pages. You might find some surprises, like I did on IP ->
Local Ports -> Used, which showed that POP3/110 was in use. This meant I had at least one email account that was operating in the
clear, instead of over port 995 which is for encrypted mail transfer.
Summary -> Hosts can turn up some fascinating Web activity. Like a lot of traffic from www.google-analytics.com. The URL itself
generates a 404 page; why on Earth is Google Analytics showing up so much when I haven't visited Google.com? So I googled on
google-analytics, and found www.Google.com/analytics. Didn't learn much, other than
it's yet another data-collection tool.
Auditmypc.com is another chronic offender revealed by ntop. Why are these people
pestering me? Is someone using it to probe my firewall?
ntop gives enough information to write some iptables rules to block this stuff, if I feel like it. It reports the
originating domain, the MAC address, IP address, and has a handy WHOIS button.
Visit ntop.org for documentation, and check out man ntop for a lot of good help.
The next time you're feeling like your network performance is too slow, don't blame your users. Look outward- you might be
surprised at who is clogging your bandwidth with useless traffic.