IPTraf Configuration Guide

IPTraf Configuration Guide, by Joey.

"IPTraf is a console-based network statistics utility for Linux. It gathers a variety of figures such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts."

I first stumbled upon IPTraf in 1999 while looking for a replacement for the rather plain tcpdump.
It has support for a wide variety of interfaces, and those are:

More information about IPTraf can be found on the project site at http://cebu.mozcom.com/riker/iptraf/

So let's get the show on the road. Start off by downloading the latest version (2.7.0 at the time of this update). Once you have it downloaded, move it to /usr/local/src and untar it by running:

tar -zxvf iptraf-2.7.0.tar.gz

That will create a directory called iptraf-2.7.0. Enter it and then go into the src directory. Here you will find the IPTraf source code as well as a precompiled binary. You can just run:

make install

Or, if you feel you must recompile the code, you can run:

make
make install

That will recompile the source and install the binaries into /usr/local/bin, so make sure that directory is in your PATH.

Once you have it installed, start it up by typing /usr/local/bin/iptraf as root. An ncurses-based main menu will come up on your screen with a list of options you can select. The first one you will probably want to go into is the "Configure" menu. Here you can turn a number of features on or off, such as logging, reverse DNS lookups and showing TCP/UDP service names. IPTraf logs to /var/log/iptraf, and the log files can grow very large very quickly, so make sure the partition has enough space, or just leave logging disabled until you really need it, such as during an attack.

From the main menu, if you go into "Other protocol filters" it will present you with a list of protocols that you can enable or disable. I normally just have ICMP and UDP enabled here, but your tastes may differ.

Let the fun begin: from the main menu, enter "IP traffic monitor" and it will ask you to select your interface. Either select ALL or just whatever your network interface is, such as ppp0 for PPP connections and eth0 for cable/DSL connections. As you will see, the screen is broken up into two sections. All TCP connections are shown in the top part and all ICMP/UDP etc. connections are listed in the bottom.
TCP Connections (Source Host:Port)   Packets   Bytes   Flags   Iface
216.176.130.250:ircd >                     2     108   --A-    eth0
24.114.19.126:3610 >                       1      67   -PA-    eth0

A simple breakdown of what this means is that my host, 24.114.19.126, was contacted by 216.176.130.250 (finger-for-port-scan-info-at-hebron.in.us.dal.net) from port 6667 (ircd) to port 3610.

The TCP Connections section is great for monitoring most attempts by people to access your machine. It will display pretty much everything: telnet, ftp and ssh attempts as well as port scans and so on. The bottom half of the screen displays whichever protocols you selected in the "Other protocol filters" section, so if you selected ICMP and UDP, it will show all ICMP/UDP packets.

If you find yourself being attacked, first try to establish the IP of the attacker. Attackers generally use more than one IP, and those IPs are usually spoofed (not their real ones). However, not all attackers are geniuses, if you know what I mean. Once you have established that the IP is really theirs, turn on logging and log the attack. If you survive, you should probably email the log, along with a description of what went down, to their ISP. You don't know their email address? Sure you do: let's say the host of the attacker was tspsl2-188.gate.net; you could probably get away with emailing abuse@gate.net, since most ISPs have an abuse@isp.com email address. Also, most ISPs have a zero tolerance attitude toward denial of service attacks, so the attacker's account will probably be closed. You can also visit http://www.arin.net and perform a lookup on the IP. From this you should find out who their ISP is and what their abuse address is.

Also, don't install IPTraf and think that you're secure now because you are watching the network. You should consider setting up a firewall. As well, be sure to disable and delete any unused programs and services, and be sure to read our Security Guide.
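As an added example (not from the guide or from IPTraf itself), the POSIX shell/awk script below totals TCP Connections lines in the layout shown above per remote host and picks out hosts that touched several ports with nothing but bare SYNs, the port-scan pattern the guide says the TCP window makes visible. The sample lines are constructed, and the flag letters (S for SYN, A for ACK, as in the "-PA-" and "--A-" entries above) are an assumption about the display.

```shell
#!/bin/sh
# Constructed sample in the TCP Connections layout from the guide
# (Source Host:Port > Packets Bytes Flags Iface). Made-up values, not a capture.
SAMPLE='216.176.130.250:ircd > 2 108 --A- eth0
24.114.19.126:3610 > 1 67 -PA- eth0
10.9.8.7:4001 > 1 60 S--- eth0
10.9.8.7:4002 > 1 60 S--- eth0
10.9.8.7:4003 > 1 60 S--- eth0'

# One line per host: host packets bytes distinct_ports syn_only_packets,
# hosts with the most distinct ports first. Assumes the flag field marks
# SYN with "S" and ACK with "A" (assumption, as in the "-PA-" entry above).
summarize_hosts() {
    printf '%s\n' "$1" | awk '
        $2 == ">" && NF >= 6 {
            n = split($1, hp, ":"); port = hp[n]
            host = substr($1, 1, length($1) - length(port) - 1)
            pk[host] += $3; by[host] += $4
            if (!((host, port) in seen)) { seen[host, port] = 1; ports[host]++ }
            if (index($5, "S") && !index($5, "A")) syn[host] += $3
        }
        END {
            for (h in pk) printf "%s %d %d %d %d\n", h, pk[h], by[h], ports[h], syn[h] + 0
        }' | LC_ALL=C sort -k4,4nr -k1,1
}

# Hosts that hit at least $2 distinct ports and sent only bare SYNs:
# a quick filter for the port-scan pattern described in the guide.
scan_suspects() {
    summarize_hosts "$1" | awk -v min="$2" '$4 >= min && $5 == $2 { print $1 }'
}

summarize_hosts "$SAMPLE"
echo "possible scanners:"
scan_suspects "$SAMPLE" 3
```

Feed it real screen lines (copied from the TCP window) instead of SAMPLE to get the same per-host totals for your own interface.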
Copyright © 1997 - 2008 Private World Domination Inc. All rights reserved.