
IPTraf is a program that provides a graphical interface to what is happening on your internal network. It is easy to install and easy to use. IPTraf provides these useful features:

1. Provides a graphical representation of network activity.
2. Shows who is connected to your network.
3. Shows what services are active on your network.
4. Provides traffic stats.

Here is a practical exercise with network monitoring tools.

Install iptraf

Download the file, then untar it as root.

tar zxvf iptraf-3.0.0.bin.i386.tar.gz

Now enter the directory and run setup.
cd iptraf-3.0.0.bin.i386
./Setup

You will be asked if you want to read the notes about iptraf. Choose N.

Alternatively, install an RPM; this example is for FC5.
rpm -ivh iptraf-3.0.0-1-3.FC5.i386.rpm

Open iptraf by typing this command as root:
iptraf
After you've pressed a key to continue, you'll be presented with an options menu. On that menu, select "Configure".

On that menu, select "Logging". You will now see that the Current Setting for Logging changes to "On". From the same menu, select "Force Promiscuous Mode". The Current Setting for Promiscuous Mode will now change to "On". Now, press the "x" key to exit this menu.

On the main menu, select "IP traffic monitor". From that menu, select "eth0". When the dialog box for the log file pops up, write down its path and file name. Press "Enter" to accept the default setting.

Once the window opens, you will see all network connections: the ports they are coming from and the ports on your computer that they are connecting to. Here is an example of a Samba connection with a Windows machine. Notice the Windows machine is coming from port 1032 and connecting on port 445 on the Linux box. The packets, size and interface (Iface) are also shown.

As you make more connections, you see more information. Now you see port 80 for web browsing. Each time a session is closed, you see that indicated under the flags. The top pane shows TCP connections, while the bottom pane shows UDP connections, such as those to a DNS server.

Select "Detailed interface statistics" and choose eth0, and you will see this window. It shows the total amount of traffic flowing from each type of connection. It also shows the rate of connection. This information gives you a basic picture of what type of connection is eating up your bandwidth.

Choose "Statistical breakdown by TCP/UDP port" and you will get this screen. It lists how much traffic is coming from each port. Port 445 is Samba, 53 is DNS, 80 is web browsing, 110 is POP3 mail and 138 is part of the Samba connection. This is a good way to see whether ports on your machine are connecting to other computers when you do not want them to.
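
The log file enabled under "Configure" can be checked for unwanted ports in the same way, offline. The script below is an added example, not part of the original tutorial or of IPTraf itself. It assumes each log line has the layout shown in its first comment, and its sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Log layout is an ASSUMPTION:
#   DATE; PROTO; IFACE; N bytes; from SRC:SPORT to DST:DPORT[; notes]

# Ports the tutorial names as expected traffic on this network.
EXPECTED_PORTS="53 80 110 138 445"

# Constructed sample log lines (not a real capture).
sample_log() {
cat <<'EOF'
Tue Mar 28 10:20:31 2006; TCP; eth0; 48 bytes; from 192.168.1.20:1032 to 192.168.1.10:445; first packet (SYN)
Tue Mar 28 10:20:31 2006; TCP; eth0; 48 bytes; from 192.168.1.10:445 to 192.168.1.20:1032; first packet (SYN)
Tue Mar 28 10:20:40 2006; UDP; eth0; 74 bytes; from 192.168.1.10:32770 to 192.168.1.1:53
Tue Mar 28 10:21:02 2006; TCP; eth0; 60 bytes; from 192.168.1.10:40112 to 203.0.113.7:6667; first packet (SYN)
Tue Mar 28 10:21:02 2006; TCP; eth0; 60 bytes; from 203.0.113.7:6667 to 192.168.1.10:40112; first packet (SYN)
Tue Mar 28 10:22:15 2006; TCP; eth0; 60 bytes; from 192.168.1.30:1045 to 192.168.1.10:23; first packet (SYN)
Tue Mar 28 10:22:30 2006; ICMP; eth0; 84 bytes; from 192.168.1.1 to 192.168.1.10; echo req
EOF
}

# unexpected_ports [FILE...]: print "PORT PACKETS" for traffic where neither
# endpoint uses an expected port. Reads stdin when no file is given.
unexpected_ports() {
  awk -F'; ' -v ok="$EXPECTED_PORTS" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
    $2 == "TCP" || $2 == "UDP" {
      if (split($5, w, " ") != 4 || w[1] != "from" || w[3] != "to") next
      sp = w[2]; sub(/^.*:/, "", sp)
      dp = w[4]; sub(/^.*:/, "", dp)
      if (sp !~ /^[0-9]+$/ || dp !~ /^[0-9]+$/) next   # malformed line
      if ((sp in allowed) || (dp in allowed)) next     # request or reply of a known service
      # Heuristic: the lower port is usually the service, the higher one ephemeral.
      svc = (sp + 0 < dp + 0) ? sp : dp
      count[svc]++
    }
    END { for (p in count) print p, count[p] }
  ' "$@" | sort -n
}

sample_log | unexpected_ports
```

To run it against your own log, pass the path you wrote down when starting the IP traffic monitor as the argument to unexpected_ports, and adjust EXPECTED_PORTS to the services you actually intend to run.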


© 1999-2006 SpiderTools.com