Published on Linux DevCenter

Parts of this article:

Intro to network analysis and Ethereal

Netwatch, and cautionary words on testing systems.

Linux in the Enterprise

Linux Tools For Network Analysis

by David HM Spector

In the first article in this series, I talked about how to make the case for Linux in your company's portfolio of computing technologies. A logical next step would be to find a nice, self-contained application where we can use Linux to make a good impression. A good candidate would be a place where Linux could show its value without a lot of support issues. In fact, the best place would be where we could use Linux to solve some support issues. For this discussion, we'll examine using Linux as a network diagnostic tool.

Network problems

Networks are funny places where all sort of things happen in a matter of microseconds. Domain Name System (DNS) lookups are answered, and data blocks traverse the network as part of file-sharing protocols (such as SMB and NFS) while packets make their way from the Internet to your web browser. At any moment a network printer could go haywire and start broadcasting an endless stream of address resolution requests, or an NFS client could send mangled data to its server wreaking havoc on your work.

If you've done any systems administration work, you have probably seen these problems and dozens of others. Debugging them requires experience, as well as the right tools to diagnose what has gone wrong and to help determine what to do about it.

Network analysis

One of the most valuable tools in diagnosing a network problem, besides the manuals that come with all of your networking gear, is a network protocol analyzer. A network protocol analyzer listens to the network, then displays the data in a way that lets you watch things such as

Commercial network analysis software packages can cost more than $1,000 for the software alone. Add a dedicated top-of-the-line laptop and a high-speed network controller, and the cost can easily exceed $5,000.

Fortunately, there are open source, Linux-based solutions that can give you all of the benefits of a commercial product (along with the ability to extend the software) at a fraction of the price.

Two packages that make network diagnostics and troubleshooting easier are Ethereal and Netwatch.


Ethereal, as shown in Figure 1, is a GUI-based program that displays packet traffic on a network. In this figure, Ethereal displays several packets on my home network, including DNS lookup packets, NFS transactions, and e-mail being delivered via the POP3 protocol. The packet highlighted in this example is a WHO packet that is part of a protocol that reports on machine uptimes, and records who is logged in to which machine.


Figure 1. Ethereal displays packet traffic on a network. (Click on image for full-size view)

In this example, the middle panel of Ethereal shows the decomposition of the WHO packet that contains sub-fields which describe who is logged into the machine that broadcast the packet along with other relevant machine info such as load averages and uptimes.

The bottom panel of Ethereal shows the actual packet-data as a hexadecimal dump of bytes.

Taken as a whole, Ethereal is a complete network traffic analysis tool. A short list of features includes:

Next, we'll look at the network monitoring tool, Netwatch, and consider some of the prickly legal issues involved with monitoring and testing the systems of your company.





Gordon MacKay's Netwatch utility, which runs in a terminal window, is invaluable for watching network loads and for seeing, at a higher level than Ethereal, who is talking to whom on your network. As shown in Figure 2, Netwatch monitors network bandwidth in terms of which hosts are producing and consuming packets.


Figure 2. Netwatch monitors network bandwidth. (Click on image for full-size view)

Another useful mode of Netwatch, seen in Figure 3, shows which ports are involved in the communications between hosts. This can be very useful in seeing if the client/server applications on your network are using the ports that you expect them to use.

It can also alert you to potential trouble if you see hosts using protocol slots that should never be seen on your network. For example, if you see a service (such as a TCP or UDP port) that shouldn't be running, it could mean someone is running an unauthorized service on a machine (for example, a Quake game server) or that someone has broken in.


Figure 3. Netwatch monitors network bandwidth. (Click on image for full-size view)

Netwatch can also be used as a simple monitor to collect gross network statistics. I use Netwatch to gather statistics on my DSL connections to see how much bandwidth my virtual web-hosting clients are using.
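The two Netwatch views described above (per-host bandwidth in Figure 2, and the check for ports that should not be in use in Figure 3), as an added example that is not part of the original article and not Netwatch's own code. It works on constructed flow records rather than real Netwatch output, and the EXPECTED_SERVICES table is a hypothetical policy for the sample hosts.

```python
from collections import defaultdict

# Constructed sample flow records (not real Netwatch output):
# "src_ip:port -> dst_ip:port proto bytes"
SAMPLE_FLOWS = """\
192.168.1.10:51234 -> 192.168.1.1:53 udp 78
192.168.1.1:53 -> 192.168.1.10:51234 udp 142
192.168.1.10:51240 -> 192.168.1.20:2049 tcp 8192
192.168.1.20:2049 -> 192.168.1.10:51240 tcp 131072
192.168.1.10:51300 -> 10.0.0.5:110 tcp 412
192.168.1.30:51301 -> 192.168.1.40:27960 udp 64
"""

# Hypothetical policy: the server ports each host is allowed to offer
# (DNS on the router, NFS on the file server, POP3 on the mail host).
EXPECTED_SERVICES = {
    "192.168.1.1": {53},
    "192.168.1.20": {2049},
    "10.0.0.5": {110},
}

def parse_flows(text):
    """Parse the record format above into (src, sport, dst, dport, proto, nbytes)."""
    flows = []
    for line in text.strip().splitlines():
        src, _, dst, proto, nbytes = line.split()
        src_ip, sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        flows.append((src_ip, int(sport), dst_ip, int(dport), proto, int(nbytes)))
    return flows

def bytes_per_host(flows):
    """Netwatch's bandwidth view: bytes sent and bytes received, per host."""
    sent, recv = defaultdict(int), defaultdict(int)
    for src_ip, _, dst_ip, _, _, nbytes in flows:
        sent[src_ip] += nbytes
        recv[dst_ip] += nbytes
    return dict(sent), dict(recv)

def unexpected_services(flows, expected=EXPECTED_SERVICES):
    """Sorted (host, port, proto) server endpoints absent from the policy.
    Server side = endpoint with the lower port (clients use high ephemeral
    ports); a server deliberately run on a high port evades this heuristic."""
    found = set()
    for src_ip, sport, dst_ip, dport, proto, _ in flows:
        host, port = (src_ip, sport) if sport < dport else (dst_ip, dport)
        if port not in expected.get(host, set()):
            found.add((host, port, proto))
    return sorted(found)
```

On the sample records the only endpoint outside the policy is 192.168.1.40 on UDP 27960, the kind of unexpected service the article has in mind; the DNS reply from port 53 is correctly attributed to the router rather than to the client's ephemeral port.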

What else is out there?

I mention Ethereal and Netwatch because I use them on my own systems and have found them quite useful. But they're just the beginning. There are an incredible number of tools and utilities out there. If these tools aren't right for troubleshooting your particular network problem, I would recommend looking at, a site dedicated to announcing what's new (and updated) in the Open Source universe.

Another good source is VA Linux's SourceForge, where large numbers of open source developers host their projects, including a number of network diagnosis and management tools. Enter a few choice keywords in the search boxes on these sites; you can get a good handle on what kinds of tools are available.

In addition to Ethereal and Netwatch, the GNOME project has announced a number of network tools, including Cheops by Mark Spencer. Cheops is a network discovery and mapping tool that can be invaluable for finding out what's on your network to begin with. Cheops builds a graphical network map that shows your network subnet by subnet, as shown in Figure 4.


Figure 4. Cheops maps your network subnet by subnet. (Click on image for full-size view)

In this screenshot, my home network is shown from the perspective of the machine running Cheops (my main workstation, called THX1138). Cheops can also probe SNMP daemons of hosts it discovers, as well as run a limited set of port-scans which can be useful for determining what services a given network object supports.

On a totally different front, if you are more of a do-it-yourself type, the Comprehensive Perl Archive Network (CPAN) is a great resource for network utility modules for the Perl programming language. There are Perl modules for everything from IP accounting through TCP and IP packet assembly/disassembly routines, which can be used to construct almost any kind of network tool you can dream up. There is a lot of very heavyweight programming involved in using many of these packages, so you'll want to have an up-to-date copy of Perl installed on your system.

Some words of caution

Linux, as we have seen, can do some really nifty network tricks, but it isn't all wine and roses. In the "old days" (like, six months ago) it usually wasn't a big deal if you put a random machine on your company's network. If you were a system administrator, you could probably even put a network sniffer up on your LAN to diagnose a network problem without too much of a hassle.

Today, with increasing sensitivity to cracker attacks on systems and networks and the spotlight on computer security issues, corporate management is very gun-shy and has lawyers primed to overreact to the slightest problem, whether perceived or real.

Some of the fear about network security is well grounded: Few networks are encrypted, and there's an awful lot of valuable information that can be gleaned with a network sniffer. However, if you're thinking it would be a clever idea to try it on your company's network, read on.

Before putting a sniffer or any other piece of network analysis hardware or software on your network, make sure that you have approval to do so. If you are planning to use any other tools (such as the password-cracking tool "crack," or a port-scanner like nmap) to ferret out weak passwords or search for other security holes, make sure that you have buy-in from your firm's legal and audit groups.

Make sure that approval is in writing on letterhead and signed by someone high on the food-chain. What used to be common systems management techniques have become deadly serious security breaches in the eyes of many managers. In a well-documented case, a rather well-known Perl book author (no, not Larry Wall) found out the hard way what happens when your boss decides to make a legal test case out of your life. He's been fighting to overturn a felony conviction for illegal computer access for the last several years because of it.

Linux Networking Resources
Ethereal Network Analyzer
Source Forge

In an upcoming column I'll delve more deeply into the security issues and how you can use Linux systems -- with the appropriate approvals -- to make your systems and networks more secure.

Obviously it's impossible to do justice to the scope and breadth of the networking tools available for Linux in a short column. But hopefully this will give you a starting point in your own explorations of how Linux can make your network administration tasks a bit less taxing. In the sidebar, I've included links to the packages mentioned here, as well as starting points that will lead you to many more interesting network tools and projects available on the Internet.

What are your favorite Linux networking tools? Join the discussion in the O'Reilly Network Linux forum.


Copyright © 2009 O'Reilly Media, Inc.