GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages


Manual Reference Pages  -  RATE (1)

NAME

rate - Swiss-Army-knife traffic analyzer

CONTENTS

Synopsis
Description
Usage
Generic Options
Mode Selecting Options
Rate Estimation Mode
Stream Analyzer Mode
String Extracting Mode
Examples
Bugs And Limitations
See Also
Author
License

SYNOPSIS


rate [generic options] <-R | -A | -T | -E> [mode-specific options]



rate -L <name>



rate [-h | -?]



rate [mode select option] [-h | -?]


DESCRIPTION

Rate helps an administrator to figure out what is happening in his network at the moment. Unlike tcpdump(1), rate uses statistical and stream-oriented traffic analysing methods, and it will never produce an output stream at a speed beyond human perception. The output is less accurate, however.

Rate features four different operating modes, designed to perform the following tasks: estimating overall traffic rates (the -R mode), determining nodes generating the highest traffic (the -A mode), determining connections and flows generating the highest traffic (the experimental -T mode) and extracting strings from packets (the bonus -E mode).

USAGE

Rate accepts parameters in a standard, short getopt(3) syntax. There are several options common for all operation modes - these options are described in the GENERIC OPTIONS section below. The operation mode itself is chosen by one of special mode-selection options: -R, -A, -T or -E. After a mode-selection option, no other generic options are allowed, the only valid options are the mode-specific ones. Each operation mode has its own set - see appropiate sections below.

After a successful startup, the application installs a packet capturing handler, and starts to generate reports. The default report generating policy is to dump a report to stdout every 1 second.

Always make sure rate has enough information on datalink layer protocol present on the interface it was ordered to bind to. Consult the -p option description for details.

GENERIC OPTIONS

-0 c Replace every NUL character (ASCII 0) with c before doing regular expression based filtering. Ignored if the -x option was not specified. The default is ’@’.
-c Color (ANSI-compatible) output in modes that support it (currently: stream analyzer and "abusers detection" mode).
-f f BPF filter expression to use. Using this option causes rate to ignore any packets NOT matching the specified BPF filter expression. For a detailed description of BPF filter expressions syntax, consult the tcpdump(1) manual page.
-g Signal-based report generation policy. The reports are dumped whenever rate receives a SIGUSR1 signal.
-h -? Print help. rate dumps a short help on available command-line options and quits, regardless of other options.
-i I Bind to interface I. The default is ’eth0’, which of course will cause a failure on systems other than Linux. Make sure you specify the datalink prefix (see -p) when you order rate to bind to an interface of an uncommon type.
-k Interactive report generation. The reports are dumped whenever data is available on the standard input, which usually means you’ll have to press RETURN in order to generate a report.
-l Make stdout line-buffered. This option is useful when reports are redirected (eg. using shell redirection) to a file.
-L N Loads a previously saved (using -S ) option set. No other options are allowed when -L is being used.
-n Turns off asynchronous reverse DNS lookups. Rate will print numeric IPs rather than fully qualified domain names.
-p N Datalink layer header prefix length. Every (or at least almost every) known datalink layer protocol prefixes a packet with its own header - which has to be stripped before the actual data essential for rate (the IP protocol header) can be read. Rate is able to determine automatically how many bytes to skip only for the most common datalink layer protocols (Ethernet, FDDI, TokenRing, loopback, PPP) - in other cases the prefix length must be specified using this option. It is EXTREMELY IMPORTANT to set the right value - otherwise rate might print completely irrevelant reports and output invalid IP addresses. The default is autosense, or if that fails - 14 bytes, which is the length of an Ethernet header.
-q N Orders rate to quit after outputting N reports.
-r N Time-based report generation policy. The reports will be dumped on stdout every N seconds. This is the default (with N = 1).
-s N Capture at least N bytes. For performance reasons, rate does not acquire the whole packet from network, it just reads and processes first N bytes. The default is 64 bytes, which might be not enough if you are using complicated BPF expressions or filtering the packets using a regular expression. In such cases, it is good to set the capture length to MTU on the interface. The value is automatically increased to at least 1500 (which is the default MTU for an Ethernet interface) if one of -x, -E or -T options is used. This option does NOT affect statistical data (amount of bytes, per-second byte rate) collected by rate - the accounted packet size is always the ’real’ one.

-S N Save the whole specified option set into a file in your home directory (~/.rate.modes) under the name N. The option set might then be recalled using the -L option.
-v Print exact values. Normally, rate uses SI prefixes (like k - kilo, M - mega, G - giga, T - tera) to make the printed numeric values more attractive for a human being. The -v option disables this feature, causing rate to print exact values.
-w Clear the screen before printing each report. This assumes your terminal is capable of understanding certain control sequences.
-x r Regular expression-based filtering. This option will cause rate to ignore packets that DO NOT match specified regular expression. Before any tests, NUL characters occuring in a packet are replaced with an other character, as specified in the -0 option (the default is ’@’). Consult regex(5) manual for a detailed description of POSIX regular expressions. In addition to standard regex syntax, you may use the \r (CR), \n (LF), \t (TAB), \\ (\) and \xNN (hex NN) special sequences.

MODE SELECTING OPTIONS

These options are used to choose between one of the four operation modes. It is necessary to specify exactly one of them. After specyfing a mode selecting option, you may pass the mode-specific options described below, depending on the selected mode. No generic options are allowed though - all the generic ones have to be passed BEFORE the mode selecting option.
-R Enable the rate estimation mode. See the RATE ESTIMATION MODE section for details.

-A Enable the "abusers detecion" mode. See the ABUSERS DETECTION MODE section.

-T Enable the stream analyzer mode. See the STREAM ANALYZER MODE section.

-E Enable the regular expression extractor mode. See the STRING EXTRACTING MODE section.

RATE ESTIMATION MODE

rate [...] -R -h

rate [...] -R [-b] [bpf filter expression]

In this mode, rate just shows overall traffic generated by packets matching the specified (generic) filtering options (-f, -x). The reports in this mode are just one-line long:

=> Currently XXX Bps/YYY pps, Average: ZZZ Bps/TTT pps

Where of course, XXX and YYY are the byte and packet per second values, measured since the last report, while ZZZ and TTT are the rates measured since the application started.

Available options:
-b Use bit units. The output is to be presented in bits (b) rather than bytes (B).
-h Help. Dumps a short hint on mode-specific options available for this mode, and forces rate to quit.

ABUSERS DETECTION MODE

rate [...] -A -h

rate [...] -A [-a n] [-b] <-c c/p [-c c/p [-c c/p ...]]> [-dflt] [-O | -M] [-P | -B] [-T | -R] [bpf filter expression]

This mode is designed for hunting network nodes that generate highest traffic. An independent set of counters is allocated for every host from every specified IP subnet. On a report event, a list of hosts is composed, sorted by one of the counters (depending on OMPBTR sorting options), and top entries (and values of their counters) are displayed on stdout. Available options:
-a N Print N top nodes.
-b Use bit units. The output is to be presented in bits (b) rather than bytes (B).
-c C/P Consider nodes from this IP subnet. The network mask has to be specified in ’short’, CIDR notation, eg. 10.0.0.0/8.
-d Alternative ("dump") output format. Instead of showing top N nodes, rate will dump the whole host list in a form that can be easily parsed by automated tools. The output format is:
<host IP>:<overall input bytes #>:<overall output bytes #>:<momentary input bytes #>:<momentary output bytes #>:<overall packet input #>:<overall packet output #>:<momentary packet input #>:<momentary packet output #>
-f Print spaces instead of "pipes" (|) as column separators. Normally, rate will use characters imitating a vertical line (’|’) to separate columns in order to improve readability. This option disables this feature.
-l Account local transfers too. Rate will also account ’local’ transfers, ie. transfers between two hosts in IP classes specified with -c option. By default, such transfers are ignored.
-t Print total amount of transferred data instead of overall speed.
-O Consider overall transfer rates while sorting the host list.
-M Consider momentary transfer rates while sorting the host list (default).
-P Consider packet counters while sorting the host list.
-B Consider byte counters while sorting the list (default).
-T Consider output (TX) counters while sorting the list.
-R Consider input (RX) counters while sorting the list (default).

STREAM ANALYZER MODE

rate [...] -T -h

rate [...] -T [-m <memlimit> [-f <free>]] [-rtv] [-n <n> | -s <n> | -p <n>] [-R | -S] [-M | -O] [-B | -P] [-A | -D] [-b]

In this mode, rate will try to keep track of every TCP connection and UDP or ICMP stream present on the interface. Every detected conversation is allocated its own set of traffic counters; besides, rate attempts to identify common protocols (like HTTP or FTP). The feature is still experimental, and consumes HUGE amounts of system resources. Do not trust the -m and -f options, avoid leaving rate -T somewhere in the background and without supervision.

The reports might be generated in three different ways:
host-oriented reports
  a list of most active (or least active, depending on sorting options) hosts is printed, with an optional list of conversations below every entry.
stream-oriented reports
  rate print an overall list of most/least active streams.
protocol-oriented reports
  show the mostly utilized protocols, with an optional list of conversations classified as a specific protocol below every entry.
Available options:
-m M Limit memory used by the conversation engine to M kilobytes. When the amount of allocated memory gets beyond the set limit, a number of least active conversation is dropped. DO NOT trust this option.
-f F Drop F conversations after a memory overlimit. Default: 4000.
-r Output resource usage statistics (CPU, memory) before every report.
-t Use tabs instead of spaces to separate columns.
-v Increase verbosity level. This will print the guessed conversation protocol below every printed conversation entry. Again, please keep on mind that the stream analyzer feature is highly experimental, and it still lacks ability to recognize many common protocols. Only the basic ones (HTTP, FTP, FTP Data, POP3, SMTP) are supported for now. The remaining streams are classified as "Unknown" and "Unidentified".
-n N Node-driven reports. Print a list of N most/least active nodes (and, optionally, conversations associated with them)
-s N Stream-driven reports. Print a list of N most/least active streams.
-p N Protocol-driven reports. Output a list of N top protocols.
-b Brief output. Supress the conversation lists - valid only for node and protocol driven reports.
Sorting options:
-R Consider received data counters. Makes sense only for node-driven reports. This is the default.
-S Consider sent data counters. As above, only for node-driven reports.
-M Consider momentary counters (default).
-O Consider overall counters.
-B Consider byte counters (default).
-P Consider packet counters.
-D Descending sort - the most active hosts/nodes/protocols first. This is the default.
-A Ascending sort - the least active hosts/nodes/protocols first.

STRING EXTRACTING MODE

rate [...] -E -h

rate [...] -E [-o <output format string>] [-i] [-e] <pattern>

This is a "bonus" mode - it has nothing to do with traffic analysis. Unlike other operation modes, this one does not generate reports. It is designed for extracting strings from packets - whenever a matching packet occurs, the extracted string is printed to stdout, regardless of the report generation policy.

pattern is a regular expression to be matched. Parts of the expression encosed in escaped braces \( ... \) are printed to standard output, in order they appear in the expression if a packet matches the pattern. If the -o (output format) option was specified, the output format string is printed instead, with \1 being substituted with the first subexpression in pattern, \2 with the second, etc. The whole thing works much like sed ’s///’. A typical application would be investigating web pages currently visited by users:

# rate -f ’dst port 80’ -E -o ’Host: \2 Browser: \1’ -ie ’User-Agent: \([^\r\n]+\)\r\n.*Host: \([^\r\n]+\)\r\n’

The -i option enables printing source and destination addresses before each set of extracted strings. As you can see, it is possible to use \n, \r, \t and \x in pattern, just like in the case of the -x generic option.

EXAMPLES

To determine overall traffic on eth3:
# rate -i eth3 -R
 

To estimate bandwidth consumed by WWW traffic on ppp0, bit units:
# rate -i ppp0 -f ’port 80’ -Rb
 

To print top 20 nodes from 10.0.0.0/8 that are receiving the highest number of bytes (including transfers between hosts inside the 10.0.0.0/8 network) every 5 seconds:
# rate -i eth0 -r 5 -Aa 20 -lc 10.0.0.0/8
 

Same as above, but w/color output and screen clearing:
# rate -i eth0 -r 5 -w -c -Aa 20 -lc 10.0.0.0/8
 

Show 10 nodes from 10.0.0.0/8 and 192.168.0.0/16 that generated the largest overall number of packets, generate reports on a keypress (RETURN), ANSI color output:
# rate -i eth0 -ck -Ac 10.0.0.0/8 -c 192.168.0.0/16 -a 10 -OPT
 

Estimate ICMP traffic exchanged with the 10.0.0.0/8 subnet, wait for SIGUSR1, then dump the counters for each host in 192.168.0.0/24 to a file named FILE, then quit.
# rate -i eth1 -f ’icmp and net 10.0.0.0/8’ -q 1 -gl -A -c 192.168.0.0/24 -d > FILE
 

Show most active (considering transferred bytes) conversations detected on eth3, color output on keypress; save the option set under the name ’streams’:
# rate -S streams -i eth3 -ckTrs 25 -MB
 

Recall the ’streams’ operation mode:
# rate -L streams
 

On a keypress, show a list of 3 nodes that have sent the highest amount of packets since the application started; color output:
# rate -i eth3 -ckTrvn 3 -SOP
 

Show currently visited web pages:
# rate -f ’dst port 80’ -E -o ’Host: \2 Browser: \1’ -ie ’User-Agent: \([^\r\n]+\)\r\n.*Host: \([^\r\n]+\)\r\n’
 

View addresses e-mails are being sent from:
# rate -i eth1 -f ’dst port 25’ -E -ie ’MAIL FROM: \([^\r\n]+\)’
 

BUGS AND LIMITATIONS

The TRAFFIC ANALYZER (-T) operation mode is experimental. It consumes large amounts of system resources. Memory leaks in code that provides this feature are possible.

The commandline options are a bit complicated, but it seems it’s impossible to do anything about that.

SEE ALSO

tcpdump(1), regex(7), pcap(3), bpf(4)

AUTHOR

Mateusz Golicz <mteg@jaszczur.org>

Feel free to send comments, suggestions, bug reports, etc. The author is not a native english speaker, and is aware of the fact that his english is far from perfect. Because of that, reports on grammar or vocabulary mistakes in this manual are also welcome.

The asynchronous DNS resolver part was taken from mtr - a very handy traceroute replacement by Matt Kimball.

LICENSE

Copyright 2003 Mateusz Golicz. All rights reserved.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, Version 2, as published by the Free Software Foundation. A copy of this license is distributed with this software in the file "COPYING".

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Read the file "COPYING" for more details.

Search for    or go to Top of page |  Section 1 |  Main Index


--> RATE (1) 11-August-2003

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.