
Manual Reference Pages  -  TRAFD (8)

NAME

trafd - ip traffic collector daemon.

trafdump
  - Script to dump current traffic to disk.
trafsave
  - Script to save current traffic to disk.
trafstart
  - Startup script for trafd.
trafstop
  - Shutdown script for trafd.
trafd.sh
  - Start/stop script for trafd, placed in the 'local startup directory' (*/rc.d).

CONTENTS

Synopsis
Description
     Usage
     Logging
     Warnings and recommendations.
Options
Exit Status
Signals
Environment
Files
Examples
Compatibility
See Also
Authors
Bugs

SYNOPSIS

trafd [-dOprVX] [-c count] [-i iface] [-f ext] [ -F file | expr ]

trafdump [All | iface [...]]
trafsave [All | iface [...]]
trafstart [All | iface [...]]
trafstop [All | iface [...]]
trafd.sh start | stop

DESCRIPTION

The trafd daemon listens on the specified interface and sums all ip packet sizes and sub-protocol data frame lengths (tcp, udp, icmp, igmp and the others listed in /etc/protocols, see protocols(5); if the sub-protocol is unknown, the ip data frame length is used).

Trafd uses the Berkeley Packet Filter mechanism: it opens the pseudo-device /dev/bpf* (see bpf(4)), reads all ip packets from it and stores the following information in an internal table:

  • source hostname or ip address
  • source ip port name or number (not stored with -X option)
  • destination hostname or ip address
  • destination ip port name or number (not stored with -X option)
  • protocol name
  • protocol data frame length
  • ip packet length (this is ip traffic value)

trafd stores the buffer to the 'dump' file on the SIGHUP signal (used by the trafdump script). It also appends the traffic table to the 'save' file and clears the table when it receives the SIGINT signal (used by the trafsave script).

trafd records its process ID in the file /var/run/trafd.<iface> to assist dumping, saving and quitting.

    Usage

Trafd is a full-fledged daemon. After launch it detaches itself from the tty and runs in the background.

It is a good idea to use a startup script to launch trafd at boot time. This method is implemented in trafd.sh, using the rc.d mechanism (see /usr/local/etc/trafd.sh).

The BPFT program set also includes two scripts: trafstart and trafstop (see /usr/local/bin/trafstart and /usr/local/bin/trafstop).

    Logging

trafd uses the system logger daemon syslogd (see syslogd(8)) to log various information.

It uses the option LOG_PID to log the process id, and LOG_CONS so that if it cannot pass a message to syslogd it will attempt to write the message to the console. It uses facility 'daemon' and levels 'info', 'notice', 'warning' and 'error'. (The facility is defined in include/traffic.h, see SYSLOG_FACILITY.)

If you want additional information about the state of your daemon, i.e. what it is doing and how, set the syslog message level in your syslog.conf to 'info'.

    Warnings and recommendations.

Before using trafd make sure that bpf support is included in the kernel and that the device /dev/bpf0 (/dev/bpf1, ...) exists (the same requirements as for tcpdump, see tcpdump(1)).

You must launch trafd as root or as another user with write access to the /dev/bpf* devices.

We recommend invoking trafdump frequently via cron (see cron(8)) to avoid losing data as a result of a system crash, and invoking trafsave once per day (for example, using periodic (see periodic(8)) or /etc/daily.local) so that the log files are aligned by day. The log file is a small binary file; the average size per day is approximately several kilobytes.

Configure syslogd to collect trafd messages into /var/log/trafd.log (shared with trafstart and the other scripts), for example:

    !trafd
    *.* /var/log/trafd.log

After a system crash (power loss etc.) the PID file needs to be removed: insert a line like this into one of the startup scripts (usually rc.local):

    rm /var/run/trafd.ed1

OPTIONS

-c count
  Collate count packets and exit.
-i iface
  Interface name to listen on. Currently supported types: ethernet, slip, ppp, loopback (see details in the pcap(3) and tcpdump(1) man pages). See also the ENVIRONMENT section of this man page.
-f ext Specify the extension for traffic save & dump files (interface name by default).
-d Print the compiled packet-matching code and exit (see tcpdump(1) for details).
-F file
  File with the packet filter expression.
-m minsize
  Minimum record summary size for saving into the file with collected traffic via trafsave. Records whose 'all' field value is less than minsize are summed into one and saved as the last record (to decrease file size). The default value is 1024 bytes.
-O Turn off the packet-matching code optimizer (see pcap(3) for details).
-p Don't put the interface into promiscuous mode (has no effect on point-to-point links; affects ethernet).
-r Attempt to resume data from the dump file if it exists.
-V Print the version number and exit.
-X Use only ip information (don't store ports and protocol; store the ip data frame length in the 'Data' field).
expr Packet filter expression (see tcpdump(1) for details).

EXIT STATUS

1 Error (file not found, permission denied, etc.)
0 Normal program completion: daemon started.
127 Illegal command line parameter(s).

SIGNALS

SIGHUP Back up collected traffic records into the dump file.
SIGINT Append collected traffic records to the save file.
SIGTERM
SIGQUIT
  Backup traffic and exit.

ENVIRONMENT

IFF_LISTEN
  Sets the name of the network interface to listen on; same as '-i iface', and -i overrides its value.

FILES

/var/log/trafd.log
  Log file for trafstart, trafstop and trafd.sh
/var/trafd/trafd.*
  Files with saved traffic statistic tables (binary).
/var/trafd/tmp/trafd.*
  Files with traffic dumps (binary).
/var/tmp/trafd.*
  Sockets for sending data to trafstatd etc. These files may be deleted by the boot-time tmp cleaning process.
/var/run/trafd.*
  Trafd PID files

EXAMPLES

COMPATIBILITY

Version 4.0 of trafd stores traffic information in a format incompatible with previous versions. (However, if trafd is compiled with #define LAYOUT=OLD then it uses the format compatible with previous versions.)

Tested on: BSDI BSD/386 1.0 (BPFT versions 1.0-2.0), FreeBSD 2.2.8 (BPFT version 2.0), FreeBSD 3.0 and above, FreeBSD 4.0 and above (BPFT version 3.0 and above).

BPFT versions 3.*, 4.* work only on FreeBSD 3.0 and above: the required pcap library (see pcap(3)) is not present in previous versions of FreeBSD.

SEE ALSO

traflog(1), trafstatd(8), trafstat(1), trafshow(1), bpf(4).

AUTHORS


Vladimir Vorobyev <bob@turbo.nsk.su>

    author of the BPFT project, versions 1.0..2.0


Vitaly V. Belekhov <vitaly@riss-telecom.ru>

    3.0 release


Stas Degteff <g@grumbler.org>

    4.0 release, man pages

BUGS

If trafd runs on a slow, very busy computer or on a very fast ip channel, it cannot read all packets from the kernel and some packets are dropped. Trafd checks for this on each dump/save event and writes the number of dropped packets to the log (when logging to syslog, at the 'error' level).