- ip traffic collector daemon.
|- Script to dump current traffic to disk.|
|- Script to save current traffic to disk.|
|- Startup script for trafd.|
|- Shutgown script for trafd.|
|- Start/stop script for trafd, placed to the 'local startup directory' ( */rc.d).|
Warnings and recommendations.
trafd [-dOprVX] [-c count] [-i iface] [-f ext] [ -F file | expr ]
trafdump [All | iface [...]] trafsave [All | iface [...]] trafstart [All | iface [...]] trafstop [All | iface [...]] trafd.sh start | stop
Trafd daemon listen specified interface and summ all ip packet sizes and sub-protocol data frame length (tcp, udp, icmp, igmp and other, listed in /etc/protocols protocols(5), or, if sub-protocol unknown, ip data frame length).
Trafd use Berkeley Packet Filter mechanism: open pseudo-device /dev/bpf* (see bpf(4)), read from it all ip packets and store into internal table following information:
- source hostname or ip address
- source ip port name or number (not stored with -X option)
- destination hostname or ip address
- destination ip port name or number (not stored with -X option)
- protocol name
- protocol data frame length
- ip packet length (this is ip traffic value)
trafd store buffer to 'dump' file on the SIGHUP signal (used in trafdump script). Also it append traffic table to 'save' file and clear table where received the SIGINT signal (this used in trafsave script).
trafd records its process ID in the file /var/run/trafd.<iface> to assist dumping, saving and quitting.
Trafd is full-blooded daemon. After run it self-detached from the tty and running in background.
Good idea is using startup script for launch trafd in boot time. This method implemented in trafd.sh, using the rc.d mechanism (see /usr/local/etc/trafd.sh).
Into BPFT programs set also included two scripts: trafstart and trafstop (see /usr/local/bin/trafstart and /usr/local/bin/trafstop).
trafd use the system logger daemon syslogd (see syslogd(8)) for the logging various information.
Thus, it use options LOG_PID for log the process id and LOG_CONS for if cannot pass the message to syslogd it will attempt to write the message to console, use facility 'daemon' and levels 'info', 'notice', 'warning' and 'error'. (Facility defined in include/traffic.h, see SYSLOG_FACILITY.)
If you want additional information about condition of your daemon, i.e. what is it doing and how do it do, then you should set syslog message level in your syslog.conf up to info.
Before use of the trafd make sure that bpf support included into kernel and device /dev/bpf0( /dev/bpf1, ...) is exist (analogous requrements to the tcpdump, see tcpdump(1)).
You must launch trafd from root or other user with writing right to /dev/bpf* devices.
We recomend: more often invoke trafdump via cron (see cron(8)) to avoid loss data as a result of system crash and invoke trafsave one per day (for example, using periodic (see periodic(8)) or /etc/daily.local) to have log file aligment by days. Log file is binary file with little size, average size per day approximate to several kilobytes.
Configure syslogd for collect trafd messages into /var/log/trafd.log (common for trafstart & other scripts), for example:
After system crash (power drop & etc) need remove PID file: insert into one of the startup scripts (usually rc.local) line like this:
-c count Collate count number of packets and exit. -i iface Interface name to listen. Current supported types: ethernet, slip, ppp, loopback (see details in pcap(3) and tcpdump(1) man pages). See also ENVIRONMENT section of this man page. -f ext Specify extension for traffic save & dump files (interface name by default). -d Print compiled packet-matching code and exit (see tcpdump(1) for details). -F file File with packet filter expression. -m minsize Minimal record summary size for save into file with collected traffic via trafsave. Records with values less minsize in the all field summ to one and saved to last record (for decrease file size). Default value is 1024 bytes. -O Turn off the packet-matching code optimizer (see pcap(3) for details). -p Dont put the interface into promiscuous mode (dont effect to point-to point links, effected to the ethernet). -r Attempt to resume data from dumped file if exist. -V Print version number and exit. -X Use only ip information (dont store ports and protocol, store ip data frame lenght in the 'Data' field). expr Packet filter expression (see tcpdump(1) for details).
1 Error (file not found, permissions denied & etc.) 0 Normal program complete: daemon started. 127 Illegal command line parameter(s).
SIGHUP Backup collected traffic records into dump file. SIGINT Append collected traffic records into save file. SIGTERM
Backup traffic and exit.
IFF_LISTEN Set the name of the network interface for listen, same as '-i iface' and -i overwrite its value.
/var/log/trafd.log Log file for trafstart, trafstop and trafd.sh /var/trafd/trafd.* Files with saved traffic statistic tables (binary). /var/trafd/tmp/trafd.* Files with traffic dumps (binary). /var/tmp/trafd.* Sockets for send data to trafstatd & etc. This files may be deleted at boot-time tmp cleaning process /var/run/trafd.* Trafd PID files
Version 4.0 of the trafd store traffic information in incompatible format with previous versions. (Hoverer if trafd compiled with #define LAYOUT=OLD then it use compatible with previous version format).
Tested on: BSDI BSD/386 1.0 ( BPFT versions 1.0-2.0),
.Fx 2.2.8 ( BPFT version 2.0),
.Fx 3.0 and above,
.Fx 4.0 and above (BPFT version 3.0 and above).
BPFT versions 3.*, 4.* work only on
.Fx 3.0 and above: requred library pcap (see pcap(3)) dont present in previous versions of the
.An Vladimir Vorobyev Aq firstname.lastname@example.org
autor of the BPFT project, versions 1.0..2.0
.An Vitaly V. Belekhov Aq email@example.com
.An Stas Degteff Aq firstname.lastname@example.org
4.0 release, man pages
If trafd run on the slow, very busy computer or very fast ip channel then it cant read all packets from kernel and some packets is dropped. Trafd check this on each dump/save event and store dropped packets quantity to log (if to sislogs then write on 'error' level).