Int'l Conf. Software Eng. Research and Practice | SERP'15 | 157 cnetmon: Ncurses-based Network Interface Activity Monitor Steve Hutchinson1, John Wittkamper1, Jovina Allen1, Robert F. Erbacher2 1ICF International for US Army Research Laboratory, Adelphi, MD 20783 2US Army Research Laboratory, Adelphi, MD 20783 Abstract - This report illustrates the development and use of 2 Motivation a network interface activity monitoring tool named cnetmon. Server farms, cloud computing, compute clusters, and This tool is intended to aid system administrators and grid computing are all examples of a common technique to developers with network-oriented software projects. The main combine multiple computer systems into a cooperative objective for this project was to develop a capability to network of systems. These systems often intercommunicate monitor network activity for all or selected interfaces on a using two or more NIs (on each system). Clustered- system simultaneously and continuously. We use a display computers are often rack-mounted for higher density and, as generated by the Linux ncurses library that is updated using a a result, often lack a keyboard or monitor; therefore, they are configurable interval. We show added capabilities including frequently managed and configured remotely via ssh or telnet interactive response to window-resizing using SIGWINCH. A over a network connection. During system configuration, novel debug-line display capability is provided to show installation, and testing, it is often difficult to determine dynamic debug messages on a dedicated line of the display. whether network traffic is being sent and received by each interface. Keywords: network traffic monitoring, network interface, systems administration, ncurses In general, such systems are built and configured in a central location and then shipped to remote locations to be added to other servers in a system rack or as a single 1 Introduction distributed sensor. cnetmon allows the installer to observe network traffic from each or all NIs to verify that the system cnetmon1 is a very lightweight command-line tool to seems properly configured for the installed environment. It display network traffic (packet activity) on any or all of the also does not require the use of the system GUI or network interfaces (NIs) on a Linux-based system It uses a Xserver/client because cnetmon will create tabular displays ncurses-library-based display that is compatible with any of all traffic using the LIBCURSES library for display on character-based pseudo terminal, and as such, does not any attached ASCII terminal emulator. cnetmon can be used require the use of the system graphical user interface (GUI) from a remote location, accessed and invoked typically from or Xserver:DISPLAY. a ssh command-line, and can be invoked by any logged-in cnetmon is intended for use in the field for remote user; it does not require root-level access. Many techniques access into devices such as (network) sensors or other to observe or sample traffic from any NI require super-user network-attached Linux systems when an administrator with privileges, but obtaining elevated privileges is often user-level access needs to obtain a dynamic indication of all forbidden, hence a benefit of cnetmon. network traffic entering and leaving that system. Because it In this paper, we describe a few use-cases for cnetmon. does not use the GUI, the complexity and access First, cnetmon can be used on a laptop computer, which often requirements are very minimal. cnetmon can be invoked by has two NIs: wired (eth1) and wireless (wlan), along with the any logged-in user, it does not require sudo access, and it can internal loopback interface. Laptop-users often must operate within a typical secure shell (ssh) or telnet session. transition between networks without rebooting. cnetmon is easily invoked from a command window and will show all NI activities to verify communications to the desired network(s). Second, on a desktop or small server with multiple wired or wireless interfaces, cnetmon can show all network activity for each interface dynamically in this more _______________________________________________ complex network topology. Third, compute-server administration and configuration tasks are often performed 1Throughout this paper, Linux commands are set in an italic using a separate administrative system and command-line font. tools. cnetmon facilitates server configuration and testing and was developed for use in these more complex, multi-network 158 Int'l Conf. Software Eng. Research and Practice | SERP'15 | environments. We frequently use one cnetmon window per devices, this function call is not intended for repeated server during configuration, development, and testing, to invocation to determine network traffic rates. Modern Linux obtain a real-time picture of network inter-communications systems provide a /proc/ file system to allow user-level and to verify proper configuration and operation. processes to easily read a wide variety of counts for devices; these values are maintained and updated by the kernel in a 3 Related work: bmon virtual file system, /proc/. The /proc/ file system was originally intended as a way to provide information about In the search for a user-level, multi-NI monitor, we processes in a system. As such, it also was a convenient noticed the “bmon” tool [1], which provides indications of means of exposing kernel information to a structured file network bandwidth utilization from multiple interfaces using system requiring only user-access rights to read this the /proc/ file-system [2] and a curses-interface. We use this information. A corresponding application programming strategy to implement a curses-based multi-interface activity interface (API) is provided for read and write access — using tool, cnetmon, providing various command-line and key- sysctl (system control) calls to configure parameters of the press event-driven parameters to control the display and running kernel [3]. This capability was gradually introduced monitoring update interval. into Unix systems starting as early as 1984; the current Although bmon was intended to show network implementation in Linux is as an extended, virtual file system bandwidth utilization, we liked its design paradigm using a contained only in memory and has directories for other ncurses display using periodic updates obtained from kernel information categories such as kernel-modules, file- /proc/net/. Our goal was not to show estimated bandwidth systems, interrupts, and devices including NIs, kernel utilization, but to show concurrent network activity measured messages, drivers, and CPUs. in terms of packet counts and transfer rates per sampling The cnetmon executable periodically examines the interval and accumulated for the session. /proc/net/dev file on the Linux system. These values are sampled on each loop cycle (by default, one second), which 4How it works is configurable on invocation or by pressing a number-key A long-standing problem for understanding network while running. Linux systems also maintain an uptime value, activity between (Linux or *nix) systems has been the the number of seconds since last rebooting. cnetmon saves requirement to obtain root or super-user privileges to access this date-time value at launch (fork) time and displays the and configure devices, such as a NI. ifconfig is the Unix or session length time in the screen header section Linux command to display the status of NI devices on a system. Upon executing the ifconfig command, the following Contents of /proc/net/dev: information is produced on the console, shown below in Interface Figure 1. The first 6 lines pertain to the hardware and lo: network address parameters for each interface as well as the bytes 570671 status of the interface. The remaining lines show counts of packets 6267 transmitted and received packets, error counts, and finally the errs 0 interrupt number and buffers memory location. drop 0 user@asc2:~$ifconfig fifo 0 eth0Linkencap:EthernetHWaddr00:24:81:1c:fd:7d frame 0 inetaddr:10.0.0.16Bcast:10.0.0.255Mask:255.255.255.0 compressed 0 inet6addr:2601:a:4680:3e6:5cf:ea3d:eed0:64e0/64 multicast 0 Scope:Global bytes 570671 inet6addr:fe80::224:81ff:fe1c:fd7d/64Scope:Link packets 6267 inet6addr:2601:a:4680:3e6:224:81ff:fe1c:fd7d/64 errs 0 Scope:Global drop 0 UPBROADCASTRUNNINGMULTICASTMTU:1500Metric:1 fifo 0 RXpackets:370errors:0dropped:0overruns:0frame:0 colls 0 TXpackets:120errors:0dropped:0overruns:0carrier:0 carrier 0 collisions:0txqueuelen:1000 compressed 0 RXbytes:46300(46.3KB)TXbytes:20936(20.9KB) Interrupt:19Memory:f0500000Ͳf0520000 eth0: bytes 14797900909 Figure 1. Typical ifconfig output. packets 17797994 errs 0 drop 0 Although it is true that we could issue ifconfig fifo 0 repeatedly to obtain the configuration and counts for network frame 0 Int'l Conf. Software Eng. Research and Practice | SERP'15 | 159 compressed 0 For each interface and at each interval: multicast 3120 bytes 4116686178 SessionPKT s P[Tnow ] PT [ 0] (1) packets 14414011 errs 0 IntervalPK Ts P[][]Tnow P now i (2) drop 0 fifo 0 (3) colls 0 SessionRat e ( B [Tnow ] BT [ 0]) /1000 *Li ] carrier 0 compressed 0 IntervalRa te P[Tnow ] PT [ 0] (4) Command-line programs used for monitoring often 5 Implementation generate display data output in the form of one-line records and then render them into a scrolling console window. Very The design goals and requirements for cnetmon are to wide, or multi-line records, when scrolled like this, are periodically examine the network device-file in the /proc difficult to understand. Since network interface data is of this directory on a Linux system to: nature, a scrolling display will be difficult to use. Instead, we x Enumerate NIs use a display technique that renders these parameters in strict rows and columns such that the location of each on the x Collect traffic statistics screen does not change. This tabular process makes the changing parameters more obvious. Cell contents can change x Convert traffic counts to display quantities and units with the fixed regularity of the chosen update loop interval.