Hi everyone. Just wanted to drop a line and say that we're extremely pleased to have iftop here at ARL:UT. I, personally, have been wanting something like this for some time, and seeing it on freshmeat yesterday was really fantastic.
I do have a question, however. We're running it on Solaris 8, and while I understand that it's necessary to use -p to run it in promiscuous mode to see the outgoing packets, even when this is done, I still see nothing but flatline on the cumulative and peak TX stats on the bottom of the display.
This even in the case where I'm seeing outgoing statistics in the bar-graph display.
I built iftop-0.12 against libpcap-0.7.2. Is this a supported configuration?
Thanks for a really attractive tool.
Jon
On Fri, May 23, 2003 at 10:01:24AM -0500, Jonathan Abbey wrote:
> Hi everyone. Just wanted to drop a line and say that we're extremely pleased to have iftop here at ARL:UT. I, personally, have been wanting something like this for some time, and seeing it on freshmeat yesterday was really fantastic.
> I do have a question, however. We're running it on Solaris 8, and while I understand that it's necessary to use -p to run it in promiscuous mode to see the outgoing packets, even when this is done, I still see nothing but flatline on the cumulative and peak TX stats on the bottom of the display.
> This even in the case where I'm seeing outgoing statistics in the bar-graph display.
OK, this is pretty much expected. Presumably when you start up (or after you quit) you see a message saying that it was unable to get the hardware address and/or the IP address?
The problem is that if it can't figure out the above, it doesn't know which way packets are moving across the interface, so it assumes that they were picked up in promiscuous mode (between two other hosts) and accounts them as incoming, having assigned the direction in the above display arbitrarily.
Getting the hardware address is a real PITA because there seem to be more ways of doing it than there are platforms in the world. Currently it's only working on Linux. Can you try the attached patch, which is meant to work on Solaris, and let me know how you get on? I'm afraid I don't have access to a Solaris box to test this on.
cheers,
Paul
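The accounting fallback described in the message above, as an added example that is not part of the original thread and is not iftop's own code. The types, the function names and the order of checks (hardware address first, then IP address) are assumptions made for illustration, and the sample frame is constructed.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical types for this sketch; not iftop's structures. */
enum direction { DIR_RX, DIR_TX };
struct iface_info { int have_hw; uint8_t hw[6]; int have_ip; uint32_t ip; };
struct pkt { uint8_t eth_src[6], eth_dst[6]; uint32_t ip_src, ip_dst, len; };
struct totals { uint64_t tx, rx; };

/* Decide which way a captured frame crossed the interface. */
enum direction classify(const struct iface_info *ifc, const struct pkt *p)
{
    if (ifc->have_hw) {
        if (memcmp(p->eth_src, ifc->hw, 6) == 0) return DIR_TX;
        if (memcmp(p->eth_dst, ifc->hw, 6) == 0) return DIR_RX;
    }
    if (ifc->have_ip) {
        if (p->ip_src == ifc->ip) return DIR_TX;
        if (p->ip_dst == ifc->ip) return DIR_RX;
    }
    /* No local address known (or none matched): the frame is treated as
       promiscuous traffic between two other hosts and counted as incoming. */
    return DIR_RX;
}

/* Add the frame length to the cumulative TX or RX total. */
void account(struct totals *t, const struct iface_info *ifc, const struct pkt *p)
{
    if (classify(ifc, p) == DIR_TX) t->tx += p->len;
    else t->rx += p->len;
}

/* Constructed sample: one 1500-byte frame sent by the local host 10.0.0.5.
   Returns the cumulative TX total after accounting it. */
uint64_t demo_tx_total(int addresses_known)
{
    struct iface_info ifc = { addresses_known,
                              {0x00, 0x03, 0xba, 0x01, 0x02, 0x03},
                              addresses_known, 0x0a000005u };
    struct pkt out = { {0x00, 0x03, 0xba, 0x01, 0x02, 0x03},
                       {0x00, 0x11, 0x22, 0x33, 0x44, 0x55},
                       0x0a000005u, 0x0a000001u, 1500 };
    struct totals t = { 0, 0 };
    account(&t, &ifc, &out);
    return t.tx;
}
```

With the addresses known the frame lands in the TX total; with them unknown the same frame is counted as RX and the TX total stays at zero, which matches the flat TX line reported on Solaris.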
On Fri, May 23, 2003 at 05:03:42PM +0100, Paul Warren wrote:
| OK, this is pretty much expected. Presumably when you start up (or
| after you quit) you see a message saying that it was unable to get the
| hardware address and/or the IP address?
Mmm, possibly, I'll have to check.
| The problem is that if it can't figure out the above, it doesn't know
| which way packets are moving across the interface, so it assumes that they
| were picked up in promiscuous mode (between two other hosts) and
| accounts them as incoming, having assigned the direction in the above
| display arbitrarily.
Right, makes perfect sense.
| Getting the hardware address is a real PITA because there seem to be more
| ways of doing it than there are platforms in the world. Currently it's
| only working on Linux. Can you try the attached patch, which is meant
| to work on Solaris, and let me know how you get on? I'm afraid I don't
| have access to a Solaris box to test this on.
I will give this a try, thanks.
I do have another question. When running iftop, it seems to be almost random which IP addresses are resolved to their DNS names, and which addresses appear in dotted decimal form. This when all the hosts displayed, in whichever form, are properly registered in our local DNS. If we do an nslookup on a host before starting iftop, that host seems to be properly resolved on the bar graph, but the majority go unresolved.
Does that scenario suggest anything?
jon
On Fri, May 23, 2003 at 11:30:04AM -0500, Jonathan Abbey wrote:
> | Getting the hardware address is a real PITA because there seem to be more
> | ways of doing it than there are platforms in the world. Currently it's
> | only working on Linux. Can you try the attached patch, which is meant
> | to work on Solaris, and let me know how you get on? I'm afraid I don't
> | have access to a Solaris box to test this on.
> I will give this a try, thanks.
> I do have another question. When running iftop, it seems to be almost random which IP addresses are resolved to their DNS names, and which addresses appear in dotted decimal form. This when all the hosts displayed, in whichever form, are properly registered in our local DNS. If we do an nslookup on a host before starting iftop, that host seems to be properly resolved on the bar graph, but the majority go unresolved.
Which resolver mechanism are you using? I'm guessing that it's fallen back to using the single-threaded gethostbyname implementation. This sucks a lot, because if it comes across an IP address that it can't resolve quickly (typically it takes up to a minute to time out) then it won't be able to resolve any more IP addresses. If all the IP addresses it ever encounters are in your local DNS then I'm a bit confused by this, because the resolver thread should never stall.
In general, the best option would be to install ares, and then run:
./configure --with-resolver=ares
You can get ares from: ftp://athena-dist.mit.edu/pub/ATHENA/ares/
Paul