curvetun: Fix issues detected by the Coverity scanner

[netsniff-ng.git] / flowtop.8

.\" netsniff-ng - the packet sniffing beast
.\" Copyright 2013 Daniel Borkmann.
.\" Subject to the GPL, version 2.
.TH FLOWTOP 8 "03 March 2013" "Linux" "netsniff-ng toolkit"
.SH NAME
flowtop \- top-like netfilter TCP/UDP/SCTP/DCCP/ICMP(v6) flow tracking
.PP
.SH SYNOPSIS
.PP
\fBflowtop\fR { [\fIoptions\fR] }
.PP
.SH DESCRIPTION
.PP
flowtop is a top-like connection tracking tool that can run on an end host or
small home router. It is able to present TCP, UDP/UDP-lite, SCTP, DCCP, and
ICMP(v6) flows that have been collected by the kernel's netfilter connection
tracking framework, thus no packet capturing in user space needs to be done.
.PP
flowtop is able to give you a quick overview of current connections on your
local system, e.g. for debugging purposes or to answer questions like:
.PP
    * If you access website X, what other connections are being opened in
      the background that I'm not aware of?
    * What connections are active that pass one's router?
    * I have this proprietary binary Y, to where does it connect?
    * To which countries am I sending data?
    * Are there any suspicious background connections on my machine?
    * How many active connections does binary Y have?
    * How long are connections active already?
.PP
The following information will be presented in flowtop's output:
.PP
    * Application name and PID when run on local machine
    * Reverse DNS for source and destination
    * Geo-location information (country, city)
    * Used protocols (IPv4, IPv6, TCP, UDP, SCTP, ICMP, ...)
    * Flow port's service name heuristic
    * Transport protocol state machine information
    * Byte/packet counters (if they are enabled)
    * Connection duration (if timestamping is enabled)
.PP
In order for flowtop to work, netfilter must be active and running
on your machine, thus kernel-side connection tracking is active. If netfilter
is not running, you can activate it with iptables(8):
.in +4
.sp
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
.sp
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
.in -4
.PP
To dump byte/packet counters flowtop enables the sysctl(8) parameter
\[lq]net.netfilter.nf_conntrack_acct\[rq] via:
.in +4
.sp
echo 1 > /proc/sys/net/netfilter/nf_conntrack_acct
.sp
.in -4
and resets it to the previously set value on exit. These counters will only be
active on connections which were created after accounting was enabled. Thus, to
have these counters be active all the time the parameter should be enabled after
the system is up. To automatically enable it, sysctl.conf(8) or sysctl.d(8)
might be used.
.PP
To calculate the connection duration flowtop enables the sysctl(8) parameter
\[lq]net.netfilter.nf_conntrack_timestamp\[rq] via:
.in +4
.sp
echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp
.sp
.in -4
and resets it to the previously set value on exit.
.PP
flowtop's intention is just to get a quick look over your active connections.
If you want logging support, have a look at netfilter's conntrack(8) tools
instead.
.PP
.SH OPTIONS
.PP
.SS -4, --ipv4
Display IPv4 flows. That is the default when flowtop is started without
any arguments.
.PP
.SS -6, --ipv6
Display IPv6 flows. That is the default when flowtop is started without
any arguments.
.PP
.SS -T, --tcp
Display TCP flows. That is the default when flowtop is started without
any arguments.
.PP
.SS -U, --udp
Display UDP and UDP-lite flows.
.PP
.SS -D, --dccp
Display DCCP flows.
.PP
.SS -I, --icmp
Display ICMP version 4 and version 6 flows.
.PP
.SS -S, --sctp
Display SCTP flows.
.PP
.SS -s, --show-src
Also show source information of the flow, not only destination information.
.PP
.SS -u, --update
The built-in database update mechanism will be invoked to get Maxmind's
latest database. To configure search locations for databases, the file
/etc/netsniff-ng/geoip.conf contains possible addresses. Thus, to save
bandwidth or for mirroring Maxmind's databases (to bypass their traffic
limit policy), different hosts or IP addresses can be placed into geoip.conf,
separated by a newline.
.PP
.SS -v, --version
Show version information and exit.
.PP
.SS -h, --help
Show user help and exit.
.PP
.SH USAGE EXAMPLE
.PP
.SS flowtop
Default ncurses output for flowtop that tracks IPv4, IPv6 flows for TCP.
.PP
.SS flowtop -46UTDISs
This example enables the maximum display options for flowtop.
.PP
.SH CONFIG FILES
.PP
Files under /etc/netsniff-ng/ can be modified to extend flowtop's
service resolution and lookup information.
.PP
    * tcp.conf - TCP port/services map
    * udp.conf - UDP port/services map
    * geoip.conf - GeoIP database mirrors
.PP
.SH BUGS
With a fairly high rate of connection tracking updates, flowtop can become
unresponsive for short periods of time while scrolling. The right fix would
be to replace flowtop's connection management backend with a better design
with respect to the locking approach. This is still on the "todo" list.
.PP
.SH LEGAL
flowtop is licensed under the GNU GPL version 2.0.
.PP
.SH HISTORY
.B flowtop
was originally written for the netsniff-ng toolkit by Daniel Borkmann. It
is currently maintained by Tobias Klauser <tklauser@distanz.ch> and Daniel
Borkmann <dborkma@tik.ee.ethz.ch>.
.PP
.SH SEE ALSO
.BR netsniff-ng (8),
.BR trafgen (8),
.BR mausezahn (8),
.BR ifpps (8),
.BR bpfc (8),
.BR astraceroute (8),
.BR curvetun (8),
.BR iptables (8),
.BR sysctl (8),
.BR sysctl.conf (8),
.BR sysctl.d (8)
.PP
.SH AUTHOR
Manpage was written by Daniel Borkmann.
.PP
.SH COLOPHON
This page is part of the Linux netsniff-ng toolkit project. A description of the project,
and information about reporting bugs, can be found at http://netsniff-ng.org/.