From fd4fb3c7e51bb7bdf3e8bfcc47263e0b5890c53f Mon Sep 17 00:00:00 2001
From: Packit <packit>
Date: Sep 29 2020 10:34:34 +0000
Subject: iptraf-ng-1.1.4 base

---

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ccb2759
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,40 @@
+# NOTE! Please use 'git ls-files -i --exclude-standard'
+# command after changing this file, to see if there are
+# any tracked files which get ignored after the change.
+
+# normal rules
+.*
+*.o
+*.lo
+*.la
+
+# ignore binaries
+/iptraf-ng
+/rvnamed-ng
+
+# don't ignore git files
+!.gitignore
+
+# gnu global files
+GPATH
+GRTAGS
+GSYMS
+GTAGS
+
+# cscope files
+cscope.*
+ncscope.*
+
+# autotools
+/configure
+/autom4te.cache/
+/config.log
+/config.mak.append
+/config.mak.autogen
+/config.status
+
+# misc
+*~
+\#*#
+/iptraf-ng.spec
+VERSION-FILE
diff --git a/AUTHORS b/AUTHORS
new file mode 100644
index 0000000..88ffb7b
--- /dev/null
+++ b/AUTHORS
@@ -0,0 +1,21 @@
+Original author of iptraf:
+--------------------------
+
+ 1997 - 2004 Gerard Paul Java
+
+Since no progress was made since 2004 and the author didn't answer
+any question if he will be working on iptraf anytime soon again,
+Nikola Pajkovsky from RedHat took over the project in 2010 and made
+a fork named iptraf-ng.
+
+iptraf-ng maintainer:
+---------------------
+ 2010 - Nikola Pajkovsky <npajkovs@redhat.com>
+
+Contributors:
+-------------
+ 2010 - now Nikola Pajkovsky <npajkovs@redhat.com>
+ 2010 Jan Rafaj <jr-tools@cedric.unob.cz>
+ 2010 Petr Uzel <petr.uzel@suse.cz>
+ 2011 Jan Engelhardt <jengelh@medozas.de>
+ 2012 Vitezslav Samel <vitezslav@samel.cz>
diff --git a/CHANGES b/CHANGES
new file mode 100644
index 0000000..77bac9b
--- /dev/null
+++ b/CHANGES
@@ -0,0 +1,86 @@
+CHANGES file for iptraf-ng
+
+* Tue Jul 23 2013 Nikola Pajkovsky <npajkovs@redhat.com> - 1.1.4
+- locking code rewrite: only one instance is allowed now
+- promiscuous mode rewrite
+- build system: install iptraf-ng to sbin
+- remove token-ring support
+- remove ISDN interfaces support
+- preparation for packet capturing into the file
+- source code cleanups
+- bugfix: don't segfault when there are no ports to remove
+- rvnamed: fix the IPv6 resolving
+- add 802.1ad and QinQ VLAN handling
+- optimize code (to not use that much CPU)
+
+* Wed May 23 2012 Nikola Pajkovsky <npajkovs@redhat.com> - 1.1.3
+- new building system (based only on make, no automake/autoconf)
+- code cleanups
+- SIT tunnels support
+- space for HW addresses fix
+- sort interfaces by ifindex
+- print rates every second using moving average (over last 5 seconds)
+- packet_get() bugfix (don't count packets when there's no packet ready)
+- fix segfault in the tui/* code
+- fix checksumming for odd-sized IPv4 header
+
+* Fri May 04 2012 Nikola Pajkovsky <npajkovs@redhat.com> - 1.1.2
+- massive code cleanup
+- fix PPP handling
+- move the splash screen to the main menu
+- fix capturing on tun-like interfaces
+- support GRE-over-IP tunnels
+- fix ethernet descriptions
+- change units: bits/sec (bytes/sec) to kbps (kBps)
+- use bind() to lock the socket on interface (should decrease CPU
+ utilization on systems with very busy interfaces)
+- warnings cleanup
+- fix packet length counting for large packets
+- hostmon(): count IPv6 as IP protocol too
+
+* Thu Feb 02 2012 Nikola Pajkovsky <npajkovs@redhat.com> - 1.1.1
+- fix frames in UTF-8 locales
+- fix IPv6 port stats
+- fix IPv6 byte counting
+- fix port data rate
+- fix for interfaces with long name
+
+* Wed Jan 11 2012 Nikola Pajkovsky <npajkovs@redhat.com> - 1.1.0
+- build system fixes
+- brand new command line options parser
+- rename iptraf to iptraf-ng (binaries, mans)
+- code cleanup (useless code removal, warnings erradication, ...)
+- new ip checksum based on rfc1071 implementation
+- landesc.[c,h]: full rewrite
+
+* Sun Apr 11 2010 Nikola Pajkovsky <npajkovs@redhat.com> - 1.0.3
+- documentation cleanup
+
+* Wed Mar 24 2010 Nikola Pajkovsky <npajkovs@redhat.com> - 1.0.2
+- remove warnings
+- rif of PKG_CHECK_MODULES
+- tx_operate_listbox(): use proper format string for size_t in snprintf
+- ltrim(): simplify function and fix situation when strings overlap in strcpy
+- build: pass libpanel_CFLAGS and ncurses_CFLAGS to compiler
+- selectiface(): use strncpy to prevent buffer overflow and thus avoid gcc warning
+- init_promisc_list(): use IF_NAMESIZE as size of buffer for interface name
+- main(): allow regular users to run iptraf if the sticky-bit is set
+- fix strcpy overlap memory
+- remove -Werror option
+
+* Thu Mar 04 2010 Nikola Pajkovsky <npajkovs@redhat.com> - 1.0.1
+- remove dereferencing type-punned pointer will break strict-aliasing rules
+- convmacaddr(): fix assignment casting. One more warning gone.
+- ipmon(), servmon(): unnecessary casting is gone. Fixes strict-aliasing.
+- Fix compilation issues and crash within LAN station monitor
+
+* Mon Mar 01 2010 Nikola Pajkovsky <npajkovs@redhat.com> - 1.0.0
+- compile with -std=gnu99 -pedantic -Wall -Werror
+- add support for devices(used patches from gentoo, debian and fedora):
+ vlan, hsi, ctc, ath, bond, ra, bnep, dsl, modem, ni, br, tap, dummy, vmnet
+- add longer intefaces names(18 chars)
+- add iptraf -u - show unsupported interfaces(fpeters@debian.org)
+- check if macro is defined ICMP6_DST_UNREACH_NOTNEIGHBOR(jer@gentoo.org)
+- add ipv6 support
+- remove wierd Setup compilation and replaced it by autotools
+- import original iptraf-3.0.0
diff --git a/CHANGES.old b/CHANGES.old
new file mode 100644
index 0000000..28f12e4
--- /dev/null
+++ b/CHANGES.old
@@ -0,0 +1,960 @@ +CHANGES File for IPTraf 3.0.0 + +Changes to IPTraf 2.7.0 and new features in IPTraf 3.0.0 + + New filter behavior. Except for TCP traffic in the IP traffic + monitor, filters now do not automatically match reverse packets + for TCP and UDP IPTraf-wide. Rather, each filter entry has + a field which tells IPTraf whether to match packets flowing + in the direction opposite that specified. + + The filters for non-TCP, non-UDP IP traffic (ICMP, IGRP, OSPF, + etc.) which never automatically matched packets flowing in the + opposite direction, now have that same option field. This way + related packets (like ICMP echo request/echo reply) can be + matched with a single entry. + + Because reverse-matching is no longer the default IPTraf-wide, + the labels are now changed to read Source and Destination. + + Default value for blank address filter fields is now 0.0.0.0, + rather than 255.255.255.255. Fields are therefore no longer + pre-filled with 0.0.0.0. + + Miscellaneous IP filter entries feature a field for other IP + protocols not specifically indicated in the dialog. The user + must enter a comma-separated list of individual protocols or a + range. IP protocols are defined in the /etc/protocols file. + + The IP traffic monitor consults the /etc/protocols file for + miscellaneous IP packets for the protocol names. Previously + recognized protocols (ICMP, UDP, OSPF, etc) are still looked up + internally for performance reasons. + + The filter rule selection now indicates the mask in CIDR format + (e.g. 10.1.0.0/16) for clarity and to save screen space. + + Filter selection list box is now alphabetically sorted. + + Likewise, the CIDR notation can be used when entering IP address + data. However the CIDR notation is translated into a mask and + discarded. Subsequent editing of the filter will show the + corresponding mask. 
+ + Changed color coding for unknown IP packets (those looked up + from /etc/services to bright white on blue (instead of yellow on + red, which looked like "errors"). + + Added internal recognition for L2TP, IPSec AH, and IPSec ESP + packets. + + Changed size of the IP traffic monitor's TCP hash table to 1033 + buckets. Prime number used to improve hash efficiency. + + A new function tx_box() has been added to the screen support + library as a solution to the ncurses box() function not accepting + the color set by wattrset(), at least on Red Hat 7.3. All calls + to box() have been replaced with this tx_box() instead. It takes + exactly the same parameters. + + Added support for tun and brg (tunneling and bridging) interfaces. + Thanks to Marcio Gomes <tecnica_at_microlink.com.br>. + + Modified logging options. The -L parameter now works with any + command-line invocation of a facility, even in foreground mode. + + Added -I command-line parameter to override logging interval + configuration option. + + (Thanks to the contributors of the -I and -L patches. I lost your + emails when SEUL reinstalled. Please acknowledge. Thanks. + + Corrected promiscuous mode control code. It ignored Token Ring + interfaces. + +Changes to IPTraf 2.6.1 and new features in IPTraf 2.7.0 + + Corrected bug wherein the detailed interface statistics + did not filter out the packets based on the selected + interface. Thanks to the members of the mailing list for + this. + + Corrected minor interface name comparison bugs in the + general interface statistics and TCP/UDP service statistics. + + Corrected stale locks when IPTraf did not start due to an + improper terminal size. + + Added support for additional DVB interfaces sm2*, sm3*, penta*. + + Added support for wireless LAN interfaces (wlan*, wvlan*). + + Fixed segfault that occurs when /proc/net/dev is empty or + contains no active interfaces. Thanks to Chris Armstrong + <wolfwings_at_zana.changa.nu> for actually trying it out. 
+ + Added error box to handle the /proc/net/dev error condition + mentioned above. + + Added error box when tx_operate_listbox is invoked on an empty + list. + +Changes to IPTraf 2.6.0 + + Corrected a segfault in the IP traffic monitor and TCP/UDP service + breakdown when a sort is attempted on an empty screen. Thanks + to <lord_at_elreyforce.org> for the report. + + Corrected segfaults in the TCP/UDP service monitor when + scrolling using PgUp and PgDn (or space and '-'). Thanks + to Ross Gibson <windows_at_prefixservice.com>. + + Corrected post-sorting PgUp problem in TCP/UDP monitor. + + Corrected inaccuracies in the IP traffic monitor's TCP byte + counts and flow rates. *** THE BUG ADDRESSED BY THIS CORRECTION + DEFERS IPTRAF 2.6.0. *** + + Adjusted black-and-white color scheme. + + Minor adjustments to the printlargenumber() function. + + Minor cosmetic adjustments. + +New features in IPTraf 2.6.0 and changes to IPTraf 2.5.0 + + Added support for Token Ring interfaces. Thanks to many people + for help with patches and testing, including J. Kahn Koontz + <csjmk_at_eiu.edu>, Dan Seto <mail_at_seto.org>, and Tomas Dvorak + <avatar_at_kanal.ucw.cz>. + + Added support for sbni long-range modem interfaces (Dmitry + Sergienko <trooper_at_dolphin.unity.net>). + + Added support for Free s/WAN IPSec logical interfaces (Doug Nazar + <nazard_at_dragoninc.on.ca>). + + Code cleanup. Got rid of an ugly goto in itrafmon.c. I hate + goto no matter what. + + Moved write_timeout_log.c to tcptable.c. + + Recoded the PgUp/PgDn routines in the IP traffic monitor, + TCP/UDP service monitor, and LAN station monitor. These + routines now directly manipulate the table pointers instead + of merely calling the single-line scrolling routines repeatedly. + Faster. More efficient. + + Added a highlight bar to the IP traffic monitor, allowing better + readability, especially on long-line screens (> 80 characters), + and individual flow rate computation. 
+ + Added flow rates for the highlighted TCP flows (IP traffic + monitor) and TCP/UDP ports (TCP/UDP statistical breakdown) I + believe this is the best way to allow viewing of data rates + without excessively sacrificing CPU time for packet capture. + + Filters now apply to all facilities except the packet size + breakdown and LAN station monitor. You can now view the loads + and protocol breakdowns on selected packets only using the + filters. + + No more byte counters in the IP traffic monitor. This line now + just contains a simple packet counter at one end, and the TCP + flow rate information at the other. + + Moved menu, selection listbox, and dialog box functions to a + separate support/ directory. These routines are first compiled + into a library and later on linked into iptraf. + + Added a confirmation box to the main menu's Exit command. This + is as much for me as it is for a lot of people. I accidentaly + exit too. + + Added broadcast packet and byte counts to the detailed interface + statistics log. + + Some cosmetic adjustment. + + Added 5-minute timeout for rvnamed child processes. + +New features in IPTraf 2.5.0 and changes to IPTraf 2.4.0 + + Now includes a more specific dialog for non-TCP and non-UDP + filters. Allows specification of packets by source and + destination IP addresses. + + Better organized the filter management and manipulation + functions in fltedit.c, fltselect.c, othipflt.c, and utfilter.c. + + othfilter.c renamed to fltselect.c, same thing with the .h. + + All filters are now unified in a single data structure allowing + handling of TCP, UDP, misc IP, and non-IP toggles with one set + of functions. + + Separate TCP and non-TCP filter menus abolished, everything + is now grouped under a Filters... submenu under the main menu. + + Corrected wrong placement of timer in the packet size breakdown. + + Corrected scanning code for timed out entries in the IP traffic + monitor sort function. 
Wrong computation for elapsed time + resulted in active connections being placed in the list of + closed entries. Thanks to Gal Laszlo <slowTCP_at_hotmail.com> for + pointing out the symptom. + + Added support for Frame Relay FRAD/DLCI interfaces. Thanks to + Raffaele Gariboldi <lele_at_italynetwork.it> for the information + and testing. + + Sorting is now done with the Quicksort algorithm. + + IP Traffic Monitor now adds connection entries to the TCP window + upon the receipt of header-only packets. There are cases in which + we have to check for possible TCP scans which are implemented with + non-SYN packets. + + The reverse DNS lookup function revname() now times out after + five seconds, and stops reverse lookups for that session in case + rvnamed dies. + + Added some notes to the packet size breakdown window. + + Moved rvnamed cache index update code such that updating of the + cache indexes will only be performed once fork() succeeds, + otherwise, the allocated slot will just be reallocated for + the next queries. This is so that should the fork() fail, + future invocations for that IP address won't have the rvnamed + parent thinking its resolving when there actually wasn't a child + performing the resolution. If the fork() problem condition was + temporary, the next invocation can still have rvnamed fork() off + to resolve the address. This of course assumes the IP address + hasn't expired from the cache. + + Some cosmetic updates (as always). + + The manual features a new format for the sidebars. Corrected + typos and spelling errors. + + iptraf-x.y.z.tar.gz no longer comes with precompiled + binaries. However a separate iptraf-x.y.z.i386.bin.tar.gz will + come only with the precompiled x86 executable programs + (i386/glibc-2.1/ncurses-5.0). + +New features in IPTraf 2.4.0 and changes to IPTraf 2.3.1 + + This version now allows multiple instances of the same facility + in different processes, but only one instance can monitor an + interface. 
Please see the RELEASE-NOTES file. + + As a consequence of the above changes, the default names of the + logfiles then reflect the instance or interface being + monitored. See the RELEASE-NOTES file. + + Implemented a dialog box allowing the user to log to a custom + log file. + + Implemented -L command-line parameter to allow specification of + the log file name when IPTraf is started with the -B parameter. + + Removed hardcoded UNIX-domain socket name bound by IPTraf, instead + a socket name is generated from the current time and pid. Also + removed hardcoded socket name in rvnamed, to which it directs + replies to IPTraf. rvnamed still binds to hardcoded socket names + though. + + IP Traffic Monitor can optionally display the source MAC addresses + for LAN-based packets. Added appropriate configuration item. + + IPTraf now reads /etc/ethers in addition to its own database of + MAC addresses. Thanks to Frederic Peters <fpeters_at_debian.org> for + the patch. + + Moved time-related configuration items to a Timers... submenu to + save on screen space. + + The version.h file no longer exists, rather, a plain version file + is in place containing merely the version number. The Makefile + reads this file, determines the target machine information + and passes this data to the compiler with -D parameters. + + Imposed an upper limit of 200 on rvnamed child processes. + rvnamed should really not go runaway with a normally-functioning + DNS server, but I had the good fortune of experiencing a dead DNS + server while monitoring. Took my machine down real fast. + + Precompiled executables now require glibc-2.1 dynamic libaries. + + Included a Setup installation script to ease somewhat the + installation process (installation can still be done the old way + though). + + Cosmetic/color changes. + + Reflected changes to manual. + +Changes to IPTraf 2.3.0 + + Fixed segfault bug when sorting is attempted on an empty TCP + window. 
Thanks to Ramon van Elten <mainwave_at_datura.cx> for the + report and for the assistance in diagnosis. + + Fixed cosmetic error (sort progress window doesn't disappear) + when attempt is made to sort a TCP window with only 1 entry. + Thanks again to Ramon for the report. + + Updated some comments. + +New features in IPTraf 2.3.0 and changes to IPTraf 2.2.2 + + Implemented sorting in the IP traffic monitor, TCP/UDP statistical + breakdown, and LAN station monitor. Great thanks go to Gal Laszlo + <slowTCP_at_hotmail.com> for the patch. (Note to Gal: I had to do a + heck of a lot of overhaul, and had to implement a clearer screen + design, but your patch provided the basis :) Thanks a lot.) + + Implemented better bounds checking in the text input routine. + + Added information boxes to TCP/UDP delete and detach filter + functions. + + Added recognition of GRE packets. Modified non-TCP display filters + accordingly. + + Fixed bug in unrecognized IP display and filter code. + + Added filter item for unrecognized IP packets. + + Removed leftover code from the old warning on IP masquerading. + + Reflected changes and corrected typos in manual. + +Changes to IPTraf 2.2.1 + + Fixed recognition problem with DVB interfaces. + + Fixed small buffer overrun in TCP timeout log routine, which can + cause a segmentation fault under certain conditions. + + Minor cosmetic adjustment in TCP connection window. + +Changes to IPTraf 2.2.0 + + Fixed segfault in IP Traffic Monitor due to packets from an + unsupported link type. + + Fixed segfault in promiscuous mode management module in the (rare) + case of a failure to save or load the interface flags from the + temporary storage files. Normally due to a bad installation. + Thanks to Udo A. Steinberg <sorisor_at_Hell.WH8.TU-Dresden.De> for + the report. + + Added support for Ethernet-emulated FDDI interfaces. Thanks to Udo + A. Steinberg <sorisor_at_Hell.WH8.TU-Dresden.De> for the report and + help with the testing. 
+ + Added support for DVB interfaces, thanks to Alex + <vasile_at_keeper.meganet.ro> for the notification and the help. + + Replaced inet_addr() references on filter address entries with + inet_aton(). This fixes failure of filters on packets with + 255.255.255.255 in their source or destination address fields. + Thanks for Peter Magnusson for the report and the test + environment. + + Overhauled TCP/UDP editing facility. Fixed bug wherein garbage + entries remain in the filter's parameter list even if an insert/ + add dialog is aborted. + + Fixed detailed interface statistics logging bug (activity and + packets-per-second figures were the same). + + Apologies to Dustin Trammell for my failure to credit him for his + report on the behavior of IPTraf on bridges. + +Changes to IPTraf 2.1.1 and new features in IPTraf 2.2.0 + + Immediate flushing of disk buffers after a log file write to + better accomodate separate logfile parsing scripts. + + Addition of a manual and automatic clearing of closed and idle + TCP entries in the IP Traffic Monitor + + Added a TCP closed/idle persistence configuration option to + control the TCP closed/idle clearing interval. + + Clarified TCP timeout logfile entries. + + Saves the state of the interface flags at startup of a facility, + and restores them on exit, allowing interfaces previously set to + promiscuous mode to retain that state. Important on bridges. + Thanks to Dustin D. Trammell <dtrammell_at_cautech.com> and Holger Friese + <evildead_at_bs-pc5.et-inf.fho-emden.de> for the patch. However, I had + to modify it a little more than a bit and had to overhaul quite a + good deal of the rest of the software to better accomodate + multiple instances. + + Promiscuous mode is set only when a facility is started, and + restored when it exits. Promiscuous mode is no longer forced at + menus. Restoration is not performed though if there is still + another facility running, but the interface state remains saved. 
+ + Fixed a minor bug in the LAN station monitor. The raw socket is + now closed when the facility exits. duh. + + Fixed rare bug in the packet size distribution. The lock file didn't + get deleted if the raw socket open failed. + + Changed the promiscuous mode option to "Force promiscuous". + Cosmetic. + + Added PID's (a la syslog) to daemon log entries. + + Minor cosmetic adjustments. + +Changes to IPTraf 2.1.0 + + Fixed bug in the packet size statistical breakdown. The facility + didn't filter packets based on interface name, thus causing + inaccurate counts on systems with multiple network interfaces. + + Fixed a few minor cosmetic errors. + + Corrected some typographical errors in the manual. + + Added a FAQ (or the beginnings thereof). + + Added a spec file for RPM generation. Thanks to Dag Wieers + <dag_at_life.be>. I'm not a really good RPM'er beyond RPM + installation and removal. :) + +Changes to IPTraf 2.0.2 and new features in IPTraf 2.1.0 + + Added non-IP to the display/logging filter selections + + Added interface selection to the IP Traffic Monitor and LAN + Station Monitor (with an "All Interfaces" option). + + Related to the above: now requires an interface name as an + argument to the -i and -l command-line parameters. 'all' may be + specified for monitoring all interfaces. + + Added -B command-line parameter to fork program into the + background solely for logging purposes. Several people had + requested this. + + Corrected TCP/UDP filter file placement error. Included cfconv + program to move files to the proper place. + + Added program-wide Ctrl+L sequence to redraw the screen if + corrupted by outside factors (write, talk, syslog). + + Added TCP/UDP filter editing facility. + + Corrected several possible buffer overruns in TCP/UDP filter + module. + + Corrected errors and reflected changes to manual and man pages. 
+ +Changes to IPTraf 2.0.1 + + Fixed a rarely-occuring but nevertheless severe segmentation fault + bug when long hostnames are coupled with long service names. + Great thanks go to Ronald Wahl <rwahl_at_gmx.net> for the advice and + the help. Ron, I'm really gonna find the time to do the code the + Right Way :) + +Changes to IPTraf 2.0.0 + + Fixed minor non-IP byte count bug in detailed interface statistics. + + Fixed minor cosmetic bug causing elapsed time indicator to appear + in the wrong line on screens not containing 25 lines. Thanks to + Uwe Storbeck <uwe_at_datacomm.ch> for the patch. + +New features/changes in IPTraf 2.0 from 1.4.2 + + Now uses the new PF_PACKET socket family as its packet capture + mechanism. Requires Linux 2.2. + + Added target/source IP addresses in ARP packet + request/reply packet entries in the IP traffic monitor. Also + added target/source MAC addresses to RARP request/reply entries. + + Reorganized menu structure, see the README file for details. + + Moved packet counts by size to a facility of its own. Added + corresponding -z command-line option. + + New incoming/outgoing packet and byte counts and activity rates in + the detailed interface statistics facility. + + Corrected a bug in the FDDI packet parsing code (wrong link type). + + Added a check for the IFF_UP flag when generating interface + lists, to omit inactive interfaces (but still in /proc/net/dev). + This covers the General Interface Statistics and all interface + selection lists. + + Now uses the maximum number of columns on the screen. High thanks + to Michael "M." Brown <m2brown_at_waterloo.ca> for the patch. Saved + me a lot of tedious work. :) + + Reformatted TCP screen to show only one hostname:port per line, + with connections indicated by the green "brackets". I think + that's clear enough. + + Added ARP/RARP opcode and target addresses in the ARP/RARP + indicator lines. 
+ + Added vertical scrolling to the lower (non-TCP) window in the + IP traffic monitor to allow for long lines (ICMP, OSPF, some UDP). + + Allowed for slightly longer host names in the lower IP traffic + monitor window. + + Still increased the rvnamed cache size to 2048 entries. + + Miscellaneous cosmetic changes. + + Manual now includes screen shots and comes in HTML format only. + +Changes to IPTraf 1.4.1 + + Fixed SEGV condition when attempts are made to load a filter list + application or deletion with a zero-length filter list file, which + could be caused by deleting the last filter. Thanks to Daniel + Savard <daniel.savard_at_gespro.com> for the report. + + Makefile comes with the -m486 option commented out + +Changes to IPTraf 1.4.0 + + Moved configuration status window to unobscure a long menu option. + +Changes to IPTraf 1.3.0 and new features in 1.4.0 + + Support for PLIP interfaces. + + Support for other ISDN encapsulations (specifically raw IP and + Cisco HDLC) high thanks to Gerald Richter <richter_at_ecos.de> for + the information and testing. + + Added -q parameter to suppress the 1.3.0 masquerading warning for + users who wish to automate the various facilities from their + inittab and similar non-interactive fashions. Incorporated into + the Debian version of 1.3.0 by Debian maintainer Frederic Peters + (<fpeters_at_debian.org>, carried over to general release 1.4.0. + + Added an option to change activity indications between kbits/s and + kbytes/s. On a suggestion by Paul G. Fitzgerald + <pgfitzgerald_at_buckman.com>. + + Incorporated more flexible compile-time control of directories for + configuration, log, and other files. Thanks to Stefan Luethje + <luethje_at_sl-gw.lake.de> for the patch. + + Corrected minor flaws in the default screen update delay code + (visually insignificant), that led to occasional skips of the + delays. (Call it nitpicking if you will. 
:)) + + Moved signal() calls to after terminal checks in iptraf.c, + allowing standard behavior of signals when error/warning messages + may still be sent to stderr. Allows the user to break out of it + with Ctrl+C at the terminal warning if so desired. + + Reformatted IP traffic monitor log entries on Gerald Richter's + <richter_at_ecos.de> suggestions for easier processing with Perl + scripts. + + Included logfile rotation with the USR1 signal. Again on Gerald + Richter's <richter_at_ecos.de> suggestion. + + Moved first-instance tag sequence to after the initscr() call. + + Indicated IP fragments with no additional information in the lower + traffic monitor window. Datagram size, addresses, and interface + are still indicated. + + Changed Non-IP count in IP traffic monitor to byte count + (including data-link header lengths) from packet counts. + Consistency purposes. + + Added some extra information for certain non-IP packets. These + may eventually grow, but not in too much detail, since this is an + IP-oriented utility. Thanks to David Harbaugh + <dlh_at_linux.cayuga-cc.edu> for the patch. + + Removed bind() operation on raw socket to address a condition in + which the detailed interface statistics and TCP/UDP statistics + stop counting if an interface goes down then up again. This will + be studied further. Symptom report sent in by Roeland Jansen + <bengel_at_xs4all.nl>. + + Changed Ethernet/FDDI/PLIP description file formats from binary to + plain text, allowing database appends. Other files (configuration + and filters) are still binary. On a suggestion by David Harbaugh + <dlh_at_linux.cayuga-cc.edu>. + + Copied IP and upper-layer headers and some data from Ethernet, + PLIP, FDDI, and loopback frames into an aligned buffer. Avoids + SIGBUS on picky systems (like SPARCs) and general alignment + problems. I don't know yet which is worse, the overhead of + a 96-byte transfer or the performance hit with misaligned reads. 
+ Thanks to Jonas Majauskas <jmajau_at_soften.ktu.lt> for reports and
+ tests.
+
+ Replaced __-type references with u_int-type references.
+
+ Increased cache array size in rvnamed to 1024 entries from the
+ previous 512, to better handle combinations of busy networks and
+ slow DNS servers.
+
+ Cleared up a few instructions in the Makefile, thanks to Arjan
+ Opmeer <a.d.opmeer_at_student.utwente.nl>
+
+New features in IPTraf 1.3.0 and changes to IPTraf 1.2.0
+
+ Experimental FDDI support. High thanks to Paonia Ezrine
+ <paonia_at_massart.edu> for the initial tests on the FDDI code. More
+ feedback is requested on the FDDI functionality. Bugs may still
+ be present.
+
+ Reestablished ippp interfaces (synchronous PPP over ISDN) after
+ reports that the ISDN problem was fixed with Linux 2.0.34.
+
+ Fixed fragmentation oversight in TCP/UDP service monitor.
+
+ Applied the bind() system call to the raw socket to have the
+ kernel filter out packets from interfaces we're not interested in.
+ Makes for better capture times on multiple-interfaced machines.
+ However, a strncmp() is still performed on the returned interface
+ name to counter the race condition between the socket() and bind()
+ calls.
+
+ Fixed interface statistics print routines to print unsigned
+ rather than signed numbers.
+
+ Added additional option to adjust screen updates. Useful for
+ IPTraf sessions run on remote terminals (thanks to Lutz Vieweg
+ <lkv_at_isg.de> for the suggestion and Dean Gaudet
+ <dgaudet_at_arctic.org> for the base patch. I modified it a bit,
+ Dean.)
+
+ Discovered terrible performance penalty due to screen refresh with
+ heavily loaded LAN segments. Therefore, with the new screen
+ update interval option set to 0, all facilities have a 50 ms delay
+ between refreshes (exception: the LAN station monitor has a delay
+ of 100 ms). This is still visually fast (although updates
+ look kinda slower), but this gives more time to packet capture,
+ therefore increasing accuracy and capture performance. Thanks to
+ everyone who responded to my request for advice on this matter and
+ to Ronald Wahl <rwahl_at_gmx.net> for giving me the symptom report.
+
+ Modified IP traffic monitor to mark TCP connection entries for reuse
+ once one side is fully closed and acknowledged ("CLOSED" on the
+ screen) and the other closed but even if not acknowledged ("DONE"
+ on the screen. This is because many times, the last ACK gets lost.
+
+ Included an additional parameter used together with the other
+ command-line arguments to specify an amount of time for which the
+ selected facility would run before automatically terminating (on a
+ suggestion by Linux HOWTO coordinator Tim Bynum
+ <tjbynum_at_wallybox.cei.net)>.
+
+ Supplemented the main data structure for the IP traffic monitor
+ with an open hash table for increased search efficiency,
+ especially after the facility has been running for quite some
+ time (the other facilities, which don't grow as much still use
+ linearly-searched linked lists. I'll probably hash them depending
+ on feedback.)
+
+ Fixed rare bugs in various facilities that caused IPTraf to
+ attempt to proceed even in the event of a raw socket open failure.
+
+ Fixed SEGV condition when IPTraf is invoked with a command-line
+ parameter that cannot be parsed with getopt().
+
+ Added labels to LAN address description selection box.
+
+ Fixed unsightly LAN address description dialog scrolling.
+
+ Added a separator feature to the menurt.c module, allowing
+ separation lines within menus.
+
+ Added separator lines between related groups of menu items in both
+ main and configuration menus.
+
+ Changed the Options main menu item to Configure.
+
+ Added the space bar and the '-' key as "unofficial" alternates to
+ the PgUp and PgDn keys (it's not in the manual).
+
+ Transferred Ethernet description facility option to the Configure
+ submenu, and added a related facility for FDDI addresses.
+
+ Removed Ethernet-specific references where FDDI and (potentially)
+ other LAN technologies also fit. We'll just use "LAN" as a
+ general term.
+
+ Adjusted detailed statistics screen to automatically generate the
+ appropriate packet size distribution brackets based on interface
+ MTU. This means the brackets may no longer end on numbers
+ divisible by 10, but rather on boundaries based on the MTU divided
+ by 16 (the number of brackets). But at least 1500 is not
+ hardcoded anymore as the maximum.
+
+ Related to the immediately preceeding change: packet size
+ distribution updates are done one at a time now, no longer as a
+ whole bunch. In other words, as a frame arrives, only the
+ appropriate bracket is updated.
+
+ Also related to previous two: changed basis for packet size
+ distribution to the Ethernet frame length from the IP datagram
+ length (which really doesn't matter except for a few frames).
+
+ Fixed bug which causes the existing log interval to multiply by 60
+ when the dialog is aborted (instead of retaining the current
+ setting). Thanks to Chris Higgins <chiggins_at_pobox.com> for the
+ bug report and the patch. (I had to modify it a bit to fit in
+ with the screen update interval patch sent in by Dean Gaudet.)
+
+ Potentially large counts have been changed to type "unsigned long
+ long" to significantly increase running time on heavily loaded
+ networks, plus automatic switching of denominations (from exact
+ counts to K(ilo) to M(ega) to G(iga) to T(era)) to prevent screen
+ disruption (on a suggestion by Lutz Vieweg <lkv_at_isg.de>).
+
+ Separated log file into different logs for each facility.
+
+ Moved log files to /var/log/iptraf to avoid mixing them with the
+ mess in the /var/local/iptraf directory. At least that way,
+ we humans don't have to look in /var/local/iptraf anymore.
+
+ Relaxed multiple-instance restriction from a
+ no-multiple-instances-of-IPTraf requirement to a
+ no-multiple-instance-of-the-same-facility. In other words,
+ several copies of IPTraf can run, but only one instance of each
+ facility can run at any one time. The -f parameter removes the
+ tags, overriding the restrictions on that IPTraf instance. This
+ modification was done to address needs indicated by Chris Panayis
+ <chris_at_freedom2surf.net>).
+
+ Added a startup warning box if IPTraf detects IP Masquerading
+ enabled on the computer. IPTraf will continue to work, but its
+ results may be quite confusing. The detection is done by
+ opening /proc/net/ip_masquerade.
+
+ Modified additional port facility to accept ranges of ports rather
+ than several single port numbers (on a suggestion by Lutz Vieweg
+ <lkv_at_isg.de>)
+
+ Reduced minimum number of lines from 25 to 24 for better VT100
+ terminal compliance.
+
+ Miscellaneous cosmetic retouches. (I consider user interface an
+ important factor too, ya know! :)
+
+ Distribution binary now comes statically linked with ncurses 4.2.
+ You may recompile to suit your system.
+
+ Included manual pages derived from the Debian GNU/Linux 2.0
+ distribution. Man pages written by Frederic Peters
+ <fpeters_at_debian.org> who is now maintaining the Debian IPTraf
+ package.
+
+ Reversed version order (newest first) in the CHANGES file.
+
+New features in IPTraf 1.2.0 and changes to IPTraf 1.1.0
+
+ Increased buffer size in ifstats.c for /proc/net/dev lines to 161
+ to better accomodate the longer lines in the new 2.1.x kernels
+ (which will be carried over to the new stable kernel series).
+ Based on bug reports by Dop Ganger <DopG_at_sprint.ca> and Christoph
+ Lameter <christoph_at_lameter.com> et al.
+
+ Fixed rarely occuring high CPU utilization bug occuring whenever
+ a terminal connection is lost, resulting in a SIGHUP which is
+ ignored. (This is an example of a software author's temporary
+ insanity. I mean, what sane programmer would set SIGHUP to
+ SIG_IGN for a terminal-based program huh? Thought so :) Thanks
+ to Dop Ganger <DopG_at_sprint.ca> for the symptom report.
+
+ Refined Ethernet station monitor rate updates and scrolling code.
+
+ Fixed autosave bug for non-TCP filters (this was working before
+ 1.1.0. All of a sudden, the function call disappeared
+ mysteriously. Must have been sleepy that time :)
+
+ Fixed bug in UDP filter default settings.
+
+ Added option to display TCP and UDP ports in either name form or
+ numeric form (on a suggestion by Felix von Leitner
+ <leitner_at_math.fu-berlin.de> and others).
+
+ Added facility to describe Ethernet addresses for the Ethernet
+ station monitor (to address needs as presented by Erlend Middtun
+ <erlendbm_at_funcom.com> via James Ullman <james_at_irc.ingok.hitos.no>)
+
+ Added an additional field to the TCP/UDP filter dialogs to allow
+ the user to "exclude" certain addresses from the display allowing
+ all others. Details on the new behavior are in the manual (on a
+ suggestion by Sean Hough <seh_at_javanet.com>)
+
+ Relaxed screen management code to better adjust to the number of
+ lines on the screen. As of this release, columns are still based
+ on a maximum number of 80 though. Also under study is a
+ SIGWINCH handler, but this will have to come later (on comments and
+ suggestions by a *lot* of users...thanks guys :-) ).
+
+ Fixed a subtle bug in the rvnamed interface IPC code, resulting in
+ an accurate transfer of data but causing recvfrom() to return an
+ EINVAL at unpredictable intervals. Bug was an uninitialized address
+ structure length parameter. Code in both iptraf and rvnamed was
+ fixed.
+
+ Eliminated unsupported interfaces from interface selection lists.
+
+ Included enforced restriction disallowng multiple instances of
+ IPTraf and an overriding command-line parameter. (This may
+ just be temporary, in lieu of a more elegant solution).
+
+ Included autosave for TCP and UDP filters. Filters now survive
+ IPTraf exits and restarts without requiring manual reapplication
+ (on a suggestion by Chad Clark <cclark_at_comstar.net>).
+
+ Included upgrade program and makefile rule to convert IPTraf 1.1.0
+ configuration and filter files to 1.2.0 format.
+
+ Clarified TCP/UDP and non-TCP/UDP filter error messages.
+
+ Color-coded the TCP and UDP protocol/port indicators in the
+ TCP/UDP service monitor for better identification.
+
+ Revised IP traffic monitor to query rvnamed only once per
+ invocation of the facility. Less overhead.
+
+ Revised IP traffic monitor to open and close the rvnamed
+ communication socket only once per invocation of the facility.
+ Less overhead.
+
+ Added a 2-second delay after the rvnamed invocation to give
+ the daemon more than enough time to open its sockets.
+
+ Fixed SEGV condition which occurs when an attempt is made to
+ destroy an interface list never loaded (which could only occur
+ if the /proc system is unreadable, something which shouldn't
+ happen on any decent Linux system).
+
+ Moved filter list load routine to fltmgr.c, for better linking with
+ the cfconv module.
+
+ Makefile now installs rvnamed together with the iptraf executable
+ in /usr/local/bin by default.
+
+ Added table of contents (hyperlinked in the HTML version) to the
+ manual.
+
+ Cleaned up the Makefile.
+
+New features in IPTraf 1.1.0 and changes to IPTraf 1.0.3
+
+ Added command-line options for direct facility access from the
+ shell, and an appropriate help screen for IPTraf invocation (on a
+ suggestion by BJ Goodwin <latency_at_radiolink.net>).
+
+ Added separate DNS reverse name lookup program (rvnamed) for
+ quicker response time on reverse DNS lookups. Subsequently
+ modified the revname function to use the new functionality.
+ This also required additions of address resolution state fields
+ to struct tcptableent in tcptable.h.
+
+ Added checkrvnamed() and killrvnamed() to revname.c, used by
+ itrafmon.c to query and stop the rvnamed daemon.
+
+ Added scrolling capability to the general interface statistics.
+ Interface list will now grow as packets from newly created
+ interfaces are received (e.g. PPP interfaces). This now makes
+ IPTraf better suited to monitor Linux machines configured as
+ access servers.
+
+ Interface selection lists can now be scrolled.
+
+ Increased maximum number of entries in for the non-TCP window
+ in the IP traffic monitor from 256 to 512.
+
+ Fixed SEGV condition in itrafmon.c that happens whenever the
+ Down cursor key is pressed with the lower window active, but
+ not yet full.
+
+ Added elapsed time indicators to each facility, showing the
+ hours and minutes that have passed since the start of the
+ monitor (on a suggestion by James Ullman
+ <james_at_irc.Ingok.Hitos.No>)
+
+ Changed ncurses include file references from <ncurses.h>
+ to <curses.h>
+
+ Cleaned up preprocessor code for glibc2 support. Thanks for
+ help and suggestions from John Labovitz <johnl_at_meer.net>. Thanks
+ also for a test account on debs.fuller.edu opened by Christoph
+ Lameter <christoph_at_lameter.com>.
+
+ Fixed SEGV condition which may occur when trying to close the
+ log file which may never have opened (thanks to John Labovitz
+ <johnl_at_meer.net> for the patch).
+
+ Adjusted cosmetic code to better indicate the closed status in
+ the TCP monitor.
+
+ TCP and UDP filters now accept host names in in place of IP
+ addresses. Host names will be resolved and can still be used
+ with wildcard masks (may be useful for names that resolve to
+ several IP addresses)
+
+ Distribution now includes an HTML-formatted manual.
+
+Changes to IPTraf 1.0.2
+
+ Fixed SEGV condition when scrolling commands are applied to
+ an empty Ethernet station monitor
+
+ Distribution executable now comes compiled with -m486 by default.
+ Binary will still execute on a 386, but a 486 or higher is still
+ preferred.
+
+Changes to IPTraf 1.0.1
+
+ Fixed conflicting hotkey for non-TCP filter menu items RARP and
+ IGRP (the "R" key). Changed the shortcut key for RARP to "P".
+
+ Modified layer-2 header stripping code to cleanly ignore packets
+ from unrecognized interfaces (see README).
+
+ Fixed "duplicate port" misbehavior for the "Additional port"
+ dialog's Cancel command
+
+ Added error-checking for the port list file open sequence.
+
+ Added PgUp/PgDn capability to the facilities that can be scrolled
+ (IP traffic monitor, TCP/UDP services, and Ethernet station
+ monitor).
+
+ Cleaned up scrolling code a bit.
+
+ Fixed bug in the non-TCP logging facility that caused extraneous
+ log entries whenever the window is scrolled.
+
+ Sent non-fancy messages to standard error rather than standard
+ output.
+
+ Changed a few messages
+
+Changes to IPTraf 1.0.0
+
+ Fixed X/Ctrl-X keystroke bug in the General Interface Statistics
+ module (thanks to BJ Goodwin <latency_at_radiolink.net>). This was
+ kinda an emergency, so I fixed this and released 1.0.1
+ immediately.
+
diff --git a/Documentation/Makefile b/Documentation/Makefile
new file mode 100644
index 0000000..fd31fe5
--- /dev/null
+++ b/Documentation/Makefile
@@ -0,0 +1,20 @@
+#
+# Makefile for Documentation
+#
+
+html: manual.sgml
+ docbook2html manual.sgml
+
+pspdf: manual.sgml
+ docbook2ps manual.sgml
+ ps2pdf manual.ps
+
+manual.sgml:
+ cat manual.template | sed -e s/@@version@@/`cat version`/ \
+ -e s/@@major@@/`awk -F '.' -f version.awk < version`/ \
+ > manual.sgml
+
+clean:
+ rm -f *~ *.html manual.sgml
+
+
diff --git a/Documentation/backop.html b/Documentation/backop.html
new file mode 100644
index 0000000..9c6ec14
--- /dev/null
+++ b/Documentation/backop.html
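Review bot: The `manual.sgml:` target in Documentation/Makefile declares no prerequisites, so once manual.sgml exists it is never regenerated when manual.template, version or version.awk change, and `html`/`pspdf` keep building from a stale manual until `make clean` is run. Declaring the inputs, `manual.sgml: manual.template version version.awk`, lets make track them. The `clean` target also leaves the manual.ps and manual.pdf produced by the `pspdf` rule behind; `rm -f *~ *.html manual.sgml manual.ps manual.pdf` would remove them. The recipe lines appear here with their leading tabs collapsed, so their exact indentation cannot be checked from this view.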
@@ -0,0 +1,244 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Background Operation</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="PREVIOUS" +TITLE="Custom Information" +HREF="customports.html"><LINK +REL="NEXT" +TITLE="Messages" +HREF="messages.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="customports.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="messages.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="BACKOP" +>Background Operation</A +></H1 +><P +> IPTraf's facilities can be placed in the background solely for + logging. When running in the background, it doesn't display any output + on the screen, and doesn't receive input + from the keyboard, and drops you back to the shell.</P +><P +> Before starting a statistical facility in the background, configure + IPTraf in the usual way (set filters, add TCP/UDP ports, etc).</P +><P +> Once that's done, exit all instances of IPTraf on the system, then + invoke IPTraf from the command line with the parameter + to start the facility you want, the timeout (<TT +CLASS="COMPUTEROUTPUT" +>-t</TT +>) parameter + if you wish, and the <TT +CLASS="COMPUTEROUTPUT" +>-B</TT +> parameter to actually daemonize the program. 
+ For example, to run the IP traffic monitor in the + background for all interfaces, issue the command</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>iptraf -i all -B</PRE +></TD +></TR +></TABLE +><P +> To run the detailed interface statistics +on interface <TT +CLASS="FILENAME" +>eth0</TT +> for 5 minutes + in the background:</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>iptraf -d eth0 -t 5 -B</PRE +></TD +></TR +></TABLE +><P +> If the timeout parameter is not specified, the facility + will run until the process receives a USR2 signal. To stop a facility in + the background, do a</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>ps x</PRE +></TD +></TR +></TABLE +><P +> at the command line, and find the process id (pid) of the iptraf process + you're looking for. Then send that process a USR2 signal with the kill + command:</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>kill -USR2 pid</PRE +></TD +></TR +></TABLE +><P +> Since IPTraf cannot send error messages to the terminal, all + messages are written to the file daemon.log in the + IPTraf logging directory.</P +><P +> The <TT +CLASS="COMPUTEROUTPUT" +>-B</TT +> parameter automatically enables logging regardless of its configured + setting. The parameter is ignored if not used with one of the parameters + to start a facility from the command line.</P +><P +> The log file can be specified with the <TT +CLASS="COMPUTEROUTPUT" +>-L</TT +> command-line parameter. If + this parameter is not specified, the default log file name for the + facility will be used (see the descriptions of the + facilities above for the default log name patterns). 
+ If you don't specify an path, the log file will be placed in + <TT +CLASS="FILENAME" +>/var/log/iptraf</TT +>.</P +><P +> The logging interval for all facilities (except the IP traffic monitor) can also be overriden + with the <TT +CLASS="COMPUTEROUTPUT" +>-I</TT +> command-line parameter.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="customports.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="messages.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Custom Information</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Messages</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/cmdline.html b/Documentation/cmdline.html new file mode 100644 index 0000000..937fc4f --- /dev/null +++ b/Documentation/cmdline.html 
@@ -0,0 +1,427 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Command-line Options</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Getting Started" +HREF="gettingstarted.html"><LINK +REL="PREVIOUS" +TITLE="Starting and Stopping IPTraf" +HREF="startstop.html"><LINK +REL="NEXT" +TITLE="Using the Menus" +HREF="menus.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="startstop.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Getting Started</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="menus.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="CMDLINE" +>Command-line Options</A +></H1 +><P +> IPTraf has a few optional command-line parameters. As with most UNIX + commands, IPTraf command-line parameters are +case-sensitive (<TT +CLASS="COMPUTEROUTPUT" +>-l</TT +> + is NOT the same as <TT +CLASS="COMPUTEROUTPUT" +>-L</TT +>).</P +><P +> The following command-line parameters can be supplied +to the <B +CLASS="COMMAND" +>iptraf</B +> command:</P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="COMPUTEROUTPUT" +>-i <TT +CLASS="REPLACEABLE" +><I +>iface</I +></TT +></TT +></DT +><DD +><P +> causes the IP traffic monitor to start immediately on the specified interface. 
+ If -i all is specified, all interfaces are monitored.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>-g</TT +></DT +><DD +><P +> starts the general interface statistics</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>-d <TT +CLASS="REPLACEABLE" +><I +>iface</I +></TT +></TT +></DT +><DD +><P +> shows detailed statistics for the specified interface</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>-s <TT +CLASS="REPLACEABLE" +><I +>iface</I +></TT +></TT +></DT +><DD +><P +> starts the TCP/UDP traffic monitor for the specified interface</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>-z <TT +CLASS="REPLACEABLE" +><I +>iface</I +></TT +></TT +></DT +><DD +><P +> starts the packet size breakdown for the specified interface</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>-l <TT +CLASS="REPLACEABLE" +><I +>iface</I +></TT +></TT +></DT +><DD +><P +> starts the LAN station monitor on the specified interface. If +<TT +CLASS="COMPUTEROUTPUT" +>-l all</TT +> is specified, all LAN interfaces are monitored.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>-t <TT +CLASS="REPLACEABLE" +><I +>timeout</I +></TT +></TT +></DT +><DD +><P +> The <TT +CLASS="COMPUTEROUTPUT" +>-t</TT +> parameter, when used with one + of the other parameters that specify a facility to start, tells + IPTraf to run the indicated facility for only timeout + minutes, after which the facility + exits. The <TT +CLASS="COMPUTEROUTPUT" +>-t</TT +> parameter is ignored in menu + mode.</P +><P +> If this parameter is not specified, the facility runs until the + exit keystroke is pressed.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>-B</TT +></DT +><DD +><P +> Redirects all terminal output to the "bit bucket" +<TT +CLASS="FILENAME" +>/dev/null</TT +>, closes standard input, and +places the program in the background. 
This parameter can be used only with +one of the <TT +CLASS="COMPUTEROUTPUT" +>-i</TT +>, <TT +CLASS="COMPUTEROUTPUT" +>-g</TT +>, +<TT +CLASS="COMPUTEROUTPUT" +>-d</TT +>, +<TT +CLASS="COMPUTEROUTPUT" +>-s</TT +>, <TT +CLASS="COMPUTEROUTPUT" +>-z</TT +>, or +<TT +CLASS="COMPUTEROUTPUT" +>-l</TT +> parameters. See +<A +HREF="backop.html" +>Background Operation</A +> in Chapter 9. <TT +CLASS="COMPUTEROUTPUT" +>-B</TT +> is ignored in menu +mode.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>-L <TT +CLASS="REPLACEABLE" +><I +>filename</I +></TT +></TT +></DT +><DD +><P +> Allows you to specify an alternate log file name when the + any facility is directly started from the command line, whether in foreground or + background mode. If specified in foreground mode, the log filename prompt is + bypassed, even when logging is turned on in the <I +CLASS="EMPHASIS" +>Configure...</I +> + menu. If this parameter is omitted in background mode, the default log filename + is used.</P +><P +> This parameter always turns on logging.</P +><P +> If an absolute path is not specified, the log + file will be created in the default log file directory</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>-I <TT +CLASS="REPLACEABLE" +><I +>interval</I +></TT +></TT +></DT +><DD +><P +> Sets the logging interval (in minutes) when the <TT +CLASS="COMPUTEROUTPUT" +>-L</TT +> parameter is + used. This overrides the <I +CLASS="EMPHASIS" +>Log interval...</I +> setting in the <I +CLASS="EMPHASIS" +>Configure...</I +> + menu. If omitted, the configured value is used. This parameter is ignored when the + <TT +CLASS="COMPUTEROUTPUT" +>-L</TT +> parameter is omitted and logging is disabled.</P +><P +> The value specified here will affect all facilities except for the IP traffic monitor.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>-q</TT +></DT +><DD +><P +> Previously used to suppress the warning screen when IPTraf is run + on kernels with IP masquerading. 
Since the masquerading + code now processes packets in a way better suited to raw capture, + this parameter is no longer needed and is retained only for + compatibility.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>-f</TT +></DT +><DD +><P +> Forces IPTraf to clear all lock files and reset all instance counters + to zero before running any facilities. IPTraf will then think + it's the first instance of itself.</P +><P +> The <TT +CLASS="COMPUTEROUTPUT" +>-f</TT +> parameter overrides the + existing locks and counters imposed by the IPTraf process and + by the various facilities, causing this instance to think it is the + first and that there are no other facilities running. Use + this parameter with great caution. A common use for this parameter is + to recover from abrupt or abnormal terminations which may leave stale + locks and counters still lying around.</P +><P +> The <TT +CLASS="COMPUTEROUTPUT" +>-f</TT +> parameter may be used together with the others.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>iptraf -h</TT +></DT +><DD +><P +> displays a short help screen</P +></DD +></DL +></DIV +><P +> While the command-line options are case-sensitive, interactive keystroke + at the IPTraf full-screen interface are not.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="startstop.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="menus.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Starting and Stopping IPTraf</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gettingstarted.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Using the Menus</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end 
of file diff --git a/Documentation/config.html b/Documentation/config.html new file mode 100644 index 0000000..a37c9f4 --- /dev/null +++ b/Documentation/config.html 
@@ -0,0 +1,504 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Configuring IPTraf</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="PREVIOUS" +TITLE="ARP, RARP, and other Non-IP Packet Filters" +HREF="nonipfilters.html"><LINK +REL="NEXT" +TITLE="Timers" +HREF="timers.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="nonipfilters.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="timers.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="CONFIG" +>Configuring IPTraf</A +></H1 +><P +> IPTraf can be easily configured +with the <I +CLASS="EMPHASIS" +><A +HREF="config.html" +>Configure...</A +></I +> item in the + main menu. The configuration is stored in the + <TT +CLASS="FILENAME" +>/var/local/iptraf/iptraf.cfg</TT +> file. If the file is not found, IPTraf uses + the default settings. Any changes to the configuration immediately get + stored in the configuration file.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN1942" +></A +><P +><IMG +SRC="iptraf-configmenu.png"></P +><P +><B +>Figure 1. The IPTraf configuration menu</B +></P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="TOGGLES" +>Toggles</A +></H1 +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1947" +>Reverse DNS Lookups</A +></H2 +><P +> Activating reverse lookup + causes IPTraf to find out the name of the hosts with the addresses + in the IP packets. 
When this option is enabled, IPTraf's + IP traffic monitor starts the rvnamed DNS lookup server to help resolve + IP addresses in the background while allowing IPTraf to + continue capturing packets.</P +><P +> This option is off by default.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1951" +>TCP/UDP Service Names</A +></H2 +><P +> This option, when on, causes IPTraf to display the TCP/UDP service names + (<TT +CLASS="COMPUTEROUTPUT" +>smtp</TT +>, <TT +CLASS="COMPUTEROUTPUT" +>www</TT +>, + <TT +CLASS="COMPUTEROUTPUT" +>pop3</TT +>, etc.) instead of their numeric ports (25, 80, + 110, etc). The number-to-name mappings will depend on the systems + services database file (usually <TT +CLASS="FILENAME" +>/etc/services</TT +>). + Should there be no corresponding service name for the + port number, the numeric form will still be displayed. </P +><P +> This setting is off by default.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Reverse lookup and service name lookup take some + time and may impact performance and increase the chances of dropped + packets. Performance and results are best (albeit more cryptic) with both + these settings off.</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1962" +>Force promiscuous</A +></H2 +><P +> If this option is enabled, your LAN interfaces will capture all packets + on your LAN. Using this option enables you + to see all TCP connections and packets passing your LAN segment, even if + they're not from or for your machine. 
When this option is active + in the statistics windows, the Activity indicators will show a + good estimate of the load on your LAN segment.</P +><P +> When this option is disabled, you'll + only receive information about packets coming from and entering your + machine.</P +><P +> The setting of this option affects all LAN ( + Ethernet, FDDI, some Token Ring) interfaces on your machine, if you have more than one.</P +><P +> The interface's promiscuous flag is set only when a facility is started, + and turned off when it exits. However, if promiscuous + mode was already set when a facility was started, it remains set on exit.</P +><P +> If multiple instances of IPTraf are started, the promiscuous setting + is restored only upon exit of the last facility.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Do not use other programs that change the interface's promiscuous flag at + the same time you're using IPTraf. The programs can interfere with + each other's expected operations. While IPTraf tries to obtain the + initial setting of any promiscuous flags for restoration + upon exit, other programs may not be as well-behaved, and they may + turn off the promiscuous flags while IPTraf is still monitoring.</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1972" +>Color</A +></H2 +><P +> Turn this on with color monitors. Turn it off with + black-and- white monitors or non-color terminals (like xterms). 
Changes + to this setting will take effect the next time the program is started.</P +><P +> Color is on by default on consoles and color xterms, off on non-color terminals like xterms and VT100s.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1976" +>Logging</A +></H2 +><P +> When this option is active, IPTraf will log information to a + disk file, which can be examined or analyzed later. Since IPTraf + 2.4.0, IPTraf prompts you for the name of the file to which to write the + logs. It will provide a default name, which you are free to accept + or change. The IP traffic monitor and LAN station monitor will + generate a log file name that is based on what instance they are (first, + second, and so on). The general interface statistics' default log file + name is constant, because it listens to all interfaces at once, and only + one instance can run at one time.</P +><P +> The other facilities generate a log file name based + on the interface they're listening on.</P +><P +> See the descriptions on the facilities above for the default log file names.</P +><P +> Press Enter to accept the log file name, or Ctrl+X to cancel. Canceling will turn logging off for that session.</P +><P +> The IP traffic monitor will write the following pieces of information to its log file:</P +><P +></P +><UL +COMPACT="COMPACT" +><LI +STYLE="list-style-type: disc" +><P +>Start of the traffic monitor</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Receipt of the first TCP packet for a connection. If that packet is a + SYN, (SYN) will be indicated in the log entry. (Of course, the traffic + monitor may start in the middle of established connections. It + will still count those packets. This also explains why some connection + entries may become idle if the traffic monitor is started in the + middle of a half-closed connection, and miss the first FIN. 
+ Such entries time out in a while.)</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Receipt of a FIN (with average flow rate)</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>ACK of a FIN</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Timeouts of TCP entries (with average flow rate)</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Reset connections (with average flow rate)</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Everything that appears in the bottom window of the traffic monitor</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Stopping of the traffic monitor</P +></LI +></UL +><P +> Each log entry includes the date and time the entry was written. Logging + is also affected by the defined filters.</P +><P +> Log files can grow very fast, so be prepared with plenty of + free space and delete unneeded logs. Log write errors are not indicated.</P +><P +> Copies of the interface statistics, TCP/UDP statistics, packet + size statistics, and LAN host statistics are also written + to the log files at regular intervals. See <I +CLASS="EMPHASIS" +>Log +Interval...</I +> in this chapter.</P +><P +> IPTraf closes and reopens the active log file when it receives a + <TT +CLASS="COMPUTEROUTPUT" +>USR1</TT +> signal. This is useful in cases where a facility is run for + long periods of time but the log files have to be cleared or moved.</P +><P +> To clear or move an active log file, rename it first. IPTraf will + continue to write to the file despite the new name. Then use the UNIX + kill command to send the running IPTraf process a <TT +CLASS="COMPUTEROUTPUT" +>USR1</TT +> signal. IPTraf + will then close the log file and open another with the + original name. You can then safely remove or delete the renamed file.</P +><P +> Do not delete an open log file. Doing so will only result in a file just + as large but filled with null characters (ASCII code 0).</P +><P +> Logging comes disabled by default. 
The <TT +CLASS="COMPUTEROUTPUT" +>USR1</TT +> signal is caught only if + logging is enabled, it is ignored otherwise.</P +><P +> A valid specification of <TT +CLASS="COMPUTEROUTPUT" +>-L</TT +> on the command line with automatically + enable logging for that particular session. The saved configuration setting is not affected.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2013" +>Activity mode</A +></H2 +><P +> Toggles activity indicators in the interface and LAN statistics + facilities between kilobits per second (kbits/s) or kilobytes per second + (kbytes/s).</P +><P +> The default setting is kilobits per second.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2017" +>Source MAC addrs in traffic monitor</A +></H2 +><P +> When enabled, the IP traffic monitor retrieves the packets' source MAC + addresses if they came in on an Ethernet, FDDI, or PLIP interface. The + addresses appear in the lower window for non-TCP + packets, while for TCP connections, they can be viewed by pressing M.</P +><P +> No such information is displayed + if the network interface doesn't use MAC addresses (such + as PPP interfaces).</P +><P +> This can be used to determine the actual source of the packets on your local LAN.</P +><P +> The traffic monitor also logs the MAC addresses with this option + enabled. 
The default setting is off.</P +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="nonipfilters.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="timers.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>ARP, RARP, and other Non-IP Packet Filters</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Timers</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/conventions.html b/Documentation/conventions.html new file mode 100644 index 0000000..f67d049 --- /dev/null +++ b/Documentation/conventions.html 
@@ -0,0 +1,230 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Document Conventions</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="About This Document" +HREF="preface.html"><LINK +REL="PREVIOUS" +TITLE="About This Document" +HREF="preface.html"><LINK +REL="NEXT" +TITLE="Getting Started" +HREF="gettingstarted.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="preface.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>About This Document</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="gettingstarted.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="CONVENTIONS" +>Document Conventions</A +></H1 +><P +> The following symbols and typefaces are used throughout this manual:</P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="COMPUTEROUTPUT" +>[ ]</TT +></DT +><DD +><P +>items in brackets are optional. Brackets also denote items that may or may +not be displayed onscreen depending on settings or conditions.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>{ }</TT +></DT +><DD +><P +> curly braces enclose items you choose from</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>|</TT +></DT +><DD +><P +> the vertical bar separates choices in curly braces</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>normal monospace</TT +></DT +><DD +><P +> normal monospace text in syntax specifications should be typed in exactly as presented. 
Because UNIX and variants are case-sensitive, case must be preserved. Monospace is also used in presenting items that appear on the screen.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +><TT +CLASS="REPLACEABLE" +><I +> monospace italics</I +></TT +></TT +></DT +><DD +><P +> italics in syntax specifications indicate items that are to be + replaced with an actual item (e.g. + <TT +CLASS="REPLACEABLE" +><I +>interface</I +></TT +> should be replaced with an + actual interface name, like <TT +CLASS="COMPUTEROUTPUT" +>eth0</TT +>). </P +></DD +></DL +></DIV +><P +>Additional information appears distinctively set apart from the main text. +This information includes Notes, Tips, or Technical Notes.</P +><P +><I +CLASS="EMPHASIS" +>Notes</I +> are additional pieces of information that may be useful or may + clarify the preceeding paragraphs of the manual.</P +><P +> <I +CLASS="EMPHASIS" +>Tips</I +> provide shortcuts, clarify tasks that may not + be immediately obvious, or provide references to additional sources of information.</P +><P +><I +CLASS="EMPHASIS" +>Technical notes</I +> are explanations of a + more technical nature and may be of more use to programmers and advanced + users.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="preface.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="gettingstarted.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>About This Document</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="preface.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Getting Started</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file 
diff --git a/Documentation/customports.html b/Documentation/customports.html new file mode 100644 index 0000000..a118eaa --- /dev/null +++ b/Documentation/customports.html 
@@ -0,0 +1,344 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Custom Information</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Configuring IPTraf" +HREF="config.html"><LINK +REL="PREVIOUS" +TITLE="Timers" +HREF="timers.html"><LINK +REL="NEXT" +TITLE="Background Operation" +HREF="backop.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="timers.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Configuring IPTraf</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="backop.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="CUSTOMPORTS" +>Custom Information</A +></H1 +><P +> The remaining configuration items allow you to enter information which + IPTraf uses for its displays and logs.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2061" +>Additional ports</A +></H2 +><P +>Select this item to enter a port + number to be included in the TCP/UDP counts in the TCP/UDP service + statistics main menu item described above. By default, + port numbers above 1023 are not monitored. If you do + have a higher-numbered port to monitor, enter it here.</P +><P +> You will see two fields. If you have only one port to enter, just fill + up the first field. 
To specify a range, fill both fields, the first port + in the first field, the last port in the second field.</P +><P +> You can select this option multiple times to add more values or ranges.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2066" +>Delete port/range</A +></H2 +><P +> Select this item to remove a higher-numbered port number or + port range you entered earlier with the <I +CLASS="EMPHASIS" +>Additional + ports...</I +> option. A window will come up + containing the entered ports and ranges. Select the entry you want + delete and press Enter.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2070" +>LAN Station Identifiers</A +></H2 +><P +> The LAN station statistics facility monitors stations based + on their respective MAC addresses. The hexadecimal notation of these + addresses make them even more difficult to remember than the + dotted-decimal IP addresses, so these facilities were added to + help you better determine which station is which.</P +><P +> Selecting the <I +CLASS="EMPHASIS" +>Ethernet/PLIP host descriptions...</I +> or + <I +CLASS="EMPHASIS" +>FDDI/Token Ring host descriptions...</I +> options brings + up a submenu asking you to add, edit, or delete descriptions.</P +><P +> To add a new description, select the <I +CLASS="EMPHASIS" +>Add +description...</I +> option. A dialog + box will appear, asking you for the MAC address and an appropriate + description. Type in the address in hexadecimal notation with no + punctuation of any kind. The dialog box is + case-insensitive for the address; the alphabetical digits A to F will be + stored in lowercase.</P +><P +> Use the Tab key to move between fields and Enter to accept. Press Ctrl+X + to discard this dialog and return to the main menu.</P +><P +> The description may be anything: the IP address, a fully-qualified + domain name, or a description of your liking as long + as the field can hold.</P +><P +> Enter as many descriptions as you need. 
Press Ctrl+X at a blank dialog + after you have entered the last entry</P +><P +> These descriptions will be displayed alongside the MAC addresses + in the LAN station monitor, together with the type of frame (Ethernet, + PLIP, or FDDI).</P +><P +> An existing address or description may be edited +by selecting the <I +CLASS="EMPHASIS" +>Edit + description...</I +> option from the submenu. A panel will appear with a list + of existing address descriptions. Select the one you wish to + edit and press Enter. A dialog box identical to that + when you add a description will appear with prefilled fields. Just + backspace over and edit the fields. Press Enter to accept or Ctrl+X to + cancel.</P +><P +> Selecting the <I +CLASS="EMPHASIS" +>Delete description...</I +> submenu + item brings up the selection panel. Select the description you want to + delete and press Enter. You can also press Ctrl+X to cancel the operation.</P +><P +> IPTraf 2.4 and later also recognizes the <TT +CLASS="FILENAME" +>/etc/ethers</TT +> file. + Should a hardware address be present in the IPTraf definition files and + in <TT +CLASS="FILENAME" +>/etc/ethers</TT +>, the IPTraf definition will be used.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> The description file for Ethernet and PLIP is + <TT +CLASS="FILENAME" +>ethernet.desc</TT +>, while the FDDI and Token Ring mappings are stored + in <TT +CLASS="FILENAME" +>fddi.desc</TT +> in the IPTraf working directory. These files are in + colon-delimited text format. Database engines or custom scripts can be + told to append data lines to those files. 
Each line follows this + simple format:</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +><TT +CLASS="REPLACEABLE" +><I +>address</I +></TT +>:<TT +CLASS="REPLACEABLE" +><I +>description</I +></TT +></PRE +></TD +></TR +></TABLE +><P +> + For example</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>00201e457e:Cisco 3640 gateway</PRE +></TD +></TR +></TABLE +><P +> Do not put colons, periods, or any invalid characters in the MAC address.</P +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="timers.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="backop.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Timers</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="config.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Background Operation</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/detstats.html b/Documentation/detstats.html new file mode 100644 index 0000000..dd83f7d --- /dev/null +++ b/Documentation/detstats.html 
@@ -0,0 +1,400 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Detailed Interface Statistics</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Network Interface Statistics" +HREF="netstats.html"><LINK +REL="PREVIOUS" +TITLE="Network Interface Statistics" +HREF="netstats.html"><LINK +REL="NEXT" +TITLE="Statistical Breakdowns" +HREF="statbreakdowns.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="netstats.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Network Interface Statistics</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="statbreakdowns.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="DETSTATS" +>Detailed Interface Statistics</A +></H1 +><P +> The third menu option displays packet statistics for any + selected interface. It provides basically the same information + as the <I +CLASS="EMPHASIS" +>General interface statistics</I +> + option, with additional details. 
+ This facility provides the following information:</P +><P +></P +><UL +COMPACT="COMPACT" +><LI +STYLE="list-style-type: disc" +><P +> Total packet and byte counts</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> IP packet and byte counts</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> TCP packet and byte counts</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> UDP packet and byte count</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> ICMP packet and byte counts</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> Other IP-type packet and byte counts</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> Non-IP packet and byte counts</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> Checksum error count</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> Interface activity</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> Broadcast packet and byte counts</P +></LI +></UL +><P +> All IP byte counts (IP, TCP, UDP, ICMP, other IP) include IP header data + and payload. The data link header is not included. The full frame length + (including data-link header) is included in the non-IP and Total + byte count. All data-link headers are also included in the Total byte + counts.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN1145" +></A +><P +><IMG +SRC="iptraf-dstat1.png"></P +><P +><B +>Figure 2. The detailed interface statistics screen</B +></P +></DIV +><P +> The upper portion of the screen + contains the packet and byte counts for all IP and + non-IP packets intercepted on the interface. The lower portion + contains the total, incoming, and outgoing interface data rates.</P +><P +> This facility also displays incoming and outgoing counts and data rates. 
+ The packet size breakdown in versions prior to 2.0.0 has been moved + to its own facility under <I +CLASS="EMPHASIS" +>Statistical breakdowns.../By packet + size</I +> as described in <A +HREF="statbreakdowns.html#PKTSIZE" +>Chapter 5</A +>.</P +><P +> An outgoing packet is one that exits your interface, regardless + of whether it originated from your machine or came + from another machine and was routed through yours. An incoming packet is + one that enters your interface, either addressed + to you directly, broadcast, multicast, or captured promiscuously.</P +><P +> The rate indicators can be set to display kbits/s or kbytes/s with the + <I +CLASS="EMPHASIS" +>Activity mode</I +> configuration option.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Buffering and some other factors may affect the data rates, notably + the outgoing rate, causing it to reflect a higher figure than the actual + rate at which the interface is sending.</P +></TD +></TR +></TABLE +></DIV +><P +> The figures are logged at regular intervals if logging is enabled. The + default log file name at the prompt is + <TT +CLASS="FILENAME" +>iface_stats_detailed-<TT +CLASS="REPLACEABLE" +><I +>iface</I +></TT +>.log</TT +> + where iface is the selected interface for this session (for example, + <TT +CLASS="FILENAME" +>iface_stats_detailed-eth0.log</TT +>).</P +><P +> If you wish to start this facility directly + from the command line, you can specify the +<TT +CLASS="COMPUTEROUTPUT" +>-d</TT +> parameter and an interface + to monitor. 
For example,</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>iptraf -d eth0</PRE +></TD +></TR +></TABLE +><P +> starts the statistics for <TT +CLASS="FILENAME" +>eth0</TT +>. The interface must be specified, or + IPTraf will not start the facility.</P +><P +> When started from the command line, the log filename and log interval can be + specified with the <TT +CLASS="COMPUTEROUTPUT" +>-L</TT +> and <TT +CLASS="COMPUTEROUTPUT" +>-I</TT +> + parameters respectively. See the <A +HREF="cmdline.html" +>Command-line Parameters</A +> + section above for more information.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> In both the general and detailed statistics screens, as well as + in the IP traffic monitor, the packet counts are for + actual network packets (layer 2), not the logical IP packets (layer 3) + that may be reconstructed after fragmentation. That means, if a + packet was fragmented into four pieces, and these four fragments pass + over your interface, the packet counts will indicate four separate + packets. + </P +></TD +></TR +></TABLE +></DIV +><P +> The figure for the IP checksum errors is a packet count only, because the + corrupted IP header cannot be relied upon to give a correct IP + packet length value.</P +><P +> This facility's output is also affected by IPTraf's <A +HREF="filters.html" +>filters</A +>. 
See Chapter 7 for more information +on filters.</P +><P +> Pressing X or Q takes you back to the main menu (if this + facility was started with the command-line option, X or Q drops you back + to the shell).</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="netstats.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="statbreakdowns.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Network Interface Statistics</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="netstats.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Statistical Breakdowns</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/exiting.html b/Documentation/exiting.html new file mode 100644 index 0000000..27850e9 --- /dev/null +++ b/Documentation/exiting.html 
@@ -0,0 +1,159 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Exiting IPTraf</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Getting Started" +HREF="gettingstarted.html"><LINK +REL="PREVIOUS" +TITLE="Using the Menus" +HREF="menus.html"><LINK +REL="NEXT" +TITLE="Preparing to Use IPTraf" +HREF="preparingtouse.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="menus.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Getting Started</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="preparingtouse.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="EXITING" +>Exiting IPTraf</A +></H1 +><P +> You can exit IPTraf with the Exit command in the main menu.</P +><P +> When started with one of the command-line options to + directly start a statistical facility, pressing X or Q will exit the + facility directly, without any confirmation. The +<TT +CLASS="COMPUTEROUTPUT" +>-t</TT +> + command-line parameter will automatically exit the + facility after the specified length of time without any confirmation + as well. Daemon facilities started with the <TT +CLASS="COMPUTEROUTPUT" +>-B</TT +> parameter + will immediately terminate after being sent a + USR2 signal. 
See <A +HREF="backop.html" +>background + operation</A +> in chapter 9 for more information.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="menus.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="preparingtouse.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Using the Menus</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gettingstarted.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Preparing to Use IPTraf</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/filters.html b/Documentation/filters.html new file mode 100644 index 0000000..d409faa --- /dev/null +++ b/Documentation/filters.html 
@@ -0,0 +1,2876 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Filters</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="PREVIOUS" +TITLE="Additional Information" +HREF="morelanmoninfo.html"><LINK +REL="NEXT" +TITLE="ARP, RARP, and other Non-IP Packet Filters" +HREF="nonipfilters.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="morelanmoninfo.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="nonipfilters.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="FILTERS" +>Filters</A +></H1 +><P +> Filters are used to control the information displayed by all facilities. + You may want to view statistics only on particular traffic + so you must restrict the information displayed. The filters also apply + to logging activity.</P +><P +> The IPTraf filter management system is accessible through the + <I +CLASS="EMPHASIS" +>Filters...</I +> submenu.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN1295" +></A +><P +><IMG +SRC="iptraf-filtermenu.png"></P +><P +><B +>Figure 1. The Filters submenu</B +></P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="IPFILTERS" +>IP Filters</A +></H1 +><P +> The <I +CLASS="EMPHASIS" +>Filters/IP...</I +> menu option + allows you to define a set of rules that determine what IP traffic + to pass to the monitors. 
Selecting this option pops up another menu with + the tasks used to define and apply custom IP filters.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN1302" +></A +><P +><IMG +SRC="iptraf-ipfltmenu.png"></P +><P +><B +>Figure 2. The IP filter menu</B +></P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1305" +>Defining a New Filter</A +></H2 +><P +> A freshly installed program will have no filters defined, so + before anything else, you will have to define a filter. You can do this + by selecting the <I +CLASS="EMPHASIS" +>Define new filter...</I +> option.</P +><P +> Selecting this option displays a box asking you to enter a short + description of the filter you are going to define. Just enter any text + that clearly identifies the nature of the filter.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN1310" +></A +><P +><IMG +SRC="iptraf-ipfltnamedlg.png"></P +><P +><B +>Figure 3. The IP filter name dialog</B +></P +></DIV +><P +> Press Enter when you're done with that box. As an alternative, you can + also press Ctrl+X to cancel the operation.</P +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN1314" +>The Filter Rule Selection Screen</A +></H3 +><P +>After you enter the filter's description, you will be taken to a blank +rule selection box. At this screen you manage the various rules you +define for this filter. You can opt to insert, append, edit, or delete +rules.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN1317" +></A +><P +><IMG +SRC="iptraf-ipfltlist.png"></P +><P +><B +>Figure 4. The filter rule selection screen. Selecting an entry +displays that set for editing</B +></P +></DIV +><P +>Any rules defined will appear here. 
You will see the +source and destination +addresses, masks and ports (long addresses and masks may +be truncated) and whether this rule includes or excludes matching +packets.</P +><P +>Between the source and destination parameters is an arrow that +indicates whether the rule matches packets (single-headed) only exactly or whether +it matches packets flowing in the opposite direction (double-headed).</P +><P +>At this screen, press I to insert at the current position of the selection +bar, A to append a rule to the end of the list, Enter to +edit the highlighted rule and D to delete the selected rule. With +an empty list, A or I can be used to add the first rule.</P +><P +>To add the first rule, press A or I. You will then be presented with +a dialog box that allows you to enter the rule's parameters.</P +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN1324" +>Entering Filter Rules</A +></H3 +><P +> You can enter addresses of individual hosts, networks, + or a catch-all address. The nature of the address will be determined + by the wildcard mask.</P +><P +> You'll notice two sets of fields, marked <TT +CLASS="COMPUTEROUTPUT" +>Source</TT +> + and <TT +CLASS="COMPUTEROUTPUT" +>Destination</TT +>. You fill these out + with the information about your source and targets.</P +><P +> Fill out the host name or IP address of the hosts or networks in + the first field + marked <TT +CLASS="COMPUTEROUTPUT" +>Host name/IP Address</TT +>. Enter it in + standard dotted-decimal notation. When done, press Tab to move to the + <TT +CLASS="COMPUTEROUTPUT" +>Wildcard mask</TT +> field. The wildcard mask + is similar but not exactly identical to the standard IP subnet + mask. The wildcard mask is used to determine which bits to ignore + when processing the filter. In most cases, it will work very closely + like a subnet mask. Place ones (1) under the bits you want the filter to + recognize, and keep zeros (0) under the bits you want the filter + to ignore. 
For example:</P +><P +>To recognize the host 207.0.115.44</P +><DIV +CLASS="INFORMALTABLE" +><A +NAME="AEN1334" +></A +><P +></P +><TABLE +BORDER="0" +WIDTH="100%" +BGCOLOR="#E0E0E0" +CELLSPACING="0" +CELLPADDING="4" +CLASS="CALSTABLE" +><TBODY +><TR +><TD +WIDTH="50%" +ALIGN="LEFT" +VALIGN="TOP" +>IP address</TD +><TD +WIDTH="50%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>207.0.115.44</TT +></TD +></TR +><TR +><TD +WIDTH="50%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="50%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>255.255.255.255</TT +></TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +><P +>To recognize all hosts belonging to network +202.47.132.<TT +CLASS="REPLACEABLE" +><I +>x</I +></TT +></P +><DIV +CLASS="INFORMALTABLE" +><A +NAME="AEN1349" +></A +><P +></P +><TABLE +BORDER="0" +WIDTH="100%" +BGCOLOR="#E0E0E0" +CELLSPACING="0" +CELLPADDING="4" +CLASS="CALSTABLE" +><TBODY +><TR +><TD +WIDTH="50%" +ALIGN="LEFT" +VALIGN="TOP" +>IP address</TD +><TD +WIDTH="50%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>202.47.132.0</TT +></TD +></TR +><TR +><TD +WIDTH="50%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="50%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>255.255.255.0</TT +></TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +><P +>To recognize all hosts with any address:</P +><DIV +CLASS="INFORMALTABLE" +><A +NAME="AEN1363" +></A +><P +></P +><TABLE +BORDER="0" +WIDTH="100%" +BGCOLOR="#E0E0E0" +CELLSPACING="0" +CELLPADDING="4" +CLASS="CALSTABLE" +><TBODY +><TR +><TD +WIDTH="50%" +ALIGN="LEFT" +VALIGN="TOP" +>IP address</TD +><TD +WIDTH="50%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="50%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="50%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +><P +> The IP 
address/wildcard mask mechanism of the display filter doesn't + recognize IP address class. It uses a simple bit- pattern matching + algorithm.</P +><P +> The wildcard mask also does not have to end on a + byte boundary; you may mask right into a byte itself. For example, + 255.255.255.224 masks 27 bits (255 is 11111111, 224 is 11100000 in + binary).</P +><P +> IPTraf also accepts host names in place of the IP addresses. IPTraf will + resolve the host name when the filter is loaded. When the filter + is interpreted, the wildcard mask will also be applied. This can be + useful in cases where a single host name may resolve to several IP + addresses.</P +><DIV +CLASS="TIP" +><P +></P +><TABLE +CLASS="TIP" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/tip.gif" +HSPACE="5" +ALT="Tip"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Tip</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> See the <I +CLASS="EMPHASIS" +>Linux Network Administrator's Guide</I +> + if you need more information on IP addresses and subnet masking.</P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="TIP" +><P +></P +><TABLE +CLASS="TIP" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/tip.gif" +HSPACE="5" +ALT="Tip"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Tip</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>IPTraf allows you to specify the wildcard mask in Classless Interdomain Routing +(CIDR) format. This format allows you to specify the number of 1-bits that +mask the address. 
CIDR notation is the form +<I +CLASS="EMPHASIS" +><TT +CLASS="COMPUTEROUTPUT" +>address/bits</TT +></I +> where the +<I +CLASS="EMPHASIS" +><TT +CLASS="COMPUTEROUTPUT" +>address</TT +></I +> is the IP +address or host name and +<I +CLASS="EMPHASIS" +><TT +CLASS="COMPUTEROUTPUT" +>bits</TT +></I +> is the number of +1-bits in the mask. For example, if you want to mask 10.1.1.0 with +<TT +CLASS="COMPUTEROUTPUT" +>255.255.255.0</TT +>, note that +<TT +CLASS="COMPUTEROUTPUT" +>255.255.255.0</TT +> has 24 1-bits, so instead +of specifying <TT +CLASS="COMPUTEROUTPUT" +>255.255.255.0</TT +> in the wildcard +mask field, you can just enter <TT +CLASS="COMPUTEROUTPUT" +>10.1.1.0/24</TT +> +in the address field. IPTraf will translate the mask bits into an +appropriate wildcard mask and fill in the mask field the next time you edit +the filter rule.</P +><P +>If you specify the mask in CIDR notation, leave the wildcard mask fields +blank. If you fill them up, the wildcard mask fields will take precedence.</P +></TD +></TR +></TABLE +></DIV +><P +> The <TT +CLASS="COMPUTEROUTPUT" +>Port</TT +> fields should contain a + port number or range of any TCP or UDP service you may be + interested in. If you want to match only a single port number, fill + in the first field, while leaving the second blank or set to zero. + Fill in the second field if you want to match a range of ports (e.g. 80 to + 90). + Leave the first field blank or set to zero to let the filter ignore + the ports altogether. 
+ You will most likely be interested in target ports rather than source ports + (which are usually unpredictable anyway, perhaps with the exception + of FTP data).</P +><P +>Non-TCP and non-UDP packets are not affected by these fields, and these +are used only when filtering TCP or UDP packets.</P +><P +> Fill out the second set of fields with the parameters of the + opposite end of the connection.</P +><DIV +CLASS="TIP" +><P +></P +><TABLE +CLASS="TIP" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/tip.gif" +HSPACE="5" +ALT="Tip"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Tip</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Any address or mask fields left blank default to +0.0.0.0 while blank +<TT +CLASS="COMPUTEROUTPUT" +>Port</TT +> fields default to 0. +This makes it easy to define +filter rules if you're interested only in either the source or destination, +but not the other. For example, you may be interested +in traffic originating from network 61.9.88.0, in which case you just enter +the source address, mask and port +in the +<TT +CLASS="COMPUTEROUTPUT" +>Source</TT +> fields, while leaving the +<TT +CLASS="COMPUTEROUTPUT" +>Destination</TT +> fields blank.</P +></TD +></TR +></TABLE +></DIV +><P +>The next fields let you specify which IP-type protocols you want matched by +this filter rule. 
Any packet whose protocol's corresponding field +is marked with a <TT +CLASS="COMPUTEROUTPUT" +>Y</TT +> is matched against the +filter's defined IP addresses and ports, otherwise +they don't pass through this filter rule.</P +><P +>If you want to evaluate all IP packets just mark +with <TT +CLASS="COMPUTEROUTPUT" +>Y</TT +> the <TT +CLASS="COMPUTEROUTPUT" +>All +IP</TT +> field.</P +><P +>For example, if you want to see only all TCP traffic, mark the +<TT +CLASS="COMPUTEROUTPUT" +>TCP</TT +> field +with <TT +CLASS="COMPUTEROUTPUT" +>Y</TT +>.</P +><P +>The long field marked <TT +CLASS="COMPUTEROUTPUT" +>Additional +protocols</TT +> allows you to specify other protocols +by their IANA number. (You can view the common IP protocol number +in the <TT +CLASS="FILENAME" +>/etc/protocols</TT +> file). You can specify a list +of protocol numbers or ranges separated by commas, +Ranges have the beginning and ending protocol numbers separated with a +hyphen.</P +><P +>For example, to see the RSVP (46), IP mobile (55), and protocols +(101 to 104), you use an entry that looks like this:</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>46, 55, 101-104</PRE +></TD +></TR +></TABLE +><P +>It's certainly possible to specify any of the protocols listed above in +this field. Entering <TT +CLASS="COMPUTEROUTPUT" +>1-255</TT +> is +functionally identical +to marking <TT +CLASS="COMPUTEROUTPUT" +>All IP</TT +> +with a <TT +CLASS="COMPUTEROUTPUT" +>Y</TT +>.</P +><P +> The next field is marked <TT +CLASS="COMPUTEROUTPUT" +>Include/Exclude</TT +>. + This field allows you to decide whether to include or filter out matching + packets. Setting this field to <TT +CLASS="COMPUTEROUTPUT" +>I</TT +> causes the filter to + pass matching packets, while setting it to <TT +CLASS="COMPUTEROUTPUT" +>E</TT +> causes + the filter to drop them. 
This field is set to + <TT +CLASS="COMPUTEROUTPUT" +>I</TT +> by default.</P +><P +>The last field in the dialog is labeled <TT +CLASS="COMPUTEROUTPUT" +>Match opposite</TT +>. When set +to <TT +CLASS="COMPUTEROUTPUT" +>Y</TT +>, the filter will match packets flowing in the opposite direction. +Previous versions of IPTraf used to match TCP packets flowing in either direction, so the source +and destination address/mask/port combinations were actually interchangeable. Starting with +IPTraf 3.0, when filters extended to more than just the IP traffic monitor, this behavior is no longer +the default throughout IPTraf except in the IP traffic monitor's TCP window.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>For TCP packets, this field is used in all facilities except the IP traffic monitor. Because +the IP traffic monitor must capture TCP packets in both directions +to properly determine a closed connection, the filter automatically matches +packets in the opposite direction, regardless of this field's setting. However +iin all other facilities, automatic matching of the reverse packets is not performed +unless you set this field to <TT +CLASS="COMPUTEROUTPUT" +>Y</TT +>.</P +><P +>Filters for UDP and other IP protocols do not automatically match packets in the opposite direction +unless you set the field to <TT +CLASS="COMPUTEROUTPUT" +>Y</TT +>, even in the IP traffic monitor.</P +></TD +></TR +></TABLE +></DIV +><P +> Press Enter to accept all parameters when done. The parameters will be + accepted and you'll be taken back to the rule selection box. You can +then add more rules by pressing A or you can insert new rules at any point +by pressing I. 
Should you make a mistake, you can press Enter to +edit the selected filter. You may enter + as many sets of parameters as you wish. Press Ctrl+X when done.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Because of the major changes in the filtering system since IPTraf 2.7, +old filters will no longer work and will have to be redefined.</P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="FIGURE" +><A +NAME="AEN1442" +></A +><P +><IMG +SRC="iptraf-ipfltdlg.png"></P +><P +><B +>Figure 5. The IP filter parameters dialog</B +></P +></DIV +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN1445" +>Examples</A +></H3 +><P +>To see all traffic to/from host 202.47.132.1 from/to 207.0.115.44, regardless of TCP port</P +><DIV +CLASS="INFORMALTABLE" +><A +NAME="AEN1448" +></A +><P +></P +><TABLE +BORDER="0" +WIDTH="100%" +BGCOLOR="#E0E0E0" +CELLSPACING="0" +CELLPADDING="4" +CLASS="CALSTABLE" +><TBODY +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Host name/IP Address</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>202.47.132.2</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>207.0.115.44</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>255.255.255.255</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>255.255.255.255</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Port</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT 
+CLASS="COMPUTEROUTPUT" +>0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Protocols</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>TCP: Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Include/Exclude</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>I</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Match opposite</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>Y</TT +></TD +><TD +> </TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +><P +>To see all traffic from host 207.0.115.44 to all hosts +on network 202.47.132.x</P +><DIV +CLASS="INFORMALTABLE" +><A +NAME="AEN1485" +></A +><P +></P +><TABLE +BORDER="0" +WIDTH="100%" +BGCOLOR="#E0E0E0" +CELLSPACING="0" +CELLPADDING="4" +CLASS="CALSTABLE" +><TBODY +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Host name/IP Address</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>207.0.115.44</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>202.47.132.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>255.255.255.255</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>255.255.255.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Port</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Protocols</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>All IP: Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" 
+VALIGN="TOP" +>Include/Exclude</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>I</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Match opposite</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>N</TT +></TD +><TD +> </TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +><P +> To see all Web traffic (to and from port 80) + regardless of source or destination</P +><DIV +CLASS="INFORMALTABLE" +><A +NAME="AEN1522" +></A +><P +></P +><TABLE +BORDER="0" +WIDTH="100%" +BGCOLOR="#E0E0E0" +CELLSPACING="0" +CELLPADDING="4" +CLASS="CALSTABLE" +><TBODY +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Host name/IP Address</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Port</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>80</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Protocols</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>TCP: Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Include/Exclude</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>I</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Match opposite</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" 
+>Y</TT +></TD +><TD +> </TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +><P +> To see all IRC traffic from port 6666 to 6669</P +><DIV +CLASS="INFORMALTABLE" +><A +NAME="AEN1559" +></A +><P +></P +><TABLE +BORDER="0" +WIDTH="100%" +BGCOLOR="#E0E0E0" +CELLSPACING="0" +CELLPADDING="4" +CLASS="CALSTABLE" +><TBODY +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Host name/IP Address</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Port</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>6666</TT +> +to <TT +CLASS="COMPUTEROUTPUT" +>6669</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Protocols</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>TCP: Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Include/Exclude</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>I</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Match opposite</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>Y</TT +></TD +><TD +> </TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +><P +> To see all DNS traffic, (TCP and UDP, destination port 53) + regardless of source or destination</P +><DIV +CLASS="INFORMALTABLE" +><A +NAME="AEN1597" +></A +><P +></P +><TABLE +BORDER="0" +WIDTH="100%" 
+BGCOLOR="#E0E0E0" +CELLSPACING="0" +CELLPADDING="4" +CLASS="CALSTABLE" +><TBODY +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Host name/IP Address</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard +mask</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Port</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>53</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Protocols</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>TCP: Y UDP: Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Include/Exclude</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>I</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Match opposite</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>Y</TT +></TD +><TD +> </TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +><P +> To see all mail (SMTP) traffic to a single host (202.47.132.2) from anywhere</P +><DIV +CLASS="INFORMALTABLE" +><A +NAME="AEN1634" +></A +><P +></P +><TABLE +BORDER="0" +WIDTH="100%" +BGCOLOR="#E0E0E0" +CELLSPACING="0" +CELLPADDING="4" +CLASS="CALSTABLE" +><TBODY +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Host name/IP Address</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" 
+VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>202.47.132.2</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>255.255.255.255</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Port</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>25</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Protocols</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>TCP: Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Include/Exclude</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>I</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Match opposite</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>N</TT +></TD +><TD +> </TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +><P +> To see traffic from from/to host sunsite.unc.edu to/from cebu.mozcom.com</P +><DIV +CLASS="INFORMALTABLE" +><A +NAME="AEN1671" +></A +><P +></P +><TABLE +BORDER="0" +WIDTH="100%" +BGCOLOR="#E0E0E0" +CELLSPACING="0" +CELLPADDING="4" +CLASS="CALSTABLE" +><TBODY +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Host name/IP Address</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>sunsite.unc.edu</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>cebu.mozcom.com</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>255.255.255.255</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" 
+VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>255.255.255.255</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Port</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Protocols</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>All IP: Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Include/Exclude</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>I</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Match opposite</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>Y</TT +></TD +><TD +> </TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +><P +> To omit display of traffic to/from 140.66.5.x from/to anywhere</P +><DIV +CLASS="INFORMALTABLE" +><A +NAME="AEN1708" +></A +><P +></P +><TABLE +BORDER="0" +WIDTH="100%" +BGCOLOR="#E0E0E0" +CELLSPACING="0" +CELLPADDING="4" +CLASS="CALSTABLE" +><TBODY +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Host name/IP Address</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>140.66.5.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>255.255.255.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Port</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" 
+>0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Protocols</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>All IP: Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Include/Exclude</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>E</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Match opposite</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>Y</TT +></TD +><TD +> </TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +><P +> You can enter as many parameters as you wish. All of them will + be interpreted until the first match is found.</P +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN1745" +>Excluding Certain Sites</A +></H3 +><P +> Filters follow an implicit "no-match" policy, that is, only packets + matching defined rules will be matched, others will be filtered out. + This is similar + to the access-list policy "whatever is not explicitly permitted is + denied". 
If you want to show all traffic to/from everywhere, + except certain places, you can specify the sites you wish to exclude, + mark them with <TT +CLASS="COMPUTEROUTPUT" +>E</TT +> in the <TT +CLASS="COMPUTEROUTPUT" +>Include/Exclude +field</TT +>, and + define a general catch-all entry with source address +<TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +>, mask + <TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +>, port <TT +CLASS="COMPUTEROUTPUT" +>0</TT +>, and destination +<TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +>, mask <TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +>, +port <TT +CLASS="COMPUTEROUTPUT" +>0</TT +>, tagged + with an <TT +CLASS="COMPUTEROUTPUT" +>I</TT +> +in the <TT +CLASS="COMPUTEROUTPUT" +>Include/Exclude</TT +> field as the last entry.</P +><P +> For example:</P +><P +>To see all traffic except all SMTP (both directions), Web (both directions), and traffic +(only) from 207.0.115.44</P +><DIV +CLASS="INFORMALTABLE" +><A +NAME="AEN1760" +></A +><P +></P +><TABLE +BORDER="0" +WIDTH="100%" +BGCOLOR="#E0E0E0" +CELLSPACING="0" +CELLPADDING="4" +CLASS="CALSTABLE" +><TBODY +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Host name/IP address</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Port</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>25</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Protocols</TD +><TD +WIDTH="33%" 
+ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>TCP: Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Include/Exclude</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>E</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Match opposite</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +> </TD +><TD +> </TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Host name/IP address</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +> 0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Port</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>80</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Protocols</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>TCP: Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Include/Exclude</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>E</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Match opposite</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" 
+VALIGN="TOP" +> </TD +><TD +> </TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Host name/IP address</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>207.0.115.44</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>255.255.255.255</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Port</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Protocols</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>All IP: Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Include/Exclude</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>E</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Match opposite</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>N</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +> </TD +><TD +> </TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Host name/IP address</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Wildcard mask</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD 
+><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Port</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>0</TT +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Protocols</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>All IP: Y</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Include/Exclude</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>I</TT +></TD +><TD +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +>Match opposite</TD +><TD +WIDTH="33%" +ALIGN="LEFT" +VALIGN="TOP" +><TT +CLASS="COMPUTEROUTPUT" +>N</TT +></TD +><TD +> </TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +><DIV +CLASS="TIP" +><P +></P +><TABLE +CLASS="TIP" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/tip.gif" +HSPACE="5" +ALT="Tip"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Tip</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> To filter out all TCP, define a filter with a single entry, with a source of + <TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +> mask +<TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +> port <TT +CLASS="COMPUTEROUTPUT" +>0</TT +>, and a destination + of <TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +> mask <TT +CLASS="COMPUTEROUTPUT" +>0.0.0.0</TT +> +port <TT +CLASS="COMPUTEROUTPUT" +>0</TT +>, +with the <TT +CLASS="COMPUTEROUTPUT" +>Include/Exclude</TT +> field + marked <TT +CLASS="COMPUTEROUTPUT" +>E</TT +> (exclude). 
Then apply this filter.</P +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1903" +>Applying a Filter</A +></H2 +><P +> The above steps only add the filter to a defined list. To actually apply + the filter, you must select <I +CLASS="EMPHASIS" +>Apply filter...</I +> from the menu. You will be + presented with a list of filters you already defined. Select the one you + want to apply, and press Enter.</P +><P +> The applied filter stays in effect over exits and restarts of the IPTraf program until it is detached.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1908" +>Editing a Defined Filter</A +></H2 +><P +> Select <I +CLASS="EMPHASIS" +>Edit filter...</I +> to modify an existing filter. Once you select this + option, you will be presented with the list of defined filters. + Select the filter you want to edit by moving the selection bar and press + Enter.</P +><P +> Edit the description if you wish. Pressing Ctrl+X at this point + will abort the operation, and the filter will remain unmodified. Press + Enter to accept any changes to the filter description.</P +><P +> After pressing Enter, you will see the filter's rules. To edit an + existing filter rule, move the selection bar + to the desired entry and press Enter. A prefilled dialog box + will appear. Edit its contents as desired. Press Enter to accept the + changes or Ctrl+X to discard.</P +><P +> You can add a new filter rule by pressing I to insert at the selection + bar's current position. When you press I, you will be presented with a + dialog box asking you to enter the new rule data. 
Pressing A results + in a similar operation, except the rule will be appended as the + last entry in the rule list.</P +><P +> Pressing D deletes the currently pointed entry.</P +><P +> Press X or Ctrl+X to end the edit and save the changes.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>If you're editing the currently applied filter, you will need + to re-apply the filter for the changes to take effect. + </P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Be aware that the filter processes the rules in order. In other + words, if a packet matches more than one rule, only the first matching + rule is followed.</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1923" +>Deleting a Defined Filter</A +></H2 +><P +> Select <I +CLASS="EMPHASIS" +>Delete filter...</I +> from the menu to remove a filter + from the list. Just move the selection bar to the filter you want to + delete, and press Enter.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1927" +>Detaching a Filter</A +></H2 +><P +> The <I +CLASS="EMPHASIS" +>Detach filter</I +> option deactivates the filter currently in + use. 
Selecting this option causes all TCP traffic to be passed + to the monitors.</P +><P +> When you're done with the menu, just select the Exit menu option.</P +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="morelanmoninfo.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="nonipfilters.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Additional Information</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>ARP, RARP, and other Non-IP Packet Filters</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/gettingstarted.html b/Documentation/gettingstarted.html new file mode 100644 index 0000000..37b64f1 --- /dev/null +++ b/Documentation/gettingstarted.html 
@@ -0,0 +1,219 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Getting Started</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="PREVIOUS" +TITLE="Document Conventions" +HREF="conventions.html"><LINK +REL="NEXT" +TITLE=" Installation" +HREF="installation.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="conventions.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="installation.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="GETTINGSTARTED" +>Getting Started</A +></H1 +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN66" +>About IPTraf</A +></H1 +><P +>IPTraf is a network monitoring utility and traffic analyzer for IP networks. 
It +intercepts packets and returns data about captured the network traffic +in various statistical facilities.</P +><P +>IPTraf comes with these major features:</P +><P +></P +><UL +COMPACT="COMPACT" +><LI +STYLE="list-style-type: disc" +><P +>An IP traffic monitor that shows TCP +connection information (hosts, packet/byte counts, flags, +window sizes), and color-coded information about other +IP packets</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Statistics (counts and load rates) for network interfaces +in general and detailed views</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Statistics per TCP/UDP port</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Statistical breakdown according to packet sizes</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>A LAN host monitor that returns counts and loads per +detected MAC address</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>A powerful filtering system for users to view +only interesting traffic</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Logging</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>An asynchronous DNS resolver for the +IP traffic monitor</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>A text-based, full-color, menu-driven user interface +suitable for use on all Linux systems with terminals, especially Linux +consoles and color xterms</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Easy configuration</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Fully software-based. No additional +hardware required</P +></LI +></UL +><P +> Basic knowledge of the important TCP/IP protocols (IP, TCP, UDP, ICMP, + etc.) 
is necessary for you to best understand the information generated + by the program.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="conventions.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="installation.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Document Conventions</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Installation</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/gfdl-1.html b/Documentation/gfdl-1.html new file mode 100644 index 0000000..7cb8029 --- /dev/null +++ b/Documentation/gfdl-1.html 
@@ -0,0 +1,201 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>APPLICABILITY AND DEFINITIONS</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="GNU Free Documentation License" +HREF="gfdl.html"><LINK +REL="PREVIOUS" +TITLE="GNU Free Documentation License" +HREF="gfdl.html"><LINK +REL="NEXT" +TITLE="VERBATIM COPYING" +HREF="gfdl-2.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="gfdl.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>GNU Free Documentation License</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="gfdl-2.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="GFDL-1" +>APPLICABILITY AND DEFINITIONS</A +></H1 +><P +>This License applies to any manual or other work that + contains a notice placed by the copyright holder saying it can be + distributed under the terms of this License. The "Document", + below, refers to any such manual or work. 
Any member of the + public is a licensee, and is addressed as "you".</P +><P +>A "Modified Version" of the Document means any work + containing the Document or a portion of it, either copied + verbatim, or with modifications and/or translated into another + language.</P +><P +>A "Secondary Section" is a named appendix or a front-matter + section of the Document that deals exclusively with the + relationship of the publishers or authors of the Document to the + Document's overall subject (or to related matters) and contains + nothing that could fall directly within that overall subject. + (For example, if the Document is in part a textbook of + mathematics, a Secondary Section may not explain any mathematics.) + The relationship could be a matter of historical connection with + the subject or with related matters, or of legal, commercial, + philosophical, ethical or political position regarding + them.</P +><P +>The "Invariant Sections" are certain Secondary Sections + whose titles are designated, as being those of Invariant Sections, + in the notice that says that the Document is released under this + License.</P +><P +>The "Cover Texts" are certain short passages of text that + are listed, as Front-Cover Texts or Back-Cover Texts, in the + notice that says that the Document is released under this + License.</P +><P +>A "Transparent" copy of the Document means a + machine-readable copy, represented in a format whose specification + is available to the general public, whose contents can be viewed + and edited directly and straightforwardly with generic text + editors or (for images composed of pixels) generic paint programs + or (for drawings) some widely available drawing editor, and that + is suitable for input to text formatters or for automatic + translation to a variety of formats suitable for input to text + formatters. 
A copy made in an otherwise Transparent file format + whose markup has been designed to thwart or discourage subsequent + modification by readers is not Transparent. A copy that is not + "Transparent" is called "Opaque".</P +><P +>Examples of suitable formats for Transparent copies include + plain ASCII without markup, Texinfo input format, LaTeX input + format, SGML or XML using a publicly available DTD, and + standard-conforming simple HTML designed for human modification. + Opaque formats include PostScript, PDF, proprietary formats that + can be read and edited only by proprietary word processors, SGML + or XML for which the DTD and/or processing tools are not generally + available, and the machine-generated HTML produced by some word + processors for output purposes only.</P +><P +>The "Title Page" means, for a printed book, the title page + itself, plus such following pages as are needed to hold, legibly, + the material this License requires to appear in the title page. + For works in formats which do not have any title page as such, + "Title Page" means the text near the most prominent appearance of + the work's title, preceding the beginning of the body of the + text.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="gfdl.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="gfdl-2.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>GNU Free Documentation License</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gfdl.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>VERBATIM COPYING</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file 
diff --git a/Documentation/gfdl-10.html b/Documentation/gfdl-10.html new file mode 100644 index 0000000..7c2ee4e --- /dev/null +++ b/Documentation/gfdl-10.html 
@@ -0,0 +1,157 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>FUTURE REVISIONS OF THIS LICENSE</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="GNU Free Documentation License" +HREF="gfdl.html"><LINK +REL="PREVIOUS" +TITLE="TERMINATION" +HREF="gfdl-9.html"><LINK +REL="NEXT" +TITLE="How to use this License for your documents" +HREF="gfdl-11.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="gfdl-9.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>GNU Free Documentation License</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="gfdl-11.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="GFDL-10" +>FUTURE REVISIONS OF THIS LICENSE</A +></H1 +><P +>The Free Software Foundation may publish new, revised + versions of the GNU Free Documentation License from time to time. + Such new versions will be similar in spirit to the present + version, but may differ in detail to address new problems or + concerns. See <A +HREF="http://www.gnu.org/copyleft/" +TARGET="_top" +>http://www.gnu.org/copyleft/</A +>.</P +><P +>Each version of the License is given a distinguishing + version number. 
If the Document specifies that a particular + numbered version of this License "or any later version" applies to + it, you have the option of following the terms and conditions + either of that specified version or of any later version that has + been published (not as a draft) by the Free Software Foundation. + If the Document does not specify a version number of this License, + you may choose any version ever published (not as a draft) by the + Free Software Foundation.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="gfdl-9.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="gfdl-11.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>TERMINATION</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gfdl.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>How to use this License for your documents</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/gfdl-11.html b/Documentation/gfdl-11.html new file mode 100644 index 0000000..51d0779 --- /dev/null +++ b/Documentation/gfdl-11.html 
@@ -0,0 +1,158 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>How to use this License for your documents</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="GNU Free Documentation License" +HREF="gfdl.html"><LINK +REL="PREVIOUS" +TITLE="FUTURE REVISIONS OF THIS LICENSE" +HREF="gfdl-10.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="gfdl-10.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>GNU Free Documentation License</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +> </TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="GFDL-11" +>How to use this License for your documents</A +></H1 +><P +>To use this License in a document you have written, include + a copy of the License in the document and put the following + copyright and license notices just after the title page:</P +><A +NAME="AEN2615" +></A +><BLOCKQUOTE +CLASS="BLOCKQUOTE" +><P +> Copyright (c) YEAR YOUR NAME. + Permission is granted to copy, distribute and/or modify this document + under the terms of the GNU Free Documentation License, Version 1.1 + or any later version published by the Free Software Foundation; + with the Invariant Sections being LIST THEIR TITLES, with the + Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. 
+ A copy of the license is included in the section entitled "GNU + Free Documentation License".</P +></BLOCKQUOTE +><P +>If you have no Invariant Sections, write "with no Invariant + Sections" instead of saying which ones are invariant. If you have + no Front-Cover Texts, write "no Front-Cover Texts" instead of + "Front-Cover Texts being LIST"; likewise for Back-Cover + Texts.</P +><P +>If your document contains nontrivial examples of program + code, we recommend releasing these examples in parallel under your + choice of free software license, such as the GNU General Public + License, to permit their use in free software.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="gfdl-10.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +> </TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>FUTURE REVISIONS OF THIS LICENSE</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gfdl.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +> </TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/gfdl-2.html b/Documentation/gfdl-2.html new file mode 100644 index 0000000..50cd1b8 --- /dev/null +++ b/Documentation/gfdl-2.html 
@@ -0,0 +1,151 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>VERBATIM COPYING</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="GNU Free Documentation License" +HREF="gfdl.html"><LINK +REL="PREVIOUS" +TITLE="APPLICABILITY AND DEFINITIONS" +HREF="gfdl-1.html"><LINK +REL="NEXT" +TITLE="COPYING IN QUANTITY" +HREF="gfdl-3.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="gfdl-1.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>GNU Free Documentation License</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="gfdl-3.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="GFDL-2" +>VERBATIM COPYING</A +></H1 +><P +>You may copy and distribute the Document in any medium, + either commercially or noncommercially, provided that this + License, the copyright notices, and the license notice saying this + License applies to the Document are reproduced in all copies, and + that you add no other conditions whatsoever to those of this + License. You may not use technical measures to obstruct or + control the reading or further copying of the copies you make or + distribute. However, you may accept compensation in exchange for + copies. 
If you distribute a large enough number of copies you + must also follow the conditions in section 3.</P +><P +>You may also lend copies, under the same conditions stated + above, and you may publicly display copies.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="gfdl-1.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="gfdl-3.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>APPLICABILITY AND DEFINITIONS</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gfdl.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>COPYING IN QUANTITY</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/gfdl-3.html b/Documentation/gfdl-3.html new file mode 100644 index 0000000..3ec6c1a --- /dev/null +++ b/Documentation/gfdl-3.html 
@@ -0,0 +1,175 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>COPYING IN QUANTITY</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="GNU Free Documentation License" +HREF="gfdl.html"><LINK +REL="PREVIOUS" +TITLE="VERBATIM COPYING" +HREF="gfdl-2.html"><LINK +REL="NEXT" +TITLE="MODIFICATIONS" +HREF="gfdl-4.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="gfdl-2.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>GNU Free Documentation License</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="gfdl-4.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="GFDL-3" +>COPYING IN QUANTITY</A +></H1 +><P +>If you publish printed copies of the Document numbering more + than 100, and the Document's license notice requires Cover Texts, + you must enclose the copies in covers that carry, clearly and + legibly, all these Cover Texts: Front-Cover Texts on the front + cover, and Back-Cover Texts on the back cover. Both covers must + also clearly and legibly identify you as the publisher of these + copies. The front cover must present the full title with all + words of the title equally prominent and visible. You may add + other material on the covers in addition. 
Copying with changes + limited to the covers, as long as they preserve the title of the + Document and satisfy these conditions, can be treated as verbatim + copying in other respects.</P +><P +>If the required texts for either cover are too voluminous to + fit legibly, you should put the first ones listed (as many as fit + reasonably) on the actual cover, and continue the rest onto + adjacent pages.</P +><P +>If you publish or distribute Opaque copies of the Document + numbering more than 100, you must either include a + machine-readable Transparent copy along with each Opaque copy, or + state in or with each Opaque copy a publicly-accessible + computer-network location containing a complete Transparent copy + of the Document, free of added material, which the general + network-using public has access to download anonymously at no + charge using public-standard network protocols. If you use the + latter option, you must take reasonably prudent steps, when you + begin distribution of Opaque copies in quantity, to ensure that + this Transparent copy will remain thus accessible at the stated + location until at least one year after the last time you + distribute an Opaque copy (directly or through your agents or + retailers) of that edition to the public.</P +><P +>It is requested, but not required, that you contact the + authors of the Document well before redistributing any large + number of copies, to give them a chance to provide you with an + updated version of the Document.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="gfdl-2.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="gfdl-4.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>VERBATIM 
COPYING</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gfdl.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>MODIFICATIONS</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/gfdl-4.html b/Documentation/gfdl-4.html new file mode 100644 index 0000000..3c22b00 --- /dev/null +++ b/Documentation/gfdl-4.html 
@@ -0,0 +1,281 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>MODIFICATIONS</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="GNU Free Documentation License" +HREF="gfdl.html"><LINK +REL="PREVIOUS" +TITLE="COPYING IN QUANTITY" +HREF="gfdl-3.html"><LINK +REL="NEXT" +TITLE="COMBINING DOCUMENTS" +HREF="gfdl-5.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="gfdl-3.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>GNU Free Documentation License</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="gfdl-5.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="GFDL-4" +>MODIFICATIONS</A +></H1 +><P +>You may copy and distribute a Modified Version of the + Document under the conditions of sections 2 and 3 above, provided + that you release the Modified Version under precisely this + License, with the Modified Version filling the role of the + Document, thus licensing distribution and modification of the + Modified Version to whoever possesses a copy of it. In addition, + you must do these things in the Modified Version:</P +><P +></P +><OL +TYPE="A" +><LI +><P +>Use in the Title Page + (and on the covers, if any) a title distinct from that of the + Document, and from those of previous versions (which should, if + there were any, be listed in the History section of the + Document). 
You may use the same title as a previous version if + the original publisher of that version gives permission.</P +></LI +><LI +><P +>List on the Title Page, + as authors, one or more persons or entities responsible for + authorship of the modifications in the Modified Version, + together with at least five of the principal authors of the + Document (all of its principal authors, if it has less than + five).</P +></LI +><LI +><P +>State on the Title page + the name of the publisher of the Modified Version, as the + publisher.</P +></LI +><LI +><P +>Preserve all the + copyright notices of the Document.</P +></LI +><LI +><P +>Add an appropriate + copyright notice for your modifications adjacent to the other + copyright notices.</P +></LI +><LI +><P +>Include, immediately + after the copyright notices, a license notice giving the public + permission to use the Modified Version under the terms of this + License, in the form shown in the Addendum below.</P +></LI +><LI +><P +>Preserve in that license + notice the full lists of Invariant Sections and required Cover + Texts given in the Document's license notice.</P +></LI +><LI +><P +>Include an unaltered + copy of this License.</P +></LI +><LI +><P +>Preserve the section + entitled "History", and its title, and add to it an item stating + at least the title, year, new authors, and publisher of the + Modified Version as given on the Title Page. If there is no + section entitled "History" in the Document, create one stating + the title, year, authors, and publisher of the Document as given + on its Title Page, then add an item describing the Modified + Version as stated in the previous sentence.</P +></LI +><LI +><P +>Preserve the network + location, if any, given in the Document for public access to a + Transparent copy of the Document, and likewise the network + locations given in the Document for previous versions it was + based on. These may be placed in the "History" section. 
You + may omit a network location for a work that was published at + least four years before the Document itself, or if the original + publisher of the version it refers to gives permission.</P +></LI +><LI +><P +>In any section entitled + "Acknowledgements" or "Dedications", preserve the section's + title, and preserve in the section all the substance and tone of + each of the contributor acknowledgements and/or dedications + given therein.</P +></LI +><LI +><P +>Preserve all the + Invariant Sections of the Document, unaltered in their text and + in their titles. Section numbers or the equivalent are not + considered part of the section titles.</P +></LI +><LI +><P +>Delete any section + entitled "Endorsements". Such a section may not be included in + the Modified Version.</P +></LI +><LI +><P +>Do not retitle any + existing section as "Endorsements" or to conflict in title with + any Invariant Section.</P +></LI +></OL +><P +>If the Modified Version includes new front-matter sections + or appendices that qualify as Secondary Sections and contain no + material copied from the Document, you may at your option + designate some or all of these sections as invariant. To do this, + add their titles to the list of Invariant Sections in the Modified + Version's license notice. These titles must be distinct from any + other section titles.</P +><P +>You may add a section entitled "Endorsements", provided it + contains nothing but endorsements of your Modified Version by + various parties--for example, statements of peer review or that + the text has been approved by an organization as the authoritative + definition of a standard.</P +><P +>You may add a passage of up to five words as a Front-Cover + Text, and a passage of up to 25 words as a Back-Cover Text, to the + end of the list of Cover Texts in the Modified Version. Only one + passage of Front-Cover Text and one of Back-Cover Text may be + added by (or through arrangements made by) any one entity. 
If the + Document already includes a cover text for the same cover, + previously added by you or by arrangement made by the same entity + you are acting on behalf of, you may not add another; but you may + replace the old one, on explicit permission from the previous + publisher that added the old one.</P +><P +>The author(s) and publisher(s) of the Document do not by + this License give permission to use their names for publicity for + or to assert or imply endorsement of any Modified Version.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="gfdl-3.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="gfdl-5.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>COPYING IN QUANTITY</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gfdl.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>COMBINING DOCUMENTS</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/gfdl-5.html b/Documentation/gfdl-5.html new file mode 100644 index 0000000..82ea41a --- /dev/null +++ b/Documentation/gfdl-5.html 
@@ -0,0 +1,160 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>COMBINING DOCUMENTS</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="GNU Free Documentation License" +HREF="gfdl.html"><LINK +REL="PREVIOUS" +TITLE="MODIFICATIONS" +HREF="gfdl-4.html"><LINK +REL="NEXT" +TITLE="COLLECTIONS OF DOCUMENTS" +HREF="gfdl-6.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="gfdl-4.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>GNU Free Documentation License</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="gfdl-6.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="GFDL-5" +>COMBINING DOCUMENTS</A +></H1 +><P +>You may combine the Document with other documents released + under this License, under the terms defined in section 4 above for + modified versions, provided that you include in the combination + all of the Invariant Sections of all of the original documents, + unmodified, and list them all as Invariant Sections of your + combined work in its license notice.</P +><P +>The combined work need only contain one copy of this + License, and multiple identical Invariant Sections may be replaced + with a single copy. 
If there are multiple Invariant Sections with + the same name but different contents, make the title of each such + section unique by adding at the end of it, in parentheses, the + name of the original author or publisher of that section if known, + or else a unique number. Make the same adjustment to the section + titles in the list of Invariant Sections in the license notice of + the combined work.</P +><P +>In the combination, you must combine any sections entitled + "History" in the various original documents, forming one section + entitled "History"; likewise combine any sections entitled + "Acknowledgements", and any sections entitled "Dedications". You + must delete all sections entitled "Endorsements."</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="gfdl-4.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="gfdl-6.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>MODIFICATIONS</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gfdl.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>COLLECTIONS OF DOCUMENTS</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/gfdl-6.html b/Documentation/gfdl-6.html new file mode 100644 index 0000000..61386de --- /dev/null +++ b/Documentation/gfdl-6.html 
@@ -0,0 +1,150 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>COLLECTIONS OF DOCUMENTS</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="GNU Free Documentation License" +HREF="gfdl.html"><LINK +REL="PREVIOUS" +TITLE="COMBINING DOCUMENTS" +HREF="gfdl-5.html"><LINK +REL="NEXT" +TITLE="AGGREGATION WITH INDEPENDENT WORKS" +HREF="gfdl-7.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="gfdl-5.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>GNU Free Documentation License</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="gfdl-7.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="GFDL-6" +>COLLECTIONS OF DOCUMENTS</A +></H1 +><P +>You may make a collection consisting of the Document and + other documents released under this License, and replace the + individual copies of this License in the various documents with a + single copy that is included in the collection, provided that you + follow the rules of this License for verbatim copying of each of + the documents in all other respects.</P +><P +>You may extract a single document from such a collection, + and distribute it individually under this License, provided you + insert a copy of this License into the extracted document, and + follow this License in all other respects regarding verbatim + copying of that document.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" 
+BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="gfdl-5.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="gfdl-7.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>COMBINING DOCUMENTS</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gfdl.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>AGGREGATION WITH INDEPENDENT WORKS</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/gfdl-7.html b/Documentation/gfdl-7.html new file mode 100644 index 0000000..4c81df5 --- /dev/null +++ b/Documentation/gfdl-7.html 
@@ -0,0 +1,154 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>AGGREGATION WITH INDEPENDENT WORKS</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="GNU Free Documentation License" +HREF="gfdl.html"><LINK +REL="PREVIOUS" +TITLE="COLLECTIONS OF DOCUMENTS" +HREF="gfdl-6.html"><LINK +REL="NEXT" +TITLE="TRANSLATION" +HREF="gfdl-8.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="gfdl-6.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>GNU Free Documentation License</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="gfdl-8.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="GFDL-7" +>AGGREGATION WITH INDEPENDENT WORKS</A +></H1 +><P +>A compilation of the Document or its derivatives with other + separate and independent documents or works, in or on a volume of + a storage or distribution medium, does not as a whole count as a + Modified Version of the Document, provided no compilation + copyright is claimed for the compilation. 
Such a compilation is + called an "aggregate", and this License does not apply to the + other self-contained works thus compiled with the Document, on + account of their being thus compiled, if they are not themselves + derivative works of the Document.</P +><P +>If the Cover Text requirement of section 3 is applicable to + these copies of the Document, then if the Document is less than + one quarter of the entire aggregate, the Document's Cover Texts + may be placed on covers that surround only the Document within the + aggregate. Otherwise they must appear on covers around the whole + aggregate.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="gfdl-6.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="gfdl-8.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>COLLECTIONS OF DOCUMENTS</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gfdl.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>TRANSLATION</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/gfdl-8.html b/Documentation/gfdl-8.html new file mode 100644 index 0000000..f381e78 --- /dev/null +++ b/Documentation/gfdl-8.html 
@@ -0,0 +1,149 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>TRANSLATION</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="GNU Free Documentation License" +HREF="gfdl.html"><LINK +REL="PREVIOUS" +TITLE="AGGREGATION WITH INDEPENDENT WORKS" +HREF="gfdl-7.html"><LINK +REL="NEXT" +TITLE="TERMINATION" +HREF="gfdl-9.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="gfdl-7.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>GNU Free Documentation License</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="gfdl-9.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="GFDL-8" +>TRANSLATION</A +></H1 +><P +>Translation is considered a kind of modification, so you may + distribute translations of the Document under the terms of section + 4. Replacing Invariant Sections with translations requires + special permission from their copyright holders, but you may + include translations of some or all Invariant Sections in addition + to the original versions of these Invariant Sections. You may + include a translation of this License provided that you also + include the original English version of this License. 
In case of + a disagreement between the translation and the original English + version of this License, the original English version will + prevail.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="gfdl-7.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="gfdl-9.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>AGGREGATION WITH INDEPENDENT WORKS</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gfdl.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>TERMINATION</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/gfdl-9.html b/Documentation/gfdl-9.html new file mode 100644 index 0000000..28f1a56 --- /dev/null +++ b/Documentation/gfdl-9.html 
@@ -0,0 +1,146 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>TERMINATION</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="GNU Free Documentation License" +HREF="gfdl.html"><LINK +REL="PREVIOUS" +TITLE="TRANSLATION" +HREF="gfdl-8.html"><LINK +REL="NEXT" +TITLE="FUTURE REVISIONS OF THIS LICENSE" +HREF="gfdl-10.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="gfdl-8.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>GNU Free Documentation License</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="gfdl-10.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="GFDL-9" +>TERMINATION</A +></H1 +><P +>You may not copy, modify, sublicense, or distribute the + Document except as expressly provided for under this License. Any + other attempt to copy, modify, sublicense or distribute the + Document is void, and will automatically terminate your rights + under this License. 
However, parties who have received copies, or + rights, from you under this License will not have their licenses + terminated so long as such parties remain in full + compliance.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="gfdl-8.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="gfdl-10.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>TRANSLATION</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gfdl.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>FUTURE REVISIONS OF THIS LICENSE</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/gfdl.html b/Documentation/gfdl.html new file mode 100644 index 0000000..bb69869 --- /dev/null +++ b/Documentation/gfdl.html 
@@ -0,0 +1,175 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>GNU Free Documentation License</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="PREVIOUS" +TITLE=" rvnamed Messages" +HREF="rvnamedmessages.html"><LINK +REL="NEXT" +TITLE="APPLICABILITY AND DEFINITIONS" +HREF="gfdl-1.html"></HEAD +><BODY +CLASS="APPENDIX" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="rvnamedmessages.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="gfdl-1.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="APPENDIX" +><H1 +><A +NAME="GFDL" +>GNU Free Documentation License</A +></H1 +><P +>Version 1.1, March 2000</P +><A +NAME="AEN2525" +></A +><BLOCKQUOTE +CLASS="BLOCKQUOTE" +><P +>Copyright (C) 2000 Free Software Foundation, Inc. +59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +Everyone is permitted to copy and distribute verbatim copies +of this license document, but changing it is not allowed.</P +></BLOCKQUOTE +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="GFDL-0" +>PREAMBLE</A +></H1 +><P +>The purpose of this License is to make a manual, textbook, + or other written document "free" in the sense of freedom: to + assure everyone the effective freedom to copy and redistribute it, + with or without modifying it, either commercially or + noncommercially. 
Secondarily, this License preserves for the + author and publisher a way to get credit for their work, while not + being considered responsible for modifications made by + others.</P +><P +>This License is a kind of "copyleft", which means that + derivative works of the document must themselves be free in the + same sense. It complements the GNU General Public License, which + is a copyleft license designed for free software.</P +><P +>We have designed this License in order to use it for manuals + for free software, because free software needs free documentation: + a free program should come with manuals providing the same + freedoms that the software does. But this License is not limited + to software manuals; it can be used for any textual work, + regardless of subject matter or whether it is published as a + printed book. We recommend this License principally for works + whose purpose is instruction or reference.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="rvnamedmessages.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="gfdl-1.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>rvnamed Messages</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>APPLICABILITY AND DEFINITIONS</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/hostmon.html b/Documentation/hostmon.html new file mode 100644 index 0000000..c97b87b --- /dev/null +++ b/Documentation/hostmon.html 
@@ -0,0 +1,267 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>LAN Station Statistics</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="PREVIOUS" +TITLE="TCP and UDP Traffic Statistics" +HREF="servmon.html"><LINK +REL="NEXT" +TITLE="Additional Information" +HREF="morelanmoninfo.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="servmon.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="morelanmoninfo.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="HOSTMON" +>LAN Station Statistics</A +></H1 +><P +> The LAN station monitor (Ethernet station monitor on versions prior to + 1.3.0) discovers MAC addresses and displays statistics on the number + of incoming, and outgoing packets. It also includes figures for incoming + and outgoing kilobits per second for each discovered station.</P +><P +> The entry above each line of statistics is the station's LAN + type (Ethernet, PLIP, Token Ring, or FDDI) and the hardware MAC address. 
+ Each statistics line consists of the following information:</P +><P +></P +><UL +COMPACT="COMPACT" +><LI +STYLE="list-style-type: disc" +><P +>Total packets incoming</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>IP packets incoming</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Total bytes incoming</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Incoming rate</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Total packets outgoing</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>IP packets outgoing</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Total bytes outgoing</P +></LI +><LI +STYLE="list-style-type: disc" +><P +>Outgoing rate</P +></LI +></UL +><P +> The byte counts include the data link header. The activity + indicators can be set to display kbits/s or kbytes/s with the <I +CLASS="EMPHASIS" +>Activity + mode</I +> configuration option.</P +><P +> This facility works only for Ethernet, PLIP, Token Ring, and + FDDI frames. Loopback. ISDN, and SLIP/PPP networks are not monitored here.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN1268" +></A +><P +><IMG +SRC="iptraf-hw.png"></P +><P +><B +>Figure 1. The LAN station monitor</B +></P +></DIV +><P +> Copies of the statistics are written to a log file at regular intervals + if logging is enabled. The default log file name + is <TT +CLASS="FILENAME" +>lan_statistics-<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +>.log</TT +>, where n is the instance number of this facility + (for example, if this is the first instance, the generated default log + file name is <TT +CLASS="FILENAME" +>lan_statistics-1.log</TT +>).</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="SORTINGLAN" +>Sorting the LAN Station Monitor Entries</A +></H1 +><P +> Press S to sort the entries. A box will pop up and display the + keys you can press to select the field by which the entries will + be sorted. 
Press P to sort by total incoming packets, I to sort by + incoming IP packets, B to sort by total incoming bytes, K to sort + by total outgoing packets, O to sort by outgoing IP packets, and Y to + sort by total outgoing bytes. Pressing any other key cancels the sort.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN1278" +></A +><P +><IMG +SRC="iptraf-hwsort.png"></P +><P +><B +>Figure 2. The LAN station monitor's sort criteria</B +></P +></DIV +><P +> When started from the command line, the log filename and log interval can be + specified with the <TT +CLASS="COMPUTEROUTPUT" +>-L</TT +> and <TT +CLASS="COMPUTEROUTPUT" +>-I</TT +> + parameters respectively. See the <A +HREF="cmdline.html" +>Command-line Parameters</A +> + section above for more information.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="servmon.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="morelanmoninfo.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>TCP and UDP Traffic Statistics</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Additional Information</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/ifaces.html b/Documentation/ifaces.html new file mode 100644 index 0000000..aca39db --- /dev/null +++ b/Documentation/ifaces.html 
@@ -0,0 +1,474 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Supported Network Interfaces</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Preparing to Use IPTraf" +HREF="preparingtouse.html"><LINK +REL="PREVIOUS" +TITLE="Screen Update Delays" +HREF="updates.html"><LINK +REL="NEXT" +TITLE="The IP Traffic Monitor" +HREF="itrafmon.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="updates.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Preparing to Use IPTraf</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="itrafmon.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="IFACES" +>Supported Network Interfaces</A +></H1 +><P +> IPTraf currently supports the following network interface types and names.</P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="FILENAME" +>lo</TT +></DT +><DD +><P +> The loopback interface. Every machine has one, and has an IP address + of 127.0.0.1. <TT +CLASS="FILENAME" +>lo</TT +> is also indicated if data + is detected on the +<TT +CLASS="FILENAME" +>dummy<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +> interface(s).</P +></DD +><DT +><TT +CLASS="FILENAME" +>eth<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +> An Ethernet interface. <TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +> starts from 0. 
+ Therefore, <TT +CLASS="FILENAME" +>eth0</TT +> refers to the first + Ethernet interface, <TT +CLASS="FILENAME" +>eth1</TT +> to the second, and + so on. Most machines only have one.</P +></DD +><DT +><TT +CLASS="FILENAME" +>fddi<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +> An FDDI interface. <TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +> starts from 0.</P +></DD +><DT +><TT +CLASS="FILENAME" +>tr<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +> A Token Ring interface, where <TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +> starts from 0.</P +></DD +><DT +><TT +CLASS="FILENAME" +>ppp<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +> A PPP interface. <TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +> starts from 0.</P +></DD +><DT +><TT +CLASS="FILENAME" +>sli<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +>A SLIP interface. <TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +> starts from 0.</P +></DD +><DT +><TT +CLASS="FILENAME" +>ippp<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +> A synchronous PPP interface using ISDN. +<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +> starts from 0.</P +></DD +><DT +><TT +CLASS="FILENAME" +>isdn<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +> ISDN interfaces can be given arbitrary names, but for them to work + with IPTraf, they must + be named <TT +CLASS="FILENAME" +>isdn<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +>. + IPTraf supports synchronous PPP + (the <TT +CLASS="FILENAME" +>ippp<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +> + interfaces above), raw IP, and Cisco-HDLC encapsulation.</P +></DD +><DT +><TT +CLASS="FILENAME" +>plip<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +> PLIP interfaces. 
These are point-to-point IP connections using the PC + parallel port.</P +></DD +><DT +><TT +CLASS="FILENAME" +>ipsec<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +> This refers to Free s/WAN (and possibly other) logical VPN interfaces.</P +></DD +><DT +><TT +CLASS="FILENAME" +>sbni<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +> SBNI long-range modem interfaces</P +></DD +><DT +><TT +CLASS="FILENAME" +>dvb<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +>, +<TT +CLASS="FILENAME" +>sm200</TT +>, <TT +CLASS="FILENAME" +>sm300</TT +></DT +><DD +><P +> DVB satellite-receive interfaces</P +></DD +><DT +><TT +CLASS="FILENAME" +>wlan<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +>, +<TT +CLASS="FILENAME" +>wvlan<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +> Wireless LAN interfaces</P +></DD +><DT +><TT +CLASS="FILENAME" +>tun<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +>general logical tunnel interfaces</P +></DD +><DT +><TT +CLASS="FILENAME" +>brg<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +>general logical bridge interfaces</P +></DD +><DT +><TT +CLASS="FILENAME" +>hdlc<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +> Frame Relay base (FRAD) interfaces (non-PVC)</P +></DD +><DT +><TT +CLASS="FILENAME" +>pvc<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +></DT +><DD +><P +> Frame Relay Permanent Virtual Circuit interfaces</P +></DD +></DL +></DIV +><P +> Your system's network interfaces must be named according + to the schemes specified above.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="updates.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" 
+><A +HREF="itrafmon.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Screen Update Delays</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="preparingtouse.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>The IP Traffic Monitor</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/installation.html b/Documentation/installation.html new file mode 100644 index 0000000..6fcbcf0 --- /dev/null +++ b/Documentation/installation.html 
@@ -0,0 +1,698 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +> Installation</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Getting Started" +HREF="gettingstarted.html"><LINK +REL="PREVIOUS" +TITLE="Getting Started" +HREF="gettingstarted.html"><LINK +REL="NEXT" +TITLE=" Upgrading from Earlier Versions" +HREF="upgrading.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="gettingstarted.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Getting Started</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="upgrading.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="INSTALLATION" +>Installation</A +></H1 +><P +> IPTraf is most readily available on the Internet, but some may receive + it on a diskette. 
Here are the instructions for both types + of distributions.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN97" +>System Requirements</A +></H2 +><P +>IPTraf requires:</P +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN100" +>Hardware Requirements</A +></H3 +><P +></P +><UL +COMPACT="COMPACT" +><LI +STYLE="list-style-type: disc" +><P +> 16 megabytes of physical RAM (more recommended, at least 64 MB for very busy networks)</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> 2 megabytes of free disk space for installation (more will be needed if you log high amounts of traffic over time)</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> Pentium-class processor or higher (Pentium-II 200 MHz or higher recommended) or equivalent.</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> One or more of the supported network interfaces.</P +></LI +></UL +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN111" +>Operating System Requirements</A +></H3 +><P +></P +><UL +COMPACT="COMPACT" +><LI +STYLE="list-style-type: disc" +><P +> Linux kernel 2.2.0 or higher</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> GNU C Library 2.1 or later</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> ncurses 4.2 or later with the complete terminfo database in + <TT +CLASS="FILENAME" +>/usr/share/terminfo</TT +>. Support for + <TT +CLASS="COMPUTEROUTPUT" +>linux</TT +>, <TT +CLASS="COMPUTEROUTPUT" +>vt100</TT +>, + <TT +CLASS="COMPUTEROUTPUT" +>xterm</TT +>, + <TT +CLASS="COMPUTEROUTPUT" +>xterm-color</TT +> recommended. 
</P +></LI +></UL +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN125" +>Compilation Requirements</A +></H3 +><P +>The following components are required when compiling IPTraf from the +source code.</P +><P +></P +><UL +COMPACT="COMPACT" +><LI +STYLE="list-style-type: disc" +><P +> gcc 2.7.2.3 or later</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> GNU C (glibc) development library 2.1 or later</P +></LI +><LI +STYLE="list-style-type: disc" +><P +> ncurses development libraries 4.2 or later</P +></LI +></UL +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN135" +>Availability</A +></H2 +><P +> IPTraf can be downloaded from the Internet from the official FTP site at + <A +HREF="ftp://iptraf.seul.org/pub/iptraf/" +TARGET="_top" +>ftp://iptraf.seul.org/pub/iptraf/</A +>.</P +><P +> The software is available in source form in + compressed +<TT +CLASS="FILENAME" +>.tar.gz</TT +> files named +<TT +CLASS="FILENAME" +>iptraf-<TT +CLASS="REPLACEABLE" +><I +>x.y.z</I +></TT +>.tar.gz</TT +> where +<TT +CLASS="FILENAME" +><TT +CLASS="REPLACEABLE" +><I +>x.y.z</I +></TT +></TT +> + is the version number. Precompiled ready-to-run software is available in + the +<TT +CLASS="FILENAME" +>iptraf-<TT +CLASS="REPLACEABLE" +><I +>x.y.z.machinetype</I +></TT +>.bin.tar.gz</TT +> + files. (<TT +CLASS="FILENAME" +><TT +CLASS="REPLACEABLE" +><I +>machinetype</I +></TT +></TT +> indicates + what platform the precompiled binaries run on. The official distribution + will only be for the Intel x86 architecture indicated as +<TT +CLASS="FILENAME" +>i386</TT +>.)</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN150" +>Installing Downloaded Packages</A +></H2 +><P +> You will need to have GNU tar and GNU zip installed. 
All + modern Linux installations already have these utilities ready.</P +><P +></P +><OL +TYPE="1" +><LI +><P +> + Decompress the <TT +CLASS="FILENAME" +>.tar.gz</TT +> file by entering</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="90%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>tar zxvf iptraf-<TT +CLASS="REPLACEABLE" +><I +>x.y.z</I +></TT +>.tar.gz</PRE +></TD +></TR +></TABLE +><P +> for the source code or</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="90%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>tar zxvf iptraf-<TT +CLASS="REPLACEABLE" +><I +>x.y.z</I +></TT +>.i386.bin.tar.gz</PRE +></TD +></TR +></TABLE +><P +>for the precompiled x86 programs.</P +><P +>If your tar doesn't support the z option, you can separately +decompress the <TT +CLASS="FILENAME" +>.tar.gz</TT +> file +then extract the resulting <TT +CLASS="FILENAME" +>.tar</TT +> archive.</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="90%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>gunzip iptraf-<TT +CLASS="REPLACEABLE" +><I +>x.y.z</I +></TT +>.tar.gz +tar xvf iptraf-<TT +CLASS="REPLACEABLE" +><I +>x.y.z</I +></TT +>.tar</PRE +></TD +></TR +></TABLE +><P +>This will decompress the sources into a directory called +<TT +CLASS="FILENAME" +>iptraf-<TT +CLASS="REPLACEABLE" +><I +>x.y.z</I +></TT +></TT +> (source code) +or +<TT +CLASS="FILENAME" +>iptraf-<TT +CLASS="REPLACEABLE" +><I +>x.y.z</I +></TT +>.bin</TT +> +(precompiled). + (<TT +CLASS="REPLACEABLE" +><I +>x.y.z</I +></TT +> here should be the IPTraf version number +you're installing, like <TT +CLASS="FILENAME" +>3.0.0</TT +>).</P +></LI +><LI +><P +>Change to the created top level directory.</P +></LI +><LI +><P +>To compile and install the software, run the Setup program by entering</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="90%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>./Setup</PRE +></TD +></TR +></TABLE +><P +> while you are logged in as root. 
The Setup script will recognize the + source distribution and compile the software before installing. It + will immediately install a precompiled distribution.</P +></LI +></OL +><P +> The resulting binaries will be placed in the +<TT +CLASS="FILENAME" +>/usr/local/bin</TT +> directory. + All needed directories will also be created.</P +><P +> After installation, you will be asked if you want to + read the <TT +CLASS="FILENAME" +>RELEASE-NOTES</TT +> file. It is recommended that you do so at + that point, since the <TT +CLASS="FILENAME" +>RELEASE-NOTES</TT +> file + contains important information about the new version.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN187" +>Installing a Floppy Distribution</A +></H2 +><P +> If you received IPTraf + on a diskette, the sources are already decompressed. The diskette is + in Second Extended filesystem format. Perform the following steps to + install the software. </P +><P +></P +><OL +TYPE="1" +><LI +><P +>Insert the floppy in the drive.</P +></LI +><LI +><P +>Mount the floppy on an empty directory. For example, to +mount the floppy in the first floppy drive under a directory +called <TT +CLASS="FILENAME" +>/mnt</TT +>, enter</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="90%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>mount -t ext2 /dev/fd0 /mnt</PRE +></TD +></TR +></TABLE +><P +> This assumes your floppy is in + <TT +CLASS="FILENAME" +>/dev/fd0</TT +>. You can use any empty directory in place + of <TT +CLASS="FILENAME" +>/mnt</TT +>. With most Linux installations, this will work fine.</P +></LI +><LI +><P +> After mounting, change +to the <TT +CLASS="FILENAME" +>/mnt</TT +> (or whatever) directory.</P +></LI +><LI +><P +>Enter</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="90%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>./Setup</PRE +></TD +></TR +></TABLE +><P +> while logged in as root. 
Setup will determine whether the diskette + contains a source code distribution or + ready-to-run precompiled software. This will copy the binaries to + <TT +CLASS="FILENAME" +>/usr/local/bin</TT +>, and + create the necessary working directories.</P +></LI +><LI +><P +>Unmount the diskette by typing</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="90%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>umount /mnt</PRE +></TD +></TR +></TABLE +><P +> (That's <I +CLASS="EMPHASIS" +>u</I +>mount, not <I +CLASS="EMPHASIS" +>un</I +>mount.)</P +><P +> You can then eject the diskette. Store it in a safe place.</P +><P +> You will also be asked if you want to view the +<TT +CLASS="FILENAME" +>RELEASE-NOTES</TT +> file. It is + recommended that you do so at that point.</P +><P +> In both cases (downloaded and floppy), the installation will store the + program in <TT +CLASS="FILENAME" +>/usr/local/bin</TT +> with the binaries owned by + user root, readable, writable, and executable by the owner, + no permissions for the group, no permissions for all others. (700 octal, + or <TT +CLASS="COMPUTEROUTPUT" +>-rwx------</TT +>).</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="90%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> You must be <TT +CLASS="FILENAME" +>root</TT +> to + do the installation. The old style of installation (<B +CLASS="COMMAND" +>cd src;make + install</B +>) + is still supported.</P +></TD +></TR +></TABLE +></DIV +></LI +></OL +><P +> Be sure <TT +CLASS="FILENAME" +>/usr/local/bin</TT +> is included in + your environment's <TT +CLASS="ENVAR" +>PATH</TT +> variable. 
You can + edit the appropriate command in your login customization + file (<TT +CLASS="FILENAME" +>.profile</TT +> for the Bourne-type shells, + <TT +CLASS="FILENAME" +>.cshrc</TT +> for the C shell and its relatives).</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="gettingstarted.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="upgrading.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Getting Started</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gettingstarted.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Upgrading from Earlier Versions</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file
diff --git a/Documentation/instances.html b/Documentation/instances.html
new file mode 100644
index 0000000..a8aba95
--- /dev/null
+++ b/Documentation/instances.html
@@ -0,0 +1,201 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Instances and Logging</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Preparing to Use IPTraf" +HREF="preparingtouse.html"><LINK +REL="PREVIOUS" +TITLE="Preparing to Use IPTraf" +HREF="preparingtouse.html"><LINK +REL="NEXT" +TITLE="Screen Update Delays" +HREF="updates.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="preparingtouse.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Preparing to Use IPTraf</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="updates.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="INSTANCES" +>Instances and Logging</A +></H1 +><P +> Since version 2.4, IPTraf allows multiple instances of the + facilities at the same time in different processes (for example, you can + now run two or more IP Traffic Monitors at the same time). + However only one can listen on a specific interface or all interfaces + at once. The only exception is the general interface + statistics, which is still restricted to only one instance at a time.</P +><P +> Because of this relaxation, each instance now generates log files with + unique names for instances, depending on either their instance + or the interface they're listening on. 
If the <I +CLASS="EMPHASIS" +>Logging</I +> option is turned + on (see the <A +HREF="config.html" +>Configuration</A +> chapter), IPTraf + will prompt you for a log file name while presenting a + default. You may accept this default or change it. Press Enter + to accept, or Ctrl+X to cancel. Canceling will turn logging off for that + particular session.</P +><P +> If you don't specify an absolute path, the log file will be placed + in <TT +CLASS="FILENAME" +>/var/log/iptraf</TT +>.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN419" +></A +><P +><IMG +SRC="iptraf-logprompt.png"></P +><P +><B +>Figure 1. The logfile prompt dialog</B +></P +></DIV +><P +> See the Logging section +in the <A +HREF="config.html" +>Configuration</A +> chapter for +detailed information on logging. See also the documentation on +each statistical facility for the default log file names.</P +><P +> The default log file names will also be used +if the <TT +CLASS="COMPUTEROUTPUT" +>-B</TT +> parameter is used + to run IPTraf in the background. You can override the defaults with the + <TT +CLASS="COMPUTEROUTPUT" +>-L</TT +> parameter. See +<A +HREF="backop.html" +>Background Operation</A +> in Chapter 9.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="preparingtouse.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="updates.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Preparing to Use IPTraf</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="preparingtouse.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Screen Update Delays</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file 
diff --git a/Documentation/iptraf-configmenu.png b/Documentation/iptraf-configmenu.png
new file mode 100644
index 0000000..cf4a9ad
Binary files /dev/null and b/Documentation/iptraf-configmenu.png differ
diff --git a/Documentation/iptraf-dstat1.png b/Documentation/iptraf-dstat1.png
new file mode 100644
index 0000000..d56c5d5
Binary files /dev/null and b/Documentation/iptraf-dstat1.png differ
diff --git a/Documentation/iptraf-editfilter.png b/Documentation/iptraf-editfilter.png
new file mode 100644
index 0000000..3db0bf7
Binary files /dev/null and b/Documentation/iptraf-editfilter.png differ
diff --git a/Documentation/iptraf-filtermenu.png b/Documentation/iptraf-filtermenu.png
new file mode 100644
index 0000000..1298e3e
Binary files /dev/null and b/Documentation/iptraf-filtermenu.png differ
diff --git a/Documentation/iptraf-gstat1.png b/Documentation/iptraf-gstat1.png
new file mode 100644
index 0000000..b333cd1
Binary files /dev/null and b/Documentation/iptraf-gstat1.png differ
diff --git a/Documentation/iptraf-hw.png b/Documentation/iptraf-hw.png
new file mode 100644
index 0000000..f874f97
Binary files /dev/null and b/Documentation/iptraf-hw.png differ
diff --git a/Documentation/iptraf-hwsort.png b/Documentation/iptraf-hwsort.png
new file mode 100644
index 0000000..11497f3
Binary files /dev/null and b/Documentation/iptraf-hwsort.png differ
diff --git a/Documentation/iptraf-ipfltdlg.png b/Documentation/iptraf-ipfltdlg.png
new file mode 100644
index 0000000..e8de177
Binary files /dev/null and b/Documentation/iptraf-ipfltdlg.png differ
diff --git a/Documentation/iptraf-ipfltlist.png b/Documentation/iptraf-ipfltlist.png
new file mode 100644
index 0000000..1595311
Binary files /dev/null and b/Documentation/iptraf-ipfltlist.png differ
diff --git a/Documentation/iptraf-ipfltmenu.png b/Documentation/iptraf-ipfltmenu.png
new file mode 100644
index 0000000..db117b4
Binary files /dev/null and b/Documentation/iptraf-ipfltmenu.png differ
diff --git a/Documentation/iptraf-ipfltnamedlg.png b/Documentation/iptraf-ipfltnamedlg.png
new file mode 100644
index 0000000..2354174
Binary files /dev/null and b/Documentation/iptraf-ipfltnamedlg.png differ
diff --git a/Documentation/iptraf-iptm1.png b/Documentation/iptraf-iptm1.png
new file mode 100644
index 0000000..d66ce51
Binary files /dev/null and b/Documentation/iptraf-iptm1.png differ
diff --git a/Documentation/iptraf-iptmsort.png b/Documentation/iptraf-iptmsort.png
new file mode 100644
index 0000000..8158d21
Binary files /dev/null and b/Documentation/iptraf-iptmsort.png differ
diff --git a/Documentation/iptraf-logprompt.png b/Documentation/iptraf-logprompt.png
new file mode 100644
index 0000000..e6927d8
Binary files /dev/null and b/Documentation/iptraf-logprompt.png differ
diff --git a/Documentation/iptraf-mmenu.png b/Documentation/iptraf-mmenu.png
new file mode 100644
index 0000000..f7212a3
Binary files /dev/null and b/Documentation/iptraf-mmenu.png differ
diff --git a/Documentation/iptraf-othipfltdefine.png b/Documentation/iptraf-othipfltdefine.png
new file mode 100644
index 0000000..671913a
Binary files /dev/null and b/Documentation/iptraf-othipfltdefine.png differ
diff --git a/Documentation/iptraf-othipfltdlg.png b/Documentation/iptraf-othipfltdlg.png
new file mode 100644
index 0000000..5c72886
Binary files /dev/null and b/Documentation/iptraf-othipfltdlg.png differ
diff --git a/Documentation/iptraf-othipfltselect.png b/Documentation/iptraf-othipfltselect.png
new file mode 100644
index 0000000..1c21a0e
Binary files /dev/null and b/Documentation/iptraf-othipfltselect.png differ
diff --git a/Documentation/iptraf-pktsize.png b/Documentation/iptraf-pktsize.png
new file mode 100644
index 0000000..10902a2
Binary files /dev/null and b/Documentation/iptraf-pktsize.png differ
diff --git a/Documentation/iptraf-tcpflt-dlg2.png b/Documentation/iptraf-tcpflt-dlg2.png
new file mode 100644
index 0000000..b63928c
Binary files /dev/null and b/Documentation/iptraf-tcpflt-dlg2.png differ
diff --git a/Documentation/iptraf-tcpfltmenu.png b/Documentation/iptraf-tcpfltmenu.png
new file mode 100644
index 0000000..d7a1884
Binary files /dev/null and b/Documentation/iptraf-tcpfltmenu.png differ
diff --git a/Documentation/iptraf-tcpudp.png b/Documentation/iptraf-tcpudp.png
new file mode 100644
index 0000000..a68b2d6
Binary files /dev/null and b/Documentation/iptraf-tcpudp.png differ
diff --git a/Documentation/iptraf-tcpudpsort.png b/Documentation/iptraf-tcpudpsort.png
new file mode 100644
index 0000000..a7e7950
Binary files /dev/null and b/Documentation/iptraf-tcpudpsort.png differ
diff --git a/Documentation/iptraf-timermenu.png b/Documentation/iptraf-timermenu.png
new file mode 100644
index 0000000..7d1b6c4
Binary files /dev/null and b/Documentation/iptraf-timermenu.png differ
diff --git a/Documentation/iptraf.xpm b/Documentation/iptraf.xpm
new file mode 100644
index 0000000..96aec98
--- /dev/null
+++ b/Documentation/iptraf.xpm
@@ -0,0 +1,10 @@
+/* XPM */
+static char * iptraf_xpm[] = {
+"5 5 2 1",
+" c None",
+". c #15FF00",
+" ... ",
+".....",
+".....",
+".....",
+" ... "};
diff --git a/Documentation/itrafmon.html b/Documentation/itrafmon.html
new file mode 100644
index 0000000..99b4b30
--- /dev/null
+++ b/Documentation/itrafmon.html
@@ -0,0 +1,844 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>The IP Traffic Monitor</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="PREVIOUS" +TITLE="Supported Network Interfaces" +HREF="ifaces.html"><LINK +REL="NEXT" +TITLE="Lower Window" +HREF="lowerwin.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="ifaces.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="lowerwin.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="ITRAFMON" +>The IP Traffic Monitor</A +></H1 +><P +> Executing the first menu item or specifying <TT +CLASS="COMPUTEROUTPUT" +>-i</TT +> + to the <B +CLASS="COMMAND" +>iptraf</B +> command takes you to the IP traffic monitor. The traffic + monitor is a real-time monitoring system that intercepts all packets + on all detected network interfaces, decodes the IP information on all IP packets and + displays the appropriate information, most notably the + source and destination addresses. It also + determines the encapsulated protocol within the IP packet, and + displays some important information about that as well.</P +><P +> There are two windows in the traffic monitor, both of which can be + scrolled with the Up and Down cursor keys. 
Just press W to + move the <TT +CLASS="COMPUTEROUTPUT" +>Active</TT +> indicator to the window you + want to control.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN566" +></A +><P +><IMG +SRC="iptraf-iptm1.png"></P +><P +><B +>Figure 1. The IP traffic monitor</B +></P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="UPPERWIN" +>The Upper Window</A +></H1 +><P +> The upper window of the traffic monitor displays the currently + detected TCP + connections. Information about TCP packets are displayed here. The + window contains these pieces of information:</P +><P +></P +><UL +COMPACT="COMPACT" +><LI +><P +>Source address and port</P +></LI +><LI +><P +>Packet count</P +></LI +><LI +><P +>Byte count</P +></LI +><LI +><P +>Source MAC address</P +></LI +><LI +><P +>Packet Size</P +></LI +><LI +><P +>Window Size</P +></LI +><LI +><P +>TCP flag statuses</P +></LI +><LI +><P +>Interface</P +></LI +></UL +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Previous versions of IPTraf showed + both the source and destination addresses on each line. IPTraf 2 and +higher show +only the <TT +CLASS="COMPUTEROUTPUT" +><TT +CLASS="REPLACEABLE" +><I +>source +host</I +></TT +>:<TT +CLASS="REPLACEABLE" +><I +>port</I +></TT +></TT +> combination to save +on screen real estate. TCP + connection endpoints are still indicated with the green + brackets (on color terminals) along the left edge of the screen.</P +></TD +></TR +></TABLE +></DIV +><P +> The Up and Down cursor keys move an indicator bar between entries in the + TCP monitor, scrolling the window if necessary. 
The PgUp and PgDn keys + display the previous and next screenfuls of entries respectively.</P +><P +> The IP traffic monitor computes the data flow rate + of the currently highlighted TCP flow and displays it on the lower-right + corner of the screen. The flow rate is in kilobits or kilobytes per + second depending on the <I +CLASS="EMPHASIS" +>Activity mode</I +> switch +in the <I +CLASS="EMPHASIS" +><A +HREF="config.html" +>Configure...</A +></I +> menu.</P +><P +> Because this monitoring system relies solely on packet information, it + does not determine which endpoint initiated the connection. In other + words, it does not know which endpoints are the client and server. + This is necessary because it can operate in promiscuous + mode, and as such cannot determine the socket statuses for other + machines on the LAN. However, a little knowledge of the well-known TCP +port numbers can give a good idea about which address is that of the server.</P +><P +> The system therefore displays two entries for each connection, one for + each direction of the TCP connection. To make it easier to determine the + direction pairs of each connection, a bracket is used to "join" both + together. This bracket appears at the leftmost part of each entry.</P +><P +> Just because a host entry appears at the upper end of a + connection bracket doesn't mean it was the initiator of the connection.</P +><P +> Each entry in the window contains these fields:</P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><I +CLASS="EMPHASIS" +>Source address and port</I +></DT +><DD +><P +> The source address and port indicator is +in <TT +CLASS="REPLACEABLE" +><I +>address</I +></TT +>:<TT +CLASS="REPLACEABLE" +><I +>port</I +></TT +> format. 
+ This indicates the source machine and TCP port on that machine + from which this data is coming.</P +><P +> The destination is the host:port at the other end of the bracket.</P +></DD +><DT +><I +CLASS="EMPHASIS" +>Packet count</I +></DT +><DD +><P +> The number of packets received for this direction of the TCP connection</P +></DD +><DT +><I +CLASS="EMPHASIS" +>Byte count</I +></DT +><DD +><P +> The number of bytes received for this direction + of the TCP connection. These bytes include total IP and TCP header + information, in addition to the actual data. Data link + header (e.g. Ethernet and FDDI) data are not included.</P +></DD +><DT +><I +CLASS="EMPHASIS" +>Source MAC address</I +></DT +><DD +><P +> The address of the host on your local LAN that delivered this packet. + This can be viewed by pressing M once if <I +CLASS="EMPHASIS" +>Source MAC +addrs</I +> in traffic + monitor is enabled in the <I +CLASS="EMPHASIS" +><A +HREF="config.html" +>Configure...</A +></I +> menu.</P +></DD +><DT +><I +CLASS="EMPHASIS" +>Packet Size</I +></DT +><DD +><P +> The size of the most recently received packet. This item + is visible if you press M for more TCP information. This is the size + of the IP datagram only, not including the data link header.</P +></DD +><DT +><I +CLASS="EMPHASIS" +>Window Size</I +></DT +><DD +><P +> The advertised window size of the most recently received packet. This + item is visible if you press M for more TCP information.</P +></DD +><DT +><I +CLASS="EMPHASIS" +>Flag statuses</I +></DT +><DD +><P +> The flags of the most recently received packet. + +<P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="COMPUTEROUTPUT" +>S</TT +></DT +><DD +><P +> SYN. A synchronization is taking place in preparation for + connection establishment. If only an <TT +CLASS="COMPUTEROUTPUT" +>S</TT +> + is present (<TT +CLASS="COMPUTEROUTPUT" +>S---</TT +>) the source is trying + to initiate a connection. 
If an <TT +CLASS="COMPUTEROUTPUT" +>A</TT +> is + also present (<TT +CLASS="COMPUTEROUTPUT" +>S-A-</TT +>), this is an + acknowledgment of a previous connection request, and is responding.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>A</TT +></DT +><DD +><P +> ACK. This is an acknowledgment of a previously received packet</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>P</TT +></DT +><DD +><P +> PSH. A request to push all data to the top of the receiving queue</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>U</TT +></DT +><DD +><P +> URG. This packet contains urgent data</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>RESET</TT +></DT +><DD +><P +> RST. The source machine indicated in this direction reset the entire connection. The direction entries for reset connections become available for new connections.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>DONE</TT +></DT +><DD +><P +> The connection is done sending data in this direction, and has sent a FIN (finished) packet, but has not yet been acknowledged by the other host.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>CLOSED</TT +></DT +><DD +><P +> The FIN has been acknowledged by the other host. When both directions of a connection are marked CLOSED, the entries they occupy become available for new connection entries.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>-</TT +></DT +><DD +><P +> The flag is not set</P +></DD +></DL +></DIV +></P +></DD +></DL +></DIV +><P +> Some other pieces of information can be viewed as well. The M key + displays more TCP information. Pressing M once + displays the MAC addresses of the LAN hosts + that delivered the packets (if the <I +CLASS="EMPHASIS" +>Source MAC addrs in traffic +monitor</I +> + option is enabled in the <I +CLASS="EMPHASIS" +><A +HREF="config.html" +>Configure...</A +></I +> +menu). 
<TT +CLASS="COMPUTEROUTPUT" +>N/A</TT +> is displayed if + no packets have been received from the source yet, or if the interface + doesn't support MAC addresses (such as PPP interfaces).</P +><P +> If the <I +CLASS="EMPHASIS" +>Source MAC addrs in traffic monitor</I +> option is not enabled, + pressing M simply toggles between the counts and the packet and window + sizes.</P +><P +> By default, only IP addresses are displayed, but if you have access to a + name server or host table, you may enable reverse lookup for the + IP addresses. Just enable reverse lookup +in the <I +CLASS="EMPHASIS" +><A +HREF="config.html" +>Configure...</A +></I +> menu.</P +><TABLE +CLASS="SIDEBAR" +BORDER="1" +CELLPADDING="5" +><TR +><TD +><DIV +CLASS="SIDEBAR" +><A +NAME="AEN701" +></A +><P +><B +>The rvnamed Process</B +></P +><P +> The IP traffic monitor starts a daemon called + <B +CLASS="COMMAND" +>rvnamed</B +> to help speed + up reverse lookups without sacrificing too much keyboard control and + accuracy of the counts. While reverse lookup is being conducted in the + background, IP addresses will be used until the resolution is complete.</P +><P +> If for some reason <B +CLASS="COMMAND" +>rvnamed</B +> cannot start (probably due to + improper installation or lack of memory), and you are + on the Internet, and you enable reverse lookup, your + keyboard control can become very slow. 
This is because the standard + lookup functions do not return until they have completed their + tasks, and it can take several seconds for a name resolution + in the foreground to complete.</P +><P +> <B +CLASS="COMMAND" +>rvnamed</B +> will spawn up to 200 children to process reverse DNS queries.</P +></DIV +></TD +></TR +></TABLE +><DIV +CLASS="TIP" +><P +></P +><TABLE +CLASS="TIP" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/tip.gif" +HSPACE="5" +ALT="Tip"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Tip</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>If you notice unusual SYN activity (too many +initial (<TT +CLASS="COMPUTEROUTPUT" +>S---</TT +>) but frozen SYN entries, or rapidly +increasing initial SYN packets for a single connection), you may +be under a SYN flooding attack or TCP port scan. Apply appropriate measures, or the +targeted machines may begin denying network services.</P +></TD +></TR +></TABLE +></DIV +><P +> Entries not updated within a user-configurable amount of + time may get replaced with new connections. The default time is 15 + minutes. This is regardless of whether the connection is closed or + not. (Some unclosed connections may be due to extremely slow links + or crashes at either end of the connection.) This figure can be changed + at the <I +CLASS="EMPHASIS" +><A +HREF="config.html" +>Configure...</A +></I +> menu.</P +><P +> Some early entries may have a > symbol in front of its packet + count. This means the connection was already established + when the monitor started. In other words, the figures indicated do not + reflect the counts since the start + of the TCP connection, but rather, since the start of the traffic + monitor. Eventually, these > entries will close (or time out) and + disappear. 
TCP entries without the > + were initiated after the traffic monitor started, and the counts + indicate the totals of the connection itself. Just consider entries + with > partial.</P +><P +> Some > entries may go idle if the traffic monitor was started + when these connections were already half-closed (FIN sent + by one host, but data still being sent by the other). This + is because the traffic monitor cannot determine if a + connection was already half-closed when it started. These entries will + eventually time out. (To minimize these entries, an entry is not added + by the monitor until a packet with data or a SYN packet is received.)</P +><P +> Direction entries also become available for reuse if an ICMP Destination + Unreachable message is received for the connection.</P +><P +> The lower part of the screen contains a summary line showing the IP, + TCP, UDP, ICMP, and non-IP byte counts since the start of the + monitor. The IP, TCP, UDP, and ICMP counts include only the IP + datagram header and data, not the data-link headers. The + non-IP count includes the data-link headers.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Technical note: IP Forwarding and Masquerading</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Previous versions of IPTraf issued a warning if the kernel had + IP masquerading enabled due to the way the + kernel masqueraded and translated the IP addresses. The new kernels no + longer do it as before and IPTraf now gives output properly on + masquerading machines. 
The <TT +CLASS="COMPUTEROUTPUT" +>-q</TT +> parameter is no + longer required to suppress the warning screen.</P +><P +> On forwarding (non-masquerading) + machines packets and TCP connections simply appear twice, one + each for the incoming and outgoing interfaces if all interafaces + are being monitored.</P +><P +> On masquerading machines, packets and connections from the + internal network to the external network also appear + twice, one for the internal and external interface. Packets coming + from the internal network will be indicated as coming from the internal + IP address that sourced them, and also as coming from the IP address + of the external interface on your masquerading machine. In much the same + way, packets coming in from the external network will look + like they're destined for the external interface's IP address, and again + as destined for the final host on the internal network.</P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN726" +>Closed/Idle/Timed Out Connections</A +></H2 +><P +> A TCP connection entry that closes, gets reset, or stays idle too long + normally gets replaced with new connections. However, + if there are too many of these, active connections may become + interspersed among closed, reset, or idle entries.</P +><P +> IPTraf can be set to automatically remove all closed, reset, and + idle entries with the <I +CLASS="EMPHASIS" +>TCP closed/idle + persistence...</I +> configuration option. 
You can also press the F key to + immediately clear them at any time.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>The <I +CLASS="EMPHASIS" +>TCP timeout...</I +> option only tells +IPTraf how long it should take before a connection should be considered +idle and open to replacement by new connections. This +does not determine how long it remains on-screen. The <I +CLASS="EMPHASIS" +>TCP closed/idle +persistence...</I +> parameter flushes entries that have been idle for the +number of minutes defined by the <I +CLASS="EMPHASIS" +>TCP timeout...</I +> option.</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN737" +>Sorting TCP Entries</A +></H2 +><P +> The TCP connection entries can be sorted by pressing the S key, then + by selecting a sort criterion. Pressing S will display a box showing the + available sort criteria. Press P to sort by packet count, B to sort by + byte count. Pressing any other key cancels the sort.</P +><P +> The sort operation compares the larger values in each connection entry + pair and sorts the counts in descending order.</P +><P +> Over time, the entries will go out of order as counts proceed at varying + rates. Sorting is not done automatically so as not to degrade performance +and accuracy.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN742" +></A +><P +><IMG +SRC="iptraf-iptmsort.png"></P +><P +><B +>Figure 2. 
The IP traffic monitor sort criteria</B +></P +></DIV +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="ifaces.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="lowerwin.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Supported Network Interfaces</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Lower Window</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file
diff --git a/Documentation/ln9.html b/Documentation/ln9.html
new file mode 100644
index 0000000..989c715
--- /dev/null
+++ b/Documentation/ln9.html
@@ -0,0 +1,109 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="NEXT" +TITLE="About This Document" +HREF="preface.html"></HEAD +><BODY +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="LEGALNOTICE" +><A +NAME="LEGALINFO" +></A +><P +></P +><P +>This manual is released under the terms of the GNU +Free Documentation License of March, 2000 as published by the +Free Software Foundation, reproduced in this manual as Appendix B.</P +><P +>IPTraf is open-source software released under the terms of the GNU General +Public License version 2 or any later version as published by the Free +Software Foundation, reproduced in the LICENSE file in the distribution's +top-level directory.</P +><P +>The accomanying software and the information contained in this +document are provided "AS IS" without warranty of any kind, express or +implied, including, without limitation, the implied warranties +of mercantability or fitness for any particular purpose.</P +><P +>In no event shall the author be liable for any indirect, +special, consequential, or incidental damages arising from the use of this +manual or the accompanying software even if the author has been advised of +the possibility of such damages.</P +><P +>Linux is a registered trademark of Linus Torvalds. Pentium is a +registered trademark of Intel Corporation. 
All other trademarks are +property of their respective owners.</P +><P +>Some structure declarations were based on code copyrighted by the Regents +of the University of California.</P +><P +>Token Ring parsing code based on the Token Ring packet construction code +in the Linux 2.2 kernel.</P +><P +></P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +> </TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +> </TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/lowerwin.html b/Documentation/lowerwin.html new file mode 100644 index 0000000..27805e5 --- /dev/null +++ b/Documentation/lowerwin.html 
@@ -0,0 +1,942 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Lower Window</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="The IP Traffic Monitor" +HREF="itrafmon.html"><LINK +REL="PREVIOUS" +TITLE="The IP Traffic Monitor" +HREF="itrafmon.html"><LINK +REL="NEXT" +TITLE="Additional Information" +HREF="x1077.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="itrafmon.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>The IP Traffic Monitor</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="x1077.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="LOWERWIN" +>Lower Window</A +></H1 +><P +> The lower window displays information about the other types of traffic + on your network. 
The following protocols are detected internally:</P +><P +></P +><UL +COMPACT="COMPACT" +><LI +><P +>User Datagram Protocol (UDP)</P +></LI +><LI +><P +>Internet Control Message Protocol (ICMP)</P +></LI +><LI +><P +>Open Shortest-Path First (OSPF)</P +></LI +><LI +><P +>Interior Gateway Routing Protocol (IGRP)</P +></LI +><LI +><P +>Interior Gateway Protocol (IGP)</P +></LI +><LI +><P +>Internet Group Management Protocol (IGMP)</P +></LI +><LI +><P +>General Routing Encapsulation (GRE)</P +></LI +><LI +><P +>Layer 2 Tunneling Protocol (L2TP)</P +></LI +><LI +><P +>IPSec AH and ESP protocols (IPSec AH and IPSec ESP)</P +></LI +><LI +><P +>Address Resolution Protocol (ARP)</P +></LI +><LI +><P +>Reverse Address Resolution Protocol (RARP)</P +></LI +></UL +><P +> Other IP protocols are looked up from the <TT +CLASS="FILENAME" +>/etc/services</TT +> + file. If <TT +CLASS="FILENAME" +>/etc/services</TT +> doesn't contain information about + that protocol, the protocol number is indicated.</P +><P +> Non-IP packets are indicated as +<TT +CLASS="COMPUTEROUTPUT" +>Non-IP</TT +> in the lower window.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>The source and destination addresses for ARP and +RARP entries are MAC addresses.</P +><P +> Strictly speaking, ARP and RARP packets aren't IP packets, since + they are not encapsulated in an IP datagram. 
They're + just indicated because they are integral to proper IP operation on LANs.</P +></TD +></TR +></TABLE +></DIV +><P +> For all packets in the lower window, only the first IP fragment is + indicated (since that contains the header + of the IP-encapsulated protocol) but with no further information + from the encapsulated protocol.</P +><P +>UDP packets are also displayed +in +<TT +CLASS="COMPUTEROUTPUT" +><TT +CLASS="REPLACEABLE" +><I +>address</I +></TT +>:<TT +CLASS="REPLACEABLE" +><I +>port</I +></TT +></TT +> format while ICMP entries also contain the +ICMP message type. For easier location, each type of protocol +is color-coded (only on color terminals such as the Linux console).</P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>UDP</DT +><DD +><P +>Red on White</P +></DD +><DT +>ICMP</DT +><DD +><P +>Yellow on Blue</P +></DD +><DT +>OSPF</DT +><DD +><P +>Black on Cyan</P +></DD +><DT +>IGRP</DT +><DD +><P +>Bright white on Cyan</P +></DD +><DT +>IGP</DT +><DD +><P +>Red on Cyan</P +></DD +><DT +>IGMP</DT +><DD +><P +>Bright green on Blue</P +></DD +><DT +>GRE</DT +><DD +><P +>Blue on white</P +></DD +><DT +>ARP</DT +><DD +><P +>Bright white on Red</P +></DD +><DT +>RARP</DT +><DD +><P +>Bright white on Red</P +></DD +><DT +>Other IP</DT +><DD +><P +>Yellow on red</P +></DD +><DT +>Non-IP</DT +><DD +><P +>Yellow on Red</P +></DD +></DL +></DIV +><P +> The lower window can hold up to 512 entries. You can + scroll the lower window by using the W key to move the Active indicator + to it, and by using the Up and Down cursor keys. The lower + window automatically scrolls every time a new entry is added, and either + the first entry or last entry is visible. Upon reaching 512 entries, old + entries are thrown out as new entries are added.</P +><P +> Some entries may be too long to completely fit in a screen line. 
You can + use the Left and Right cursor keys to vertically scroll the lower window + when it is marked <TT +CLASS="COMPUTEROUTPUT" +>Active</TT +>. If your +terminal can be resized (e.g. xterm), you may do so before starting +IPTraf.</P +><P +> Entries for packets received on LAN interfaces also include the + source MAC address of the LAN host which delivered it. This behavior + is enabled by turning on the Source MAC addrs in traffic monitor toggle + in the <I +CLASS="EMPHASIS" +><A +HREF="config.html" +>Configure...</A +></I +> menu.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN836" +>Entry Details</A +></H2 +><P +> In general, the entries in the lower window indicate the protocol, the + IP datagram size (full frame size for non-IP, including ARP and + RARP), the source address, the destination + address, and the network interface the packet was detected on. + However, some protocols have a little more information.</P +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN839" +>ICMP</A +></H3 +><P +> ICMP entries are displayed in this format:</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>ICMP <TT +CLASS="REPLACEABLE" +><I +>type</I +></TT +> [(<TT +CLASS="REPLACEABLE" +><I +>subtype</I +></TT +>)] (<TT +CLASS="REPLACEABLE" +><I +>size</I +></TT +> bytes) from <TT +CLASS="REPLACEABLE" +><I +>source</I +></TT +> to <TT +CLASS="REPLACEABLE" +><I +>destination</I +></TT +> +[(src HWaddr <TT +CLASS="REPLACEABLE" +><I +>srcMACaddress</I +></TT +>)] on <TT +CLASS="REPLACEABLE" +><I +>interface</I +></TT +></PRE +></TD +></TR +></TABLE +><P +> where type could be any of the following:</P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="COMPUTEROUTPUT" +>echo req, echo rply</TT +></DT +><DD +><P +> ICMP echo request and reply. Usually used by the ping program and other network monitoring and diagnostic program. 
</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>dest unrch</TT +></DT +><DD +><P +> ICMP destination unreachable. Something failed to reach its target. The dest unreach type is supplemented with a further indicator of the problem. Destination unreachable messages for TCP traffic causes the corresponding TCP entry in the upper + window to be made available for reuse by new connections. </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>redirct</TT +></DT +><DD +><P +> ICMP redirect. Usually generated by a router to tell a host that a better gateway is available. </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>src qnch</TT +></DT +><DD +><P +> The ICMP source quench is used to stop a host from transmitting. It's a +flow control mechanism for IP. </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>time excd</TT +></DT +><DD +><P +> Indicates a packet's time-to-live value expired before it got +to its destination. Mostly happens if a destination is too far away. +Also used by the traceroute program.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>router adv</TT +></DT +><DD +><P +> ICMP router advertisement </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>router sol</TT +></DT +><DD +><P +> ICMP router solicitation </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>timestmp req</TT +></DT +><DD +><P +> ICMP timestamp request</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>timestmp rep</TT +></DT +><DD +><P +> ICMP timestamp reply </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>info req</TT +></DT +><DD +><P +> ICMP information request </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>info rep</TT +></DT +><DD +><P +> ICMP information reply </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>addr mask req</TT +></DT +><DD +><P +> ICMP address mask request </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>addr mask rep</TT +></DT +><DD +><P +> ICMP address mask reply </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>param prob</TT +></DT +><DD +><P +> ICMP parameter problem </P 
+></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>bad/unknown</TT +></DT +><DD +><P +> An unrecognized ICMP packet was received, or the packet is corrupted.</P +></DD +></DL +></DIV +><P +> The destination unreachable message also includes information on the + type of error encountered. Here are the destination unreachable codes:</P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="COMPUTEROUTPUT" +>ntwk</TT +></DT +><DD +><P +> network unreachable </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>host</TT +></DT +><DD +><P +> host unreachable </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>proto</TT +></DT +><DD +><P +> protocol unreachable </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>port</TT +></DT +><DD +><P +> port unreachable </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>pkt fltrd</TT +></DT +><DD +><P +> packet filtered (normally by an access rule on a router or firewall) </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>DF set</TT +></DT +><DD +><P +> the packet has to be fragmented somewhere, but its don't fragment + (DF) bit is set.</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>src rte fail</TT +></DT +><DD +><P +> source route failed </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>src isltd</TT +></DT +><DD +><P +> source isolated (obsolete) </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>net comm denied</TT +></DT +><DD +><P +> network communication denied </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>host comm denied</TT +></DT +><DD +><P +> host communication denied </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>net unrch for TOS</TT +></DT +><DD +><P +> network unreachable for specified IP type-of-service </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>host unrch for TOS</TT +></DT +><DD +><P +> host unreachable for specified IP type-of-service </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>prec violtn</TT +></DT +><DD +><P +> precedence violation </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>prec cutoff</TT +></DT 
+><DD +><P +> precedence cutoff </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>dest net unkn</TT +></DT +><DD +><P +> destination network unknown </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>dest host unkn</TT +></DT +><DD +><P +> destination network unknown</P +></DD +></DL +></DIV +><P +> For more information on ICMP, see RFC 792.</P +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN1010" +>OSPF</A +></H3 +><P +>OSPF messages also include a little more information. The format of an +OSPF message in the window is:</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>OSPF <TT +CLASS="REPLACEABLE" +><I +>type</I +></TT +> (a=<TT +CLASS="REPLACEABLE" +><I +>area</I +></TT +> r=<TT +CLASS="REPLACEABLE" +><I +>router</I +></TT +>) (<TT +CLASS="REPLACEABLE" +><I +>size</I +></TT +>bytes) from <TT +CLASS="REPLACEABLE" +><I +>source</I +></TT +> to <TT +CLASS="REPLACEABLE" +><I +>destination</I +></TT +> +[(src HWaddr <TT +CLASS="REPLACEABLE" +><I +>srcMACaddress</I +></TT +>)] on <TT +CLASS="REPLACEABLE" +><I +>interface</I +></TT +></PRE +></TD +></TR +></TABLE +><P +> The type can be one of the following:</P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="COMPUTEROUTPUT" +>hlo</TT +></DT +><DD +><P +> OSPF hello. Hello messages establish OSPF communications and keep routers informed of each other's presence. </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>DB desc</TT +></DT +><DD +><P +> OSPF Database Description </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>LSR</TT +></DT +><DD +><P +> OSPF Link State Request </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>LSU</TT +></DT +><DD +><P +> OSPF Link State Update. 
Messages indicating the states of the OSPF network links </P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>LSA</TT +></DT +><DD +><P +> OSPF Link State Acknowledgment</P +></DD +></DL +></DIV +><P +> The entries in parentheses:</P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="COMPUTEROUTPUT" +>a=<TT +CLASS="REPLACEABLE" +><I +>area</I +></TT +></TT +></DT +><DD +><P +> The area number of the OSPF message</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>r=<TT +CLASS="REPLACEABLE" +><I +>router</I +></TT +></TT +></DT +><DD +><P +> The IP address of the router that generated the message. It + is not necessarily the same as the source address + of the encapsulating IP packet.</P +></DD +></DL +></DIV +><P +> Many times, the destination addresses for OSPF packets are class D + multicast addresses in standard dotted decimal notation or (if reverse + lookup is enabled), hosts under the <TT +CLASS="COMPUTEROUTPUT" +>MCAST.NET</TT +> domain. Such multicast + addresses are defined as follows:</P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="COMPUTEROUTPUT" +>224.0.0.5 (OSPF-ALL.MCAST.NET)</TT +></DT +><DD +><P +>OSPF all routers</P +></DD +><DT +><TT +CLASS="COMPUTEROUTPUT" +>224.0.0.6 (OSPF-DSIG.MCAST.NET)</TT +></DT +><DD +><P +>OSPF all designated routers</P +></DD +></DL +></DIV +><P +> See RFC 1247 for details on the OSPF protocol.</P +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="itrafmon.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="x1077.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>The IP Traffic Monitor</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="itrafmon.html" 
+>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Additional Information</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/manual.aux b/Documentation/manual.aux new file mode 100644 index 0000000..95195c6 --- /dev/null +++ b/Documentation/manual.aux 
@@ -0,0 +1,144 @@ +\relax +\ifx\hyper@anchor\@undefined +\global \let \oldcontentsline\contentsline +\gdef \contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}} +\global \let \oldnewlabel\newlabel +\gdef \newlabel#1#2{\newlabelxx{#1}#2} +\gdef \newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}} +\AtEndDocument{\let \contentsline\oldcontentsline +\let \newlabel\oldnewlabel} +\else +\global \let \hyper@last\relax +\fi + +\pagelabel{PREFACE}{7} +\pagelabel{ADDINFO}{7} +\pagelabel{CONVENTIONS}{7} +\pagelabel{GETTINGSTARTED}{9} +\pagelabel{65}{9} +\pagelabel{INSTALLATION}{9} +\pagelabel{96}{9} +\pagelabel{134}{10} +\pagelabel{149}{10} +\pagelabel{186}{11} +\pagelabel{UPGRADING}{11} +\pagelabel{STARTSTOP}{12} +\pagelabel{CMDLINE}{12} +\pagelabel{MENUS}{14} +\pagelabel{EXITING}{14} +\gdef \LT@i {\LT@entry + {2}{186.4pt}\LT@entry + {2}{186.4pt}} +\pagelabel{PREPARINGTOUSE}{17} +\pagelabel{NUMBERS}{17} +\pagelabel{INSTANCES}{17} +\pagelabel{UPDATES}{18} +\pagelabel{IFACES}{18} +\pagelabel{ITRAFMON}{21} +\pagelabel{UPPERWIN}{21} +\pagelabel{725}{25} +\pagelabel{736}{25} +\pagelabel{LOWERWIN}{26} +\pagelabel{835}{27} +\pagelabel{1076}{30} +\pagelabel{NETSTATS}{33} +\pagelabel{GENSTATS}{33} +\pagelabel{DETSTATS}{33} +\pagelabel{STATBREAKDOWNS}{37} +\pagelabel{PKTSIZE}{37} +\pagelabel{SERVMON}{37} +\pagelabel{1230}{38} +\pagelabel{1222}{38} +\pagelabel{1230}{39} +\pagelabel{HOSTMON}{41} +\pagelabel{SORTINGLAN}{41} +\pagelabel{MORELANMONINFO}{42} +\pagelabel{FILTERS}{43} +\pagelabel{IPFILTERS}{43} +\pagelabel{1304}{43} +\gdef \LT@ii {\LT@entry + {2}{186.0pt}\LT@entry + {2}{186.0pt}} +\gdef \LT@iii {\LT@entry + {2}{186.0pt}\LT@entry + {2}{186.0pt}} +\gdef \LT@iv {\LT@entry + {2}{186.0pt}\LT@entry + {2}{186.0pt}} +\gdef \LT@v {\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}} +\gdef \LT@vi {\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}} +\gdef \LT@vii {\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}} +\gdef 
\LT@viii {\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}} +\gdef \LT@ix {\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}} +\gdef \LT@x {\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}} +\gdef \LT@xi {\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}} +\gdef \LT@xii {\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}} +\gdef \LT@xiii {\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}\LT@entry + {2}{124.0pt}} +\pagelabel{1902}{50} +\pagelabel{1907}{50} +\pagelabel{1922}{51} +\pagelabel{1926}{51} +\pagelabel{NONIPFILTERS}{51} +\pagelabel{CONFIG}{53} +\pagelabel{TOGGLES}{53} +\pagelabel{1946}{53} +\pagelabel{1950}{53} +\pagelabel{1961}{53} +\pagelabel{1971}{54} +\pagelabel{1975}{54} +\pagelabel{2012}{55} +\pagelabel{2016}{55} +\pagelabel{TIMERS}{55} +\pagelabel{2029}{56} +\pagelabel{2032}{56} +\pagelabel{2037}{56} +\pagelabel{2047}{57} +\pagelabel{CUSTOMPORTS}{57} +\pagelabel{2060}{57} +\pagelabel{2065}{57} +\pagelabel{2069}{57} +\pagelabel{BACKOP}{59} +\pagelabel{MESSAGES}{61} +\pagelabel{IPTRAFMESSAGES}{61} +\pagelabel{RVNAMEDMESSAGES}{67} +\pagelabel{GFDL}{69} +\pagelabel{GFDL-0}{69} +\pagelabel{GFDL-1}{69} +\pagelabel{GFDL-2}{70} +\pagelabel{GFDL-3}{70} +\pagelabel{GFDL-4}{71} +\pagelabel{GFDL-6}{72} +\pagelabel{GFDL-5}{72} +\pagelabel{GFDL-6}{73} +\pagelabel{GFDL-7}{73} +\pagelabel{GFDL-8}{73} +\pagelabel{GFDL-9}{73} +\pagelabel{GFDL-10}{73} +\pagelabel{GFDL-11}{74} diff --git a/Documentation/manual.dvi b/Documentation/manual.dvi new file mode 100644 index 0000000..2e69707 Binary files /dev/null and b/Documentation/manual.dvi differ diff --git a/Documentation/manual.html b/Documentation/manual.html new file mode 100644 index 0000000..2914e81 --- /dev/null +++ b/Documentation/manual.html 
@@ -0,0 +1,584 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>IPTraf User's Manual</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="NEXT" +TITLE="About This Document" +HREF="preface.html"></HEAD +><BODY +CLASS="BOOK" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="BOOK" +><A +NAME="MANUAL" +></A +><DIV +CLASS="TITLEPAGE" +><H1 +CLASS="TITLE" +><A +NAME="AEN2" +>IPTraf User's Manual</A +></H1 +><P +CLASS="COPYRIGHT" +><A +HREF="ln9.html" +>Copyright</A +> © 1997, 2003 by Gerard Paul Java</P +><SPAN +CLASS="RELEASEINFO" +>Version 3.0.0<BR></SPAN +><HR></DIV +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +><A +HREF="preface.html" +>About This Document</A +></DT +><DD +><DL +><DT +><A +HREF="preface.html#ADDINFO" +>For Additional Information</A +></DT +><DT +><A +HREF="conventions.html" +>Document Conventions</A +></DT +></DL +></DD +><DT +><A +HREF="gettingstarted.html" +>Getting Started</A +></DT +><DD +><DL +><DT +><A +HREF="gettingstarted.html#AEN66" +>About IPTraf</A +></DT +><DT +><A +HREF="installation.html" +>Installation</A +></DT +><DD +><DL +><DT +><A +HREF="installation.html#AEN97" +>System Requirements</A +></DT +><DT +><A +HREF="installation.html#AEN135" +>Availability</A +></DT +><DT +><A +HREF="installation.html#AEN150" +>Installing Downloaded Packages</A +></DT +><DT +><A +HREF="installation.html#AEN187" +>Installing a Floppy Distribution</A +></DT +></DL +></DD +><DT +><A +HREF="upgrading.html" +>Upgrading from Earlier Versions</A +></DT +><DT +><A +HREF="startstop.html" +>Starting and Stopping IPTraf</A +></DT +><DT +><A +HREF="cmdline.html" +>Command-line Options</A +></DT +><DT +><A +HREF="menus.html" +>Using the Menus</A +></DT +><DT +><A +HREF="exiting.html" +>Exiting IPTraf</A +></DT +></DL +></DD +><DT +><A +HREF="preparingtouse.html" +>Preparing to Use IPTraf</A +></DT +><DD +><DL 
+><DT +><A +HREF="preparingtouse.html#NUMBERS" +>Number Display Notations</A +></DT +><DT +><A +HREF="instances.html" +>Instances and Logging</A +></DT +><DT +><A +HREF="updates.html" +>Screen Update Delays</A +></DT +><DT +><A +HREF="ifaces.html" +>Supported Network Interfaces</A +></DT +></DL +></DD +><DT +><A +HREF="itrafmon.html" +>The IP Traffic Monitor</A +></DT +><DD +><DL +><DT +><A +HREF="itrafmon.html#UPPERWIN" +>The Upper Window</A +></DT +><DD +><DL +><DT +><A +HREF="itrafmon.html#AEN726" +>Closed/Idle/Timed Out Connections</A +></DT +><DT +><A +HREF="itrafmon.html#AEN737" +>Sorting TCP Entries</A +></DT +></DL +></DD +><DT +><A +HREF="lowerwin.html" +>Lower Window</A +></DT +><DD +><DL +><DT +><A +HREF="lowerwin.html#AEN836" +>Entry Details</A +></DT +></DL +></DD +><DT +><A +HREF="x1077.html" +>Additional Information</A +></DT +></DL +></DD +><DT +><A +HREF="netstats.html" +>Network Interface Statistics</A +></DT +><DD +><DL +><DT +><A +HREF="netstats.html#GENSTATS" +>General Interface Statistics</A +></DT +><DT +><A +HREF="detstats.html" +>Detailed Interface Statistics</A +></DT +></DL +></DD +><DT +><A +HREF="statbreakdowns.html" +>Statistical Breakdowns</A +></DT +><DD +><DL +><DT +><A +HREF="statbreakdowns.html#PKTSIZE" +>Packet Sizes</A +></DT +><DT +><A +HREF="servmon.html" +>TCP and UDP Traffic Statistics</A +></DT +><DD +><DL +><DT +><A +HREF="servmon.html#AEN1223" +>Sorting TCP/UDP Entries</A +></DT +><DT +><A +HREF="servmon.html#AEN1231" +>Additional Information</A +></DT +></DL +></DD +></DL +></DD +><DT +><A +HREF="hostmon.html" +>LAN Station Statistics</A +></DT +><DD +><DL +><DT +><A +HREF="hostmon.html#SORTINGLAN" +>Sorting the LAN Station Monitor Entries</A +></DT +><DT +><A +HREF="morelanmoninfo.html" +>Additional Information</A +></DT +></DL +></DD +><DT +><A +HREF="filters.html" +>Filters</A +></DT +><DD +><DL +><DT +><A +HREF="filters.html#IPFILTERS" +>IP Filters</A +></DT +><DD +><DL +><DT +><A +HREF="filters.html#AEN1305" 
+>Defining a New Filter</A +></DT +><DT +><A +HREF="filters.html#AEN1903" +>Applying a Filter</A +></DT +><DT +><A +HREF="filters.html#AEN1908" +>Editing a Defined Filter</A +></DT +><DT +><A +HREF="filters.html#AEN1923" +>Deleting a Defined Filter</A +></DT +><DT +><A +HREF="filters.html#AEN1927" +>Detaching a Filter</A +></DT +></DL +></DD +><DT +><A +HREF="nonipfilters.html" +>ARP, RARP, and other Non-IP Packet Filters</A +></DT +></DL +></DD +><DT +><A +HREF="config.html" +>Configuring IPTraf</A +></DT +><DD +><DL +><DT +><A +HREF="config.html#TOGGLES" +>Toggles</A +></DT +><DD +><DL +><DT +><A +HREF="config.html#AEN1947" +>Reverse DNS Lookups</A +></DT +><DT +><A +HREF="config.html#AEN1951" +>TCP/UDP Service Names</A +></DT +><DT +><A +HREF="config.html#AEN1962" +>Force promiscuous</A +></DT +><DT +><A +HREF="config.html#AEN1972" +>Color</A +></DT +><DT +><A +HREF="config.html#AEN1976" +>Logging</A +></DT +><DT +><A +HREF="config.html#AEN2013" +>Activity mode</A +></DT +><DT +><A +HREF="config.html#AEN2017" +>Source MAC addrs in traffic monitor</A +></DT +></DL +></DD +><DT +><A +HREF="timers.html" +>Timers</A +></DT +><DD +><DL +><DT +><A +HREF="timers.html#AEN2030" +>TCP Timeout</A +></DT +><DT +><A +HREF="timers.html#AEN2033" +>Log Interval</A +></DT +><DT +><A +HREF="timers.html#AEN2038" +>Screen Update Interval</A +></DT +><DT +><A +HREF="timers.html#AEN2048" +>TCP closed/idle persistence</A +></DT +></DL +></DD +><DT +><A +HREF="customports.html" +>Custom Information</A +></DT +><DD +><DL +><DT +><A +HREF="customports.html#AEN2061" +>Additional ports</A +></DT +><DT +><A +HREF="customports.html#AEN2066" +>Delete port/range</A +></DT +><DT +><A +HREF="customports.html#AEN2070" +>LAN Station Identifiers</A +></DT +></DL +></DD +></DL +></DD +><DT +><A +HREF="backop.html" +>Background Operation</A +></DT +><DT +><A +HREF="messages.html" +>Messages</A +></DT +><DD +><DL +><DT +><A +HREF="messages.html#IPTRAFMESSAGES" +>IPTraf Messages</A +></DT +><DT +><A 
+HREF="rvnamedmessages.html" +>rvnamed Messages</A +></DT +></DL +></DD +><DT +><A +HREF="gfdl.html" +>GNU Free Documentation License</A +></DT +><DD +><DL +><DT +><A +HREF="gfdl.html#GFDL-0" +>PREAMBLE</A +></DT +><DT +><A +HREF="gfdl-1.html" +>APPLICABILITY AND DEFINITIONS</A +></DT +><DT +><A +HREF="gfdl-2.html" +>VERBATIM COPYING</A +></DT +><DT +><A +HREF="gfdl-3.html" +>COPYING IN QUANTITY</A +></DT +><DT +><A +HREF="gfdl-4.html" +>MODIFICATIONS</A +></DT +><DT +><A +HREF="gfdl-5.html" +>COMBINING DOCUMENTS</A +></DT +><DT +><A +HREF="gfdl-6.html" +>COLLECTIONS OF DOCUMENTS</A +></DT +><DT +><A +HREF="gfdl-7.html" +>AGGREGATION WITH INDEPENDENT WORKS</A +></DT +><DT +><A +HREF="gfdl-8.html" +>TRANSLATION</A +></DT +><DT +><A +HREF="gfdl-9.html" +>TERMINATION</A +></DT +><DT +><A +HREF="gfdl-10.html" +>FUTURE REVISIONS OF THIS LICENSE</A +></DT +><DT +><A +HREF="gfdl-11.html" +>How to use this License for your documents</A +></DT +></DL +></DD +></DL +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +> </TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="preface.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +> </TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>About This Document</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/manual.rtf b/Documentation/manual.rtf new file mode 100644 index 0000000..7ab5356 --- /dev/null +++ b/Documentation/manual.rtf 
@@ -0,0 +1,14 @@ +{\rtf1\ansi\deff0 +{\fonttbl{\f3\fnil\fcharset0 Courier New;} +{\f2\fnil\fcharset0 Helvetica;} +{\f4\fnil\fcharset0 Arial;} +{\f1\fnil\fcharset0 Palatino;} +{\f0\fnil\fcharset0 Times New Roman;} +} +{\colortbl;}{\stylesheet{\s1 Heading 1;}{\s2 Heading 2;}{\s3 Heading 3;}{\s4 Heading 4;}{\s5 Heading 5;}{\s6 Heading 6;}{\s7 Heading 7;}{\s8 Heading 8;}{\s9 Heading 9;}} +\deflang1024\notabind\facingp\hyphauto1\widowctrl +\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgndec{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}\pard\sl20 {\*\bkmkstart ID_MANUAL}{\*\bkmkend ID_MANUAL}\fs20\f1 \hyphpar0\par\pard\sb242\sl354\qc \b\fs32\f2 IPTraf User's Manual\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgndec{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}\pard\sl20 \fs20\f1 \keepn\hyphpar0\par\pard\sl-240 \b\f2 IPTraf User's Manual\hyphpar0\par\pard\sl220 \b0\f1 Copyright\~\'a9\~1997, 2003 by Gerard Paul Java\hyphpar0\par\pard\sb200\sl220 \fs16 This manual is released under the terms of the GNU Free Documentation License of March, 2000 as published by the Free Software Foundation, reproduced in this manual as Appendix B.\hyphpar0\par\pard\sl220 IPTraf is open-source software released under the terms of the GNU General Public License version 2 or any later version as 
published by the Free Software Foundation, reproduced in the LICENSE file in the distribution's top-level directory.\hyphpar0\par\pard\sl220 The accomanying software and the information contained in this document are provided "AS IS" without warranty of any kind, express or implied, including, without limitation, the implied warranties of mercantability or fitness for any particular purpose.\hyphpar0\par\pard\sl220 In no event shall the author be liable for any indirect, special, consequential, or incidental damages arising from the use of this manual or the accompanying software even if the author has been advised of the possibility of such damages.\hyphpar0\par\pard\sl220 Linux is a registered trademark of Linus Torvalds. Pentium is a registered trademark of Intel Corporation. All other trademarks are property of their respective owners.\hyphpar0\par\pard\sl220 Some structure declarations were based on code copyrighted by the Regents of the University of California.\hyphpar0\par\pard\sl220 Token Ring parsing code based on the Token Ring packet construction code in the Linux 2.2 kernel.\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgnlcrm\pgnrestart\titlepg{\headerf\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}\pard\sb220\s1\sl322 \b\fs29\f2 Table of Contents\keepn\hyphpar0\par\pard\sb146\li1440\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_PREFACE}{\fldrslt \fs20\f1 About This 
Document}}\fs20\f1 \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_PREFACE}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_PREFACE}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_ADDINFO}{\fldrslt \b0 For Additional Information}}\b0 \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_ADDINFO}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_ADDINFO}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_CONVENTIONS}{\fldrslt Document Conventions}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_CONVENTIONS}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_CONVENTIONS}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1440\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GETTINGSTARTED}{\fldrslt \b 1. Getting Started}}\b \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GETTINGSTARTED}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GETTINGSTARTED}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _65 }{\fldrslt \b0 About IPTraf}}\b0 \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _65 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _65}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_INSTALLATION}{\fldrslt Installation}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_INSTALLATION}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_INSTALLATION}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _96 }{\fldrslt System Requirements}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _96 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _96}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _134 }{\fldrslt Availability}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _134 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _134}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 
{\field{\*\fldinst HYPERLINK \\l _149 }{\fldrslt Installing Downloaded Packages}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _149 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _149}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _186 }{\fldrslt Installing a Floppy Distribution}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _186 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _186}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_UPGRADING}{\fldrslt Upgrading from Earlier Versions}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_UPGRADING}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_UPGRADING}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_STARTSTOP}{\fldrslt Starting and Stopping IPTraf}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_STARTSTOP}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_STARTSTOP}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_CMDLINE}{\fldrslt Command-line Options}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_CMDLINE}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_CMDLINE}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_MENUS}{\fldrslt Using the Menus}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_MENUS}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_MENUS}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_EXITING}{\fldrslt Exiting IPTraf}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_EXITING}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_EXITING}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1440\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_PREPARINGTOUSE}{\fldrslt \b 2. 
Preparing to Use IPTraf}}\b \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_PREPARINGTOUSE}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_PREPARINGTOUSE}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_NUMBERS}{\fldrslt \b0 Number Display Notations}}\b0 \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_NUMBERS}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_NUMBERS}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_INSTANCES}{\fldrslt Instances and Logging}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_INSTANCES}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_INSTANCES}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_UPDATES}{\fldrslt Screen Update Delays}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_UPDATES}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_UPDATES}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_IFACES}{\fldrslt Supported Network Interfaces}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_IFACES}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_IFACES}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1440\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_ITRAFMON}{\fldrslt \b 3. 
The IP Traffic Monitor}}\b \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_ITRAFMON}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_ITRAFMON}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_UPPERWIN}{\fldrslt \b0 The Upper Window}}\b0 \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_UPPERWIN}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_UPPERWIN}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _725 }{\fldrslt Closed/Idle/Timed Out Connections}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _725 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _725}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _736 }{\fldrslt Sorting TCP Entries}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _736 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _736}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_LOWERWIN}{\fldrslt Lower Window}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_LOWERWIN}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_LOWERWIN}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _835 }{\fldrslt Entry Details}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _835 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _835}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _1076 }{\fldrslt Additional Information}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _1076 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _1076}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1440\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_NETSTATS}{\fldrslt \b 4. 
Network Interface Statistics}}\b \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_NETSTATS}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_NETSTATS}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GENSTATS}{\fldrslt \b0 General Interface Statistics}}\b0 \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GENSTATS}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GENSTATS}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_DETSTATS}{\fldrslt Detailed Interface Statistics}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_DETSTATS}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_DETSTATS}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1440\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_STATBREAKDOWNS}{\fldrslt \b 5. Statistical Breakdowns}}\b \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_STATBREAKDOWNS}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_STATBREAKDOWNS}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_PKTSIZE}{\fldrslt \b0 Packet Sizes}}\b0 \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_PKTSIZE}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_PKTSIZE}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_SERVMON}{\fldrslt TCP and UDP Traffic Statistics}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_SERVMON}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_SERVMON}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _1222 }{\fldrslt Sorting TCP/UDP Entries}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _1222 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _1222}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _1230 }{\fldrslt Additional Information}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _1230 }{\fldrslt {\field\flddirty{\*\fldinst 
PAGEREF _1230}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1440\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_HOSTMON}{\fldrslt \b 6. LAN Station Statistics}}\b \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_HOSTMON}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_HOSTMON}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_SORTINGLAN}{\fldrslt \b0 Sorting the LAN Station Monitor Entries}}\b0 \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_SORTINGLAN}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_SORTINGLAN}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_MORELANMONINFO}{\fldrslt Additional Information}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_MORELANMONINFO}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_MORELANMONINFO}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1440\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_FILTERS}{\fldrslt \b 7. Filters}}\b \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_FILTERS}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_FILTERS}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_IPFILTERS}{\fldrslt \b0 IP Filters}}\b0 \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_IPFILTERS}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_IPFILTERS}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _1304 }{\fldrslt Defining a New Filter}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _1304 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _1304}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _1902 }{\fldrslt Applying a Filter}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _1902 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _1902}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _1907 }{\fldrslt Editing a Defined 
Filter}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _1907 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _1907}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _1922 }{\fldrslt Deleting a Defined Filter}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _1922 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _1922}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _1926 }{\fldrslt Detaching a Filter}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _1926 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _1926}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_NONIPFILTERS}{\fldrslt ARP, RARP, and other Non-IP Packet Filters}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_NONIPFILTERS}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_NONIPFILTERS}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1440\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt \b 8. 
Configuring IPTraf}}\b \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_CONFIG}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_TOGGLES}{\fldrslt \b0 Toggles}}\b0 \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_TOGGLES}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_TOGGLES}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _1946 }{\fldrslt Reverse DNS Lookups}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _1946 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _1946}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _1950 }{\fldrslt TCP/UDP Service Names}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _1950 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _1950}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _1961 }{\fldrslt Force promiscuous}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _1961 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _1961}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _1971 }{\fldrslt Color}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _1971 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _1971}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _1975 }{\fldrslt Logging}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _1975 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _1975}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _2012 }{\fldrslt Activity mode}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _2012 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _2012}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _2016 }{\fldrslt Source MAC addrs in traffic monitor}}\tqr\tldot\tx8400\tab {\field{\*\fldinst 
HYPERLINK \\l _2016 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _2016}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_TIMERS}{\fldrslt Timers}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_TIMERS}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_TIMERS}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _2029 }{\fldrslt TCP Timeout}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _2029 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _2029}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _2032 }{\fldrslt Log Interval}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _2032 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _2032}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _2037 }{\fldrslt Screen Update Interval}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _2037 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _2037}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _2047 }{\fldrslt TCP closed/idle persistence}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _2047 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _2047}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_CUSTOMPORTS}{\fldrslt Custom Information}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_CUSTOMPORTS}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_CUSTOMPORTS}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _2060 }{\fldrslt Additional ports}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _2060 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _2060}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _2065 }{\fldrslt Delete port/range}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _2065 }{\fldrslt {\field\flddirty{\*\fldinst 
PAGEREF _2065}{\fldrslt 000}}}}\hyphpar0\par\pard\li2400\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l _2069 }{\fldrslt LAN Station Identifiers}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l _2069 }{\fldrslt {\field\flddirty{\*\fldinst PAGEREF _2069}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1440\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_BACKOP}{\fldrslt \b 9. Background Operation}}\b \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_BACKOP}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_BACKOP}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1440\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_MESSAGES}{\fldrslt A. Messages}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_MESSAGES}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_MESSAGES}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_IPTRAFMESSAGES}{\fldrslt \b0 IPTraf Messages}}\b0 \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_IPTRAFMESSAGES}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_IPTRAFMESSAGES}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_RVNAMEDMESSAGES}{\fldrslt rvnamed Messages}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_RVNAMEDMESSAGES}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_RVNAMEDMESSAGES}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1440\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GFDL}{\fldrslt \b B. 
GNU Free Documentation License}}\b \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GFDL}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GFDL}{\fldrslt 000}}}}\hyphpar0\par\pard\sb48\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_0}{\fldrslt \b0 PREAMBLE}}\b0 \tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_0}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GFDL_45_0}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_1}{\fldrslt APPLICABILITY AND DEFINITIONS}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_1}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GFDL_45_1}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_2}{\fldrslt VERBATIM COPYING}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_2}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GFDL_45_2}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_3}{\fldrslt COPYING IN QUANTITY}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_3}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GFDL_45_3}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_4}{\fldrslt MODIFICATIONS}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_4}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GFDL_45_4}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_5}{\fldrslt COMBINING DOCUMENTS}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_5}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GFDL_45_5}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_6}{\fldrslt COLLECTIONS OF DOCUMENTS}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_6}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GFDL_45_6}{\fldrslt 
000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_7}{\fldrslt AGGREGATION WITH INDEPENDENT WORKS}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_7}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GFDL_45_7}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_8}{\fldrslt TRANSLATION}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_8}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GFDL_45_8}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_9}{\fldrslt TERMINATION}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_9}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GFDL_45_9}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_10}{\fldrslt FUTURE REVISIONS OF THIS LICENSE}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_10}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GFDL_45_10}{\fldrslt 000}}}}\hyphpar0\par\pard\li1920\sl220\fi-480 {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_11}{\fldrslt How to use this License for your documents}}\tqr\tldot\tx8400\tab {\field{\*\fldinst HYPERLINK \\l ID_GFDL_45_11}{\fldrslt {\field\flddirty{\*\fldinst PAGEREF ID_GFDL_45_11}{\fldrslt 000}}}}\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgnlcrm\pgnrestart\titlepg{\headerf\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 About This Document}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 About This 
Document}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}\pard\sb220\s1\sl322 {\*\bkmkstart ID_PREFACE}{\*\bkmkend ID_PREFACE}\b\fs29\f2 About This Document\keepn\hyphpar0\par\pard\sb146\li960\sl220\qj \b0\fs20\lang1033\f1 This document contains the instructions on how to use the IPTraf network monitoring software version 3.0. This manual details the different statistical facilities, the user interface, and the important features of the software.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_ADDINFO}{\*\bkmkend ID_ADDINFO}\b\fs26\lang1024\f2 For Additional Information\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 See the included README file for summarized and late-breaking information. Also read the RELEASE-NOTES file for important new information about this new version. The CHANGES file contains a record of the changes made to the software since 1.0.0. README.rvnamed contains information on the rvnamed reverse resolution program. See the other README files for support and development information.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_CONVENTIONS}{\*\bkmkend ID_CONVENTIONS}\b\fs26\lang1024\f2 Document Conventions\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 The following symbols and typefaces are used throughout this manual:\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1024\f3 [ ]\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab items in brackets are optional. 
Brackets also denote items that may or may not be displayed onscreen depending on settings or conditions.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 \{ \}\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab curly braces enclose items you choose from\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 |\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab the vertical bar separates choices in curly braces\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 normal monospace\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab normal monospace text in syntax specifications should be typed in exactly as presented. Because UNIX and variants are case-sensitive, case must be preserved. Monospace is also used in presenting items that appear on the screen.\hyphpar0\par\pard\sb200\li960\sl220\qj \i\fs18\f3 monospace italics\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab italics in syntax specifications indicate items that are to be replaced with an actual item (e.g. \i\f3 interface\i0\f1 should be replaced with an actual interface name, like \fs18\f3 eth0\fs20\f1 ). \hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 Additional information appears distinctively set apart from the main text. 
This information includes Notes, Tips, or Technical Notes.\hyphpar0\par\pard\sb100\li960\sl220\qj \i Notes\i0 are additional pieces of information that may be useful or may clarify the preceeding paragraphs of the manual.\hyphpar0\par\pard\sb100\li960\sl220\qj \i Tips\i0 provide shortcuts, clarify tasks that may not be immediately obvious, or provide references to additional sources of information.\hyphpar0\par\pard\sb100\li960\sl220\qj \i Technical notes\i0 are explanations of a more technical nature and may be of more use to programmers and advanced users.\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgndec\pgnrestart\titlepg{\headerf\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 Chapter 1. Getting Started}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 Chapter 1. Getting Started}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}\pard\sb220\s1\sl322 {\*\bkmkstart ID_GETTINGSTARTED}{\*\bkmkend ID_GETTINGSTARTED}\b\fs29\f2 Chapter 1. Getting Started\keepn\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart _65}{\*\bkmkend _65}\fs26 About IPTraf\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 IPTraf is a network monitoring utility and traffic analyzer for IP networks. 
It intercepts packets and returns data about captured the network traffic in various statistical facilities.\hyphpar0\par\pard\sb100\li960\sl220\qj IPTraf comes with these major features:\hyphpar0\par\pard\sb100\li1160\sl220\fi-200\qj \tx1160 \fs16\lang1024 \'95\tab \fs20 An IP traffic monitor that shows TCP connection information (hosts, packet/byte counts, flags, window sizes), and color-coded information about other IP packets\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Statistics (counts and load rates) for network interfaces in general and detailed views\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Statistics per TCP/UDP port\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Statistical breakdown according to packet sizes\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 A LAN host monitor that returns counts and loads per detected MAC address\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 A powerful filtering system for users to view only interesting traffic\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Logging\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 An asynchronous DNS resolver for the IP traffic monitor\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 A text-based, full-color, menu-driven user interface suitable for use on all Linux systems with terminals, especially Linux consoles and color xterms\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Easy configuration\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Fully software-based. No additional hardware required\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 Basic knowledge of the important TCP/IP protocols (IP, TCP, UDP, ICMP, etc.) 
is necessary for you to best understand the information generated by the program.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_INSTALLATION}{\*\bkmkend ID_INSTALLATION}\b\fs26\lang1024\f2 Installation\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 IPTraf is most readily available on the Internet, but some may receive it on a diskette. Here are the instructions for both types of distributions.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _96}{\*\bkmkend _96}\b\fs24\lang1024\f2 System Requirements\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 IPTraf requires:\hyphpar0\par\pard\sb200\s4\li960\sl242 \b\fs22\lang1024\f2 Hardware Requirements\keepn\hyphpar0\par\pard\sb110\li1160\sl220\fi-200\qj \tx1160 \b0\fs16\f1 \'95\tab \fs20 16 megabytes of physical RAM (more recommended, at least 64 MB for very busy networks)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 2 megabytes of free disk space for installation (more will be needed if you log high amounts of traffic over time)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Pentium-class processor or higher (Pentium-II 200 MHz or higher recommended) or equivalent.\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 One or more of the supported network interfaces.\hyphpar0\par\pard\sb200\s4\li960\sl242 \b\fs22\f2 Operating System Requirements\keepn\hyphpar0\par\pard\sb110\li1160\sl220\fi-200\qj \tx1160 \b0\fs16\f1 \'95\tab \fs20 Linux kernel 2.2.0 or higher\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 GNU C Library 2.1 or later\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 ncurses 4.2 or later with the complete terminfo database in \fs18\f3 /usr/share/terminfo\fs20\f1 . Support for \fs18\f3 linux\fs20\f1 , \fs18\f3 vt100\fs20\f1 , \fs18\f3 xterm\fs20\f1 , \fs18\f3 xterm-color\fs20\f1 recommended. 
\hyphpar0\par\pard\sb200\s4\li960\sl242 \b\fs22\f2 Compilation Requirements\keepn\hyphpar0\par\pard\sb110\li960\sl220\qj \b0\fs20\lang1033\f1 The following components are required when compiling IPTraf from the source code.\hyphpar0\par\pard\sb100\li1160\sl220\fi-200\qj \tx1160 \fs16\lang1024 \'95\tab \fs20 gcc 2.7.2.3 or later\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 GNU C (glibc) development library 2.1 or later\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 ncurses development libraries 4.2 or later\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _134}{\*\bkmkend _134}\b\fs24\f2 Availability\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 IPTraf can be downloaded from the Internet from the official FTP site at ftp://iptraf.seul.org/pub/iptraf/\up8\fs12 1\up0\fs20 .\hyphpar0\par\pard\sb100\li960\sl220\qj The software is available in source form in compressed \fs18\f3 .tar.gz\fs20\f1 files named \fs18\f3 iptraf-\i x.y.z\i0 .tar.gz\fs20\f1 where \i\fs18\f3 x.y.z\i0\fs20\f1 is the version number. Precompiled ready-to-run software is available in the \fs18\f3 iptraf-\i x.y.z.machinetype\i0 .bin.tar.gz\fs20\f1 files. (\i\fs18\f3 machinetype\i0\fs20\f1 indicates what platform the precompiled binaries run on. The official distribution will only be for the Intel x86 architecture indicated as \fs18\f3 i386\fs20\f1 .)\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _149}{\*\bkmkend _149}\b\fs24\lang1024\f2 Installing Downloaded Packages\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 You will need to have GNU tar and GNU zip installed. 
All modern Linux installations already have these utilities ready.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab \lang1024 1.\tab Decompress the \fs18\f3 .tar.gz\fs20\f1 file by entering\hyphpar0\par\pard\sb100\li1440\sl198\qj \fs18\f3 tar zxvf iptraf-\i x.y.z\i0 .tar.gz\hyphpar0\par\pard\sb100\li1440\sl220\qj \fs20\lang1033\f1 for the source code or\hyphpar0\par\pard\sb100\li1440\sl198\qj \fs18\lang1024\f3 tar zxvf iptraf-\i x.y.z\i0 .i386.bin.tar.gz\hyphpar0\par\pard\sb100\li1440\sl220\qj \fs20\lang1033\f1 for the precompiled x86 programs.\hyphpar0\par\pard\sb100\li1440\sl220\qj If your tar doesn't support the z option, you can separately decompress the \fs18\f3 .tar.gz\fs20\f1 file then extract the resulting \fs18\f3 .tar\fs20\f1 archive.\hyphpar0\par\pard\sb100\li1440\sl198\qj \fs18\lang1024\f3 gunzip iptraf-\i x.y.z\i0 .tar.gz\sa0\par\fi0\sb0 +tar xvf iptraf-\i x.y.z\i0 .tar\hyphpar0\par\pard\sb100\li1440\sl220\qj \fs20\lang1033\f1 This will decompress the sources into a directory called \fs18\f3 iptraf-\i x.y.z\i0\fs20\f1 (source code) or \fs18\f3 iptraf-\i x.y.z\i0 .bin\fs20\f1 (precompiled). (\i\f3 x.y.z\i0\f1 here should be the IPTraf version number you're installing, like \fs18\f3 3.0.0\fs20\f1 ).\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab \lang1024 2.\tab Change to the created top level directory.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab 3.\tab To compile and install the software, run the Setup program by entering\hyphpar0\par\pard\sb100\li1440\sl198\qj \fs18\f3 ./Setup\hyphpar0\par\pard\sb100\li1440\sl220\qj \fs20\lang1033\f1 while you are logged in as root. The Setup script will recognize the source distribution and compile the software before installing. It will immediately install a precompiled distribution.\hyphpar0\par\pard\sb100\li960\sl220\qj The resulting binaries will be placed in the \fs18\f3 /usr/local/bin\fs20\f1 directory. 
All needed directories will also be created.\hyphpar0\par\pard\sb100\li960\sl220\qj After installation, you will be asked if you want to read the \fs18\f3 RELEASE-NOTES\fs20\f1 file. It is recommended that you do so at that point, since the \fs18\f3 RELEASE-NOTES\fs20\f1 file contains important information about the new version.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _186}{\*\bkmkend _186}\b\fs24\lang1024\f2 Installing a Floppy Distribution\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 If you received IPTraf on a diskette, the sources are already decompressed. The diskette is in Second Extended filesystem format. Perform the following steps to install the software. \hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab \lang1024 1.\tab Insert the floppy in the drive.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab 2.\tab Mount the floppy on an empty directory. For example, to mount the floppy in the first floppy drive under a directory called \fs18\f3 /mnt\fs20\f1 , enter\hyphpar0\par\pard\sb100\li1440\sl198\qj \fs18\f3 mount -t ext2 /dev/fd0 /mnt\hyphpar0\par\pard\sb100\li1440\sl220\qj \fs20\lang1033\f1 This assumes your floppy is in \fs18\f3 /dev/fd0\fs20\f1 . You can use any empty directory in place of \fs18\f3 /mnt\fs20\f1 . With most Linux installations, this will work fine.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab \lang1024 3.\tab After mounting, change to the \fs18\f3 /mnt\fs20\f1 (or whatever) directory.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab 4.\tab Enter\hyphpar0\par\pard\sb100\li1440\sl198\qj \fs18\f3 ./Setup\hyphpar0\par\pard\sb100\li1440\sl220\qj \fs20\lang1033\f1 while logged in as root. Setup will determine whether the diskette contains a source code distribution or ready-to-run precompiled software. 
This will copy the binaries to \fs18\f3 /usr/local/bin\fs20\f1 , and create the necessary working directories.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab \lang1024 5.\tab Unmount the diskette by typing\hyphpar0\par\pard\sb100\li1440\sl198\qj \fs18\f3 umount /mnt\hyphpar0\par\pard\sb100\li1440\sl220\qj \fs20\lang1033\f1 (That's \i u\i0 mount, not \i un\i0 mount.)\hyphpar0\par\pard\sb100\li1440\sl220\qj You can then eject the diskette. Store it in a safe place.\hyphpar0\par\pard\sb100\li1440\sl220\qj You will also be asked if you want to view the \fs18\f3 RELEASE-NOTES\fs20\f1 file. It is recommended that you do so at that point.\hyphpar0\par\pard\sb100\li1440\sl220\qj In both cases (downloaded and floppy), the installation will store the program in \fs18\f3 /usr/local/bin\fs20\f1 with the binaries owned by user root, readable, writable, and executable by the owner, no permissions for the group, no permissions for all others. (700 octal, or \fs18\f3 -rwx------\fs20\f1 ).\hyphpar0\par\pard\sb200\li1840\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 You must be \fs16\f3 root\fs18\f4 to do the installation. The old style of installation (\b cd src;make install\b0 ) is still supported.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 Be sure \fs18\f3 /usr/local/bin\fs20\f1 is included in your environment's PATH variable. You can edit the appropriate command in your login customization file (\fs18\f3 .profile\fs20\f1 for the Bourne-type shells, \fs18\f3 .cshrc\fs20\f1 for the C shell and its relatives).\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_UPGRADING}{\*\bkmkend ID_UPGRADING}\b\fs26\lang1024\f2 Upgrading from Earlier Versions\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 IPTraf 3.0 is a major revision from IPTraf 2.7. The filter subsystem has been completely redesigned and as such, is incompatible with previous filter formats. Therefore old IPTraf filters can no longer be used. 
The installation procedure for IPTraf 3.0 will rename the filter list files but not delete them.\hyphpar0\par\pard\sb100\li960\sl220\qj If you install a distribution package (e.g. RPM, dpkg), old filters may still appear in the filter selection list but the new IPTraf version will be unable to load them.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_STARTSTOP}{\*\bkmkend ID_STARTSTOP}\b\fs26\lang1024\f2 Starting and Stopping IPTraf\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 After installation, you can start the program by simply entering\hyphpar0\par\pard\sb200\li960\sl198\qj \fs18\lang1024\f3 iptraf\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 at the shell prompt. You will see a copyright notice, with an instruction to press any key to get started. Just press any character key, and you will be immediately taken to the main menu. All major functions of the program are found there.\hyphpar0\par\pard\sb100\li960\sl220\qj Entering the IPTraf command without any command-line parameters brings up the program's main menu. From there, you can select the facilities you want.\hyphpar0\par\pard\sb100\li960\sl220\qj IPTraf determines and makes use of the maximum number of lines and columns on the terminal.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 IPTraf does not have a SIGWINCH handler; it does not adjust itself when an xterm or some other X terminal is resized.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\f2 Technical note: \b0\f4 IPTraf needs to refer to the terminfo database in \fs16\f3 /usr/share/terminfo\fs18\f4 . If the supplied executable program fails with \fs16\f3 Error opening terminal\fs18\f4 , your terminfo database may be located somewhere else. You can control the terminfo search path by using the TERMINFO environment variable. 
For example, if you're using the \b sh\b0 or \b bash\b0 shell, and your terminfo database is in \fs16\f3 /usr/lib/terminfo\fs18\f4 (typical for Slackware distributions), you can use the commands:\hyphpar0\par\pard\sb200\li1360\sl178\qj \fs16\f3 TERMINFO=/usr/lib/terminfo\sa0\par\fi0\sb0 +export TERMINFO\hyphpar0\par\pard\sb200\li1360\sl198\qj \fs18\f4 You can place these commands in your \fs16\f3 ~/.profile\fs18\f4 or the systemwide \fs16\f3 /etc/profile\fs18\f4 startup files.\hyphpar0\par\pard\sb100\li1360\sl198\qj You can also create a symbolic link named \fs16\f3 /usr/share/terminfo\fs18\f4 to let it point to your existing terminfo (assuming again your terminfo is in \fs16\f3 /usr/lib/terminfo\fs18\f4 ):\hyphpar0\par\pard\sb200\li1360\sl178\qj \fs16\f3 ln -s /usr/lib/terminfo /usr/share/terminfo\hyphpar0\par\pard\sb200\li1360\sl198\qj \fs18\f4 Or you can recompile your program to use your existing ncurses library installation. If you do this, make sure you have ncurses 4.2 or later.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_CMDLINE}{\*\bkmkend ID_CMDLINE}\b\fs26\f2 Command-line Options\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 IPTraf has a few optional command-line parameters. As with most UNIX commands, IPTraf command-line parameters are case-sensitive (\fs18\f3 -l\fs20\f1 is NOT the same as \fs18\f3 -L\fs20\f1 ).\hyphpar0\par\pard\sb100\li960\sl220\qj The following command-line parameters can be supplied to the \b iptraf\b0 command:\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1024\f3 -i \i iface\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab causes the IP traffic monitor to start immediately on the specified interface. 
If -i all is specified, all interfaces are monitored.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 -g\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab starts the general interface statistics\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 -d \i iface\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab shows detailed statistics for the specified interface\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 -s \i iface\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab starts the TCP/UDP traffic monitor for the specified interface\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 -z \i iface\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab starts the packet size breakdown for the specified interface\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 -l \i iface\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab starts the LAN station monitor on the specified interface. If \fs18\f3 -l all\fs20\f1 is specified, all LAN interfaces are monitored.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 -t \i timeout\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab The \fs18\f3 -t\fs20\f1 parameter, when used with one of the other parameters that specify a facility to start, tells IPTraf to run the indicated facility for only timeout minutes, after which the facility exits. The \fs18\f3 -t\fs20\f1 parameter is ignored in menu mode.\hyphpar0\par\pard\sb100\li1360\sl220\qj \lang1033 If this parameter is not specified, the facility runs until the exit keystroke is pressed.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1024\f3 -B\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab Redirects all terminal output to the "bit bucket" \fs18\f3 /dev/null\fs20\f1 , closes standard input, and places the program in the background. 
This parameter can be used only with one of the \fs18\f3 -i\fs20\f1 , \fs18\f3 -g\fs20\f1 , \fs18\f3 -d\fs20\f1 , \fs18\f3 -s\fs20\f1 , \fs18\f3 -z\fs20\f1 , or \fs18\f3 -l\fs20\f1 parameters. See {\field{\*\fldinst HYPERLINK \\l ID_BACKOP}{\fldrslt Background Operation}} in Chapter 9. \fs18\f3 -B\fs20\f1 is ignored in menu mode.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 -L \i filename\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab Allows you to specify an alternate log file name when the any facility is directly started from the command line, whether in foreground or background mode. If specified in foreground mode, the log filename prompt is bypassed, even when logging is turned on in the \i Configure...\i0 menu. If this parameter is omitted in background mode, the default log filename is used.\hyphpar0\par\pard\sb100\li1360\sl220\qj \lang1033 This parameter always turns on logging.\hyphpar0\par\pard\sb100\li1360\sl220\qj If an absolute path is not specified, the log file will be created in the default log file directory\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1024\f3 -I \i interval\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab Sets the logging interval (in minutes) when the \fs18\f3 -L\fs20\f1 parameter is used. This overrides the \i Log interval...\i0 setting in the \i Configure...\i0 menu. If omitted, the configured value is used. This parameter is ignored when the \fs18\f3 -L\fs20\f1 parameter is omitted and logging is disabled.\hyphpar0\par\pard\sb100\li1360\sl220\qj \lang1033 The value specified here will affect all facilities except for the IP traffic monitor.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1024\f3 -q\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab Previously used to suppress the warning screen when IPTraf is run on kernels with IP masquerading. 
Since the masquerading code now processes packets in a way better suited to raw capture, this parameter is no longer needed and is retained only for compatibility.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 -f\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab Forces IPTraf to clear all lock files and reset all instance counters to zero before running any facilities. IPTraf will then think it's the first instance of itself.\hyphpar0\par\pard\sb100\li1360\sl220\qj \lang1033 The \fs18\f3 -f\fs20\f1 parameter overrides the existing locks and counters imposed by the IPTraf process and by the various facilities, causing this instance to think it is the first and that there are no other facilities running. Use this parameter with great caution. A common use for this parameter is to recover from abrupt or abnormal terminations which may leave stale locks and counters still lying around.\hyphpar0\par\pard\sb100\li1360\sl220\qj The \fs18\f3 -f\fs20\f1 parameter may be used together with the others.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1024\f3 iptraf -h\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab displays a short help screen\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 While the command-line options are case-sensitive, interactive keystroke at the IPTraf full-screen interface are not.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_MENUS}{\*\bkmkend ID_MENUS}\b\fs26\lang1024\f2 Using the Menus\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 Menu items with a trailing ellipsis (\fs18\f3 ...\fs20\f1 ) either pop up a submenu with further items, or require additional information before it can complete the task and return to the menu. Menu items without an ellipsis execute immediately.\hyphpar0\par\pard\sb100\li960\sl220\qj Use the Up and Down arrow keys on your keyboard to move the selection bar. Press Enter to execute the selected item. 
Alternatively, you can also directly press the highlighted letter of the item you want. This will immediately execute the option.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-mmenu.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 1-1. The IPTraf Main Menu\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_EXITING}{\*\bkmkend ID_EXITING}\fs26\f2 Exiting IPTraf\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 You can exit IPTraf with the Exit command in the main menu.\hyphpar0\par\pard\sb100\li960\sl220\qj When started with one of the command-line options to directly start a statistical facility, pressing X or Q will exit the facility directly, without any confirmation. The \fs18\f3 -t\fs20\f1 command-line parameter will automatically exit the facility after the specified length of time without any confirmation as well. Daemon facilities started with the \fs18\f3 -B\fs20\f1 parameter will immediately terminate after being sent a USR2 signal. See {\field{\*\fldinst HYPERLINK \\l ID_BACKOP}{\fldrslt background operation}} in chapter 9 for more information.\hyphpar0\par\pard\sb200\sl293 \b\fs26\lang1024\f2 Notes\keepn\hyphpar0\par\pard\sb133\li1280\sl220\fi-320\qj \tx1280 \b0\fs20\f1 1. \tab ftp://iptraf.seul.org/pub/iptraf/\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgndec\titlepg{\headerf\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 Chapter 2. Preparing to Use IPTraf}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 Chapter 2. 
Preparing to Use IPTraf}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}\pard\sb220\s1\sl322 {\*\bkmkstart ID_PREPARINGTOUSE}{\*\bkmkend ID_PREPARINGTOUSE}\b\fs29\f2 Chapter 2. Preparing to Use IPTraf\keepn\hyphpar0\par\pard\sb146\li960\sl220\qj \b0\fs20\lang1033\f1 This chapter provides information applicable to all of IPTraf's statistical monitors.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_NUMBERS}{\*\bkmkend ID_NUMBERS}\b\fs26\lang1024\f2 Number Display Notations\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 IPTraf initially returns exact counts of bytes and packets. However, as they grow larger, IPTraf begins displaying them in increasingly higher denominations.\hyphpar0\par\pard\sb100\li960\sl220\qj A number standing alone with no suffix represents an exact count. A number with a K following is a kilo (thousand) figure. An M, G, and T suffix represents mega (million), giga (billion), and tera (trillion) respectively. The following table shows examples.\hyphpar0\par\pard\sb200\li960\sl220\qj \b\lang1024 Table 2-1. 
Numeric Display Notations\sa100\keepn\par\trowd\trleft960 \clvertalt\clbrdrt\brdrs\brdrw20\clbrdrl\brdrs\brdrw20\cellx4680\clvertalt\clbrdrt\brdrs\brdrw20\clbrdrr\brdrs\brdrw20\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 1024067\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 exactly 1024067\sa60\cell \row \trowd\trleft960 \clvertalt\clbrdrl\brdrs\brdrw20\cellx4680\clvertalt\clbrdrr\brdrs\brdrw20\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 1024K\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 approximately 1024000\sa60\cell \row \trowd\trleft960 \clvertalt\clbrdrl\brdrs\brdrw20\cellx4680\clvertalt\clbrdrr\brdrs\brdrw20\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 1024M\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 approximately 1024000000\sa60\cell \row \trowd\trleft960 \clvertalt\clbrdrl\brdrs\brdrw20\cellx4680\clvertalt\clbrdrr\brdrs\brdrw20\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 1024G\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 approximately 1024000000000\sa60\cell \row \trowd\trleft960 \clvertalt\clbrdrb\brdrs\brdrw20\clbrdrl\brdrs\brdrw20\cellx4680\clvertalt\clbrdrb\brdrs\brdrw20\clbrdrr\brdrs\brdrw20\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 1024T\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 approximately 1024000000000000\sa60\cell \row \pard\plain\sl-1\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 These notations apply to both packet and byte counts.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_INSTANCES}{\*\bkmkend ID_INSTANCES}\b\fs26\lang1024\f2 Instances and Logging\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 Since version 2.4, IPTraf allows multiple instances of the facilities at the same time in different processes (for example, you can now run two or more IP Traffic Monitors at the same time). 
However only one can listen on a specific interface or all interfaces at once. The only exception is the general interface statistics, which is still restricted to only one instance at a time.\hyphpar0\par\pard\sb100\li960\sl220\qj Because of this relaxation, each instance now generates log files with unique names for instances, depending on either their instance or the interface they're listening on. If the \i Logging\i0 option is turned on (see the {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt Configuration}} chapter), IPTraf will prompt you for a log file name while presenting a default. You may accept this default or change it. Press Enter to accept, or Ctrl+X to cancel. Canceling will turn logging off for that particular session.\hyphpar0\par\pard\sb100\li960\sl220\qj If you don't specify an absolute path, the log file will be placed in \fs18\f3 /var/log/iptraf\fs20\f1 .\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-logprompt.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 2-1. The logfile prompt dialog\hyphpar0\par\pard\sb200\li960\sl220\qj \b0\lang1033 See the Logging section in the {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt Configuration}} chapter for detailed information on logging. See also the documentation on each statistical facility for the default log file names.\hyphpar0\par\pard\sb100\li960\sl220\qj The default log file names will also be used if the \fs18\f3 -B\fs20\f1 parameter is used to run IPTraf in the background. You can override the defaults with the \fs18\f3 -L\fs20\f1 parameter. See {\field{\*\fldinst HYPERLINK \\l ID_BACKOP}{\fldrslt Background Operation}} in Chapter 9.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_UPDATES}{\*\bkmkend ID_UPDATES}\b\fs26\lang1024\f2 Screen Update Delays\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 Older versions of IPTraf updated the screen as soon as a packet was received. 
However, screen update is one of the slowest operations the program performs. Since version 1.3, a configuration option has been available to control screen update speed.\hyphpar0\par\pard\sb100\li960\sl220\qj See the \i Screen update interval...\i0 configuration option under the {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt Configuration}} chapter of this manual.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_IFACES}{\*\bkmkend ID_IFACES}\b\fs26\lang1024\f2 Supported Network Interfaces\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 IPTraf currently supports the following network interface types and names.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1024\f3 lo\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab The loopback interface. Every machine has one, and has an IP address of 127.0.0.1. \fs18\f3 lo\fs20\f1 is also indicated if data is detected on the \fs18\f3 dummy\i n\i0\fs20\f1 interface(s).\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 eth\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab An Ethernet interface. \i\f3 n\i0\f1 starts from 0. Therefore, \fs18\f3 eth0\fs20\f1 refers to the first Ethernet interface, \fs18\f3 eth1\fs20\f1 to the second, and so on. Most machines only have one.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 fddi\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab An FDDI interface. \i\f3 n\i0\f1 starts from 0.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 tr\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab A Token Ring interface, where \i\f3 n\i0\f1 starts from 0.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 ppp\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab A PPP interface. 
\i\f3 n\i0\f1 starts from 0.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 sli\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab A SLIP interface. \i\f3 n\i0\f1 starts from 0.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 ippp\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab A synchronous PPP interface using ISDN. \i\f3 n\i0\f1 starts from 0.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 isdn\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab ISDN interfaces can be given arbitrary names, but for them to work with IPTraf, they must be named \fs18\f3 isdn\i n\i0\fs20\f1 . IPTraf supports synchronous PPP (the \fs18\f3 ippp\i n\i0\fs20\f1 interfaces above), raw IP, and Cisco-HDLC encapsulation.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 plip\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab PLIP interfaces. These are point-to-point IP connections using the PC parallel port.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 ipsec\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab This refers to Free s/WAN (and possibly other) logical VPN interfaces.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 sbni\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab SBNI long-range modem interfaces\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 dvb\i n\i0\fs20\f1 , \fs18\f3 sm200\fs20\f1 , \fs18\f3 sm300\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab DVB satellite-receive interfaces\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 wlan\i n\i0\fs20\f1 , \fs18\f3 wvlan\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab Wireless LAN interfaces\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 tun\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab general logical tunnel 
interfaces\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 brg\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab general logical bridge interfaces\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 hdlc\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab Frame Relay base (FRAD) interfaces (non-PVC)\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 pvc\i n\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab Frame Relay Permanent Virtual Circuit interfaces\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 Your system's network interfaces must be named according to the schemes specified above.\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgndec\titlepg{\headerf\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 Chapter 3. The IP Traffic Monitor}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 Chapter 3. The IP Traffic Monitor}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}\pard\sb220\s1\sl322 {\*\bkmkstart ID_ITRAFMON}{\*\bkmkend ID_ITRAFMON}\b\fs29\f2 Chapter 3. The IP Traffic Monitor\keepn\hyphpar0\par\pard\sb146\li960\sl220\qj \b0\fs20\lang1033\f1 Executing the first menu item or specifying \fs18\f3 -i\fs20\f1 to the \b iptraf\b0 command takes you to the IP traffic monitor. 
The traffic monitor is a real-time monitoring system that intercepts all packets on all detected network interfaces, decodes the IP information on all IP packets and displays the appropriate information, most notably the source and destination addresses. It also determines the encapsulated protocol within the IP packet, and displays some important information about that as well.\hyphpar0\par\pard\sb100\li960\sl220\qj There are two windows in the traffic monitor, both of which can be scrolled with the Up and Down cursor keys. Just press W to move the \fs18\f3 Active\fs20\f1 indicator to the window you want to control.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-iptm1.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 3-1. The IP traffic monitor\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_UPPERWIN}{\*\bkmkend ID_UPPERWIN}\fs26\f2 The Upper Window\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 The upper window of the traffic monitor displays the currently detected TCP connections. Information about TCP packets are displayed here. 
The window contains these pieces of information:\hyphpar0\par\pard\sb100\li1160\sl220\fi-200\qj \tx1160 \fs16\lang1024 \'95\tab \fs20 Source address and port\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Packet count\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Byte count\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Source MAC address\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Packet Size\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Window Size\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 TCP flag statuses\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Interface\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\f2 Note: \b0\f4 Previous versions of IPTraf showed both the source and destination addresses on each line. IPTraf 2 and higher show only the \i\fs16\f3 source host\i0 :\i port\i0\fs18\f4 combination to save on screen real estate. TCP connection endpoints are still indicated with the green brackets (on color terminals) along the left edge of the screen.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 The Up and Down cursor keys move an indicator bar between entries in the TCP monitor, scrolling the window if necessary. The PgUp and PgDn keys display the previous and next screenfuls of entries respectively.\hyphpar0\par\pard\sb100\li960\sl220\qj The IP traffic monitor computes the data flow rate of the currently highlighted TCP flow and displays it on the lower-right corner of the screen. The flow rate is in kilobits or kilobytes per second depending on the \i Activity mode\i0 switch in the {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt \i Configure...}} menu.\hyphpar0\par\pard\sb100\li960\sl220\qj Because this monitoring system relies solely on packet information, it does not determine which endpoint initiated the connection. 
In other words, it does not know which endpoints are the client and server. This is necessary because it can operate in promiscuous mode, and as such cannot determine the socket statuses for other machines on the LAN. However, a little knowledge of the well-known TCP port numbers can give a good idea about which address is that of the server.\hyphpar0\par\pard\sb100\li960\sl220\qj The system therefore displays two entries for each connection, one for each direction of the TCP connection. To make it easier to determine the direction pairs of each connection, a bracket is used to "join" both together. This bracket appears at the leftmost part of each entry.\hyphpar0\par\pard\sb100\li960\sl220\qj Just because a host entry appears at the upper end of a connection bracket doesn't mean it was the initiator of the connection.\hyphpar0\par\pard\sb100\li960\sl220\qj Each entry in the window contains these fields:\hyphpar0\par\pard\sb200\li960\sl220\qj \i\lang1024 Source address and port\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0 \~\tab The source address and port indicator is in \i\f3 address\i0\f1 :\i\f3 port\i0\f1 format. This indicates the source machine and TCP port on that machine from which this data is coming.\hyphpar0\par\pard\sb100\li1360\sl220\qj \lang1033 The destination is the host:port at the other end of the bracket.\hyphpar0\par\pard\sb200\li960\sl220\qj \i\lang1024 Packet count\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0 \~\tab The number of packets received for this direction of the TCP connection\hyphpar0\par\pard\sb200\li960\sl220\qj \i Byte count\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0 \~\tab The number of bytes received for this direction of the TCP connection. These bytes include total IP and TCP header information, in addition to the actual data. Data link header (e.g. 
Ethernet and FDDI) data are not included.\hyphpar0\par\pard\sb200\li960\sl220\qj \i Source MAC address\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0 \~\tab The address of the host on your local LAN that delivered this packet. This can be viewed by pressing M once if \i Source MAC addrs\i0 in traffic monitor is enabled in the {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt \i Configure...}} menu.\hyphpar0\par\pard\sb200\li960\sl220\qj \i Packet Size\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0 \~\tab The size of the most recently received packet. This item is visible if you press M for more TCP information. This is the size of the IP datagram only, not including the data link header.\hyphpar0\par\pard\sb200\li960\sl220\qj \i Window Size\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0 \~\tab The advertised window size of the most recently received packet. This item is visible if you press M for more TCP information.\hyphpar0\par\pard\sb200\li960\sl220\qj \i Flag statuses\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0 \~\tab The flags of the most recently received packet. \hyphpar0\par\pard\sb200\li1360\sl220\qj \fs18\f3 S\keepn\hyphpar0\par\pard\sb100\li1760\sl220\fi-400\qj \tx1760 \fs20\f1 \~\tab SYN. A synchronization is taking place in preparation for connection establishment. If only an \fs18\f3 S\fs20\f1 is present (\fs18\f3 S---\fs20\f1 ) the source is trying to initiate a connection. If an \fs18\f3 A\fs20\f1 is also present (\fs18\f3 S-A-\fs20\f1 ), this is an acknowledgment of a previous connection request, and is responding.\hyphpar0\par\pard\sb200\li1360\sl220\qj \fs18\f3 A\keepn\hyphpar0\par\pard\sb100\li1760\sl220\fi-400\qj \tx1760 \fs20\f1 \~\tab ACK. This is an acknowledgment of a previously received packet\hyphpar0\par\pard\sb200\li1360\sl220\qj \fs18\f3 P\keepn\hyphpar0\par\pard\sb100\li1760\sl220\fi-400\qj \tx1760 \fs20\f1 \~\tab PSH. 
A request to push all data to the top of the receiving queue\hyphpar0\par\pard\sb200\li1360\sl220\qj \fs18\f3 U\keepn\hyphpar0\par\pard\sb100\li1760\sl220\fi-400\qj \tx1760 \fs20\f1 \~\tab URG. This packet contains urgent data\hyphpar0\par\pard\sb200\li1360\sl220\qj \fs18\f3 RESET\keepn\hyphpar0\par\pard\sb100\li1760\sl220\fi-400\qj \tx1760 \fs20\f1 \~\tab RST. The source machine indicated in this direction reset the entire connection. The direction entries for reset connections become available for new connections.\hyphpar0\par\pard\sb200\li1360\sl220\qj \fs18\f3 DONE\keepn\hyphpar0\par\pard\sb100\li1760\sl220\fi-400\qj \tx1760 \fs20\f1 \~\tab The connection is done sending data in this direction, and has sent a FIN (finished) packet, but has not yet been acknowledged by the other host.\hyphpar0\par\pard\sb200\li1360\sl220\qj \fs18\f3 CLOSED\keepn\hyphpar0\par\pard\sb100\li1760\sl220\fi-400\qj \tx1760 \fs20\f1 \~\tab The FIN has been acknowledged by the other host. When both directions of a connection are marked CLOSED, the entries they occupy become available for new connection entries.\hyphpar0\par\pard\sb200\li1360\sl220\qj \fs18\f3 -\keepn\hyphpar0\par\pard\sb100\li1760\sl220\fi-400\qj \tx1760 \fs20\f1 \~\tab The flag is not set\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 Some other pieces of information can be viewed as well. The M key displays more TCP information. Pressing M once displays the MAC addresses of the LAN hosts that delivered the packets (if the \i Source MAC addrs in traffic monitor\i0 option is enabled in the {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt \i Configure...}} menu). 
\fs18\f3 N/A\fs20\f1 is displayed if no packets have been received from the source yet, or if the interface doesn't support MAC addresses (such as PPP interfaces).\hyphpar0\par\pard\sb100\li960\sl220\qj If the \i Source MAC addrs in traffic monitor\i0 option is not enabled, pressing M simply toggles between the counts and the packet and window sizes.\hyphpar0\par\pard\sb100\li960\sl220\qj By default, only IP addresses are displayed, but if you have access to a name server or host table, you may enable reverse lookup for the IP addresses. Just enable reverse lookup in the {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt \i Configure...}} menu.\hyphpar0\par\pard\sb100\brdrt\brdrs\brdrw20\brsp200\li1000\ri40\brdrl\brdrs\brdrw20\brsp40\li1000\ri40\brdrb\brdrs\brdrw20\brsp0\li1000\ri40\brdrr\brdrs\brdrw20\brsp40\li1000\ri40\sl220\qj \b\lang1024 The rvnamed Process\keepn\hyphpar0\par\pard\sb100\brdrt\brdrs\brdrw20\brsp200\li1000\ri40\brdrl\brdrs\brdrw20\brsp40\li1000\ri40\brdrb\brdrs\brdrw20\brsp0\li1000\ri40\brdrr\brdrs\brdrw20\brsp40\li1000\ri40\sl220\qj \b0\lang1033 The IP traffic monitor starts a daemon called \b rvnamed\b0 to help speed up reverse lookups without sacrificing too much keyboard control and accuracy of the counts. While reverse lookup is being conducted in the background, IP addresses will be used until the resolution is complete.\hyphpar0\par\pard\sb100\brdrt\brdrs\brdrw20\brsp200\li1000\ri40\brdrl\brdrs\brdrw20\brsp40\li1000\ri40\brdrb\brdrs\brdrw20\brsp0\li1000\ri40\brdrr\brdrs\brdrw20\brsp40\li1000\ri40\sl220\qj If for some reason \b rvnamed\b0 cannot start (probably due to improper installation or lack of memory), and you are on the Internet, and you enable reverse lookup, your keyboard control can become very slow. 
This is because the standard lookup functions do not return until they have completed their tasks, and it can take several seconds for a name resolution in the foreground to complete.\hyphpar0\par\pard\sb100\brdrt\brdrs\brdrw20\brsp200\li1000\ri40\brdrl\brdrs\brdrw20\brsp40\li1000\ri40\brdrb\brdrs\brdrw20\brsp0\li1000\ri40\brdrr\brdrs\brdrw20\brsp40\li1000\ri40\sl220\qj \b rvnamed\b0 will spawn up to 200 children to process reverse DNS queries.\keepn\hyphpar0\par\pard\brdrt\brdrs\brdrw20\brsp200\li1000\ri40\brdrl\brdrs\brdrw20\brsp40\li1000\ri40\brdrb\brdrs\brdrw20\brsp0\li1000\ri40\brdrr\brdrs\brdrw20\brsp40\li1000\ri40\sl-200\keepn\par\pard\sl-1\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Tip: \b0\f4 If you notice unusual SYN activity (too many initial (\fs16\f3 S---\fs18\f4 ) but frozen SYN entries, or rapidly increasing initial SYN packets for a single connection), you may be under a SYN flooding attack or TCP port scan. Apply appropriate measures, or the targeted machines may begin denying network services.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 Entries not updated within a user-configurable amount of time may get replaced with new connections. The default time is 15 minutes. This is regardless of whether the connection is closed or not. (Some unclosed connections may be due to extremely slow links or crashes at either end of the connection.) This figure can be changed at the {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt \i Configure...}} menu.\hyphpar0\par\pard\sb100\li960\sl220\qj Some early entries may have a > symbol in front of its packet count. This means the connection was already established when the monitor started. In other words, the figures indicated do not reflect the counts since the start of the TCP connection, but rather, since the start of the traffic monitor. Eventually, these > entries will close (or time out) and disappear. 
TCP entries without the > were initiated after the traffic monitor started, and the counts indicate the totals of the connection itself. Just consider entries with > partial.\hyphpar0\par\pard\sb100\li960\sl220\qj Some > entries may go idle if the traffic monitor was started when these connections were already half-closed (FIN sent by one host, but data still being sent by the other). This is because the traffic monitor cannot determine if a connection was already half-closed when it started. These entries will eventually time out. (To minimize these entries, an entry is not added by the monitor until a packet with data or a SYN packet is received.)\hyphpar0\par\pard\sb100\li960\sl220\qj Direction entries also become available for reuse if an ICMP Destination Unreachable message is received for the connection.\hyphpar0\par\pard\sb100\li960\sl220\qj The lower part of the screen contains a summary line showing the IP, TCP, UDP, ICMP, and non-IP byte counts since the start of the monitor. The IP, TCP, UDP, and ICMP counts include only the IP datagram header and data, not the data-link headers. The non-IP count includes the data-link headers.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Technical note: IP Forwarding and Masquerading: \b0\f4 Previous versions of IPTraf issued a warning if the kernel had IP masquerading enabled due to the way the kernel masqueraded and translated the IP addresses. The new kernels no longer do it as before and IPTraf now gives output properly on masquerading machines. 
The \fs16\f3 -q\fs18\f4 parameter is no longer required to suppress the warning screen.\hyphpar0\par\pard\sb100\li1360\sl198\qj On forwarding (non-masquerading) machines packets and TCP connections simply appear twice, one each for the incoming and outgoing interfaces if all interafaces are being monitored.\hyphpar0\par\pard\sb100\li1360\sl198\qj On masquerading machines, packets and connections from the internal network to the external network also appear twice, one for the internal and external interface. Packets coming from the internal network will be indicated as coming from the internal IP address that sourced them, and also as coming from the IP address of the external interface on your masquerading machine. In much the same way, packets coming in from the external network will look like they're destined for the external interface's IP address, and again as destined for the final host on the internal network.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _725}{\*\bkmkend _725}\b\fs24\f2 Closed/Idle/Timed Out Connections\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 A TCP connection entry that closes, gets reset, or stays idle too long normally gets replaced with new connections. However, if there are too many of these, active connections may become interspersed among closed, reset, or idle entries.\hyphpar0\par\pard\sb100\li960\sl220\qj IPTraf can be set to automatically remove all closed, reset, and idle entries with the \i TCP closed/idle persistence...\i0 configuration option. You can also press the F key to immediately clear them at any time.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 The \i TCP timeout...\i0 option only tells IPTraf how long it should take before a connection should be considered idle and open to replacement by new connections. This does not determine how long it remains on-screen. 
The \i TCP closed/idle persistence...\i0 parameter flushes entries that have been idle for the number of minutes defined by the \i TCP timeout...\i0 option.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _736}{\*\bkmkend _736}\b\fs24\f2 Sorting TCP Entries\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 The TCP connection entries can be sorted by pressing the S key, then by selecting a sort criterion. Pressing S will display a box showing the available sort criteria. Press P to sort by packet count, B to sort by byte count. Pressing any other key cancels the sort.\hyphpar0\par\pard\sb100\li960\sl220\qj The sort operation compares the larger values in each connection entry pair and sorts the counts in descending order.\hyphpar0\par\pard\sb100\li960\sl220\qj Over time, the entries will go out of order as counts proceed at varying rates. Sorting is not done automatically so as not to degrade performance and accuracy.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-iptmsort.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 3-2. The IP traffic monitor sort criteria\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_LOWERWIN}{\*\bkmkend ID_LOWERWIN}\fs26\f2 Lower Window\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 The lower window displays information about the other types of traffic on your network. 
The following protocols are detected internally:\hyphpar0\par\pard\sb100\li1160\sl220\fi-200\qj \tx1160 \fs16\lang1024 \'95\tab \fs20 User Datagram Protocol (UDP)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Internet Control Message Protocol (ICMP)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Open Shortest-Path First (OSPF)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Interior Gateway Routing Protocol (IGRP)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Interior Gateway Protocol (IGP)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Internet Group Management Protocol (IGMP)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 General Routing Encapsulation (GRE)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Layer 2 Tunneling Protocol (L2TP)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 IPSec AH and ESP protocols (IPSec AH and IPSec ESP)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Address Resolution Protocol (ARP)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Reverse Address Resolution Protocol (RARP)\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 Other IP protocols are looked up from the \fs18\f3 /etc/services\fs20\f1 file. If \fs18\f3 /etc/services\fs20\f1 doesn't contain information about that protocol, the protocol number is indicated.\hyphpar0\par\pard\sb100\li960\sl220\qj Non-IP packets are indicated as \fs18\f3 Non-IP\fs20\f1 in the lower window.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 The source and destination addresses for ARP and RARP entries are MAC addresses.\hyphpar0\par\pard\sb100\li1360\sl198\qj Strictly speaking, ARP and RARP packets aren't IP packets, since they are not encapsulated in an IP datagram. 
They're just indicated because they are integral to proper IP operation on LANs.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 For all packets in the lower window, only the first IP fragment is indicated (since that contains the header of the IP-encapsulated protocol) but with no further information from the encapsulated protocol.\hyphpar0\par\pard\sb100\li960\sl220\qj UDP packets are also displayed in \i\fs18\f3 address\i0 :\i port\i0\fs20\f1 format while ICMP entries also contain the ICMP message type. For easier location, each type of protocol is color-coded (only on color terminals such as the Linux console).\hyphpar0\par\pard\sb200\li960\sl220\qj \lang1024 UDP\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \~\tab Red on White\hyphpar0\par\pard\sb200\li960\sl220\qj ICMP\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \~\tab Yellow on Blue\hyphpar0\par\pard\sb200\li960\sl220\qj OSPF\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \~\tab Black on Cyan\hyphpar0\par\pard\sb200\li960\sl220\qj IGRP\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \~\tab Bright white on Cyan\hyphpar0\par\pard\sb200\li960\sl220\qj IGP\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \~\tab Red on Cyan\hyphpar0\par\pard\sb200\li960\sl220\qj IGMP\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \~\tab Bright green on Blue\hyphpar0\par\pard\sb200\li960\sl220\qj GRE\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \~\tab Blue on white\hyphpar0\par\pard\sb200\li960\sl220\qj ARP\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \~\tab Bright white on Red\hyphpar0\par\pard\sb200\li960\sl220\qj RARP\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \~\tab Bright white on Red\hyphpar0\par\pard\sb200\li960\sl220\qj Other IP\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \~\tab Yellow on red\hyphpar0\par\pard\sb200\li960\sl220\qj 
Non-IP\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \~\tab Yellow on Red\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 The lower window can hold up to 512 entries. You can scroll the lower window by using the W key to move the Active indicator to it, and by using the Up and Down cursor keys. The lower window automatically scrolls every time a new entry is added, and either the first entry or last entry is visible. Upon reaching 512 entries, old entries are thrown out as new entries are added.\hyphpar0\par\pard\sb100\li960\sl220\qj Some entries may be too long to completely fit in a screen line. You can use the Left and Right cursor keys to vertically scroll the lower window when it is marked \fs18\f3 Active\fs20\f1 . If your terminal can be resized (e.g. xterm), you may do so before starting IPTraf.\hyphpar0\par\pard\sb100\li960\sl220\qj Entries for packets received on LAN interfaces also include the source MAC address of the LAN host which delivered it. This behavior is enabled by turning on the Source MAC addrs in traffic monitor toggle in the {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt \i Configure...}} menu.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _835}{\*\bkmkend _835}\b\fs24\lang1024\f2 Entry Details\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 In general, the entries in the lower window indicate the protocol, the IP datagram size (full frame size for non-IP, including ARP and RARP), the source address, the destination address, and the network interface the packet was detected on. 
However, some protocols have a little more information.\hyphpar0\par\pard\sb200\s4\li960\sl242 \b\fs22\lang1024\f2 ICMP\keepn\hyphpar0\par\pard\sb110\li960\sl220\qj \b0\fs20\lang1033\f1 ICMP entries are displayed in this format:\hyphpar0\par\pard\sb200\li960\sl198\qj \fs18\lang1024\f3 ICMP \i type\i0 [(\i subtype\i0 )] (\i size\i0 bytes) from \i source\i0 to \i destination\i0 \sa0\par\fi0\sb0 +[(src HWaddr \i srcMACaddress\i0 )] on \i interface\hyphpar0\par\pard\sb200\li960\sl220\qj \i0\fs20\lang1033\f1 where type could be any of the following:\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1024\f3 echo req, echo rply\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab ICMP echo request and reply. Usually used by the ping program and other network monitoring and diagnostic program. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 dest unrch\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab ICMP destination unreachable. Something failed to reach its target. The dest unreach type is supplemented with a further indicator of the problem. Destination unreachable messages for TCP traffic causes the corresponding TCP entry in the upper window to be made available for reuse by new connections. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 redirct\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab ICMP redirect. Usually generated by a router to tell a host that a better gateway is available. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 src qnch\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab The ICMP source quench is used to stop a host from transmitting. It's a flow control mechanism for IP. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 time excd\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab Indicates a packet's time-to-live value expired before it got to its destination. Mostly happens if a destination is too far away. 
Also used by the traceroute program.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 router adv\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab ICMP router advertisement \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 router sol\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab ICMP router solicitation \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 timestmp req\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab ICMP timestamp request\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 timestmp rep\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab ICMP timestamp reply \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 info req\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab ICMP information request \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 info rep\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab ICMP information reply \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 addr mask req\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab ICMP address mask request \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 addr mask rep\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab ICMP address mask reply \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 param prob\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab ICMP parameter problem \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 bad/unknown\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab An unrecognized ICMP packet was received, or the packet is corrupted.\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 The destination unreachable message also includes information on the type of error encountered. 
Here are the destination unreachable codes:\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1024\f3 ntwk\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab network unreachable \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 host\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab host unreachable \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 proto\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab protocol unreachable \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 port\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab port unreachable \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 pkt fltrd\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab packet filtered (normally by an access rule on a router or firewall) \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 DF set\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab the packet has to be fragmented somewhere, but its don't fragment (DF) bit is set.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 src rte fail\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab source route failed \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 src isltd\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab source isolated (obsolete) \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 net comm denied\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab network communication denied \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 host comm denied\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab host communication denied \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 net unrch for TOS\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab network unreachable for specified IP type-of-service \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 host unrch for 
TOS\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab host unreachable for specified IP type-of-service \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 prec violtn\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab precedence violation \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 prec cutoff\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab precedence cutoff \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 dest net unkn\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab destination network unknown \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 dest host unkn\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab destination network unknown\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 For more information on ICMP, see RFC 792.\hyphpar0\par\pard\sb200\s4\li960\sl242 \b\fs22\lang1024\f2 OSPF\keepn\hyphpar0\par\pard\sb110\li960\sl220\qj \b0\fs20\lang1033\f1 OSPF messages also include a little more information. The format of an OSPF message in the window is:\hyphpar0\par\pard\sb200\li960\sl198\qj \fs18\lang1024\f3 OSPF \i type\i0 (a=\i area\i0 r=\i router\i0 ) (\i size\i0 bytes) from \i source\i0 to \i destination\i0 \sa0\par\fi0\sb0 +[(src HWaddr \i srcMACaddress\i0 )] on \i interface\hyphpar0\par\pard\sb200\li960\sl220\qj \i0\fs20\lang1033\f1 The type can be one of the following:\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1024\f3 hlo\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab OSPF hello. Hello messages establish OSPF communications and keep routers informed of each other's presence. 
\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 DB desc\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab OSPF Database Description \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 LSR\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab OSPF Link State Request \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 LSU\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab OSPF Link State Update. Messages indicating the states of the OSPF network links \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 LSA\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab OSPF Link State Acknowledgment\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 The entries in parentheses:\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1024\f3 a=\i area\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab The area number of the OSPF message\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 r=\i router\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \i0\fs20\f1 \~\tab The IP address of the router that generated the message. It is not necessarily the same as the source address of the encapsulating IP packet.\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 Many times, the destination addresses for OSPF packets are class D multicast addresses in standard dotted decimal notation or (if reverse lookup is enabled), hosts under the \fs18\f3 MCAST.NET\fs20\f1 domain. 
Such multicast addresses are defined as follows:\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1024\f3 224.0.0.5 (OSPF-ALL.MCAST.NET)\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab OSPF all routers\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 224.0.0.6 (OSPF-DSIG.MCAST.NET)\keepn\hyphpar0\par\pard\sb100\li1360\sl220\fi-400\qj \tx1360 \fs20\f1 \~\tab OSPF all designated routers\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 See RFC 1247 for details on the OSPF protocol.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart _1076}{\*\bkmkend _1076}\b\fs26\lang1024\f2 Additional Information\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 When started from the main menu and logging is enabled, the IP traffic monitor prompts you for a log file name. The default name is \fs18\f3 ip_traffic-\i n\i0 .log (where \i n\i0\fs20\f1 is what instance of the traffic monitor this is (1, 2, 3, and so on). (e.g. if this is the first instance, the default file name will be \fs18\f3 ip_traffic-1.log\fs20\f1 .)\hyphpar0\par\pard\sb100\li960\sl220\qj When started with the \fs18\f3 -i\fs20\f1 parameter, the log filename can be specified with the \fs18\f3 -L\fs20\f1 parameter. See the {\field{\*\fldinst HYPERLINK \\l ID_CMDLINE}{\fldrslt Command-line Parameters}} section above for more information.\hyphpar0\par\pard\sb100\li960\sl220\qj On busy networks, the display may become cluttered with traffic you're not interested in. To control the traffic monitor's output, you can apply a \i filter\i0 . 
See Chapter 7, {\field{\*\fldinst HYPERLINK \\l ID_FILTERS}{\fldrslt Filters}} for more information on IPTraf's filters.\hyphpar0\par\pard\sb100\li960\sl220\qj At any time, you can press X or Q to return to the main menu (or back to the shell if the monitor was started with \b iptraf -i\b0 ).\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgndec\titlepg{\headerf\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 Chapter 4. Network Interface Statistics}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 Chapter 4. Network Interface Statistics}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}\pard\sb220\s1\sl322 {\*\bkmkstart ID_NETSTATS}{\*\bkmkend ID_NETSTATS}\b\fs29\f2 Chapter 4. Network Interface Statistics\keepn\hyphpar0\par\pard\sb146\li960\sl220\qj \b0\fs20\lang1033\f1 There are two network interface statistics facilities: the general interface statistics, which displays a statistical summary of all attached interfaces, and the detailed interface statistics, which shows more statistical and load information about a single selected interface.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_GENSTATS}{\*\bkmkend ID_GENSTATS}\b\fs26\lang1024\f2 General Interface Statistics\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 The second menu option displays a list of attached network interfaces, and some general packet counts. Specifically, it displays counts of IP, non-IP, and bad IP packets (packets with IP checksum errors). 
It also includes an activity indicator, which shows the number of kilobits and packets the interface sees per second. All figures are for incoming and outgoing packets. (Again, considering promiscuous mode for LAN interfaces, which simply causes the machine to intercept all packets). This is useful for general monitoring of all attached interfaces. If byte counts and additional information are needed for a specific interface, the \i Detailed interface statistics\i0 option is also available.\hyphpar0\par\pard\sb100\li960\sl220\qj The activity indicators can be toggled between kbits/s and kbytes/s with the \i Activity mode\i0 configuration option.\hyphpar0\par\pard\sb100\li960\sl220\qj The general statistics window will dynamically add new entries as packets from newly-created interfaces (e.g. new PPP interfaces) are intercepted. Long lists can be scrolled with the Up, Down, PgUp, and PgDn keys.\hyphpar0\par\pard\sb100\li960\sl220\qj This monitor is affected by IPTraf's {\field{\*\fldinst HYPERLINK \\l ID_FILTERS}{\fldrslt filters}} as described in Chapter 7.\hyphpar0\par\pard\sb100\li960\sl220\qj Copies of the statistics are written to the log file \fs18\f3 iface_stats_general.log\fs20\f1 at regular intervals if logging is enabled. See the \i Logging\i0 option int the {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt Configuration}} chapter.\hyphpar0\par\pard\sb100\li960\sl220\qj This facility can be started directly from the command line with the \b -g\b0 option to the \b iptraf\b0 command. When started from the command line, the log filename and log interval can be specified with the \fs18\f3 -L\fs20\f1 and \fs18\f3 -I\fs20\f1 parameters respectively. See the {\field{\*\fldinst HYPERLINK \\l ID_CMDLINE}{\fldrslt Command-line Parameters}} section above for more information.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-gstat1.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 4-1. 
The general interface statistics screen\hyphpar0\par\pard\sb200\li960\sl220\qj \b0\lang1033 You can press X or Q to return to the main menu. \hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_DETSTATS}{\*\bkmkend ID_DETSTATS}\b\fs26\lang1024\f2 Detailed Interface Statistics\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 The third menu option displays packet statistics for any selected interface. It provides basically the same information as the \i General interface statistics\i0 option, with additional details. This facility provides the following information:\hyphpar0\par\pard\sb100\li1160\sl220\fi-200\qj \tx1160 \fs16\lang1024 \'95\tab \fs20 Total packet and byte counts\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 IP packet and byte counts\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 TCP packet and byte counts\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 UDP packet and byte count\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 ICMP packet and byte counts\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Other IP-type packet and byte counts\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Non-IP packet and byte counts\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Checksum error count\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Interface activity\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Broadcast packet and byte counts\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 All IP byte counts (IP, TCP, UDP, ICMP, other IP) include IP header data and payload. The data link header is not included. The full frame length (including data-link header) is included in the non-IP and Total byte count. 
All data-link headers are also included in the Total byte counts.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-dstat1.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 4-2. The detailed interface statistics screen\hyphpar0\par\pard\sb200\li960\sl220\qj \b0\lang1033 The upper portion of the screen contains the packet and byte counts for all IP and non-IP packets intercepted on the interface. The lower portion contains the total, incoming, and outgoing interface data rates.\hyphpar0\par\pard\sb100\li960\sl220\qj This facility also displays incoming and outgoing counts and data rates. The packet size breakdown in versions prior to 2.0.0 has been moved to its own facility under \i Statistical breakdowns.../By packet size\i0 as described in {\field{\*\fldinst HYPERLINK \\l ID_PKTSIZE}{\fldrslt Chapter 5}}.\hyphpar0\par\pard\sb100\li960\sl220\qj An outgoing packet is one that exits your interface, regardless of whether it originated from your machine or came from another machine and was routed through yours. An incoming packet is one that enters your interface, either addressed to you directly, broadcast, multicast, or captured promiscuously.\hyphpar0\par\pard\sb100\li960\sl220\qj The rate indicators can be set to display kbits/s or kbytes/s with the \i Activity mode\i0 configuration option.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 Buffering and some other factors may affect the data rates, notably the outgoing rate, causing it to reflect a higher figure than the actual rate at which the interface is sending.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 The figures are logged at regular intervals if logging is enabled. 
The default log file name at the prompt is \fs18\f3 iface_stats_detailed-\i iface\i0 .log\fs20\f1 where iface is the selected interface for this session (for example, \fs18\f3 iface_stats_detailed-eth0.log\fs20\f1 ).\hyphpar0\par\pard\sb100\li960\sl220\qj If you wish to start this facility directly from the command line, you can specify the \fs18\f3 -d\fs20\f1 parameter and an interface to monitor. For example,\hyphpar0\par\pard\sb200\li960\sl198\qj \fs18\lang1024\f3 iptraf -d eth0\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 starts the statistics for \fs18\f3 eth0\fs20\f1 . The interface must be specified, or IPTraf will not start the facility.\hyphpar0\par\pard\sb100\li960\sl220\qj When started from the command line, the log filename and log interval can be specified with the \fs18\f3 -L\fs20\f1 and \fs18\f3 -I\fs20\f1 parameters respectively. See the {\field{\*\fldinst HYPERLINK \\l ID_CMDLINE}{\fldrslt Command-line Parameters}} section above for more information.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 In both the general and detailed statistics screens, as well as in the IP traffic monitor, the packet counts are for actual network packets (layer 2), not the logical IP packets (layer 3) that may be reconstructed after fragmentation. That means, if a packet was fragmented into four pieces, and these four fragments pass over your interface, the packet counts will indicate four separate packets.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 The figure for the IP checksum errors is a packet count only, because the corrupted IP header cannot be relied upon to give a correct IP packet length value.\hyphpar0\par\pard\sb100\li960\sl220\qj This facility's output is also affected by IPTraf's {\field{\*\fldinst HYPERLINK \\l ID_FILTERS}{\fldrslt filters}}. 
See Chapter 7 for more information on filters.\hyphpar0\par\pard\sb100\li960\sl220\qj Pressing X or Q takes you back to the main menu (if this facility was started with the command-line option, X or Q drops you back to the shell).\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgndec\titlepg{\headerf\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 Chapter 5. Statistical Breakdowns}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 Chapter 5. Statistical Breakdowns}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}\pard\sb220\s1\sl322 {\*\bkmkstart ID_STATBREAKDOWNS}{\*\bkmkend ID_STATBREAKDOWNS}\b\fs29\f2 Chapter 5. Statistical Breakdowns\keepn\hyphpar0\par\pard\sb146\li960\sl220\qj \b0\fs20\lang1033\f1 Statistical breakdowns contain two facilities that break down traffic counts by either packet size or TCP/UDP port.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_PKTSIZE}{\*\bkmkend ID_PKTSIZE}\b\fs26\lang1024\f2 Packet Sizes\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 The packet size breakdown facility used to be incorporated into the detailed interface statistics. It has since been moved to its own facility. It is entered by selecting \i Statistical Breakdowns/By packet size\i0 .\hyphpar0\par\pard\sb100\li960\sl220\qj The packet size breakdown takes the interface's Maximum Transmission Unit (MTU) size and divides it into 20 brackets, each bracket containing a range of sizes. 
As a packet is captured, its size is determined and the appropriate bracket is incremented.\hyphpar0\par\pard\sb100\li960\sl220\qj This facility provides an idea as to the packet sizes passing over your network, and can aid in network (re)design decisions.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-pktsize.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 5-1. The packet size statistical breakdown\hyphpar0\par\pard\sb200\li960\sl220\qj \b0\lang1033 If logging is enabled, copies of the statistics are written at regular intervals to a log file. The default log file name is \fs18\f3 packet_size-\i iface\i0 .log\fs20\f1 where \i\f3 iface\i0\f1 is the selected interface for this session (for example, \fs18\f3 packet_size-eth0.log\fs20\f1 ).\hyphpar0\par\pard\sb100\li960\sl220\qj IPTraf's filters do not affect this facility.\hyphpar0\par\pard\sb100\li960\sl220\qj The packet size breakdown can also be invoked straight from the command line by specifying the \fs18\f3 -z\fs20\f1 iface parameter. The interface parameter is required. For example, this command runs the facility on interface \fs18\f3 eth0\fs20\f1 .\hyphpar0\par\pard\sb200\li960\sl198\qj \fs18\lang1024\f3 iptraf -z eth0\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 When started from the command line, the log filename and log interval can be specified with the \fs18\f3 -L\fs20\f1 and \fs18\f3 -I\fs20\f1 parameters respectively. See the {\field{\*\fldinst HYPERLINK \\l ID_CMDLINE}{\fldrslt Command-line Parameters}} section above for more information.\hyphpar0\par\pard\sb100\li960\sl220\qj To exit, press X or Ctrl+X.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_SERVMON}{\*\bkmkend ID_SERVMON}\b\fs26\lang1024\f2 TCP and UDP Traffic Statistics\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 IPTraf also includes a facility that generates statistics on TCP and UDP traffic. 
This facility displays counts of all TCP and UDP packets with source or destination ports numbered less than 1024. Ports 1 to 1023 are reserved for the TCP/IP application protocols (well-known ports).\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-tcpudp.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 5-2. The TCP/UDP service monitor\hyphpar0\par\pard\sb200\li960\sl220\qj \b0\lang1033 The statistics window indicates the protocol (TCP or UDP), the port number, the total packets and bytes counted for this particular protocol/port combination, the packets and bytes destined for that protocol and port, and the packets and bytes coming from that protocol and port.\hyphpar0\par\pard\sb100\li960\sl220\qj Byte counts include the IP header and payload only. The data link header is not included.\hyphpar0\par\pard\sb100\li960\sl220\qj The protocol/port indicators are color-coded for easier identification on color terminals. TCP indicators are in yellow, UDP in bright green.\hyphpar0\par\pard\sb100\li960\sl220\qj Some network applications or protocols may use port numbers higher than 1023. Examples of these include application proxy servers (HTTP proxy servers typically use values like 8000, 8080, 8888, and the like), and IRC (IRC servers commonly accept connections on ports 6660 to 6669). These ports are by default not included in the counts. If you do want to include a higher-numbered port in the statistics, you can add them yourself from the {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt \i Configure...}}\i /Additional ports...\i0 menu item. 
See the section below.\hyphpar0\par\pard\sb100\li960\sl220\qj If logging is enabled, The statistics are also written to a log file (the default name is \fs18\f3 tcp_udp_services-\i iface\i0 .log\fs20\f1 , where iface is the selected interface (for example, \fs18\f3 tcp_udp_services-eth0.log\fs20\f1 ).\hyphpar0\par\pard\sb100\li960\sl220\qj IPTraf computes the total, incoming, outgoing, and data rates of the protocol currently indicated by the facility's highlight bar. The data rates are indicated at the bottom of the screen. If logging is enabled, the average data rates since the start of the facility are placed in the log file.\hyphpar0\par\pard\sb100\li960\sl220\qj The Up and Down cursor keys move the highlight bar. Pressing X or Ctrl+X exits and returns to the main menu (or the shell if it was started from the command line).\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _1222}{\*\bkmkend _1222}\b\fs24\lang1024\f2 Sorting TCP/UDP Entries\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 Pressing the S key brings up a window which allows you to select the field by which the entries will be sorted. You can press R to sort by port, P to sort by total packets, B to sort by total bytes, T to sort by incoming packets (packets to), O to sort by incoming bytes (bytes to), F to sort by outgoing packets (packets from) and M to sort by outgoing bytes (bytes from). Pressing any other key cancels the sort.\hyphpar0\par\pard\sb100\li960\sl220\qj Port numbers are sorted in ascending order (least first) but statistics are sorted in descending order (largest counts first).\hyphpar0\par\pard\sb100\li960\sl220\qj As with the IP traffic monitor, sorting is performed only with this sequence. Automatic sorting is not performed so as not to affect performance.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-tcpudpsort.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 5-3. 
The TCP/UDP monitor's sort criteria\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _1230}{\*\bkmkend _1230}\fs24\f2 Additional Information\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 IPTraf's filters affect the output of this facility. See Chapter 7, {\field{\*\fldinst HYPERLINK \\l ID_FILTERS}{\fldrslt Filters}} for more information about filters.\hyphpar0\par\pard\sb100\li960\sl220\qj If you wish to start this facility from the command line, you can use the \fs18\f3 -s\fs20\f1 option followed by an interface to monitor. For example,\hyphpar0\par\pard\sb200\li960\sl198\qj \fs18\lang1024\f3 iptraf -s eth0\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 brings up this module for traffic on \fs18\f3 eth0\fs20\f1 . The interface must be specified, or IPTraf will drop back to the shell.\hyphpar0\par\pard\sb100\li960\sl220\qj When started from the command line, the log filename and log interval can be specified with the \fs18\f3 -L\fs20\f1 and \fs18\f3 -I\fs20\f1 parameters respectively. See the {\field{\*\fldinst HYPERLINK \\l ID_CMDLINE}{\fldrslt Command-line Parameters}} section above for more information.\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgndec\titlepg{\headerf\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 Chapter 6. LAN Station Statistics}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 Chapter 6. 
LAN Station Statistics}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}\pard\sb220\s1\sl322 {\*\bkmkstart ID_HOSTMON}{\*\bkmkend ID_HOSTMON}\b\fs29\f2 Chapter 6. LAN Station Statistics\keepn\hyphpar0\par\pard\sb146\li960\sl220\qj \b0\fs20\lang1033\f1 The LAN station monitor (Ethernet station monitor on versions prior to 1.3.0) discovers MAC addresses and displays statistics on the number of incoming, and outgoing packets. It also includes figures for incoming and outgoing kilobits per second for each discovered station.\hyphpar0\par\pard\sb100\li960\sl220\qj The entry above each line of statistics is the station's LAN type (Ethernet, PLIP, Token Ring, or FDDI) and the hardware MAC address. Each statistics line consists of the following information:\hyphpar0\par\pard\sb100\li1160\sl220\fi-200\qj \tx1160 \fs16\lang1024 \'95\tab \fs20 Total packets incoming\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 IP packets incoming\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Total bytes incoming\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Incoming rate\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Total packets outgoing\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 IP packets outgoing\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Total bytes outgoing\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Outgoing rate\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 The byte counts include the data link header. The activity indicators can be set to display kbits/s or kbytes/s with the \i Activity mode\i0 configuration option.\hyphpar0\par\pard\sb100\li960\sl220\qj This facility works only for Ethernet, PLIP, Token Ring, and FDDI frames. Loopback. 
ISDN, and SLIP/PPP networks are not monitored here.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-hw.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 6-1. The LAN station monitor\hyphpar0\par\pard\sb200\li960\sl220\qj \b0\lang1033 Copies of the statistics are written to a log file at regular intervals if logging is enabled. The default log file name is \fs18\f3 lan_statistics-\i n\i0 .log\fs20\f1 , where n is the instance number of this facility (for example, if this is the first instance, the generated default log file name is \fs18\f3 lan_statistics-1.log\fs20\f1 ).\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_SORTINGLAN}{\*\bkmkend ID_SORTINGLAN}\b\fs26\lang1024\f2 Sorting the LAN Station Monitor Entries\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 Press S to sort the entries. A box will pop up and display the keys you can press to select the field by which the entries will be sorted. Press P to sort by total incoming packets, I to sort by incoming IP packets, B to sort by total incoming bytes, K to sort by total outgoing packets, O to sort by outgoing IP packets, and Y to sort by total outgoing bytes. Pressing any other key cancels the sort.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-hwsort.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 6-2. The LAN station monitor's sort criteria\hyphpar0\par\pard\sb200\li960\sl220\qj \b0\lang1033 When started from the command line, the log filename and log interval can be specified with the \fs18\f3 -L\fs20\f1 and \fs18\f3 -I\fs20\f1 parameters respectively. 
See the {\field{\*\fldinst HYPERLINK \\l ID_CMDLINE}{\fldrslt Command-line Parameters}} section above for more information.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_MORELANMONINFO}{\*\bkmkend ID_MORELANMONINFO}\b\fs26\lang1024\f2 Additional Information\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 The window can be scrolled with the Up and Down cursor keys. Press X or Q to return to the main menu (or the shell if this facility was started with the \fs18\f3 -l\fs20\f1 command-line option).\hyphpar0\par\pard\sb100\li960\sl220\qj The output of this facility is affected by any applied IPTraf filter.\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgndec\titlepg{\headerf\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 Chapter 7. Filters}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 Chapter 7. Filters}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}\pard\sb220\s1\sl322 {\*\bkmkstart ID_FILTERS}{\*\bkmkend ID_FILTERS}\b\fs29\f2 Chapter 7. Filters\keepn\hyphpar0\par\pard\sb146\li960\sl220\qj \b0\fs20\lang1033\f1 Filters are used to control the information displayed by all facilities. You may want to view statistics only on particular traffic so you must restrict the information displayed. 
The filters also apply to logging activity.\hyphpar0\par\pard\sb100\li960\sl220\qj The IPTraf filter management system is accessible through the \i Filters...\i0 submenu.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-filtermenu.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 7-1. The Filters submenu\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_IPFILTERS}{\*\bkmkend ID_IPFILTERS}\fs26\f2 IP Filters\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 The \i Filters/IP...\i0 menu option allows you to define a set of rules that determine what IP traffic to pass to the monitors. Selecting this option pops up another menu with the tasks used to define and apply custom IP filters.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-ipfltmenu.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 7-2. The IP filter menu\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _1304}{\*\bkmkend _1304}\fs24\f2 Defining a New Filter\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 A freshly installed program will have no filters defined, so before anything else, you will have to define a filter. You can do this by selecting the \i Define new filter...\i0 option.\hyphpar0\par\pard\sb100\li960\sl220\qj Selecting this option displays a box asking you to enter a short description of the filter you are going to define. Just enter any text that clearly identifies the nature of the filter.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-ipfltnamedlg.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 7-3. The IP filter name dialog\hyphpar0\par\pard\sb200\li960\sl220\qj \b0\lang1033 Press Enter when you're done with that box. 
As an alternative, you can also press Ctrl+X to cancel the operation.\hyphpar0\par\pard\sb200\s4\li960\sl242 \b\fs22\lang1024\f2 The Filter Rule Selection Screen\keepn\hyphpar0\par\pard\sb110\li960\sl220\qj \b0\fs20\lang1033\f1 After you enter the filter's description, you will be taken to a blank rule selection box. At this screen you manage the various rules you define for this filter. You can opt to insert, append, edit, or delete rules.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-ipfltlist.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 7-4. The filter rule selection screen. Selecting an entry displays that set for editing\hyphpar0\par\pard\sb200\li960\sl220\qj \b0\lang1033 Any rules defined will appear here. You will see the source and destination addresses, masks and ports (long addresses and masks may be truncated) and whether this rule includes or excludes matching packets.\hyphpar0\par\pard\sb100\li960\sl220\qj Between the source and destination parameters is an arrow that indicates whether the rule matches packets (single-headed) only exactly or whether it matches packets flowing in the opposite direction (double-headed).\hyphpar0\par\pard\sb100\li960\sl220\qj At this screen, press I to insert at the current position of the selection bar, A to append a rule to the end of the list, Enter to edit the highlighted rule and D to delete the selected rule. With an empty list, A or I can be used to add the first rule.\hyphpar0\par\pard\sb100\li960\sl220\qj To add the first rule, press A or I. You will then be presented with a dialog box that allows you to enter the rule's parameters.\hyphpar0\par\pard\sb200\s4\li960\sl242 \b\fs22\lang1024\f2 Entering Filter Rules\keepn\hyphpar0\par\pard\sb110\li960\sl220\qj \b0\fs20\lang1033\f1 You can enter addresses of individual hosts, networks, or a catch-all address. 
The nature of the address will be determined by the wildcard mask.\hyphpar0\par\pard\sb100\li960\sl220\qj You'll notice two sets of fields, marked \fs18\f3 Source\fs20\f1 and \fs18\f3 Destination\fs20\f1 . You fill these out with the information about your source and targets.\hyphpar0\par\pard\sb100\li960\sl220\qj Fill out the host name or IP address of the hosts or networks in the first field marked \fs18\f3 Host name/IP Address\fs20\f1 . Enter it in standard dotted-decimal notation. When done, press Tab to move to the \fs18\f3 Wildcard mask\fs20\f1 field. The wildcard mask is similar but not exactly identical to the standard IP subnet mask. The wildcard mask is used to determine which bits to ignore when processing the filter. In most cases, it will work very closely like a subnet mask. Place ones (1) under the bits you want the filter to recognize, and keep zeros (0) under the bits you want the filter to ignore. For example:\hyphpar0\par\pard\sb100\li960\sl220\qj To recognize the host 207.0.115.44\sa200\par\trowd\trleft960 \clvertalt\cellx4680\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 IP address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 207.0.115.44\sa60\cell \row \trowd\trleft960 \clvertalt\cellx4680\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 255.255.255.255\sa60\cell \row \pard\plain\sl-1\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 To recognize all hosts belonging to network 202.47.132.\i\f3 x\sa200\par\trowd\trleft960 \clvertalt\cellx4680\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 IP address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 202.47.132.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx4680\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 
255.255.255.0\sa60\cell \row \pard\plain\sl-1\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 To recognize all hosts with any address:\sa200\par\trowd\trleft960 \clvertalt\cellx4680\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 IP address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx4680\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \pard\plain\sl-1\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 The IP address/wildcard mask mechanism of the display filter doesn't recognize IP address class. It uses a simple bit- pattern matching algorithm.\hyphpar0\par\pard\sb100\li960\sl220\qj The wildcard mask also does not have to end on a byte boundary; you may mask right into a byte itself. For example, 255.255.255.224 masks 27 bits (255 is 11111111, 224 is 11100000 in binary).\hyphpar0\par\pard\sb100\li960\sl220\qj IPTraf also accepts host names in place of the IP addresses. IPTraf will resolve the host name when the filter is loaded. When the filter is interpreted, the wildcard mask will also be applied. This can be useful in cases where a single host name may resolve to several IP addresses.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Tip: \b0\f4 See the \i Linux Network Administrator's Guide\i0 if you need more information on IP addresses and subnet masking.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\f2 Tip: \b0\f4 IPTraf allows you to specify the wildcard mask in Classless Interdomain Routing (CIDR) format. This format allows you to specify the number of 1-bits that mask the address. CIDR notation is the form \i\fs16\f3 address/bits\i0\fs18\f4 where the \i\fs16\f3 address\i0\fs18\f4 is the IP address or host name and \i\fs16\f3 bits\i0\fs18\f4 is the number of 1-bits in the mask. 
For example, if you want to mask 10.1.1.0 with \fs16\f3 255.255.255.0\fs18\f4 , note that \fs16\f3 255.255.255.0\fs18\f4 has 24 1-bits, so instead of specifying \fs16\f3 255.255.255.0\fs18\f4 in the wildcard mask field, you can just enter \fs16\f3 10.1.1.0/24\fs18\f4 in the address field. IPTraf will translate the mask bits into an appropriate wildcard mask and fill in the mask field the next time you edit the filter rule.\hyphpar0\par\pard\sb100\li1360\sl198\qj If you specify the mask in CIDR notation, leave the wildcard mask fields blank. If you fill them up, the wildcard mask fields will take precedence.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 The \fs18\f3 Port\fs20\f1 fields should contain a port number or range of any TCP or UDP service you may be interested in. If you want to match only a single port number, fill in the first field, while leaving the second blank or set to zero. Fill in the second field if you want to match a range of ports (e.g. 80 to 90). Leave the first field blank or set to zero to let the filter ignore the ports altogether. You will most likely be interested in target ports rather than source ports (which are usually unpredictable anyway, perhaps with the exception of FTP data).\hyphpar0\par\pard\sb100\li960\sl220\qj Non-TCP and non-UDP packets are not affected by these fields, and these are used only when filtering TCP or UDP packets.\hyphpar0\par\pard\sb100\li960\sl220\qj Fill out the second set of fields with the parameters of the opposite end of the connection.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Tip: \b0\f4 Any address or mask fields left blank default to 0.0.0.0 while blank \fs16\f3 Port\fs18\f4 fields default to 0. This makes it easy to define filter rules if you're interested only in either the source or destination, but not the other. 
For example, you may be interested in traffic originating from network 61.9.88.0, in which case you just enter the source address, mask and port in the \fs16\f3 Source\fs18\f4 fields, while leaving the \fs16\f3 Destination\fs18\f4 fields blank.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 The next fields let you specify which IP-type protocols you want matched by this filter rule. Any packet whose protocol's corresponding field is marked with a \fs18\f3 Y\fs20\f1 is matched against the filter's defined IP addresses and ports, otherwise they don't pass through this filter rule.\hyphpar0\par\pard\sb100\li960\sl220\qj If you want to evaluate all IP packets just mark with \fs18\f3 Y\fs20\f1 the \fs18\f3 All IP\fs20\f1 field.\hyphpar0\par\pard\sb100\li960\sl220\qj For example, if you want to see only all TCP traffic, mark the \fs18\f3 TCP\fs20\f1 field with \fs18\f3 Y\fs20\f1 .\hyphpar0\par\pard\sb100\li960\sl220\qj The long field marked \fs18\f3 Additional protocols\fs20\f1 allows you to specify other protocols by their IANA number. (You can view the common IP protocol number in the \fs18\f3 /etc/protocols\fs20\f1 file). You can specify a list of protocol numbers or ranges separated by commas, Ranges have the beginning and ending protocol numbers separated with a hyphen.\hyphpar0\par\pard\sb100\li960\sl220\qj For example, to see the RSVP (46), IP mobile (55), and protocols (101 to 104), you use an entry that looks like this:\hyphpar0\par\pard\sb200\li960\sl198\qj \fs18\lang1024\f3 46, 55, 101-104\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 It's certainly possible to specify any of the protocols listed above in this field. Entering \fs18\f3 1-255\fs20\f1 is functionally identical to marking \fs18\f3 All IP\fs20\f1 with a \fs18\f3 Y\fs20\f1 .\hyphpar0\par\pard\sb100\li960\sl220\qj The next field is marked \fs18\f3 Include/Exclude\fs20\f1 . This field allows you to decide whether to include or filter out matching packets. 
Setting this field to \fs18\f3 I\fs20\f1 causes the filter to pass matching packets, while setting it to \fs18\f3 E\fs20\f1 causes the filter to drop them. This field is set to \fs18\f3 I\fs20\f1 by default.\hyphpar0\par\pard\sb100\li960\sl220\qj The last field in the dialog is labeled \fs18\f3 Match opposite\fs20\f1 . When set to \fs18\f3 Y\fs20\f1 , the filter will match packets flowing in the opposite direction. Previous versions of IPTraf used to match TCP packets flowing in either direction, so the source and destination address/mask/port combinations were actually interchangeable. Starting with IPTraf 3.0, when filters extended to more than just the IP traffic monitor, this behavior is no longer the default throughout IPTraf except in the IP traffic monitor's TCP window.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 For TCP packets, this field is used in all facilities except the IP traffic monitor. Because the IP traffic monitor must capture TCP packets in both directions to properly determine a closed connection, the filter automatically matches packets in the opposite direction, regardless of this field's setting. However iin all other facilities, automatic matching of the reverse packets is not performed unless you set this field to \fs16\f3 Y\fs18\f4 .\hyphpar0\par\pard\sb100\li1360\sl198\qj Filters for UDP and other IP protocols do not automatically match packets in the opposite direction unless you set the field to \fs16\f3 Y\fs18\f4 , even in the IP traffic monitor.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 Press Enter to accept all parameters when done. The parameters will be accepted and you'll be taken back to the rule selection box. You can then add more rules by pressing A or you can insert new rules at any point by pressing I. Should you make a mistake, you can press Enter to edit the selected filter. You may enter as many sets of parameters as you wish. 
Press Ctrl+X when done.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 Because of the major changes in the filtering system since IPTraf 2.7, old filters will no longer work and will have to be redefined.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-ipfltdlg.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\fs20\f1 Figure 7-5. The IP filter parameters dialog\hyphpar0\par\pard\sb200\s4\li960\sl242 \fs22\f2 Examples\keepn\hyphpar0\par\pard\sb110\li960\sl220\qj \b0\fs20\lang1033\f1 To see all traffic to/from host 202.47.132.1 from/to 207.0.115.44, regardless of TCP port\sa200\par\trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Host name/IP Address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 202.47.132.2\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 207.0.115.44\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 255.255.255.255\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 255.255.255.255\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Port\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Protocols\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 TCP: Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Include/Exclude\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 
\fs18\f3 I\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Match opposite\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \pard\plain\sl-1\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 To see all traffic from host 207.0.115.44 to all hosts on network 202.47.132.x\sa200\par\trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Host name/IP Address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 207.0.115.44\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 202.47.132.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 255.255.255.255\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 255.255.255.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Port\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Protocols\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 All IP: Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Include/Exclude\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 I\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 
\fs20\f1 Match opposite\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 N\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \pard\plain\sl-1\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 To see all Web traffic (to and from port 80) regardless of source or destination\sa200\par\trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Host name/IP Address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Port\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 80\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Protocols\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 TCP: Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Include/Exclude\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 I\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Match opposite\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \pard\plain\sl-1\hyphpar0\par\pard\sb200\li960\sl220\qj 
\fs20\lang1033\f1 To see all IRC traffic from port 6666 to 6669\sa200\par\trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Host name/IP Address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Port\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 6666\fs20\f1 to \fs18\f3 6669\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Protocols\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 TCP: Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Include/Exclude\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 I\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Match opposite\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \pard\plain\sl-1\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 To see all DNS traffic, (TCP and UDP, destination port 53) regardless of source or destination\sa200\par\trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain 
\pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Host name/IP Address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Port\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 53\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Protocols\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 TCP: Y UDP: Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Include/Exclude\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 I\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Match opposite\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \pard\plain\sl-1\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 To see all mail (SMTP) traffic to a single host (202.47.132.2) from anywhere\sa200\par\trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Host name/IP Address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 
202.47.132.2\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 255.255.255.255\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Port\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 25\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Protocols\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 TCP: Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Include/Exclude\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 I\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Match opposite\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 N\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \pard\plain\sl-1\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 To see traffic from from/to host sunsite.unc.edu to/from cebu.mozcom.com\sa200\par\trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Host name/IP Address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 sunsite.unc.edu\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 cebu.mozcom.com\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain 
\pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 255.255.255.255\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 255.255.255.255\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Port\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Protocols\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 All IP: Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Include/Exclude\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 I\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Match opposite\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \pard\plain\sl-1\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 To omit display of traffic to/from 140.66.5.x from/to anywhere\sa200\par\trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Host name/IP Address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 140.66.5.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 255.255.255.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 
\clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Port\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Protocols\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 All IP: Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Include/Exclude\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 E\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Match opposite\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \pard\plain\sl-1\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 You can enter as many parameters as you wish. All of them will be interpreted until the first match is found.\hyphpar0\par\pard\sb200\s4\li960\sl242 \b\fs22\lang1024\f2 Excluding Certain Sites\keepn\hyphpar0\par\pard\sb110\li960\sl220\qj \b0\fs20\lang1033\f1 Filters follow an implicit "no-match" policy, that is, only packets matching defined rules will be matched, others will be filtered out. This is similar to the access-list policy "whatever is not explicitly permitted is denied". 
If you want to show all traffic to/from everywhere, except certain places, you can specify the sites you wish to exclude, mark them with \fs18\f3 E\fs20\f1 in the \fs18\f3 Include/Exclude field\fs20\f1 , and define a general catch-all entry with source address \fs18\f3 0.0.0.0\fs20\f1 , mask \fs18\f3 0.0.0.0\fs20\f1 , port \fs18\f3 0\fs20\f1 , and destination \fs18\f3 0.0.0.0\fs20\f1 , mask \fs18\f3 0.0.0.0\fs20\f1 , port \fs18\f3 0\fs20\f1 , tagged with an \fs18\f3 I\fs20\f1 in the \fs18\f3 Include/Exclude\fs20\f1 field as the last entry.\hyphpar0\par\pard\sb100\li960\sl220\qj For example:\hyphpar0\par\pard\sb100\li960\sl220\qj To see all traffic except all SMTP (both directions), Web (both directions), and traffic (only) from 207.0.115.44\sa200\par\trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Host name/IP address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Port\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 25\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Protocols\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 TCP: Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 
\fs20\f1 Include/Exclude\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 E\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Match opposite\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sl-120\par\cell \plain \pard\intbl\sl-120\par\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Host name/IP address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Port\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 80\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Protocols\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 TCP: Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Include/Exclude\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 E\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 
\clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Match opposite\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sl-120\par\cell \plain \pard\intbl\sl-120\par\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Host name/IP address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 207.0.115.44\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 255.255.255.255\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Port\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Protocols\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 All IP: Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Include/Exclude\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 E\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Match opposite\sa60\cell \plain 
\pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 N\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sl-120\par\cell \plain \pard\intbl\sl-120\par\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Host name/IP address\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Wildcard mask\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0.0.0.0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Port\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 0\sa60\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Protocols\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 All IP: Y\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Include/Exclude\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 I\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \trowd\trleft960 \clvertalt\cellx3440\clvertalt\cellx5920\clvertalt\cellx8400 \plain \pard\intbl\sb60\li40\ri100\sl220 \fs20\f1 Match opposite\sa60\cell \plain \pard\intbl\sb60\li40\ri100\sl220 \fs18\f3 N\sa60\cell \plain \pard\intbl\sl-120\par\cell \row \pard\plain\sl-1\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\f2 Tip: \b0\f4 To 
filter out all TCP, define a filter with a single entry, with a source of \fs16\f3 0.0.0.0\fs18\f4 mask \fs16\f3 0.0.0.0\fs18\f4 port \fs16\f3 0\fs18\f4 , and a destination of \fs16\f3 0.0.0.0\fs18\f4 mask \fs16\f3 0.0.0.0\fs18\f4 port \fs16\f3 0\fs18\f4 , with the \fs16\f3 Include/Exclude\fs18\f4 field marked \fs16\f3 E\fs18\f4 (exclude). Then apply this filter.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _1902}{\*\bkmkend _1902}\b\fs24\f2 Applying a Filter\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 The above steps only add the filter to a defined list. To actually apply the filter, you must select \i Apply filter...\i0 from the menu. You will be presented with a list of filters you already defined. Select the one you want to apply, and press Enter.\hyphpar0\par\pard\sb100\li960\sl220\qj The applied filter stays in effect over exits and restarts of the IPTraf program until it is detached.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _1907}{\*\bkmkend _1907}\b\fs24\lang1024\f2 Editing a Defined Filter\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 Select \i Edit filter...\i0 to modify an existing filter. Once you select this option, you will be presented with the list of defined filters. Select the filter you want to edit by moving the selection bar and press Enter.\hyphpar0\par\pard\sb100\li960\sl220\qj Edit the description if you wish. Pressing Ctrl+X at this point will abort the operation, and the filter will remain unmodified. Press Enter to accept any changes to the filter description.\hyphpar0\par\pard\sb100\li960\sl220\qj After pressing Enter, you will see the filter's rules. To edit an existing filter rule, move the selection bar to the desired entry and press Enter. A prefilled dialog box will appear. Edit its contents as desired. 
Press Enter to accept the changes or Ctrl+X to discard.\hyphpar0\par\pard\sb100\li960\sl220\qj You can add a new filter rule by pressing I to insert at the selection bar's current position. When you press I, you will be presented with a dialog box asking you to enter the new rule data. Pressing A results in a similar operation, except the rule will be appended as the last entry in the rule list.\hyphpar0\par\pard\sb100\li960\sl220\qj Pressing D deletes the currently pointed entry.\hyphpar0\par\pard\sb100\li960\sl220\qj Press X or Ctrl+X to end the edit and save the changes.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 If you're editing the currently applied filter, you will need to re-apply the filter for the changes to take effect.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\f2 Note: \b0\f4 Be aware that the filter processes the rules in order. In other words, if a packet matches more than one rule, only the first matching rule is followed.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _1922}{\*\bkmkend _1922}\b\fs24\f2 Deleting a Defined Filter\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 Select \i Delete filter...\i0 from the menu to remove a filter from the list. Just move the selection bar to the filter you want to delete, and press Enter.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _1926}{\*\bkmkend _1926}\b\fs24\lang1024\f2 Detaching a Filter\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 The \i Detach filter\i0 option deactivates the filter currently in use. 
Selecting this option causes all TCP traffic to be passed to the monitors.\hyphpar0\par\pard\sb100\li960\sl220\qj When you're done with the menu, just select the Exit menu option.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_NONIPFILTERS}{\*\bkmkend ID_NONIPFILTERS}\b\fs26\lang1024\f2 ARP, RARP, and other Non-IP Packet Filters\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 The \i Non-IP\i0 filter option toggles the display and logging of all non-IP packets, except ARP and RARP, which are toggled separately.\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgndec\titlepg{\headerf\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 Chapter 8. Configuring IPTraf}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 Chapter 8. Configuring IPTraf}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}\pard\sb220\s1\sl322 {\*\bkmkstart ID_CONFIG}{\*\bkmkend ID_CONFIG}\b\fs29\f2 Chapter 8. Configuring IPTraf\keepn\hyphpar0\par\pard\sb146\li960\sl220\qj \b0\fs20\lang1033\f1 IPTraf can be easily configured with the {\field{\*\fldinst HYPERLINK \\l ID_CONFIG}{\fldrslt \i Configure...}} item in the main menu. The configuration is stored in the \fs18\f3 /var/local/iptraf/iptraf.cfg\fs20\f1 file. If the file is not found, IPTraf uses the default settings. 
Any changes to the configuration immediately get stored in the configuration file.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-configmenu.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 8-1. The IPTraf configuration menu\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_TOGGLES}{\*\bkmkend ID_TOGGLES}\fs26\f2 Toggles\keepn\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _1946}{\*\bkmkend _1946}\fs24 Reverse DNS Lookups\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 Activating reverse lookup causes IPTraf to find out the name of the hosts with the addresses in the IP packets. When this option is enabled, IPTraf's IP traffic monitor starts the rvnamed DNS lookup server to help resolve IP addresses in the background while allowing IPTraf to continue capturing packets.\hyphpar0\par\pard\sb100\li960\sl220\qj This option is off by default.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _1950}{\*\bkmkend _1950}\b\fs24\lang1024\f2 TCP/UDP Service Names\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 This option, when on, causes IPTraf to display the TCP/UDP service names (\fs18\f3 smtp\fs20\f1 , \fs18\f3 www\fs20\f1 , \fs18\f3 pop3\fs20\f1 , etc.) instead of their numeric ports (25, 80, 110, etc). The number-to-name mappings will depend on the systems services database file (usually \fs18\f3 /etc/services\fs20\f1 ). Should there be no corresponding service name for the port number, the numeric form will still be displayed. \hyphpar0\par\pard\sb100\li960\sl220\qj This setting is off by default.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 Reverse lookup and service name lookup take some time and may impact performance and increase the chances of dropped packets. 
Performance and results are best (albeit more cryptic) with both these settings off.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _1961}{\*\bkmkend _1961}\b\fs24\f2 Force promiscuous\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 If this option is enabled, your LAN interfaces will capture all packets on your LAN. Using this option enables you to see all TCP connections and packets passing your LAN segment, even if they're not from or for your machine. When this option is active in the statistics windows, the Activity indicators will show a good estimate of the load on your LAN segment.\hyphpar0\par\pard\sb100\li960\sl220\qj When this option is disabled, you'll only receive information about packets coming from and entering your machine.\hyphpar0\par\pard\sb100\li960\sl220\qj The setting of this option affects all LAN ( Ethernet, FDDI, some Token Ring) interfaces on your machine, if you have more than one.\hyphpar0\par\pard\sb100\li960\sl220\qj The interface's promiscuous flag is set only when a facility is started, and turned off when it exits. However, if promiscuous mode was already set when a facility was started, it remains set on exit.\hyphpar0\par\pard\sb100\li960\sl220\qj If multiple instances of IPTraf are started, the promiscuous setting is restored only upon exit of the last facility.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 Do not use other programs that change the interface's promiscuous flag at the same time you're using IPTraf. The programs can interfere with each other's expected operations. While IPTraf tries to obtain the initial setting of any promiscuous flags for restoration upon exit, other programs may not be as well-behaved, and they may turn off the promiscuous flags while IPTraf is still monitoring.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _1971}{\*\bkmkend _1971}\b\fs24\f2 Color\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 Turn this on with color monitors. 
Turn it off with black-and- white monitors or non-color terminals (like xterms). Changes to this setting will take effect the next time the program is started.\hyphpar0\par\pard\sb100\li960\sl220\qj Color is on by default on consoles and color xterms, off on non-color terminals like xterms and VT100s.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _1975}{\*\bkmkend _1975}\b\fs24\lang1024\f2 Logging\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 When this option is active, IPTraf will log information to a disk file, which can be examined or analyzed later. Since IPTraf 2.4.0, IPTraf prompts you for the name of the file to which to write the logs. It will provide a default name, which you are free to accept or change. The IP traffic monitor and LAN station monitor will generate a log file name that is based on what instance they are (first, second, and so on). The general interface statistics' default log file name is constant, because it listens to all interfaces at once, and only one instance can run at one time.\hyphpar0\par\pard\sb100\li960\sl220\qj The other facilities generate a log file name based on the interface they're listening on.\hyphpar0\par\pard\sb100\li960\sl220\qj See the descriptions on the facilities above for the default log file names.\hyphpar0\par\pard\sb100\li960\sl220\qj Press Enter to accept the log file name, or Ctrl+X to cancel. Canceling will turn logging off for that session.\hyphpar0\par\pard\sb100\li960\sl220\qj The IP traffic monitor will write the following pieces of information to its log file:\hyphpar0\par\pard\sb100\li1160\sl220\fi-200\qj \tx1160 \fs16\lang1024 \'95\tab \fs20 Start of the traffic monitor\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Receipt of the first TCP packet for a connection. If that packet is a SYN, (SYN) will be indicated in the log entry. (Of course, the traffic monitor may start in the middle of established connections. It will still count those packets. 
This also explains why some connection entries may become idle if the traffic monitor is started in the middle of a half-closed connection, and miss the first FIN. Such entries time out in a while.)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Receipt of a FIN (with average flow rate)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 ACK of a FIN\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Timeouts of TCP entries (with average flow rate)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Reset connections (with average flow rate)\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Everything that appears in the bottom window of the traffic monitor\hyphpar0\par\pard\li1160\sl220\fi-200\qj \tx1160 \fs16 \'95\tab \fs20 Stopping of the traffic monitor\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 Each log entry includes the date and time the entry was written. Logging is also affected by the defined filters.\hyphpar0\par\pard\sb100\li960\sl220\qj Log files can grow very fast, so be prepared with plenty of free space and delete unneeded logs. Log write errors are not indicated.\hyphpar0\par\pard\sb100\li960\sl220\qj Copies of the interface statistics, TCP/UDP statistics, packet size statistics, and LAN host statistics are also written to the log files at regular intervals. See \i Log Interval...\i0 in this chapter.\hyphpar0\par\pard\sb100\li960\sl220\qj IPTraf closes and reopens the active log file when it receives a \fs18\f3 USR1\fs20\f1 signal. This is useful in cases where a facility is run for long periods of time but the log files have to be cleared or moved.\hyphpar0\par\pard\sb100\li960\sl220\qj To clear or move an active log file, rename it first. IPTraf will continue to write to the file despite the new name. Then use the UNIX kill command to send the running IPTraf process a \fs18\f3 USR1\fs20\f1 signal. 
IPTraf will then close the log file and open another with the original name. You can then safely remove or delete the renamed file.\hyphpar0\par\pard\sb100\li960\sl220\qj Do not delete an open log file. Doing so will only result in a file just as large but filled with null characters (ASCII code 0).\hyphpar0\par\pard\sb100\li960\sl220\qj Logging comes disabled by default. The \fs18\f3 USR1\fs20\f1 signal is caught only if logging is enabled, it is ignored otherwise.\hyphpar0\par\pard\sb100\li960\sl220\qj A valid specification of \fs18\f3 -L\fs20\f1 on the command line with automatically enable logging for that particular session. The saved configuration setting is not affected.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _2012}{\*\bkmkend _2012}\b\fs24\lang1024\f2 Activity mode\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 Toggles activity indicators in the interface and LAN statistics facilities between kilobits per second (kbits/s) or kilobytes per second (kbytes/s).\hyphpar0\par\pard\sb100\li960\sl220\qj The default setting is kilobits per second.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _2016}{\*\bkmkend _2016}\b\fs24\lang1024\f2 Source MAC addrs in traffic monitor\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 When enabled, the IP traffic monitor retrieves the packets' source MAC addresses if they came in on an Ethernet, FDDI, or PLIP interface. The addresses appear in the lower window for non-TCP packets, while for TCP connections, they can be viewed by pressing M.\hyphpar0\par\pard\sb100\li960\sl220\qj No such information is displayed if the network interface doesn't use MAC addresses (such as PPP interfaces).\hyphpar0\par\pard\sb100\li960\sl220\qj This can be used to determine the actual source of the packets on your local LAN.\hyphpar0\par\pard\sb100\li960\sl220\qj The traffic monitor also logs the MAC addresses with this option enabled. 
The default setting is off.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_TIMERS}{\*\bkmkend ID_TIMERS}\b\fs26\lang1024\f2 Timers\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 The \i Timers...\i0 submenu allows you to IPTraf's interval and timeout functions.\hyphpar0\par\pard\sb200\li960{\field\flddirty{\*\fldinst INCLUDEPICTURE "iptraf-timermenu.eps" }{\fldrslt }}\keepn\par\pard\sb200\li960\sl220\qj \b\lang1024 Figure 8-2. The Timers configuration submenu\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _2029}{\*\bkmkend _2029}\fs24\f2 TCP Timeout\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 This figure determines the amount of time (in minutes) a connection entry may remain idle before it becomes eligible for replacement by a new connection. The default is 15 minutes. You may want to reduce this on an isolated (not connected to the Internet) LAN or a LAN connected to the Internet with high-speed links. Just enter the new value and press Enter. You can press Ctrl+X to leave the current value unchanged.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _2032}{\*\bkmkend _2032}\b\fs24\lang1024\f2 Log Interval\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 This figure determines the number of minutes between logging of interface statistics, TCP/UDP figures, and LAN host statistics. The default is 60 minutes. This figure is meaningless if logging is disabled.\hyphpar0\par\pard\sb100\li960\sl220\qj This configuration item can be overridden with the \fs18\f3 -I\fs20\f1 when a facility is directly invoked from the command line (not accessed via the main menu), and remains effective for that particular session. The configured value is not affected.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _2037}{\*\bkmkend _2037}\b\fs24\lang1024\f2 Screen Update Interval\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 This value determines the rate in seconds at which the screen is updated. 
The default is 0, which means the screen is updated as fast as possible, giving close-to-realtime reflection of network activity. However, this high-speed update can cause incredible amounts of traffic if IPTraf is run on a remote terminal (e.g. a Telnet or Secure Shell session). You can set this to a higher value, such as 1 or 2 seconds to slow down the updates.\hyphpar0\par\pard\sb100\li960\sl220\qj This figure does not affect the rate of data capture. Only the screen refresh is affected. The figures are still updated as fast as possible, although the figure display will no longer be as close to realtime.\hyphpar0\par\pard\sb100\li960\sl220\qj The default setting is 0, which shouldn't be a problem on the console. Set it to a slightly higher value on remote terminals or slow links. The setting affects all monitoring facilities.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 Updating the screen is one of the slowest operations in a program. Older versions of IPTraf had a problem once network activity became very high. Because each packet caused a screen update, IPTraf began spending more time with the screen updates, causing a loss of packets once network activity reached a certain point.\hyphpar0\par\pard\sb100\li1360\sl198\qj However, since many users like rapid counts on their screen, a compromise was incorporated. Even when the screen update interval is set to 0, there is still a 50ms delay between screen updates (except the LAN station monitor, which has a 100 ms delay). This is still visually fast, but provides more time to the packet capture routine. Higher delays may result in better accuracy of counts and activity.\hyphpar0\par\pard\sb100\li1360\sl198\qj In any case, this setting only affects screen updates. 
Capture still proceeds as fast as possible.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _2047}{\*\bkmkend _2047}\b\fs24\f2 TCP closed/idle persistence\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 This parameter determines the interval (in minutes) at which the IP Traffic Monitor clears from the TCP display window all closed, idle, and timed out entries. Enter \fs18\f3 0\fs20\f1 to keep such entries on the screen indefinitely, disappearing only when replaced by new connections.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 The \i TCP timeout...\i0 option only tells IPTraf how long it should take before a connection should be considered idle and open to replacement by new connections. This does not determine how long it remains onscreen. The \i TCP closed/idle persistence...\i0 parameter flushes entries that have been closed or reset, or idle for the number of minutes defined by the \i TCP timeout...\i0 option.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_CUSTOMPORTS}{\*\bkmkend ID_CUSTOMPORTS}\b\fs26\f2 Custom Information\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 The remaining configuration items allow you to enter information which IPTraf uses for its displays and logs.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _2060}{\*\bkmkend _2060}\b\fs24\lang1024\f2 Additional ports\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 Select this item to enter a port number to be included in the TCP/UDP counts in the TCP/UDP service statistics main menu item described above. By default, port numbers above 1023 are not monitored. If you do have a higher-numbered port to monitor, enter it here.\hyphpar0\par\pard\sb100\li960\sl220\qj You will see two fields. If you have only one port to enter, just fill up the first field. 
To specify a range, fill both fields, the first port in the first field, the last port in the second field.\hyphpar0\par\pard\sb100\li960\sl220\qj You can select this option multiple times to add more values or ranges.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _2065}{\*\bkmkend _2065}\b\fs24\lang1024\f2 Delete port/range\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 Select this item to remove a higher-numbered port number or port range you entered earlier with the \i Additional ports...\i0 option. A window will come up containing the entered ports and ranges. Select the entry you want delete and press Enter.\hyphpar0\par\pard\sb200\s3\sl266 {\*\bkmkstart _2069}{\*\bkmkend _2069}\b\fs24\lang1024\f2 LAN Station Identifiers\keepn\hyphpar0\par\pard\sb121\li960\sl220\qj \b0\fs20\lang1033\f1 The LAN station statistics facility monitors stations based on their respective MAC addresses. The hexadecimal notation of these addresses make them even more difficult to remember than the dotted-decimal IP addresses, so these facilities were added to help you better determine which station is which.\hyphpar0\par\pard\sb100\li960\sl220\qj Selecting the \i Ethernet/PLIP host descriptions...\i0 or \i FDDI/Token Ring host descriptions...\i0 options brings up a submenu asking you to add, edit, or delete descriptions.\hyphpar0\par\pard\sb100\li960\sl220\qj To add a new description, select the \i Add description...\i0 option. A dialog box will appear, asking you for the MAC address and an appropriate description. Type in the address in hexadecimal notation with no punctuation of any kind. The dialog box is case-insensitive for the address; the alphabetical digits A to F will be stored in lowercase.\hyphpar0\par\pard\sb100\li960\sl220\qj Use the Tab key to move between fields and Enter to accept. 
Press Ctrl+X to discard this dialog and return to the main menu.\hyphpar0\par\pard\sb100\li960\sl220\qj The description may be anything: the IP address, a fully-qualified domain name, or a description of your liking as long as the field can hold.\hyphpar0\par\pard\sb100\li960\sl220\qj Enter as many descriptions as you need. Press Ctrl+X at a blank dialog after you have entered the last entry\hyphpar0\par\pard\sb100\li960\sl220\qj These descriptions will be displayed alongside the MAC addresses in the LAN station monitor, together with the type of frame (Ethernet, PLIP, or FDDI).\hyphpar0\par\pard\sb100\li960\sl220\qj An existing address or description may be edited by selecting the \i Edit description...\i0 option from the submenu. A panel will appear with a list of existing address descriptions. Select the one you wish to edit and press Enter. A dialog box identical to that when you add a description will appear with prefilled fields. Just backspace over and edit the fields. Press Enter to accept or Ctrl+X to cancel.\hyphpar0\par\pard\sb100\li960\sl220\qj Selecting the \i Delete description...\i0 submenu item brings up the selection panel. Select the description you want to delete and press Enter. You can also press Ctrl+X to cancel the operation.\hyphpar0\par\pard\sb100\li960\sl220\qj IPTraf 2.4 and later also recognizes the \fs18\f3 /etc/ethers\fs20\f1 file. Should a hardware address be present in the IPTraf definition files and in \fs18\f3 /etc/ethers\fs20\f1 , the IPTraf definition will be used.\hyphpar0\par\pard\sb200\li1360\sl198\qj \b\fs18\lang1024\f2 Note: \b0\f4 The description file for Ethernet and PLIP is \fs16\f3 ethernet.desc\fs18\f4 , while the FDDI and Token Ring mappings are stored in \fs16\f3 fddi.desc\fs18\f4 in the IPTraf working directory. These files are in colon-delimited text format. Database engines or custom scripts can be told to append data lines to those files. 
Each line follows this simple format:\hyphpar0\par\pard\sb200\li1360\sl178\qj \i\fs16\f3 address\i0 :\i description\hyphpar0\par\pard\sb200\li1360\sl198\qj \i0\fs18\f4 For example\hyphpar0\par\pard\sb200\li1360\sl178\qj \fs16\f3 00201e457e:Cisco 3640 gateway\hyphpar0\par\pard\sb200\li1360\sl198\qj \fs18\f4 Do not put colons, periods, or any invalid characters in the MAC address.\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgndec\titlepg{\headerf\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 Chapter 9. Background Operation}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 Chapter 9. Background Operation}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}\pard\sb220\s1\sl322 {\*\bkmkstart ID_BACKOP}{\*\bkmkend ID_BACKOP}\b\fs29\f2 Chapter 9. Background Operation\keepn\hyphpar0\par\pard\sb146\li960\sl220\qj \b0\fs20\lang1033\f1 IPTraf's facilities can be placed in the background solely for logging. 
When running in the background, it doesn't display any output on the screen, and doesn't receive input from the keyboard, and drops you back to the shell.\hyphpar0\par\pard\sb100\li960\sl220\qj Before starting a statistical facility in the background, configure IPTraf in the usual way (set filters, add TCP/UDP ports, etc).\hyphpar0\par\pard\sb100\li960\sl220\qj Once that's done, exit all instances of IPTraf on the system, then invoke IPTraf from the command line with the parameter to start the facility you want, the timeout (\fs18\f3 -t\fs20\f1 ) parameter if you wish, and the \fs18\f3 -B\fs20\f1 parameter to actually daemonize the program. For example, to run the IP traffic monitor in the background for all interfaces, issue the command\hyphpar0\par\pard\sb200\li960\sl198\qj \fs18\lang1024\f3 iptraf -i all -B\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 To run the detailed interface statistics on interface \fs18\f3 eth0\fs20\f1 for 5 minutes in the background:\hyphpar0\par\pard\sb200\li960\sl198\qj \fs18\lang1024\f3 iptraf -d eth0 -t 5 -B\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 If the timeout parameter is not specified, the facility will run until the process receives a USR2 signal. To stop a facility in the background, do a\hyphpar0\par\pard\sb200\li960\sl198\qj \fs18\lang1024\f3 ps x\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 at the command line, and find the process id (pid) of the iptraf process you're looking for. Then send that process a USR2 signal with the kill command:\hyphpar0\par\pard\sb200\li960\sl198\qj \fs18\lang1024\f3 kill -USR2 pid\hyphpar0\par\pard\sb200\li960\sl220\qj \fs20\lang1033\f1 Since IPTraf cannot send error messages to the terminal, all messages are written to the file daemon.log in the IPTraf logging directory.\hyphpar0\par\pard\sb100\li960\sl220\qj The \fs18\f3 -B\fs20\f1 parameter automatically enables logging regardless of its configured setting. 
The parameter is ignored if not used with one of the parameters to start a facility from the command line.\hyphpar0\par\pard\sb100\li960\sl220\qj The log file can be specified with the \fs18\f3 -L\fs20\f1 command-line parameter. If this parameter is not specified, the default log file name for the facility will be used (see the descriptions of the facilities above for the default log name patterns). If you don't specify an path, the log file will be placed in \fs18\f3 /var/log/iptraf\fs20\f1 .\hyphpar0\par\pard\sb100\li960\sl220\qj The logging interval for all facilities (except the IP traffic monitor) can also be overriden with the \fs18\f3 -I\fs20\f1 command-line parameter.\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgndec\titlepg{\headerf\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 Appendix A. Messages}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 Appendix A. Messages}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}\pard\sb220\s1\sl322 {\*\bkmkstart ID_MESSAGES}{\*\bkmkend ID_MESSAGES}\b\fs29\f2 Appendix A. Messages\keepn\hyphpar0\par\pard\sb146\li960\sl220\qj \b0\fs20\lang1033\f1 IPTraf's messages are presented in two ways. In interactive mode, messages are displayed in a distictive message box. 
In daemon (background) mode, appropriate messages are written to the \fs18\f3 iptraf.log\fs20\f1 file in the IPTraf log directory (normally \fs18\f3 /var/log/iptraf\fs20\f1 .\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_IPTRAFMESSAGES}{\*\bkmkend ID_IPTRAFMESSAGES}\b\fs26\lang1024\f2 IPTraf Messages\keepn\hyphpar0\par\pard\sb200\li960\sl220\qj \b0\fs18\lang1033\f3 Unable to create config file\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf cannot create the configuration file. The most likely cause of this is that you didn't properly install the program, and the necessary directory \fs18\f3 /var/local/iptraf\fs20\f1 does not exist. Can also be generated if you have a disk problem or if you have too many files open.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to read config file\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 The configuration record cannot be read. You most likely have a disk problem.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to write config file\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 The configuration file cannot be written. You either have a disk problem, or (more likely), your disk is full.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Enter an appropriate description for this filter\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 Enter something to clearly describe the filter you are defining. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Error loading filter list file\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf cannot access the list of defined TCP or UDP filters. Can also be an indicator of a bad disk.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Error writing filter list file\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 The filter list file cannot be written to. You may have trouble accessing your filters. 
\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to read TCP/UDP/misc IP filter file\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf cannot read the filter data off the file. Could be caused by a bad disk. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Error opening filter data file\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf cannot open the filter file. Could be caused by a shortage of file descriptors or a bad disk.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to write filter data\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf cannot add the newly defined filter to the filter list. This may be due to a bad disk.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Cannot create filter data file\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf cannot create the filter record file. The defined filter is lost.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to save filter changes\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf cannot save the changes you made to the filter. You probably have a disk error.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to write filter state information\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 The current state of the filters cannot be saved. IPTraf will be unable to correctly reload the filters the next time it's started. This can be caused by a bad disk or improper installation.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to save interface flags\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf was unable to save the flags of the network interfaces. 
This is probably due to a bad installation or full filesystem.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to retrieve saved interface flags\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf was unable to retrieve the save interface flags. Probably again due to a bad installation or full filesystem.\hyphpar0\par\pard\sb200\li960\sl220\qj \i\fs18\lang1033\f3 protocol\i0 filter data file in use; try again later\hyphpar0\par\pard\sb100\li960\sl220\qj Filter state file in use; try again later\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 Another IPTraf process is modifying the TCP, UDP or miscellaneous IP filter data or the filter state file and has locked the files or file. Try again once the other IPTraf process has terminated or completed its modifications and unlocked the files.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to resolve hostname\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 The indicated host name in the filter cannot be resolved into an IP address. Check the local hosts database \fs18\f3 /etc/hosts\fs20\f1 or your machine's DNS configuration or DNS server. The filter parameters will not be used.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to open host description file\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf cannot open the file containing the descriptions for Ethernet or FDDI addresses. Could be due to a bad disk or a hit on the file descriptor limit. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to write host description\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf was unable to write the description record for this Ethernet or FDDI address. Could be due to a bad disk or corrupted filesystem. 
\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 No descriptions \hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 You tried to edit or delete a description with no previous descriptions defined. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Cannot open log file\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 There is a problem opening the log file. There is most likely a problem with the disk, or there are too many open files. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to obtain interface list\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf was unable to retrieve the list of network interfaces from the \fs18\f3 /proc\fs20\f1 filesystem. This may be due to a badly configured kernel. IPTraf needs \fs18\f3 /proc\fs20\f1 filesystem support. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 No active interfaces. Check their status or the /proc filesystem.\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf found no active interfaces. Either all interfaces are down or the \fs18\f3 /proc/net/dev\fs20\f1 file was empty or unavailable. Activate at least one interface or check the \fs18\f3 /proc/net/dev\fs20\f1 file. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to obtain interface parameters for interface\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 The system call to retrieve the interface's flags failed. Check your interface or kernel driver. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Promisc change failed for interface\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 The system call to change the promiscuous flag failed. Check your interface or its kernel driver. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to open raw socket for flag change\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf was unable to open the necessary socket for the promiscuous change operation. 
May be due to a shortage of file descriptors. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to open socket for MTU determination\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 Returned by the facility for detailed interface statistics if the raw socket's opening sequence failed. The facility will abort.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to open raw socket\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf was unable to open the raw socket for packet capture. May be due to a shortage of file descriptors.\hyphpar0\par\pard\sb200\li1760\sl198\qj \b\fs18\f2 Reminder: \b0\f4 IPTraf 2.x.x requires Linux kernel 2.2.x, with the Packet Socket option compiled in or installed as a module. IPTraf 2.x will return this error on a pre-2.2 kernel or on a 2.2 kernel without Packet Socket.\hyphpar0\par\pard\sb200\li960\sl220\qj \lang1033\f3 Unable to obtain interface MTU\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 The detailed statistics facility was unable to obtain the maximum transmission unit (MTU) for the selected interface. The facility will abort. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Specified interface not supported\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 The interface specified with the \fs18\f3 -i\fs20\f1 , \fs18\f3 -d\fs20\f1 , \fs18\f3 -s\fs20\f1 , \fs18\f3 -l\fs20\f1 , or \fs18\f3 -z\fs20\f1 command-line parameters is not supported by IPTraf.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Specified interface not active\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 The interface specified with the \fs18\f3 -i\fs20\f1 , \fs18\f3 -d\fs20\f1 , \fs18\f3 -s\fs20\f1 , \fs18\f3 -l\fs20\f1 , or \fs18\f3 -z\fs20\f1 command-line parameters is supported, but not currently activated. 
\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Fatal: memory allocation error\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 May occur if you have too little memory to allocate for windows, the menu system, or dialog boxes. IPTraf tries to prevent further allocations if memory runs out during a monitor. However, this could also mean a bug if you're reasonably sure you're not out of memory. An instructional message on bug reporting follows this message.\hyphpar0\par\pard\sb200\li1760\sl198\qj \b\fs18\f2 Technical note: \b0\f4 This is actually a response to the segmentation fault error (SIGSEGV).\hyphpar0\par\pard\sb200\li960\sl220\qj \lang1033\f3 This program can be run only by the system administrator\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf normally does not allow anybody but uid 0 (root) to run it. This measure is included for safety reasons. See the section on recompiling the program below if you want to override this. This feature is built in, and not part of the configuration \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Your TERM variable is not set\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 The TERM (terminal type) environment variable must be set to a valid terminal type so that the screen management routines can function properly. Set it to the appropriate terminal type. Linux consoles typically have their TERM variables set to \fs18\f3 linux\fs20\f1 . \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Received TERM signal\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 Not related to the previous message. The \fs18\f3 TERM\fs20\f1 (terminate) signal is normally used to gracefully shut down a program. 
This message simply indicates that the \fs18\f3 TERM\fs20\f1 signal was caught and IPTraf is attempting to shut down as gracefully as possible.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Invalid option or missing parameter, use iptraf -h for help\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 The \fs18\f3 -i\fs20\f1 , \fs18\f3 -d\fs20\f1 , \fs18\f3 -s\fs20\f1 , \fs18\f3 -l\fs20\f1 , or \fs18\f3 -z\fs20\f1 options were specified but no interface was specified on the command line. These parameters require a valid interface name (or \fs18\f3 all\fs20\f1 for \fs18\f3 -i\fs20\f1 or \fs18\f3 -l\fs20\f1 ). This message also appears if an unknown option is passed to the \b iptraf\b0 command. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Warning: unable to tag this process\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf normally tags itself when it runs to prevent multiple instances of the statistical facilities from running. This message means the program was unable to create the necessary tag file. This may be due to a bad or improper installation. Try running the \b make install\b0 procedure or the \b Setup\b0 in the distribution's top-level directory. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Warning: unable to tag facility\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf was unable to create the tag file for the facility you started. The facility will still run, but other instances of IPTraf that may be running simultaneously will allow the same facility to run. This may cause both instances of the facility to malfunction. This could be due to a bad disk or bad installation. \hyphpar0\par\pard\sb200\li960\sl220\qj \i\fs18\lang1033\f3 facility\i0 already running/listening on interface\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 The facility you tried to start is currently running on the indicated interface in another IPTraf process on the machine. 
This restriction is placed to prevent conflicts involving internal sockets or the log files. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 General interface statistics already active in another process\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 Only one instance of the general interface statistics can run at a time. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Duplicate port/range entry \hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 You entered a port number or range that was already added to the list of additional ports to be monitored by the TCP/UDP service monitor \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 No custom ports\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 There are no ports or port ranges earlier added. There's nothing to delete. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Can't start rvnamed; lookups will block\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf cannot start the \b rvnamed\b0 daemon; probably due to a bad installation. IPTraf will fall back to blocking lookups. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Can't spawn new process; lookups will block\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf cannot start a new process. This may be due to memory shortage. IPTraf will fall back to blocking lookups. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Fork error, IPTraf cannot run in background\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf cannot start a new process, and can go into the background. This may be due to memory shortage. IPTraf aborts. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 No memory for new filter entry\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 IPTraf was unable to allocate memory for a new filter entry. Most likely due to memory shortage. 
\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Memory Low\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 This indicator appears if memory runs low due to a lot of entries in a facility. Should critical functions fail (window creation, internal allocation), the program could terminate with a segmentation violation.\hyphpar0\par\pard\sb200\li1760\sl198\qj \b\fs18\f2 Note: \b0\f4 Any message or indicator about low memory means that your system does not have enough memory to handle the entries. It is almost certain that sooner or later, IPTraf or other applications will abort due to the failure of important system calls or library functions. Memory must be added right away.\hyphpar0\par\pard\sb200\li960\sl220\qj \lang1033\f3 IPC Error\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 This indicator appears if an error occurs receiving data from the \b rvnamed\b0 program (IPC stands for Interprocess Communication). This indication should not occur under normal circumstances. Report instances of this condition and the circumstances under which it happens. You may also include data from the \fs18\f3 rvnamed.log\fs20\f1 file. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Error opening terminal: \i terminal\hyphpar0\par\pard\sb100\li1360\sl220\qj \i0\fs20\lang1024\f1 The screen management routines cannot find the \fs18\f3 terminfo\fs20\f1 entry for your terminal. IPTraf expects the terminfo database located in \fs18\f3 /usr/share/terminfo\fs20\f1 . This error could occur when your terminfo database is located somewhere else. See the section on controlling the \fs18\f3 terminfo\fs20\f1 search path.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 This will end your IPTraf session \hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 In interactive mode IPTraf asks you to confirm your exit command. 
Press Enter to return to the shell or any other key to cancel your command and return to the main menu.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_RVNAMEDMESSAGES}{\*\bkmkend ID_RVNAMEDMESSAGES}\b\fs26\f2 rvnamed Messages\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 As a daemon, rvnamed does not send messages to the screen. It writes its messages to the file \fs18\f3 rvnamed.log\fs20\f1 in the IPTraf log directory.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\f3 Unable to open child communication socket\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 rvnamed was unable to open the communication endpoint for data reception from the children it creates. This is highly unusual, and should it occur, report the circumstances.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Unable to open client communication socket\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 rvnamed was unable to open the communication endpoint for data exchange with the IPTraf program. This is highly unusual, and should it occur, report the circumstances.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Error binding client communication socket Error binding child communication socket\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 rvnamed was unable to assign a name to the indicated communication socket. This may be due to a bad, full, or corrupted filesystem. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Fatal error: no memory for descriptor monitoring\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 rvnamed ran out of memory. IPTraf will resort to blocking, and may freeze. \hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Error on fork, returning IP address\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 rvnamed had a problem spawning a copy of itself to resolve the IP address. rvnamed will simply return the IP address in its literal, dotted-decimal notation. 
IPTraf will still function normally. This may be due to lack of memory or a process limit hit.\hyphpar0\par\pard\sb200\li960\sl220\qj \fs18\lang1033\f3 Maximum child process limit reached\hyphpar0\par\pard\sb100\li1360\sl220\qj \fs20\lang1024\f1 rvnamed has reached its maximum number of child processes. This is intended as a "brake" to prevent too many rvnamed children from hogging your computer's resources and possibly crashing it. Unless IPTraf is monitoring an extremely busy network without filters, this shouldn't happen, at least, not that often. If you notice this message, try applying filters or check your DNS server. Many times, this can happen when the DNS server goes down for whatever reason, and you have rvnamed children taking too long to resolve.\hyphpar0\par\sect\sectd\plain\pgwsxn12240\pghsxn15840\marglsxn1920\margrsxn1920\margtsxn960\margbsxn480\headery0\footery0\pgndec\titlepg{\headerf\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {}\par}{\footerf\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}{\headerl\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 Appendix B. GNU Free Documentation License}\tab {}\tab {}\par}{\footerl\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {\i\fs20\f1 \chpgn }\tab {}\tab {}\par}{\headerr\pard\sl-240\sb770\sa-50\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 Appendix B. GNU Free Documentation License}\par}{\footerr\pard\sl-240\sb-670\sa910\plain\tqc\tx4200\tqr\tx8400 {}\tab {}\tab {\i\fs20\f1 \chpgn }\par}\pard\sb220\s1\sl322 {\*\bkmkstart ID_GFDL}{\*\bkmkend ID_GFDL}\b\fs29\f2 Appendix B. GNU Free Documentation License\keepn\hyphpar0\par\pard\sb146\li960\sl220\qj \b0\fs20\lang1033\f1 Version 1.1, March 2000\hyphpar0\par\pard\sb100\li1160\ri200\sl198\qj \fs18 Copyright (C) 2000 Free Software Foundation, Inc. 
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_GFDL_45_0}{\*\bkmkend ID_GFDL_45_0}\b\fs26\lang1024\f2 PREAMBLE\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 The purpose of this License is to make a manual, textbook, or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.\hyphpar0\par\pard\sb100\li960\sl220\qj This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.\hyphpar0\par\pard\sb100\li960\sl220\qj We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_GFDL_45_1}{\*\bkmkend ID_GFDL_45_1}\b\fs26\lang1024\f2 APPLICABILITY AND DEFINITIONS\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Document", below, refers to any such manual or work. 
Any member of the public is a licensee, and is addressed as "you".\hyphpar0\par\pard\sb100\li960\sl220\qj A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.\hyphpar0\par\pard\sb100\li960\sl220\qj A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (For example, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.\hyphpar0\par\pard\sb100\li960\sl220\qj The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License.\hyphpar0\par\pard\sb100\li960\sl220\qj The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License.\hyphpar0\par\pard\sb100\li960\sl220\qj A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. 
A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. A copy that is not "Transparent" is called "Opaque".\hyphpar0\par\pard\sb100\li960\sl220\qj Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML designed for human modification. Opaque formats include PostScript, PDF, proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML produced by some word processors for output purposes only.\hyphpar0\par\pard\sb100\li960\sl220\qj The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_GFDL_45_2}{\*\bkmkend ID_GFDL_45_2}\b\fs26\lang1024\f2 VERBATIM COPYING\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. 
If you distribute a large enough number of copies you must also follow the conditions in section 3.\hyphpar0\par\pard\sb100\li960\sl220\qj You may also lend copies, under the same conditions stated above, and you may publicly display copies.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_GFDL_45_3}{\*\bkmkend ID_GFDL_45_3}\b\fs26\lang1024\f2 COPYING IN QUANTITY\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 If you publish printed copies of the Document numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.\hyphpar0\par\pard\sb100\li960\sl220\qj If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.\hyphpar0\par\pard\sb100\li960\sl220\qj If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document, free of added material, which the general network-using public has access to download anonymously at no charge using public-standard network protocols. 
If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.\hyphpar0\par\pard\sb100\li960\sl220\qj It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_GFDL_45_4}{\*\bkmkend ID_GFDL_45_4}\b\fs26\lang1024\f2 MODIFICATIONS\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab \lang1024 A.\tab Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). 
You may use the same title as a previous version if the original publisher of that version gives permission.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab B.\tab List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has less than five).\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab C.\tab State on the Title page the name of the publisher of the Modified Version, as the publisher.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab D.\tab Preserve all the copyright notices of the Document.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab E.\tab Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab F.\tab Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab G.\tab Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab H.\tab Include an unaltered copy of this License.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab I.\tab Preserve the section entitled "History", and its title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. 
If there is no section entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab J.\tab Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab K.\tab In any section entitled "Acknowledgements" or "Dedications", preserve the section's title, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab L.\tab Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab M.\tab Delete any section entitled "Endorsements". Such a section may not be included in the Modified Version.\hyphpar0\par\pard\sb100\li1440\sl220\fi-480\qj \tqr\tx1390\tx1440\tab N.\tab Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section.\hyphpar0\par\pard\sb100\li960\sl220\qj \lang1033 If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. 
To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.\hyphpar0\par\pard\sb100\li960\sl220\qj You may add a section entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.\hyphpar0\par\pard\sb100\li960\sl220\qj You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.\hyphpar0\par\pard\sb100\li960\sl220\qj The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_GFDL_45_5}{\*\bkmkend ID_GFDL_45_5}\b\fs26\lang1024\f2 COMBINING DOCUMENTS\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice.\hyphpar0\par\pard\sb100\li960\sl220\qj The combined work need only contain one copy of this License, and 
multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.\hyphpar0\par\pard\sb100\li960\sl220\qj In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_GFDL_45_6}{\*\bkmkend ID_GFDL_45_6}\b\fs26\lang1024\f2 COLLECTIONS OF DOCUMENTS\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.\hyphpar0\par\pard\sb100\li960\sl220\qj You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_GFDL_45_7}{\*\bkmkend ID_GFDL_45_7}\b\fs26\lang1024\f2 AGGREGATION WITH INDEPENDENT WORKS\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a 
storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document.\hyphpar0\par\pard\sb100\li960\sl220\qj If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_GFDL_45_8}{\*\bkmkend ID_GFDL_45_8}\b\fs26\lang1024\f2 TRANSLATION\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_GFDL_45_9}{\*\bkmkend ID_GFDL_45_9}\b\fs26\lang1024\f2 TERMINATION\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. 
Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_GFDL_45_10}{\*\bkmkend ID_GFDL_45_10}\b\fs26\lang1024\f2 FUTURE REVISIONS OF THIS LICENSE\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/\up8\fs12 1\up0\fs20 .\hyphpar0\par\pard\sb100\li960\sl220\qj Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.\hyphpar0\par\pard\sb200\s2\sl293 {\*\bkmkstart ID_GFDL_45_11}{\*\bkmkend ID_GFDL_45_11}\b\fs26\lang1024\f2 How to use this License for your documents\keepn\hyphpar0\par\pard\sb133\li960\sl220\qj \b0\fs20\lang1033\f1 To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:\hyphpar0\par\pard\sb100\li1160\ri200\sl198\qj \fs18 Copyright (c) YEAR YOUR NAME. 
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. A copy of the license is included in the section entitled "GNU Free Documentation License".\hyphpar0\par\pard\sb100\li960\sl220\qj \fs20 If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts.\hyphpar0\par\pard\sb100\li960\sl220\qj If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.\hyphpar0\par\pard\sb200\sl293 \b\fs26\lang1024\f2 Notes\keepn\hyphpar0\par\pard\sb133\li1280\sl220\fi-320\qj \tx1280 \b0\fs20\f1 1. \tab http://www.gnu.org/copyleft/\hyphpar0\par}
diff --git a/Documentation/manual.sgml b/Documentation/manual.sgml
new file mode 100644
index 0000000..77c8fd9
--- /dev/null
+++ b/Documentation/manual.sgml
@@ -0,0 +1,4772 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [
+]>
+<book id="manual">
+<bookinfo>
+<title>IPTraf User's Manual</title>
+
+<releaseinfo>
+Version 3.0.0
+</releaseinfo>
+
+<copyright>
+<year>1997</year>
+<year>2003</year>
+<holder>Gerard Paul Java</holder>
+</copyright>
+
+<legalnotice id="legalinfo">
+<para>
+This manual is released under the terms of the GNU
+Free Documentation License of March, 2000 as published by the
+Free Software Foundation, reproduced in this manual as Appendix B.
+</para>
+<para>
+IPTraf is open-source software released under the terms of the GNU General
+Public License version 2 or any later version as published by the Free
+Software Foundation, reproduced in the LICENSE file in the distribution's
+top-level directory.
+</para>
+<para>
+The accomanying software and the information contained in this
+document are provided "AS IS" without warranty of any kind, express or
+implied, including, without limitation, the implied warranties
+of mercantability or fitness for any particular purpose.
+</para>
+<para>
+In no event shall the author be liable for any indirect,
+special, consequential, or incidental damages arising from the use of this
+manual or the accompanying software even if the author has been advised of
+the possibility of such damages.
+</para>
+<para>
+Linux is a registered trademark of Linus Torvalds. Pentium is a
+registered trademark of Intel Corporation. All other trademarks are
+property of their respective owners.
+</para>
+<para>
+Some structure declarations were based on code copyrighted by the Regents
+of the University of California.
+</para>
+<para>
+Token Ring parsing code based on the Token Ring packet construction code
+in the Linux 2.2 kernel.
+</para>
+</legalnotice>
+</bookinfo>
+<toc></toc>
+<lot></lot>
+<preface id="preface">
+<title>About This Document</title>
+<para>
+This document contains the instructions on how to use the IPTraf network
+monitoring software version 3.0. 
This manual details the
+different statistical facilities, the user
+interface, and the important features of the software.
+</para>
+
+<sect1 id="addinfo">
+<title>For Additional Information</title>
+<para>
+See the included README file for summarized and late-breaking information.
+Also read the RELEASE-NOTES file for important new information about
+this new version. The CHANGES file contains a record of the changes made
+to the software since 1.0.0. README.rvnamed contains information on the
+rvnamed reverse resolution program. See the other
+README files for support and development information.
+</para>
+</sect1>
+
+<sect1 id="conventions">
+<title>Document Conventions</title>
+<para>
+ The following symbols and typefaces are used throughout this manual:
+</para>
+
+<variablelist>
+<varlistentry>
+<term><computeroutput>[ ]</computeroutput></term>
+<listitem>
+<para>
+items in brackets are optional. Brackets also denote items that may or may
+not be displayed onscreen depending on settings or conditions.
+</para></listitem></varlistentry>
+
+<varlistentry>
+<term><computeroutput>{ }</computeroutput></term>
+<listitem><para>
+ curly braces enclose items you choose from
+</para></listitem></varlistentry>
+
+<varlistentry>
+<term><computeroutput>|</computeroutput></term>
+<listitem><para>
+ the vertical bar separates choices in curly braces
+</para></listitem></varlistentry>
+
+<varlistentry>
+<term><computeroutput>normal monospace</computeroutput></term>
+<listitem><para>
+ normal monospace text in syntax specifications should be typed in exactly as presented. Because UNIX and variants are case-sensitive, case must be preserved. Monospace is also used in presenting items that appear on the screen. 
+</para></listitem></varlistentry>
+
+<varlistentry>
+<term><computeroutput><replaceable>
+ monospace italics
+</replaceable></computeroutput></term>
+<listitem><para>
+
+ italics in syntax specifications indicate items that are to be
+ replaced with an actual item (e.g.
+ <replaceable>interface</replaceable> should be replaced with an
+ actual interface name, like <computeroutput>eth0</computeroutput>).
+
+</para></listitem></varlistentry>
+</variablelist>
+
+<para>
+Additional information appears distinctively set apart from the main text.
+This information includes Notes, Tips, or Technical Notes.
+</para>
+
+<para>
+<emphasis>Notes</emphasis> are additional pieces of information that may be useful or may
+ clarify the preceeding paragraphs of the manual.
+</para>
+<para>
+ <emphasis>Tips</emphasis> provide shortcuts, clarify tasks that may not
+ be immediately obvious, or provide references to additional sources of information.
+</para>
+<para>
+<emphasis>Technical notes</emphasis> are explanations of a
+ more technical nature and may be of more use to programmers and advanced
+ users.
+</para>
+</sect1>
+</preface>
+
+<chapter id="gettingstarted"><title>
+Getting Started
+</title>
+<sect1>
+<title>About IPTraf</title>
+<para>
+IPTraf is a network monitoring utility and traffic analyzer for IP networks. It
+intercepts packets and returns data about captured the network traffic
+in various statistical facilities. 
+</para>
+<para>
+IPTraf comes with these major features:
+</para>
+<itemizedlist spacing="compact" mark="bullet">
+<listitem><para>An IP traffic monitor that shows TCP
+connection information (hosts, packet/byte counts, flags,
+window sizes), and color-coded information about other
+IP packets</para></listitem>
+<listitem><para>Statistics (counts and load rates) for network interfaces
+in general and detailed views</para></listitem>
+<listitem><para>Statistics per TCP/UDP port</para></listitem>
+<listitem><para>Statistical breakdown according to packet sizes</para></listitem>
+<listitem><para>A LAN host monitor that returns counts and loads per
+detected MAC address</para></listitem>
+<listitem><para>A powerful filtering system for users to view
+only interesting traffic</para></listitem>
+<listitem><para>Logging</para></listitem>
+<listitem><para>An asynchronous DNS resolver for the
+IP traffic monitor</para></listitem>
+<listitem><para>A text-based, full-color, menu-driven user interface
+suitable for use on all Linux systems with terminals, especially Linux
+consoles and color xterms</para></listitem>
+<listitem><para>Easy configuration</para></listitem>
+<listitem><para>Fully software-based. No additional
+hardware required</para></listitem>
+</itemizedlist>
+<para>
+ Basic knowledge of the important TCP/IP protocols (IP, TCP, UDP, ICMP,
+ etc.) is necessary for you to best understand the information generated
+ by the program.
+</para>
+
+</sect1>
+<sect1 id="installation">
+<title>
+ Installation
+</title>
+<para>
+ IPTraf is most readily available on the Internet, but some may receive
+ it on a diskette. Here are the instructions for both types
+ of distributions. 
+</para>
+<sect2>
+<title>System Requirements</title>
+<para>
+IPTraf requires:
+</para>
+
+<sect3>
+<title>Hardware Requirements</title>
+
+<itemizedlist spacing="compact" mark="bullet">
+<listitem><para>
+ 16 megabytes of physical RAM (more recommended, at least 64 MB for very busy networks)
+</para></listitem>
+<listitem><para>
+ 2 megabytes of free disk space for installation (more will be needed if you log high amounts of traffic over time)
+</para></listitem>
+<listitem><para>
+ Pentium-class processor or higher (Pentium-II 200 MHz or higher recommended) or equivalent.
+</para></listitem>
+<listitem><para>
+ One or more of the supported network interfaces.
+</para></listitem>
+</itemizedlist>
+</sect3>
+<sect3>
+ <title>Operating System Requirements</title>
+
+<itemizedlist spacing="compact" mark="bullet">
+<listitem><para>
+ Linux kernel 2.2.0 or higher
+</para></listitem>
+<listitem><para>
+ GNU C Library 2.1 or later
+</para></listitem>
+<listitem><para>
+
+ ncurses 4.2 or later with the complete terminfo database in
+ <filename>/usr/share/terminfo</filename>. Support for
+ <computeroutput>linux</computeroutput>, <computeroutput>vt100</computeroutput>,
+ <computeroutput>xterm</computeroutput>,
+ <computeroutput>xterm-color</computeroutput> recommended.
+
+</para></listitem>
+</itemizedlist>
+</sect3>
+<sect3>
+ <title>Compilation Requirements</title>
+<para>
+The following components are required when compiling IPTraf from the
+source code. 
+</para>
+<itemizedlist spacing="compact" mark="bullet">
+<listitem><para>
+ gcc 2.7.2.3 or later
+</para></listitem>
+<listitem><para>
+
+ GNU C (glibc) development library 2.1 or later
+</para></listitem>
+<listitem><para>
+
+ ncurses development libraries 4.2 or later
+</para>
+</listitem>
+</itemizedlist>
+</sect3>
+</sect2>
+
+<sect2>
+<title>Availability</title>
+<para>
+ IPTraf can be downloaded from the Internet from the official FTP site at
+ <ulink url="ftp://iptraf.seul.org/pub/iptraf/">
+ftp://iptraf.seul.org/pub/iptraf/
+</ulink>.
+</para>
+<para>
+
+ The software is available in source form in
+ compressed
+<filename>.tar.gz</filename> files named
+<filename>iptraf-<replaceable>x.y.z</replaceable>.tar.gz</filename> where
+<filename><replaceable>x.y.z</replaceable></filename>
+ is the version number. Precompiled ready-to-run software is available in
+ the
+<filename>iptraf-<replaceable>x.y.z.machinetype</replaceable>.bin.tar.gz</filename>
+ files. (<filename><replaceable>machinetype</replaceable></filename> indicates
+ what platform the precompiled binaries run on. The official distribution
+ will only be for the Intel x86 architecture indicated as
+<filename>i386</filename>.)
+</para>
+</sect2>
+
+<sect2>
+<title>Installing Downloaded Packages</title>
+
+<para>
+ You will need to have GNU tar and GNU zip installed. All
+ modern Linux installations already have these utilities ready.
+</para>
+<orderedlist>
+<listitem>
+<para>
+ Decompress the <filename>.tar.gz</filename> file by entering
+</para>
+<synopsis>
+tar zxvf iptraf-<replaceable>x.y.z</replaceable>.tar.gz
+</synopsis>
+<para>
+ for the source code or
+</para>
+<synopsis>
+tar zxvf iptraf-<replaceable>x.y.z</replaceable>.i386.bin.tar.gz
+</synopsis>
+<para>
+for the precompiled x86 programs.
+</para>
+<para>
+If your tar doesn't support the z option, you can separately
+decompress the <filename>.tar.gz</filename> file
+then extract the resulting <filename>.tar</filename> archive. 
+</para>
+<synopsis>
+gunzip iptraf-<replaceable>x.y.z</replaceable>.tar.gz
+tar xvf iptraf-<replaceable>x.y.z</replaceable>.tar
+</synopsis>
+<para>
+This will decompress the sources into a directory called
+<filename>iptraf-<replaceable>x.y.z</replaceable></filename> (source code)
+or
+<filename>iptraf-<replaceable>x.y.z</replaceable>.bin</filename>
+(precompiled).
+ (<replaceable>x.y.z</replaceable> here should be the IPTraf version number
+you're installing, like <filename>3.0.0</filename>).
+</para>
+</listitem>
+<listitem>
+<para>
+Change to the created top level directory.
+</para></listitem>
+<listitem><para>
+To compile and install the software, run the Setup program by entering
+</para>
+<synopsis>
+./Setup
+</synopsis>
+<para>
+ while you are logged in as root. The Setup script will recognize the
+ source distribution and compile the software before installing. It
+ will immediately install a precompiled distribution.
+</para>
+</listitem>
+</orderedlist>
+
+<para>
+ The resulting binaries will be placed in the
+<filename>/usr/local/bin</filename> directory.
+ All needed directories will also be created.
+</para>
+<para>
+ After installation, you will be asked if you want to
+ read the <filename>RELEASE-NOTES</filename> file. It is recommended that you do so at
+ that point, since the <filename>RELEASE-NOTES</filename> file
+ contains important information about the new version.
+</para>
+</sect2>
+<sect2>
+<title>Installing a Floppy Distribution</title>
+<para>
+ If you received IPTraf
+ on a diskette, the sources are already decompressed. The diskette is
+ in Second Extended filesystem format. Perform the following steps to
+ install the software. </para> <orderedlist> <listitem><para>
+Insert the floppy in the drive.
+</para></listitem>
+<listitem><para>
+Mount the floppy on an empty directory. 
For example, to
+mount the floppy in the first floppy drive under a directory
+called <filename>/mnt</filename>, enter
+</para>
+<synopsis>
+mount -t ext2 /dev/fd0 /mnt
+</synopsis>
+<para>
+ This assumes your floppy is in
+ <filename>/dev/fd0</filename>. You can use any empty directory in place
+ of <filename>/mnt</filename>. With most Linux installations, this will work fine.
+</para></listitem>
+<listitem<para>
+
+After mounting, change
+to the <filename>/mnt</filename> (or whatever) directory.
+</para></listitem>
+<listitem><para>
+Enter</para>
+<synopsis>
+./Setup
+</synopsis>
+<para>
+ while logged in as root. Setup will determine whether the diskette
+ contains a source code distribution or
+ ready-to-run precompiled software. This will copy the binaries to
+ <filename>/usr/local/bin</filename>, and
+ create the necessary working directories.
+</para></listitem>
+<listitem>
+<para>
+Unmount the diskette by typing
+</para>
+<synopsis>
+umount /mnt
+</synopsis>
+<para>
+ (That's <emphasis>u</emphasis>mount, not <emphasis>un</emphasis>mount.)
+</para>
+<para>
+ You can then eject the diskette. Store it in a safe place.
+</para>
+<para>
+ You will also be asked if you want to view the
+<filename>RELEASE-NOTES</filename> file. It is
+ recommended that you do so at that point.
+</para>
+<para>
+ In both cases (downloaded and floppy), the installation will store the
+ program in <filename>/usr/local/bin</filename> with the binaries owned by
+ user root, readable, writable, and executable by the owner,
+ no permissions for the group, no permissions for all others. (700 octal,
+ or <computeroutput>-rwx------</computeroutput>).
+</para>
+
+<note>
+ <title>Note</title>
+<para>
+ You must be <filename>root</filename> to
+ do the installation. The old style of installation (<command>cd src;make
+ install</command>)
+ is still supported. 
+</para>
+</note>
+</listitem>
+</orderedlist>
+
+<para>
+ Be sure <filename>/usr/local/bin</filename> is included in
+ your environment's <envar>PATH</envar> variable. You can
+ edit the appropriate command in your login customization
+ file (<filename>.profile</filename> for the Bourne-type shells,
+ <filename>.cshrc</filename> for the C shell and its relatives).
+</para>
+</sect2>
+</sect1>
+<sect1 id="upgrading">
+<title>
+ Upgrading from Earlier Versions
+</title>
+<para>
+IPTraf 3.0 is a major revision from IPTraf 2.7. The
+filter subsystem has been completely redesigned and as such, is
+incompatible with previous filter formats. Therefore old
+IPTraf filters can no longer be used. The installation procedure for
+IPTraf 3.0 will rename the filter list files but not delete them.
+</para>
+<para>
+If you install a distribution package (e.g. RPM,
+dpkg), old filters may still appear in the filter selection
+list but the new IPTraf version will be unable to load them.
+</para>
+</sect1>
+<sect1 id="startstop">
+<title>Starting and Stopping IPTraf</title>
+<para>
+ After installation, you can start the program by simply entering
+</para>
+<synopsis>
+iptraf
+</synopsis>
+<para>
+ at the shell prompt. You will see a copyright notice, with
+ an instruction to press any key to get started. Just press any character
+ key, and you will be immediately taken to the main menu. All major
+ functions of the program are found there.
+</para>
+<para>
+ Entering the IPTraf command without any command-line parameters brings
+ up the program's main menu. From there, you can select the
+ facilities you want.
+</para>
+<para>
+ IPTraf determines and makes use of the maximum number
+ of lines and columns on the terminal.
+</para>
+
+<note>
+
+ <title>Note</title><para>
+ IPTraf does not have a SIGWINCH handler; it does not
+ adjust itself when an xterm or some other X terminal is resized. 
+</para></note>
+
+
+<note>
+ <title>Technical note</title>
+ <para>
+
+ IPTraf needs to refer to the terminfo database
+in <filename>/usr/share/terminfo</filename>.
+ If the supplied executable program fails with <computeroutput>Error
+opening
+ terminal</computeroutput>, your terminfo database may be located somewhere else. You can
+ control the terminfo search path
+by using the <envar>TERMINFO</envar> environment
+ variable. For example, if you're using the <command>sh</command>
+or <command>bash</command> shell, and
+ your terminfo database is in <filename>/usr/lib/terminfo</filename>
+ (typical for Slackware distributions), you can use the commands:
+
+</para>
+<synopsis>
+TERMINFO=/usr/lib/terminfo
+export TERMINFO
+</synopsis>
+<para>
+ You can place these commands in your <filename>~/.profile</filename> or the
+ systemwide <filename>/etc/profile</filename> startup files.
+</para>
+<para>
+ You can also create a symbolic
+ link named <filename>/usr/share/terminfo</filename> to let
+ it point to your existing terminfo (assuming again your terminfo is in
+ <filename>/usr/lib/terminfo</filename>):
+</para>
+<synopsis>
+ln -s /usr/lib/terminfo /usr/share/terminfo
+</synopsis>
+<para>
+ Or you can recompile your program to use your existing ncurses library
+ installation. If you do this, make sure you have ncurses 4.2 or later.
+</para>
+</note>
+</sect1>
+<sect1 id="cmdline">
+<title>Command-line Options</title>
+<para>
+ IPTraf has a few optional command-line parameters. As with most UNIX
+ commands, IPTraf command-line parameters are
+case-sensitive (<computeroutput>-l</computeroutput>
+ is NOT the same as <computeroutput>-L</computeroutput>). 
+</para>
+<para>
+ The following command-line parameters can be supplied
+to the <command>iptraf</command> command:
+</para>
+<variablelist>
+<varlistentry>
+<term><computeroutput>-i <replaceable>iface</replaceable></computeroutput></term>
+<listitem><para>
+ causes the IP traffic monitor to start immediately on the specified interface.
+ If -i all is specified, all interfaces are monitored.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>-g</computeroutput></term>
+<listitem><para>
+ starts the general interface statistics
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>-d <replaceable>iface</replaceable></computeroutput></term>
+<listitem><para>
+ shows detailed statistics for the specified interface
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>-s <replaceable>iface</replaceable></computeroutput></term>
+<listitem><para>
+ starts the TCP/UDP traffic monitor for the specified interface
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>-z <replaceable>iface</replaceable></computeroutput></term>
+<listitem><para>
+ starts the packet size breakdown for the specified interface
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>-l <replaceable>iface</replaceable></computeroutput></term>
+<listitem><para>
+ starts the LAN station monitor on the specified interface. If
+<computeroutput>-l all</computeroutput> is specified, all LAN interfaces are monitored.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>-t <replaceable>timeout</replaceable></computeroutput></term>
+<listitem><para>
+ The <computeroutput>-t</computeroutput> parameter, when used with one
+ of the other parameters that specify a facility to start, tells
+ IPTraf to run the indicated facility for only timeout
+ minutes, after which the facility
+ exits. The <computeroutput>-t</computeroutput> parameter is ignored in menu
+ mode. 
+</para>
+<para>
+ If this parameter is not specified, the facility runs until the
+ exit keystroke is pressed.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>-B</computeroutput></term>
+<listitem><para>
+ Redirects all terminal output to the "bit bucket"
+<filename>/dev/null</filename>, closes standard input, and
+places the program in the background. This parameter can be used only with
+one of the <computeroutput>-i</computeroutput>, <computeroutput>-g</computeroutput>,
+<computeroutput>-d</computeroutput>,
+<computeroutput>-s</computeroutput>, <computeroutput>-z</computeroutput>, or
+<computeroutput>-l</computeroutput> parameters. See
+<link linkend="backop">Background Operation</link> in Chapter 9. <computeroutput>-B</computeroutput> is ignored in menu
+mode.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>-L <replaceable>filename</replaceable></computeroutput></term>
+<listitem><para>
+ Allows you to specify an alternate log file name when the
+ any facility is directly started from the command line, whether in foreground or
+ background mode. If specified in foreground mode, the log filename prompt is
+ bypassed, even when logging is turned on in the <emphasis>Configure...</emphasis>
+ menu. If this parameter is omitted in background mode, the default log filename
+ is used.
+</para>
+<para>
+ This parameter always turns on logging.
+</para>
+<para>
+ If an absolute path is not specified, the log
+ file will be created in the default log file directory
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>-I <replaceable>interval</replaceable></computeroutput></term>
+<listitem><para>
+ Sets the logging interval (in minutes) when the <computeroutput>-L</computeroutput> parameter is
+ used. This overrides the <emphasis>Log interval...</emphasis> setting in the <emphasis>Configure...</emphasis>
+ menu. If omitted, the configured value is used. 
This parameter is ignored when the
+ <computeroutput>-L</computeroutput> parameter is omitted and logging is disabled.
+</para>
+<para>
+ The value specified here will affect all facilities except for the IP traffic monitor.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>-q</computeroutput></term>
+<listitem><para>
+ Previously used to suppress the warning screen when IPTraf is run
+ on kernels with IP masquerading. Since the masquerading
+ code now processes packets in a way better suited to raw capture,
+ this parameter is no longer needed and is retained only for
+ compatibility.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><computeroutput>-f</computeroutput></term>
+<listitem><para>
+ Forces IPTraf to clear all lock files and reset all instance counters
+ to zero before running any facilities. IPTraf will then think
+ it's the first instance of itself.
+</para>
+<para>
+ The <computeroutput>-f</computeroutput> parameter overrides the
+ existing locks and counters imposed by the IPTraf process and
+ by the various facilities, causing this instance to think it is the
+ first and that there are no other facilities running. Use
+ this parameter with great caution. A common use for this parameter is
+ to recover from abrupt or abnormal terminations which may leave stale
+ locks and counters still lying around.
+</para>
+<para>
+ The <computeroutput>-f</computeroutput> parameter may be used together with the others.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>iptraf -h</computeroutput></term>
+<listitem><para>
+ displays a short help screen
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+
+<para>
+ While the command-line options are case-sensitive, interactive keystroke
+ at the IPTraf full-screen interface are not. 
+</para>
+</sect1>
+
+<sect1 id="menus">
+<title>Using the Menus</title>
+<para>
+ Menu items with a trailing ellipsis (<computeroutput>...</computeroutput>) either
+ pop up a submenu with further items, or require additional information
+ before it can complete the task and return to the menu.
+ Menu items without an ellipsis execute immediately.
+</para>
+<para>
+ Use the Up and Down arrow keys on your keyboard to move the selection
+ bar. Press Enter to execute the selected item. Alternatively, you can
+ also directly press the highlighted letter of the item you want. This
+ will immediately execute the option.
+</para>
+<figure>
+<title>The IPTraf Main Menu</title>
+<graphic format="png" fileref="iptraf-mmenu">
+</figure>
+</sect1>
+<sect1 id="exiting">
+<title>Exiting IPTraf</title>
+<para>
+ You can exit IPTraf with the Exit command in the main menu.
+</para>
+<para>
+ When started with one of the command-line options to
+ directly start a statistical facility, pressing X or Q will exit the
+ facility directly, without any confirmation. The
+<computeroutput>-t</computeroutput>
+ command-line parameter will automatically exit the
+ facility after the specified length of time without any confirmation
+ as well. Daemon facilities started with the <computeroutput>-B</computeroutput> parameter
+ will immediately terminate after being sent a
+ USR2 signal. See <link linkend="backop">background
+ operation</link> in chapter 9 for more information.
+</para>
+</sect1>
+</chapter>
+
+<chapter id="preparingtouse">
+<title>Preparing to Use IPTraf</title>
+<para>
+This chapter provides information applicable to all of IPTraf's statistical
+monitors.
+</para>
+<sect1 id="numbers">
+<title>Number Display Notations</title>
+<para>
+ IPTraf initially returns exact counts of bytes and packets. However, as they
+ grow larger, IPTraf begins displaying them in increasingly higher denominations.
+</para>
+<para>
+ A number standing alone with no suffix represents an exact count. 
A
+ number with a K following is a kilo (thousand) figure. An M,
+ G, and T suffix represents mega (million), giga (billion), and
+ tera (trillion) respectively. The following table shows examples.
+</para>
+
+<table frame="all">
+<title>Numeric Display Notations</title>
+<tgroup cols="2" align="left" colsep="0" rowsep="0">
+<tbody>
+<row>
+<entry>1024067</entry><entry>exactly 1024067</entry>
+</row>
+<row>
+<entry>1024K</entry><entry>approximately 1024000</entry>
+</row>
+<row>
+<entry>1024M</entry><entry>approximately 1024000000</entry>
+</row>
+<row>
+<entry>1024G</entry><entry>approximately 1024000000000</entry>
+</row>
+<row>
+<entry>1024T</entry><entry>approximately 1024000000000000</entry>
+</row>
+</tbody>
+</tgroup>
+</table>
+
+<para>
+ These notations apply to both packet and byte counts.
+</para>
+</sect1>
+<sect1 id="instances">
+<title>Instances and Logging</title>
+<para>
+ Since version 2.4, IPTraf allows multiple instances of the
+ facilities at the same time in different processes (for example, you can
+ now run two or more IP Traffic Monitors at the same time).
+ However only one can listen on a specific interface or all interfaces
+ at once. The only exception is the general interface
+ statistics, which is still restricted to only one instance at a time.
+</para>
+<para>
+ Because of this relaxation, each instance now generates log files with
+ unique names for instances, depending on either their instance
+ or the interface they're listening on. If the <emphasis>Logging</emphasis> option is turned
+ on (see the <link linkend="config">Configuration</link> chapter), IPTraf
+ will prompt you for a log file name while presenting a
+ default. You may accept this default or change it. Press Enter
+ to accept, or Ctrl+X to cancel. Canceling will turn logging off for that
+ particular session.
+</para>
+<para>
+ If you don't specify an absolute path, the log file will be placed
+ in <filename>/var/log/iptraf</filename>. 
+</para>
+<figure>
+<title>The logfile prompt dialog</title>
+<graphic format="png" fileref="iptraf-logprompt">
+</figure>
+<para>
+ See the Logging section
+in the <link linkend="config">Configuration</link> chapter for
+detailed information on logging. See also the documentation on
+each statistical facility for the default log file names.
+</para>
+<para>
+ The default log file names will also be used
+if the <computeroutput>-B</computeroutput> parameter is used
+ to run IPTraf in the background. You can override the defaults with the
+ <computeroutput>-L</computeroutput> parameter. See
+<link linkend="backop">Background Operation</link> in Chapter 9.
+</para>
+</sect1>
+<sect1 id="updates">
+<title>Screen Update Delays</title>
+<para>
+ Older versions of IPTraf updated the screen as soon as a
+ packet was received. However, screen update is one
+ of the slowest operations the program performs. Since version 1.3, a
+ configuration option has been available to control screen update speed.
+</para>
+<para>
+ See the <emphasis>Screen update interval...</emphasis> configuration option under the
+ <link linkend="config">Configuration</link> chapter of this manual.
+</para>
+</sect1>
+<sect1 id="ifaces">
+<title>Supported Network Interfaces</title>
+<para>
+ IPTraf currently supports the following network interface types and names.
+</para>
+<variablelist>
+<varlistentry>
+<term><filename>lo</filename></term>
+<listitem><para>
+ The loopback interface. Every machine has one, and has an IP address
+ of 127.0.0.1. <filename>lo</filename> is also indicated if data
+ is detected on the
+<filename>dummy<replaceable>n</replaceable></filename> interface(s).
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>eth<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ An Ethernet interface. <replaceable>n</replaceable> starts from 0. 
+ Therefore, <filename>eth0</filename> refers to the first
+ Ethernet interface, <filename>eth1</filename> to the second, and
+ so on. Most machines only have one.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>fddi<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ An FDDI interface. <replaceable>n</replaceable> starts from 0.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>tr<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ A Token Ring interface, where <replaceable>n</replaceable> starts from 0.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>ppp<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ A PPP interface. <replaceable>n</replaceable> starts from 0.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>sli<replaceable>n</replaceable></filename></term>
+<listitem><para>
+A SLIP interface. <replaceable>n</replaceable> starts from 0.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>ippp<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ A synchronous PPP interface using ISDN.
+<replaceable>n</replaceable> starts from 0.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>isdn<replaceable>n</replaceable</filename></term>
+<listitem><para>
+ ISDN interfaces can be given arbitrary names, but for them to work
+ with IPTraf, they must
+ be named <filename>isdn<replaceable>n</replaceable></filename>.
+ IPTraf supports synchronous PPP
+ (the <filename>ippp<replaceable>n</replaceable></filename>
+ interfaces above), raw IP, and Cisco-HDLC encapsulation.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>plip<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ PLIP interfaces. These are point-to-point IP connections using the PC
+ parallel port. 
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>ipsec<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ This refers to Free s/WAN (and possibly other) logical VPN interfaces.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>sbni<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ SBNI long-range modem interfaces
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>dvb<replaceable>n</replaceable></filename>,
+<filename>sm200</filename>, <filename>sm300</filename></term>
+<listitem><para>
+ DVB satellite-receive interfaces
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>wlan<replaceable>n</replaceable></filename>,
+<filename>wvlan<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ Wireless LAN interfaces
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>tun<replaceable>n</replaceable></filename></term>
+<listitem><para>
+general logical tunnel interfaces
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>brg<replaceable>n</replaceable></filename></term>
+<listitem><para>
+general logical bridge interfaces
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>hdlc<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ Frame Relay base (FRAD) interfaces (non-PVC)
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>pvc<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ Frame Relay Permanent Virtual Circuit interfaces
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+<para>
+ Your system's network interfaces must be named according
+ to the schemes specified above.
+</para>
+</sect1>
+</chapter>
+<chapter id="itrafmon">
+<title>The IP Traffic Monitor</title>
+<para>
+ Executing the first menu item or specifying <computeroutput>-i</computeroutput>
+ to the <command>iptraf</command> command takes you to the IP traffic monitor. 
The traffic + monitor is a real-time monitoring system that intercepts all packets + on all detected network interfaces, decodes the IP information on all IP packets and + displays the appropriate information, most notably the + source and destination addresses. It also + determines the encapsulated protocol within the IP packet, and + displays some important information about that as well. +</para> +<para> + There are two windows in the traffic monitor, both of which can be + scrolled with the Up and Down cursor keys. Just press W to + move the <computeroutput>Active</computeroutput> indicator to the window you + want to control. +</para> +<figure> +<title>The IP traffic monitor</title> +<graphic format="png" fileref="iptraf-iptm1"> +</figure> + +<sect1 id="upperwin"> +<title>The Upper Window</title> +<para> + The upper window of the traffic monitor displays the currently + detected TCP + connections. Information about TCP packets are displayed here. The + window contains these pieces of information: +</para> + +<itemizedlist spacing="compact"> +<listitem><para>Source address and port</para></listitem> +<listitem><para>Packet count</para></listitem> +<listitem><para>Byte count</para></listitem> +<listitem><para>Source MAC address</para></listitem> +<listitem><para>Packet Size</para></listitem> +<listitem><para>Window Size</para></listitem> +<listitem><para>TCP flag statuses</para></listitem> +<listitem><para>Interface</para></listitem> +</itemizedlist> + +<note> <title>Note</title> +<para> Previous versions of IPTraf showed + both the source and destination addresses on each line. IPTraf 2 and +higher show +only the <computeroutput><replaceable>source +host</replaceable>:<replaceable>port</replaceable></computeroutput> combination to save +on screen real estate. TCP + connection endpoints are still indicated with the green + brackets (on color terminals) along the left edge of the screen. 
+</para> +</note> + +<para> + The Up and Down cursor keys move an indicator bar between entries in the + TCP monitor, scrolling the window if necessary. The PgUp and PgDn keys + display the previous and next screenfuls of entries respectively. +</para> +<para> + The IP traffic monitor computes the data flow rate + of the currently highlighted TCP flow and displays it on the lower-right + corner of the screen. The flow rate is in kilobits or kilobytes per + second depending on the <emphasis>Activity mode</emphasis> switch +in the <emphasis><link linkend="config">Configure...</link></emphasis> menu. +</para> +<para> + Because this monitoring system relies solely on packet information, it + does not determine which endpoint initiated the connection. In other + words, it does not know which endpoints are the client and server. + This is necessary because it can operate in promiscuous + mode, and as such cannot determine the socket statuses for other + machines on the LAN. However, a little knowledge of the well-known TCP +port numbers can give a good idea about which address is that of the server. +</para> +<para> + The system therefore displays two entries for each connection, one for + each direction of the TCP connection. To make it easier to determine the + direction pairs of each connection, a bracket is used to "join" both + together. This bracket appears at the leftmost part of each entry. +</para> +<para> + Just because a host entry appears at the upper end of a + connection bracket doesn't mean it was the initiator of the connection. +</para> +<para> + Each entry in the window contains these fields: +</para> + +<variablelist> +<varlistentry> +<term><emphasis role="bold">Source address and port</emphasis></term> +<listitem><para> + The source address and port indicator is +in <replaceable>address</replaceable>:<replaceable>port</replaceable> format. + This indicates the source machine and TCP port on that machine + from which this data is coming. 
+</para> +<para> + The destination is the host:port at the other end of the bracket. +</para></listitem> +</varlistentry> +<varlistentry> +<term><emphasis role="bold">Packet count</emphasis></term> +<listitem><para> + The number of packets received for this direction of the TCP connection +</para></listitem> +</varlistentry> +<varlistentry> +<term><emphasis role="bold">Byte count</emphasis></term> +<listitem><para> + The number of bytes received for this direction + of the TCP connection. These bytes include total IP and TCP header + information, in addition to the actual data. Data link + header (e.g. Ethernet and FDDI) data are not included. +</para></listitem> +</varlistentry> +<varlistentry> +<term><emphasis role="bold">Source MAC address</emphasis></term> +<listitem><para> + The address of the host on your local LAN that delivered this packet. + This can be viewed by pressing M once if <emphasis>Source MAC +addrs</emphasis> in traffic + monitor is enabled in the <emphasis><link linkend="config">Configure...</link></emphasis> menu. +</para></listitem> +</varlistentry> +<varlistentry> +<term><emphasis role="bold">Packet Size</emphasis></term> +<listitem><para> + The size of the most recently received packet. This item + is visible if you press M for more TCP information. This is the size + of the IP datagram only, not including the data link header. +</para></listitem> +</varlistentry> +<varlistentry> +<term><emphasis role="bold">Window Size</emphasis></term> +<listitem><para> + The advertised window size of the most recently received packet. This + item is visible if you press M for more TCP information. +</para></listitem> +</varlistentry> +<varlistentry> +<term><emphasis role="bold">Flag statuses</emphasis></term> +<listitem><para> + The flags of the most recently received packet. + +<variablelist> +<varlistentry> +<term><computeroutput>S</computeroutput></term> +<listitem><para> + SYN. 
A synchronization is taking place in preparation for + connection establishment. If only an <computeroutput>S</computeroutput> + is present (<computeroutput>S---</computeroutput>) the source is trying + to initiate a connection. If an <computeroutput>A</computeroutput> is + also present (<computeroutput>S-A-</computeroutput>), this is an + acknowledgment of a previous connection request, and is responding. +</para> +</listitem> +</varlistentry> + +<varlistentry> +<term><computeroutput>A</computeroutput></term> +<listitem><para> + ACK. This is an acknowledgment of a previously received packet +</para> +</listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>P</computeroutput></term> +<listitem><para> + PSH. A request to push all data to the top of the receiving queue +</para> +</listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>U</computeroutput></term> +<listitem><para> + URG. This packet contains urgent data +</para> +</listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>RESET</computeroutput></term> +<listitem><para> + RST. The source machine indicated in this direction reset the entire connection. The direction entries for reset connections become available for new connections. +</para> +</listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>DONE</computeroutput></term> +<listitem><para> + The connection is done sending data in this direction, and has sent a FIN (finished) packet, but has not yet been acknowledged by the other host. +</para> +</listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>CLOSED</computeroutput></term> +<listitem><para> + The FIN has been acknowledged by the other host. When both directions of a connection are marked CLOSED, the entries they occupy become available for new connection entries. 
+</para> +</listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>-</computeroutput></term> +<listitem><para> + The flag is not set +</para></listitem> +</varlistentry> +</variablelist> +</para></listitem> +</varlistentry> +</variablelist> + +<para> + Some other pieces of information can be viewed as well. The M key + displays more TCP information. Pressing M once + displays the MAC addresses of the LAN hosts + that delivered the packets (if the <emphasis>Source MAC addrs in traffic +monitor</emphasis> + option is enabled in the <emphasis><link linkend="config">Configure...</link></emphasis> +menu). <computeroutput>N/A</computeroutput> is displayed if + no packets have been received from the source yet, or if the interface + doesn't support MAC addresses (such as PPP interfaces). +</para> +<para> + If the <emphasis>Source MAC addrs in traffic monitor</emphasis> option is not enabled, + pressing M simply toggles between the counts and the packet and window + sizes. +</para> +<para> + By default, only IP addresses are displayed, but if you have access to a + name server or host table, you may enable reverse lookup for the + IP addresses. Just enable reverse lookup +in the <emphasis><link linkend="config">Configure...</link></emphasis> menu. +</para> + +<sidebar> +<title>The rvnamed Process</title> +<para> + The IP traffic monitor starts a daemon called + <command>rvnamed</command> to help speed + up reverse lookups without sacrificing too much keyboard control and + accuracy of the counts. While reverse lookup is being conducted in the + background, IP addresses will be used until the resolution is complete. +</para> +<para> + If for some reason <command>rvnamed</command> cannot start (probably due to + improper installation or lack of memory), and you are + on the Internet, and you enable reverse lookup, your + keyboard control can become very slow. 
This is because the standard + lookup functions do not return until they have completed their + tasks, and it can take several seconds for a name resolution + in the foreground to complete. +</para> +<para> + <command>rvnamed</command> will spawn up to 200 children to process reverse DNS queries. +</para> +</sidebar> + +<tip> +<title>Tip</title> +<para>If you notice unusual SYN activity (too many +initial (<computeroutput>S---</computeroutput>) but frozen SYN entries, or rapidly +increasing initial SYN packets for a single connection), you may +be under a SYN flooding attack or TCP port scan. Apply appropriate measures, or the +targeted machines may begin denying network services. +</para> +</tip> + +<para> + Entries not updated within a user-configurable amount of + time may get replaced with new connections. The default time is 15 + minutes. This is regardless of whether the connection is closed or + not. (Some unclosed connections may be due to extremely slow links + or crashes at either end of the connection.) This figure can be changed + at the <emphasis><link linkend="config">Configure...</link></emphasis> menu. +</para> +<para> + Some early entries may have a > symbol in front of its packet + count. This means the connection was already established + when the monitor started. In other words, the figures indicated do not + reflect the counts since the start + of the TCP connection, but rather, since the start of the traffic + monitor. Eventually, these > entries will close (or time out) and + disappear. TCP entries without the > + were initiated after the traffic monitor started, and the counts + indicate the totals of the connection itself. Just consider entries + with > partial. +</para> +<para> + Some > entries may go idle if the traffic monitor was started + when these connections were already half-closed (FIN sent + by one host, but data still being sent by the other). 
This + is because the traffic monitor cannot determine if a + connection was already half-closed when it started. These entries will + eventually time out. (To minimize these entries, an entry is not added + by the monitor until a packet with data or a SYN packet is received.) +</para> +<para> + Direction entries also become available for reuse if an ICMP Destination + Unreachable message is received for the connection. +</para> +<para> + The lower part of the screen contains a summary line showing the IP, + TCP, UDP, ICMP, and non-IP byte counts since the start of the + monitor. The IP, TCP, UDP, and ICMP counts include only the IP + datagram header and data, not the data-link headers. The + non-IP count includes the data-link headers. +</para> + +<note> +<title> + Technical note: IP Forwarding and Masquerading +</title> +<para> + Previous versions of IPTraf issued a warning if the kernel had + IP masquerading enabled due to the way the + kernel masqueraded and translated the IP addresses. The new kernels no + longer do it as before and IPTraf now gives output properly on + masquerading machines. The <computeroutput>-q</computeroutput> parameter is no + longer required to suppress the warning screen. +</para> +<para> + On forwarding (non-masquerading) + machines packets and TCP connections simply appear twice, one + each for the incoming and outgoing interfaces if all interafaces + are being monitored. +</para> +<para> + On masquerading machines, packets and connections from the + internal network to the external network also appear + twice, one for the internal and external interface. Packets coming + from the internal network will be indicated as coming from the internal + IP address that sourced them, and also as coming from the IP address + of the external interface on your masquerading machine. 
In much the same + way, packets coming in from the external network will look + like they're destined for the external interface's IP address, and again + as destined for the final host on the internal network. +</para> +</note> + +<sect2> + <title>Closed/Idle/Timed Out Connections</title> +<para> + A TCP connection entry that closes, gets reset, or stays idle too long + normally gets replaced with new connections. However, + if there are too many of these, active connections may become + interspersed among closed, reset, or idle entries. +</para> +<para> + IPTraf can be set to automatically remove all closed, reset, and + idle entries with the <emphasis>TCP closed/idle + persistence...</emphasis> configuration option. You can also press the F key to + immediately clear them at any time. +</para> + +<note> + <title>Note</title> +<para> +The <emphasis>TCP timeout...</emphasis> option only tells +IPTraf how long it should take before a connection should be considered +idle and open to replacement by new connections. This +does not determine how long it remains on-screen. The <emphasis>TCP closed/idle +persistence...</emphasis> parameter flushes entries that have been idle for the +number of minutes defined by the <emphasis>TCP timeout...</emphasis> option. +</para> </note> +</sect2> +<sect2> +<title>Sorting TCP Entries</title> +<para> + The TCP connection entries can be sorted by pressing the S key, then + by selecting a sort criterion. Pressing S will display a box showing the + available sort criteria. Press P to sort by packet count, B to sort by + byte count. Pressing any other key cancels the sort. +</para> +<para> + The sort operation compares the larger values in each connection entry + pair and sorts the counts in descending order. +</para> +<para> + Over time, the entries will go out of order as counts proceed at varying + rates. Sorting is not done automatically so as not to degrade performance +and accuracy. 
+</para> +<figure> +<title>The IP traffic monitor sort criteria</title> +<graphic format="png" fileref="iptraf-iptmsort"> +</figure> +</sect2> +</sect1> +<sect1 id="lowerwin"> +<title>Lower Window</title> +<para> + The lower window displays information about the other types of traffic + on your network. The following protocols are detected internally: +</para> +<itemizedlist spacing="compact"> +<listitem><para>User Datagram Protocol (UDP)</para></listitem> + +<listitem><para>Internet Control Message Protocol (ICMP)</para></listitem> + +<listitem><para>Open Shortest-Path First (OSPF)</para></listitem> + +<listitem><para>Interior Gateway Routing Protocol (IGRP)</para></listitem> + +<listitem><para>Interior Gateway Protocol (IGP)</para></listitem> + +<listitem><para>Internet Group Management Protocol (IGMP)</para></listitem> + +<listitem><para>General Routing Encapsulation (GRE)</para></listitem> + +<listitem><para>Layer 2 Tunneling Protocol (L2TP)</para></listitem> + +<listitem><para>IPSec AH and ESP protocols (IPSec AH and IPSec ESP)</para></listitem> + +<listitem><para>Address Resolution Protocol (ARP)</para></listitem> + +<listitem><para>Reverse Address Resolution Protocol (RARP)</para></listitem> +</itemizedlist> + +<para> + Other IP protocols are looked up from the <filename>/etc/services</filename> + file. If <filename>/etc/services</filename> doesn't contain information about + that protocol, the protocol number is indicated. +</para> +<para> + Non-IP packets are indicated as +<computeroutput>Non-IP</computeroutput> in the lower window. +</para> + +<note> +<title>Note</title> +<para>The source and destination addresses for ARP and +RARP entries are MAC addresses. +</para> +<para> + Strictly speaking, ARP and RARP packets aren't IP packets, since + they are not encapsulated in an IP datagram. They're + just indicated because they are integral to proper IP operation on LANs. 
+</para> +</note> + +<para> + For all packets in the lower window, only the first IP fragment is + indicated (since that contains the header + of the IP-encapsulated protocol) but with no further information + from the encapsulated protocol. +</para> +<para> +UDP packets are also displayed +in +<computeroutput><replaceable>address</replaceable>:<replaceable>port</replaceable> +</computeroutput> format while ICMP entries also contain the +ICMP message type. For easier location, each type of protocol +is color-coded (only on color terminals such as the Linux console). +</para> + +<variablelist> +<varlistentry><term>UDP</term><listitem><para>Red on White</para></listitem></varlistentry> +<varlistentry><term>ICMP</term><listitem><para>Yellow on Blue</para></listitem></varlistentry> +<varlistentry><term>OSPF</term><listitem><para>Black on Cyan</para></listitem></varlistentry> +<varlistentry><term>IGRP</term><listitem><para>Bright white on Cyan</para></listitem></varlistentry> +<varlistentry><term>IGP</term><listitem><para>Red on Cyan</para></listitem></varlistentry> +<varlistentry><term>IGMP</term><listitem><para>Bright green on Blue</para></listitem></varlistentry> +<varlistentry><term>GRE</term><listitem><para>Blue on white</para></listitem></varlistentry> +<varlistentry><term>ARP</term><listitem><para>Bright white on Red</para></listitem></varlistentry> +<varlistentry><term>RARP</term><listitem><para>Bright white on Red</para></listitem></varlistentry> +<varlistentry><term>Other IP</term><listitem><para>Yellow on red</para></listitem></varlistentry> +<varlistentry><term>Non-IP</term><listitem><para>Yellow on Red</para></listitem></varlistentry> +</variablelist> + +<para> + The lower window can hold up to 512 entries. You can + scroll the lower window by using the W key to move the Active indicator + to it, and by using the Up and Down cursor keys. 
The lower + window automatically scrolls every time a new entry is added, and either + the first entry or last entry is visible. Upon reaching 512 entries, old + entries are thrown out as new entries are added. +</para> +<para> + Some entries may be too long to completely fit in a screen line. You can + use the Left and Right cursor keys to vertically scroll the lower window + when it is marked <computeroutput>Active</computeroutput>. If your +terminal can be resized (e.g. xterm), you may do so before starting +IPTraf. +</para> +<para> + Entries for packets received on LAN interfaces also include the + source MAC address of the LAN host which delivered it. This behavior + is enabled by turning on the Source MAC addrs in traffic monitor toggle + in the <emphasis><link linkend="config">Configure...</link></emphasis> menu. +</para> + +<sect2> +<title>Entry Details</title> +<para> + In general, the entries in the lower window indicate the protocol, the + IP datagram size (full frame size for non-IP, including ARP and + RARP), the source address, the destination + address, and the network interface the packet was detected on. + However, some protocols have a little more information. +</para> +<sect3> +<title>ICMP</title> +<para> + ICMP entries are displayed in this format: +</para> +<synopsis> +ICMP <replaceable>type</replaceable> [(<replaceable>subtype</replaceable>)] (<replaceable>size</replaceable> bytes) from <replaceable>source</replaceable> to <replaceable>destination</replaceable> +[(src HWaddr <replaceable>srcMACaddress</replaceable>)] on <replaceable>interface</replaceable> +</synopsis> +<para> + where type could be any of the following: +</para> + +<variablelist> +<varlistentry> +<term><computeroutput>echo req, echo rply</computeroutput></term> +<listitem><para> + ICMP echo request and reply. Usually used by the ping program and other network monitoring and diagnostic program. 
+</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>dest unrch</computeroutput></term> +<listitem><para> + ICMP destination unreachable. Something failed to reach its target. The dest unreach type is supplemented with a further indicator of the problem. Destination unreachable messages for TCP traffic causes the corresponding TCP entry in the upper + window to be made available for reuse by new connections. +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>redirct</computeroutput></term> +<listitem><para> + ICMP redirect. Usually generated by a router to tell a host that a better gateway is available. +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>src qnch</computeroutput></term> +<listitem><para> + The ICMP source quench is used to stop a host from transmitting. It's a +flow control mechanism for IP. +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>time excd</computeroutput></term> +<listitem><para> + Indicates a packet's time-to-live value expired before it got +to its destination. Mostly happens if a destination is too far away. +Also used by the traceroute program. 
+</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>router adv</computeroutput></term> +<listitem><para> + ICMP router advertisement +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>router sol</computeroutput></term> +<listitem><para> + ICMP router solicitation +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>timestmp req</computeroutput></term> +<listitem><para> + ICMP timestamp request +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>timestmp rep</computeroutput></term> +<listitem><para> + ICMP timestamp reply +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>info req</computeroutput></term> +<listitem><para> + ICMP information request +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>info rep</computeroutput></term> +<listitem><para> + ICMP information reply +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>addr mask req</computeroutput></term> +<listitem><para> + ICMP address mask request +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>addr mask rep</computeroutput></term> +<listitem><para> + ICMP address mask reply +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>param prob</computeroutput></term> +<listitem><para> + ICMP parameter problem +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>bad/unknown</computeroutput></term> +<listitem><para> + An unrecognized ICMP packet was received, or the packet is corrupted. +</para></listitem></varlistentry> +</variablelist> +<para> + The destination unreachable message also includes information on the + type of error encountered. 
Here are the destination unreachable codes: +</para> + +<variablelist> +<varlistentry> +<term><computeroutput>ntwk</computeroutput></term> +<listitem><para> + network unreachable +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>host</computeroutput></term> +<listitem><para> + host unreachable +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>proto</computeroutput></term> +<listitem><para> + protocol unreachable +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>port</computeroutput></term> +<listitem><para> + port unreachable +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>pkt fltrd</computeroutput></term> +<listitem><para> + packet filtered (normally by an access rule on a router or firewall) +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>DF set</computeroutput></term> +<listitem><para> + the packet has to be fragmented somewhere, but its don't fragment + (DF) bit is set. 
+</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>src rte fail</computeroutput></term> +<listitem><para> + source route failed +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>src isltd</computeroutput></term> +<listitem><para> + source isolated (obsolete) +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>net comm denied</computeroutput></term> +<listitem><para> + network communication denied +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>host comm denied</computeroutput></term> +<listitem><para> + host communication denied +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>net unrch for TOS</computeroutput></term> +<listitem><para> + network unreachable for specified IP type-of-service +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>host unrch for TOS</computeroutput></term> +<listitem><para> + host unreachable for specified IP type-of-service +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>prec violtn</computeroutput></term> +<listitem><para> + precedence violation +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>prec cutoff</computeroutput></term> +<listitem><para> + precedence cutoff +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>dest net unkn</computeroutput></term> +<listitem><para> + destination network unknown +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>dest host unkn</computeroutput></term> +<listitem><para> + destination network unknown +</para></listitem></varlistentry> +</variablelist> + +<para> + For more information on ICMP, see RFC 792. +</para> +</sect3> + +<sect3> +<title>OSPF</title> + +<para> +OSPF messages also include a little more information. 
The format of an +OSPF message in the window is: +</para> + +<synopsis> +OSPF <replaceable>type</replaceable> (a=<replaceable>area</replaceable> r=<replaceable>router</replaceable>) (<replaceable>size</replaceable>bytes) from <replaceable>source</replaceable> to <replaceable>destination</replaceable> +[(src HWaddr <replaceable>srcMACaddress</replaceable>)] on <replaceable>interface</replaceable> +</synopsis> + +<para> + The type can be one of the following: +</para> + +<variablelist> +<varlistentry> +<term><computeroutput>hlo</computeroutput></term> +<listitem><para> + OSPF hello. Hello messages establish OSPF communications and keep routers informed of each other's presence. +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>DB desc</computeroutput></term> +<listitem><para> + OSPF Database Description +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>LSR</computeroutput></term> +<listitem><para> + OSPF Link State Request +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>LSU</computeroutput></term> +<listitem><para> + OSPF Link State Update. Messages indicating the states of the OSPF network links +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>LSA</computeroutput></term> +<listitem><para> + OSPF Link State Acknowledgment +</para></listitem></varlistentry> +</variablelist> +<para> + The entries in parentheses: +</para> +<variablelist> +<varlistentry> +<term><computeroutput>a=<replaceable>area</replaceable></computeroutput></term> +<listitem><para> + The area number of the OSPF message +</para></listitem></varlistentry> +<varlistentry> +<term><computeroutput>r=<replaceable>router</replaceable></computeroutput></term> +<listitem><para> + The IP address of the router that generated the message. It + is not necessarily the same as the source address + of the encapsulating IP packet. 
+</para></listitem></varlistentry>
+</variablelist>
+
+<para>
+ Many times, the destination addresses for OSPF packets are class D
+ multicast addresses in standard dotted decimal notation or (if reverse
+ lookup is enabled), hosts under the <computeroutput>MCAST.NET</computeroutput> domain. Such multicast
+ addresses are defined as follows:
+</para>
+
+<variablelist>
+<varlistentry>
+<term><computeroutput>224.0.0.5 (OSPF-ALL.MCAST.NET)</computeroutput></term>
+<listitem><para>OSPF all routers</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>224.0.0.6 (OSPF-DSIG.MCAST.NET)</computeroutput></term>
+<listitem><para>OSPF all designated routers</para></listitem></varlistentry>
+</variablelist>
+
+<para>
+ See RFC 1247 for details on the OSPF protocol.
+</para>
+</sect3>
+</sect2>
+</sect1>
+<sect1>
+<title>Additional Information</title>
+<para>
+ When started from the main menu and logging is enabled, the IP traffic
+ monitor prompts you for a log file name. The default name is
+<filename>ip_traffic-<replaceable>n</replaceable>.log (where
+<replaceable>n</replaceable></filename> is what
+ instance of the traffic monitor this is (1, 2, 3, and so on). (e.g. if
+ this is the first instance, the default file name will
+ be <filename>ip_traffic-1.log</filename>.)
+</para>
+<para>
+ When started with the <computeroutput>-i</computeroutput> parameter,
+ the log filename can be specified with the <computeroutput>-L</computeroutput>
+ parameter. See the <link linkend="cmdline">Command-line Parameters</link>
+ section above for more information.
+</para>
+<para>
+On busy networks, the display may become cluttered with traffic you're not
+interested in. To control the traffic monitor's output, you can apply a
+<emphasis>filter</emphasis>. See Chapter 7, <link
+linkend="filters">Filters</link> for more information on IPTraf's filters.
+</para>
+<para>
+ At any time, you can press X or Q to return to the main menu (or back to
+ the shell if the monitor was started with <command>iptraf -i</command>).
+</para>
+</sect1>
+</chapter>
+
+<chapter id="netstats">
+<title>Network Interface Statistics</title>
+<para>
+There are two network interface
+statistics facilities: the general interface statistics, which
+displays a statistical summary of all attached interfaces, and the
+detailed interface statistics, which shows more statistical and
+load information about a single selected interface.
+</para>
+<sect1 id="genstats">
+
+<title>General Interface Statistics</title>
+<para>
+ The second menu option displays a list of
+ attached network interfaces, and some general
+ packet counts. Specifically, it displays counts of IP, non-IP, and bad
+ IP packets (packets with IP checksum errors). It also includes an
+ activity indicator, which shows the number of kilobits and packets the
+ interface sees per second. All figures are for incoming and outgoing
+ packets. (Again, considering promiscuous
+ mode for LAN interfaces, which simply causes the machine
+ to intercept all packets). This is useful for general monitoring
+ of all attached interfaces. If byte counts and
+ additional information are needed for a specific interface, the <emphasis>Detailed
+ interface statistics</emphasis> option is also available.
+</para>
+<para>
+ The activity indicators can be toggled between kbits/s and kbytes/s with
+ the <emphasis>Activity mode</emphasis> configuration option.
+</para>
+<para>
+ The general statistics window will dynamically add new entries
+ as packets from newly-created interfaces (e.g. new PPP interfaces) are
+ intercepted. Long lists can be scrolled with the Up, Down, PgUp, and
+ PgDn keys.
+</para>
+<para>
+This monitor is affected by IPTraf's <link
+linkend="filters">filters</link> as described in Chapter 7.
+</para>
+<para>
+ Copies of the statistics are written to the log file
+ <filename>iface_stats_general.log</filename> at regular intervals if logging is
+ enabled. See the <emphasis>Logging</emphasis>
+option int the <link linkend="config">Configuration</link> chapter.
+</para>
+<para>
+ This facility can be started directly from the command line with the
+ <command>-g</command> option to the <command>iptraf</command> command.
+ When started from the command line, the log filename and log interval can be
+ specified with the <computeroutput>-L</computeroutput> and <computeroutput>-I</computeroutput>
+ parameters respectively. See the <link linkend="cmdline">Command-line Parameters</link>
+ section above for more information.
+</para>
+<figure>
+<title>The general interface statistics screen</title>
+<graphic format="png" fileref="iptraf-gstat1">
+</figure>
+<para>
+ You can press X or Q to return to the main menu.
+</para>
+</sect1>
+<sect1 id="detstats">
+<title>Detailed Interface Statistics</title>
+<para>
+ The third menu option displays packet statistics for any
+ selected interface. It provides basically the same information
+ as the <emphasis>General interface statistics</emphasis>
+ option, with additional details.
+ This facility provides the following information:
+</para>
+<itemizedlist spacing="compact" mark="bullet">
+<listitem><para>
+ Total packet and byte counts
+</para></listitem>
+<listitem><para>
+ IP packet and byte counts
+</para></listitem>
+<listitem><para>
+ TCP packet and byte counts
+</para></listitem>
+<listitem><para>
+ UDP packet and byte count
+</para></listitem>
+<listitem><para>
+ ICMP packet and byte counts
+</para></listitem>
+<listitem><para>
+ Other IP-type packet and byte counts
+</para></listitem>
+<listitem><para>
+ Non-IP packet and byte counts
+</para></listitem>
+<listitem><para>
+ Checksum error count
+</para></listitem>
+<listitem><para>
+ Interface activity
+</para></listitem>
+<listitem><para>
+ Broadcast packet and byte counts
+</para></listitem>
+</itemizedlist>
+<para>
+ All IP byte counts (IP, TCP, UDP, ICMP, other IP) include IP header data
+ and payload. The data link header is not included. The full frame length
+ (including data-link header) is included in the non-IP and Total
+ byte count. All data-link headers are also included in the Total byte
+ counts.
+</para>
+<figure>
+<title>The detailed interface statistics screen</title>
+<graphic format="png" fileref="iptraf-dstat1">
+</figure>
+<para>
+ The upper portion of the screen
+ contains the packet and byte counts for all IP and
+ non-IP packets intercepted on the interface. The lower portion
+ contains the total, incoming, and outgoing interface data rates.
+</para>
+<para>
+ This facility also displays incoming and outgoing counts and data rates.
+ The packet size breakdown in versions prior to 2.0.0 has been moved
+ to its own facility under <emphasis>Statistical breakdowns.../By packet
+ size</emphasis> as described in <link linkend="pktsize">Chapter 5</link>.
+</para>
+<para>
+ An outgoing packet is one that exits your interface, regardless
+ of whether it originated from your machine or came
+ from another machine and was routed through yours. An incoming packet is
+ one that enters your interface, either addressed
+ to you directly, broadcast, multicast, or captured promiscuously.
+</para>
+<para>
+ The rate indicators can be set to display kbits/s or kbytes/s with the
+ <emphasis>Activity mode</emphasis> configuration option.
+</para>
+
+<note>
+ <title>Note</title>
+ <para>
+ Buffering and some other factors may affect the data rates, notably
+ the outgoing rate, causing it to reflect a higher figure than the actual
+ rate at which the interface is sending.
+</para>
+</note>
+<para>
+ The figures are logged at regular intervals if logging is enabled. The
+ default log file name at the prompt is
+ <filename>iface_stats_detailed-<replaceable>iface</replaceable>.log</filename>
+ where iface is the selected interface for this session (for example,
+ <filename>iface_stats_detailed-eth0.log</filename>).
+</para>
+<para>
+ If you wish to start this facility directly
+ from the command line, you can specify the
+<computeroutput>-d</computeroutput> parameter and an interface
+ to monitor. For example,
+</para>
+<synopsis>
+iptraf -d eth0
+</synopsis>
+<para>
+ starts the statistics for <filename>eth0</filename>. The interface must be specified, or
+ IPTraf will not start the facility.
+</para>
+<para>
+ When started from the command line, the log filename and log interval can be
+ specified with the <computeroutput>-L</computeroutput> and <computeroutput>-I</computeroutput>
+ parameters respectively. See the <link linkend="cmdline">Command-line Parameters</link>
+ section above for more information.
+</para>
+<note>
+ <title>Note</title>
+ <para>
+ In both the general and detailed statistics screens, as well as
+ in the IP traffic monitor, the packet counts are for
+ actual network packets (layer 2), not the logical IP packets (layer 3)
+ that may be reconstructed after fragmentation. That means, if a
+ packet was fragmented into four pieces, and these four fragments pass
+ over your interface, the packet counts will indicate four separate
+ packets.
+ </para>
+</note>
+<para>
+ The figure for the IP checksum errors is a packet count only, because the
+ corrupted IP header cannot be relied upon to give a correct IP
+ packet length value.
+</para>
+<para>
+ This facility's output is also affected by IPTraf's <link
+linkend="filters">filters</link>. See Chapter 7 for more information
+on filters.
+</para>
+<para>
+ Pressing X or Q takes you back to the main menu (if this
+ facility was started with the command-line option, X or Q drops you back
+ to the shell).
+</para>
+</sect1>
+</chapter>
+
+<chapter id="statbreakdowns">
+<title>Statistical Breakdowns</title>
+<para>
+ Statistical breakdowns contain two facilities that break
+ down traffic counts by either packet size or TCP/UDP port.
+</para>
+<sect1 id="pktsize">
+<title>Packet Sizes</title>
+
+<para>
+ The packet size breakdown facility used to be incorporated
+ into the detailed interface statistics. It has since been moved
+ to its own facility. It is entered
+ by selecting <emphasis>Statistical Breakdowns/By packet size</emphasis>.
+</para>
+<para>
+ The packet size breakdown takes the interface's Maximum Transmission
+ Unit (MTU) size and divides it into 20 brackets, each bracket
+ containing a range of sizes. As a packet is captured, its size
+ is determined and the appropriate bracket is incremented.
+</para>
+<para>
+ This facility provides an idea as to the packet sizes passing over
+ your network, and can aid in network (re)design decisions.
+</para>
+<figure>
+<title>The packet size statistical breakdown</title>
+<graphic format="png" fileref="iptraf-pktsize">
+</figure>
+<para>
+ If logging is enabled, copies of the statistics are written at regular
+ intervals to a log file. The default log file name
+ is
+ <filename>packet_size-<replaceable>iface</replaceable>.log</filename> where
+ <replaceable>iface</replaceable>
+ is the selected interface for this session (for example,
+ <filename>packet_size-eth0.log</filename>).
+</para>
+<para>
+IPTraf's filters do not affect this facility.
+</para>
+<para>
+ The packet size breakdown can also be invoked straight
+ from the command line by specifying the <computeroutput>-z</computeroutput> iface
+ parameter. The interface parameter is required. For example,
+ this command runs the facility on interface <filename>eth0</filename>.
+</para>
+<synopsis>
+iptraf -z eth0
+</synopsis>
+<para>
+ When started from the command line, the log filename and log interval can be
+ specified with the <computeroutput>-L</computeroutput> and <computeroutput>-I</computeroutput>
+ parameters respectively. See the <link linkend="cmdline">Command-line Parameters</link>
+ section above for more information.
+</para>
+<para>
+ To exit, press X or Ctrl+X.
+</para>
+</sect1>
+
+<sect1 id="servmon">
+<title>TCP and UDP Traffic Statistics</title>
+<para>
+ IPTraf also includes a facility that generates statistics on TCP and UDP
+ traffic. This facility displays counts of all TCP and UDP packets with
+ source or destination ports numbered less than 1024. Ports 1 to 1023 are
+ reserved for the TCP/IP application protocols (well-known ports).
+</para>
+<figure>
+<title>The TCP/UDP service monitor</title>
+<graphic format="png" fileref="iptraf-tcpudp">
+</figure>
+<para>
+ The statistics window indicates the protocol (TCP or UDP), the
+ port number, the total packets and bytes counted for this particular
+ protocol/port combination, the packets and bytes destined for that
+ protocol and port, and the packets and bytes coming
+ from that protocol and port.
+</para>
+<para>
+ Byte counts include the IP header and payload only. The data link header
+ is not included.
+</para>
+<para>
+ The protocol/port indicators are color-coded for easier identification
+ on color terminals. TCP indicators are in yellow, UDP in bright green.
+</para>
+<para>
+ Some network applications or protocols may use port numbers higher
+ than 1023. Examples
+ of these include application proxy servers (HTTP proxy servers typically
+ use values like 8000, 8080, 8888, and the like), and IRC
+ (IRC servers commonly accept connections on ports 6660 to 6669). These
+ ports are by default not included in the counts. If you do want
+ to include a higher-numbered port in the statistics, you can add
+ them yourself from the <emphasis><link linkend="config">Configure...</link>/Additional ports...</emphasis>
+ menu item. See the section below.
+</para>
+<para>
+ If logging is enabled, The statistics are also written to a log file
+ (the default name is
+<filename>tcp_udp_services-<replaceable>iface</replaceable>.log</filename>, where iface
+ is the selected interface (for example,
+<filename>tcp_udp_services-eth0.log</filename>).
+</para>
+<para>
+ IPTraf computes the total, incoming, outgoing, and data rates of the
+ protocol currently indicated by the facility's highlight bar. The data
+ rates are indicated at the bottom of the screen. If logging is
+ enabled, the average data rates since the start of the facility are
+ placed in the log file.
+</para>
+<para>
+ The Up and Down cursor keys move the highlight bar. Pressing X or Ctrl+X
+ exits and returns to the main menu (or the shell if it was started
+ from the command line).
+</para>
+
+<sect2>
+ <title>Sorting TCP/UDP Entries</title>
+<para>
+ Pressing the S key brings up a window which allows you to
+ select the field by which the entries will be sorted. You can press R to
+ sort by port, P to sort by total packets, B to sort by total bytes, T to
+ sort by incoming packets (packets to), O to sort by incoming bytes
+ (bytes to), F to sort by outgoing packets (packets from) and M to sort
+ by outgoing bytes (bytes from). Pressing any other key cancels the sort.
+</para>
+<para>
+ Port numbers are sorted in ascending order (least first) but
+ statistics are sorted in descending order (largest counts first).
+</para>
+<para>
+ As with the IP traffic monitor, sorting is performed only with
+ this sequence. Automatic sorting is not performed so as not to
+ affect performance.
+</para>
+<figure>
+<title>The TCP/UDP monitor's sort criteria</title>
+<graphic format="png" fileref="iptraf-tcpudpsort">
+</figure>
+</sect2>
+<sect2>
+<title>Additional Information</title>
+<para>
+IPTraf's filters affect the output of this facility. See Chapter 7, <link
+linkend="filters">Filters</link> for more information about filters.
+</para>
+<para>
+ If you wish to start this facility from the command line, you can
+ use the <computeroutput>-s</computeroutput> option followed by an interface to monitor. For example,
+</para>
+<synopsis>
+iptraf -s eth0
+</synopsis>
+<para>
+ brings up this module for traffic on
+ <filename>eth0</filename>. The interface must be specified, or
+ IPTraf will drop back to the shell.
+</para>
+<para>
+ When started from the command line, the log filename and log interval can be
+ specified with the <computeroutput>-L</computeroutput> and <computeroutput>-I</computeroutput>
+ parameters respectively. See the <link linkend="cmdline">Command-line Parameters</link>
+ section above for more information.
+</para>
+</sect2>
+</sect1>
+</chapter>
+
+<chapter id="hostmon">
+<title>LAN Station Statistics</title>
+<para>
+ The LAN station monitor (Ethernet station monitor on versions prior to
+ 1.3.0) discovers MAC addresses and displays statistics on the number
+ of incoming, and outgoing packets. It also includes figures for incoming
+ and outgoing kilobits per second for each discovered station.
+</para>
+<para>
+ The entry above each line of statistics is the station's LAN
+ type (Ethernet, PLIP, Token Ring, or FDDI) and the hardware MAC address.
+ Each statistics line consists of the following information:
+</para>
+
+<itemizedlist spacing="compact" mark="bullet">
+<listitem><para>Total packets incoming</para></listitem>
+
+ <listitem><para>IP packets incoming</para></listitem>
+
+ <listitem><para>Total bytes incoming</para></listitem>
+
+ <listitem><para>Incoming rate</para></listitem>
+
+ <listitem><para>Total packets outgoing</para></listitem>
+
+ <listitem><para>IP packets outgoing</para></listitem>
+
+ <listitem><para>Total bytes outgoing</para></listitem>
+
+ <listitem><para>Outgoing rate</para></listitem>
+</itemizedlist>
+<para>
+ The byte counts include the data link header. The activity
+ indicators can be set to display kbits/s or kbytes/s with the <emphasis>Activity
+ mode</emphasis> configuration option.
+</para>
+<para>
+ This facility works only for Ethernet, PLIP, Token Ring, and
+ FDDI frames. Loopback. ISDN, and SLIP/PPP networks are not monitored here.
+</para>
+<figure>
+<title>The LAN station monitor</title>
+<graphic format="png" fileref="iptraf-hw">
+</figure>
+<para>
+ Copies of the statistics are written to a log file at regular intervals
+ if logging is enabled. The default log file name
+ is <filename>lan_statistics-<replaceable>n</replaceable>.log</filename>, where n is the instance number of this facility
+ (for example, if this is the first instance, the generated default log
+ file name is <filename>lan_statistics-1.log</filename>).
+</para>
+<sect1 id="sortinglan">
+ <title>Sorting the LAN Station Monitor Entries</title>
+<para>
+ Press S to sort the entries. A box will pop up and display the
+ keys you can press to select the field by which the entries will
+ be sorted. Press P to sort by total incoming packets, I to sort by
+ incoming IP packets, B to sort by total incoming bytes, K to sort
+ by total outgoing packets, O to sort by outgoing IP packets, and Y to
+ sort by total outgoing bytes. Pressing any other key cancels the sort.
+</para>
+<figure>
+<title>The LAN station monitor's sort criteria</title>
+<graphic format="png" fileref="iptraf-hwsort"
+</figure>
+<para>
+ When started from the command line, the log filename and log interval can be
+ specified with the <computeroutput>-L</computeroutput> and <computeroutput>-I</computeroutput>
+ parameters respectively. See the <link linkend="cmdline">Command-line Parameters</link>
+ section above for more information.
+</para>
+</sect1>
+<sect1 id="morelanmoninfo">
+<title>Additional Information</title>
+<para>
+ The window can be scrolled with the Up and Down cursor keys. Press X
+ or Q to return to the main menu (or the shell if this
+ facility was started with the <computeroutput>-l</computeroutput> command-line option).
+</para>
+<para>
+The output of this facility is affected by any applied IPTraf filter.
+</para>
+</sect1>
+</chapter>
+
+<chapter id="filters">
+ <title>Filters</title>
+
+<para>
+ Filters are used to control the information displayed by all facilities.
+ You may want to view statistics only on particular traffic
+ so you must restrict the information displayed. The filters also apply
+ to logging activity.
+</para>
+
+<para>
+ The IPTraf filter management system is accessible through the
+ <emphasis>Filters...</emphasis> submenu.
+</para>
+<figure>
+<title>The Filters submenu</title>
+<graphic format="png" fileref="iptraf-filtermenu">
+</figure>
+
+<sect1 id="ipfilters">
+ <title>IP Filters</title>
+
+ <para>
+ The <emphasis>Filters/IP...</emphasis> menu option
+ allows you to define a set of rules that determine what IP traffic
+ to pass to the monitors. Selecting this option pops up another menu with
+ the tasks used to define and apply custom IP filters.
+</para>
+<figure>
+<title>The IP filter menu</title>
+<graphic format="png" fileref="iptraf-ipfltmenu">
+</figure>
+<sect2>
+ <title>Defining a New Filter</title>
+<para>
+ A freshly installed program will have no filters defined, so
+ before anything else, you will have to define a filter. You can do this
+ by selecting the <emphasis>Define new filter...</emphasis> option.
+</para>
+<para>
+ Selecting this option displays a box asking you to enter a short
+ description of the filter you are going to define. Just enter any text
+ that clearly identifies the nature of the filter.
+</para>
+<figure>
+<title>The IP filter name dialog</title>
+<graphic format="png" fileref="iptraf-ipfltnamedlg">
+</figure>
+<para>
+ Press Enter when you're done with that box. As an alternative, you can
+ also press Ctrl+X to cancel the operation.
+</para>
+<sect3>
+<title>The Filter Rule Selection Screen</title>
+<para>
+After you enter the filter's description, you will be taken to a blank
+rule selection box. At this screen you manage the various rules you
+define for this filter. You can opt to insert, append, edit, or delete
+rules.
+</para>
+<figure>
+<title>The filter rule selection screen. Selecting an entry
+displays that set for editing</title>
+<graphic format="png" fileref="iptraf-ipfltlist">
+</figure>
+<para>
+Any rules defined will appear here. You will see the
+source and destination
+addresses, masks and ports (long addresses and masks may
+be truncated) and whether this rule includes or excludes matching
+packets.
+</para>
+<para>Between the source and destination parameters is an arrow that
+indicates whether the rule matches packets (single-headed) only exactly or whether
+it matches packets flowing in the opposite direction (double-headed).
+</para>
+<para>
+At this screen, press I to insert at the current position of the selection
+bar, A to append a rule to the end of the list, Enter to
+edit the highlighted rule and D to delete the selected rule. With
+an empty list, A or I can be used to add the first rule.
+</para>
+<para>To add the first rule, press A or I. You will then be presented with
+a dialog box that allows you to enter the rule's parameters.
+</para>
+</sect3>
+<sect3>
+<title>Entering Filter Rules</title>
+<para>
+ You can enter addresses of individual hosts, networks,
+ or a catch-all address. The nature of the address will be determined
+ by the wildcard mask.
+</para>
+<para>
+ You'll notice two sets of fields, marked <computeroutput>Source</computeroutput>
+ and <computeroutput>Destination</computeroutput>. You fill these out
+ with the information about your source and targets.
+</para>
+<para>
+ Fill out the host name or IP address of the hosts or networks in
+ the first field
+ marked <computeroutput>Host name/IP Address</computeroutput>. Enter it in
+ standard dotted-decimal notation. When done, press Tab to move to the
+ <computeroutput>Wildcard mask</computeroutput> field. The wildcard mask
+ is similar but not exactly identical to the standard IP subnet
+ mask. The wildcard mask is used to determine which bits to ignore
+ when processing the filter. In most cases, it will work very closely
+ like a subnet mask. Place ones (1) under the bits you want the filter to
+ recognize, and keep zeros (0) under the bits you want the filter
+ to ignore. For example:
+</para>
+<para>
+To recognize the host 207.0.115.44
+</para>
+<informaltable pgwide="1" frame="none">
+<tgroup cols="2">
+<colspec colname="c1">
+<colspec colname="c2">
+<tbody>
+<row><entry>IP address</entry><entry><computeroutput>207.0.115.44</computeroutput></entry></row>
+<row><entry>Wildcard mask</entry><entry><computeroutput>255.255.255.255</computeroutput></entry></row>
+</tbody>
+</tgroup>
+</informaltable>
+<para>
+To recognize all hosts belonging to network
+202.47.132.<replaceable>x</replaceable>
+</para>
+<informaltable pgwide="1" frame="none">
+<tgroup cols="2">
+<colspec colname="c1">
+<colspec colname="c2">
+<tbody>
+<row><entry>IP address</entry><entry><computeroutput>202.47.132.0</computeroutput></entry></row>
+<row><entry>Wildcard mask</entry><entry><computeroutput>255.255.255.0</computeroutput></entry></row>
+</tbody>
+</tgroup>
+</informaltable>
+<para>
+To recognize all hosts with any address:
+</para>
+<informaltable pgwide="1" frame="none">
+<tgroup cols="2">
+<colspec colname="c1">
+<colspec colname="c2">
+<tbody>
+<row><entry>IP address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row>
+<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row>
+</tbody>
+</tgroup>
+</informaltable>
+
+<para>
+ The IP address/wildcard mask mechanism of the display filter doesn't
+ recognize IP address class. It uses a simple bit- pattern matching
+ algorithm.
+</para>
+<para>
+ The wildcard mask also does not have to end on a
+ byte boundary; you may mask right into a byte itself. For example,
+ 255.255.255.224 masks 27 bits (255 is 11111111, 224 is 11100000 in
+ binary).
+</para>
+<para>
+ IPTraf also accepts host names in place of the IP addresses. IPTraf will
+ resolve the host name when the filter is loaded. When the filter
+ is interpreted, the wildcard mask will also be applied. This can be
+ useful in cases where a single host name may resolve to several IP
+ addresses.
+</para>
+
+<tip> <title>Tip</title>
+ <para> See the <emphasis>Linux Network Administrator's Guide</emphasis>
+ if you need more information on IP addresses and subnet masking.
+</para>
+</tip>
+
+<tip><title>Tip</title>
+<para>
+IPTraf allows you to specify the wildcard mask in Classless Interdomain Routing
+(CIDR) format. This format allows you to specify the number of 1-bits that
+mask the address. CIDR notation is the form
+<emphasis><computeroutput>address/bits</computeroutput></emphasis> where the
+<emphasis><computeroutput>address</computeroutput></emphasis> is the IP
+address or host name and
+<emphasis><computeroutput>bits</computeroutput></emphasis> is the number of
+1-bits in the mask. For example, if you want to mask 10.1.1.0 with
+<computeroutput>255.255.255.0</computeroutput>, note that
+<computeroutput>255.255.255.0</computeroutput> has 24 1-bits, so instead
+of specifying <computeroutput>255.255.255.0</computeroutput> in the wildcard
+mask field, you can just enter <computeroutput>10.1.1.0/24</computeroutput>
+in the address field. IPTraf will translate the mask bits into an
+appropriate wildcard mask and fill in the mask field the next time you edit
+the filter rule.
+</para>
+<para>
+If you specify the mask in CIDR notation, leave the wildcard mask fields
+blank. If you fill them up, the wildcard mask fields will take precedence.
+</para>
+</tip>
+
+<para>
+ The <computeroutput>Port</computeroutput> fields should contain a
+ port number or range of any TCP or UDP service you may be
+ interested in. If you want to match only a single port number, fill
+ in the first field, while leaving the second blank or set to zero.
+ Fill in the second field if you want to match a range of ports (e.g. 80 to
+ 90).
+ Leave the first field blank or set to zero to let the filter ignore
+ the ports altogether.
+ You will most likely be interested in target ports rather than source ports
+ (which are usually unpredictable anyway, perhaps with the exception
+ of FTP data).
+</para>
+<para>
+Non-TCP and non-UDP packets are not affected by these fields, and these
+are used only when filtering TCP or UDP packets.
+</para>
+<para>
+ Fill out the second set of fields with the parameters of the
+ opposite end of the connection.
+</para>
+<tip>
+<title>Tip</title>
+<para>
+Any address or mask fields left blank default to
+0.0.0.0 while blank
+<computeroutput>Port</computeroutput> fields default to 0.
+This makes it easy to define
+filter rules if you're interested only in either the source or destination,
+but not the other. For example, you may be interested
+in traffic originating from network 61.9.88.0, in which case you just enter
+the source address, mask and port
+in the
+<computeroutput>Source</computeroutput> fields, while leaving the
+<computeroutput>Destination</computeroutput> fields blank.
+</para>
+</tip>
+<para>
+The next fields let you specify which IP-type protocols you want matched by
+this filter rule. Any packet whose protocol's corresponding field
+is marked with a <computeroutput>Y</computeroutput> is matched against the
+filter's defined IP addresses and ports, otherwise
+they don't pass through this filter rule.
+</para>
+<para>
+If you want to evaluate all IP packets just mark
+with <computeroutput>Y</computeroutput> the <computeroutput>All
+IP</computeroutput> field.
+</para>
+<para>
+For example, if you want to see only all TCP traffic, mark the
+<computeroutput>TCP</computeroutput> field
+with <computeroutput>Y</computeroutput>.
+</para>
+<para>
+The long field marked <computeroutput>Additional
+protocols</computeroutput> allows you to specify other protocols
+by their IANA number. (You can view the common IP protocol number
+in the <filename>/etc/protocols</filename> file). You can specify a list
+of protocol numbers or ranges separated by commas,
+Ranges have the beginning and ending protocol numbers separated with a
+hyphen.
+</para>
+<para>
+For example, to see the RSVP (46), IP mobile (55), and protocols
+(101 to 104), you use an entry that looks like this:
+</para>
+<synopsis>
+46, 55, 101-104
+</synopsis>
+<para>
+It's certainly possible to specify any of the protocols listed above in
+this field. Entering <computeroutput>1-255</computeroutput> is
+functionally identical
+to marking <computeroutput>All IP</computeroutput>
+with a <computeroutput>Y</computeroutput>.
+</para>
+<para>
+ The next field is marked <computeroutput>Include/Exclude</computeroutput>.
+ This field allows you to decide whether to include or filter out matching
+ packets. Setting this field to <computeroutput>I</computeroutput> causes the filter to
+ pass matching packets, while setting it to <computeroutput>E</computeroutput> causes
+ the filter to drop them. This field is set to
+ <computeroutput>I</computeroutput> by default.
+</para>
+<para>
+The last field in the dialog is labeled <computeroutput>Match opposite</computeroutput>. When set
+to <computeroutput>Y</computeroutput>, the filter will match packets flowing in the opposite direction.
+Previous versions of IPTraf used to match TCP packets flowing in either direction, so the source
+and destination address/mask/port combinations were actually interchangeable. Starting with
+IPTraf 3.0, when filters extended to more than just the IP traffic monitor, this behavior is no longer
+the default throughout IPTraf except in the IP traffic monitor's TCP window.
+</para>
+<note>
+<title>Note</title>
+<para>
+For TCP packets, this field is used in all facilities except the IP traffic monitor. Because
+the IP traffic monitor must capture TCP packets in both directions
+to properly determine a closed connection, the filter automatically matches
+packets in the opposite direction, regardless of this field's setting. However
+iin all other facilities, automatic matching of the reverse packets is not performed
+unless you set this field to <computeroutput>Y</computeroutput>.
+</para>
+<para>
+Filters for UDP and other IP protocols do not automatically match packets in the opposite direction
+unless you set the field to <computeroutput>Y</computeroutput>, even in the IP traffic monitor.
+</para>
+</note>
+<para>
+ Press Enter to accept all parameters when done. The parameters will be
+ accepted and you'll be taken back to the rule selection box. You can
+then add more rules by pressing A or you can insert new rules at any point
+by pressing I. Should you make a mistake, you can press Enter to
+edit the selected filter. You may enter
+ as many sets of parameters as you wish. Press Ctrl+X when done.
+</para>
+<note>
+<title>Note</title>
+<para>
+Because of the major changes in the filtering system since IPTraf 2.7,
+old filters will no longer work and will have to be redefined.
+</para>
+</note>
+<figure>
+<title>The IP filter parameters dialog</title>
+<graphic format="png" fileref="iptraf-ipfltdlg">
+</figure>
+</sect3>
+<sect3>
+ <title>Examples</title>
+<para>
+To see all traffic to/from host 202.47.132.1 from/to 207.0.115.44, regardless of TCP port
+</para>
+<informaltable frame="none" pgwide="1">
+<tgroup cols="3">
+<colspec colname="c1">
+<colspec colname="c2">
+<colspec colname="c3">
+<tbody>
+<row><entry>Host name/IP Address</entry><entry><computeroutput>202.47.132.2</computeroutput></entry><entry><computeroutput>207.0.115.44</computeroutput></entry></row>
+<row><entry>Wildcard mask</entry><entry><computeroutput>255.255.255.255</computeroutput></entry><entry><computeroutput>255.255.255.255</computeroutput></entry></row>
+<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row>
+<row><entry>Protocols</entry><entry><computeroutput>TCP: Y</computeroutput></entry></row>
+<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row>
+<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row>
+</tbody>
+</tgroup>
+</informaltable>
+
+<para>
+To see all traffic from host 207.0.115.44 to all hosts
+on network 202.47.132.x
+</para>
+<informaltable frame="none" pgwide="1">
+<tgroup cols="3">
+<colspec colname="c1">
+<colspec colname="c2">
+<colspec colname="c3">
+<tbody>
+<row><entry>Host name/IP Address</entry><entry><computeroutput>207.0.115.44</computeroutput></entry><entry><computeroutput>202.47.132.0</computeroutput></entry></row>
+<row><entry>Wildcard mask</entry><entry><computeroutput>255.255.255.255</computeroutput></entry><entry><computeroutput>255.255.255.0</computeroutput></entry></row>
+<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row>
+<row><entry>Protocols</entry><entry><computeroutput>All IP: Y</computeroutput></entry></row>
+<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row>
+<row><entry>Match opposite</entry><entry><computeroutput>N</computeroutput></entry></row>
+</tbody>
+</tgroup>
+</informaltable>
+
+<para>
+ To see all Web traffic (to and from port 80)
+ regardless of source or destination
+</para>
+<informaltable frame="none" pgwide="1">
+<tgroup cols="3">
+<colspec colname="c1">
+<colspec colname="c2">
+<colspec colname="c3">
+<tbody>
+<row><entry>Host name/IP Address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row>
+<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row>
+<row><entry>Port</entry><entry><computeroutput>80</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row>
+<row><entry>Protocols</entry><entry><computeroutput>TCP: Y</computeroutput></entry></row>
+<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row>
+<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row>
+</tbody>
+</tgroup>
+</informaltable>
+
+<para>
+ To see all IRC traffic from port 6666 to 6669
+</para>
+<informaltable frame="none" pgwide="1">
+<tgroup cols="3">
+<colspec colname="c1">
+<colspec colname="c2">
+<colspec colname="c3">
+<tbody>
+<row><entry>Host name/IP Address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row>
+<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row>
+<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>6666</computeroutput>
+to <computeroutput>6669</computeroutput></entry></row>
+<row><entry>Protocols</entry><entry><computeroutput>TCP: Y</computeroutput></entry></row>
+<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row>
+<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row>
+</tbody>
+</tgroup>
+</informaltable>
+
+<para>
+ To see all DNS traffic, (TCP and UDP, destination port 53)
+ regardless of source or destination
+</para>
+<informaltable frame="none" pgwide="1">
+<tgroup cols="3">
+<colspec colname="c1">
+<colspec colname="c2">
+<colspec colname="c3">
+<tbody>
+<row><entry>Host name/IP Address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row>
+<row><entry>Wildcard
+mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row>
+<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>53</computeroutput></entry></row>
+<row><entry>Protocols</entry><entry><computeroutput>TCP: Y UDP: Y</computeroutput></entry></row>
+<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row>
+<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row>
+</tbody>
+</tgroup>
+</informaltable>
+
+<para>
+ To see all mail (SMTP) traffic to a single host (202.47.132.2) from anywhere
+</para>
+<informaltable frame="none" pgwide="1">
+<tgroup cols="3">
+<colspec colname="c1">
+<colspec colname="c2">
+<colspec colname="c3">
+<tbody>
+<row><entry>Host name/IP Address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>202.47.132.2</computeroutput></entry></row>
+<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>255.255.255.255</computeroutput></entry></row>
+<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>25</computeroutput></entry></row>
+<row><entry>Protocols</entry><entry><computeroutput>TCP: Y</computeroutput></entry></row>
+<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row>
+<row><entry>Match opposite</entry><entry><computeroutput>N</computeroutput></entry></row>
+
+</tbody>
+</tgroup>
+
+</informaltable>
+<para>
+ To see traffic from from/to host sunsite.unc.edu to/from cebu.mozcom.com
+</para>
+<informaltable frame="none" pgwide="1">
+<tgroup cols="3">
+<colspec colname="c1">
+<colspec colname="c2">
+<colspec colname="c3">
+<tbody>
+<row><entry>Host name/IP Address</entry><entry><computeroutput>sunsite.unc.edu</computeroutput></entry><entry><computeroutput>cebu.mozcom.com</computeroutput></entry></row>
+<row><entry>Wildcard mask</entry><entry><computeroutput>255.255.255.255</computeroutput></entry><entry><computeroutput>255.255.255.255</computeroutput></entry></row>
+<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row>
+<row><entry>Protocols</entry><entry><computeroutput>All IP: Y</computeroutput></entry></row>
+<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row>
+<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row>
+</tbody>
+</tgroup>
+</informaltable>
+<para>
+ To omit display of traffic to/from 140.66.5.x from/to anywhere
+</para>
+<informaltable frame="none" pgwide="1">
+<tgroup cols="3">
+<colspec colname="c1">
+<colspec colname="c2">
+<colspec colname="c3">
+<tbody>
+<row><entry>Host name/IP Address</entry><entry><computeroutput>140.66.5.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row>
+<row><entry>Wildcard
mask</entry><entry><computeroutput>255.255.255.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>All IP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>E</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row> +</tbody> +</tgroup> +</informaltable> +<para> + You can enter as many parameters as you wish. All of them will + be interpreted until the first match is found. +</para> +</sect3> +<sect3> + <title>Excluding Certain Sites</title> +<para> + + Filters follow an implicit "no-match" policy, that is, only packets + matching defined rules will be matched, others will be filtered out. + This is similar + to the access-list policy "whatever is not explicitly permitted is + denied". If you want to show all traffic to/from everywhere, + except certain places, you can specify the sites you wish to exclude, + mark them with <computeroutput>E</computeroutput> in the <computeroutput>Include/Exclude +field</computeroutput>, and + define a general catch-all entry with source address +<computeroutput>0.0.0.0</computeroutput>, mask + <computeroutput>0.0.0.0</computeroutput>, port <computeroutput>0</computeroutput>, and destination +<computeroutput>0.0.0.0</computeroutput>, mask <computeroutput>0.0.0.0</computeroutput>, +port <computeroutput>0</computeroutput>, tagged + with an <computeroutput>I</computeroutput> +in the <computeroutput>Include/Exclude</computeroutput> field as the last entry. 
+</para> + +<para> + For example: +</para> +<para> +To see all traffic except all SMTP (both directions), Web (both directions), and traffic +(only) from 207.0.115.44 +</para> +<informaltable frame="none" pgwide="1"> +<tgroup cols="3"> +<colspec colname="c1"> +<colspec colname="c2"> +<colspec colname="c3"> +<tbody> +<row><entry>Host name/IP address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>25</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>TCP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>E</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row> +<row><entry></entry></row> +<row><entry>Host name/IP address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput> 0.0.0.0</computeroutput></entry></row> +<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>80</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>TCP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>E</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row> +<row><entry></entry></row> +<row><entry>Host name/IP address</entry><entry><computeroutput>207.0.115.44</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Wildcard 
mask</entry><entry><computeroutput>255.255.255.255</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>All IP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>E</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>N</computeroutput></entry></row> +<row><entry></entry></row> +<row><entry>Host name/IP address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>All IP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>N</computeroutput></entry></row> +</tbody> +</tgroup> +</informaltable> + +<tip> + <title>Tip</title> + <para> + To filter out all TCP, define a filter with a single entry, with a source of + <computeroutput>0.0.0.0</computeroutput> mask +<computeroutput>0.0.0.0</computeroutput> port <computeroutput>0</computeroutput>, and a destination + of <computeroutput>0.0.0.0</computeroutput> mask <computeroutput>0.0.0.0</computeroutput> +port <computeroutput>0</computeroutput>, +with the <computeroutput>Include/Exclude</computeroutput> field + marked <computeroutput>E</computeroutput> (exclude). Then apply this filter. 
+</para> +</tip> +</sect3> +</sect2> +<sect2> + + <title>Applying a Filter</title> +<para> + The above steps only add the filter to a defined list. To actually apply + the filter, you must select <emphasis>Apply filter...</emphasis> from the menu. You will be + presented with a list of filters you already defined. Select the one you + want to apply, and press Enter. +</para> +<para> + The applied filter stays in effect over exits and restarts of the IPTraf program until it is detached. +</para> +</sect2> +<sect2> + <title>Editing a Defined Filter</title> +<para> + Select <emphasis>Edit filter...</emphasis> to modify an existing filter. Once you select this + option, you will be presented with the list of defined filters. + Select the filter you want to edit by moving the selection bar and press + Enter. +</para> +<para> + Edit the description if you wish. Pressing Ctrl+X at this point + will abort the operation, and the filter will remain unmodified. Press + Enter to accept any changes to the filter description. +</para> +<para> + After pressing Enter, you will see the filter's rules. To edit an + existing filter rule, move the selection bar + to the desired entry and press Enter. A prefilled dialog box + will appear. Edit its contents as desired. Press Enter to accept the + changes or Ctrl+X to discard. +</para> +<para> + You can add a new filter rule by pressing I to insert at the selection + bar's current position. When you press I, you will be presented with a + dialog box asking you to enter the new rule data. Pressing A results + in a similar operation, except the rule will be appended as the + last entry in the rule list. +</para> +<para> + Pressing D deletes the currently pointed entry. +</para> +<para> + Press X or Ctrl+X to end the edit and save the changes. +</para> + +<note> + <title>Note</title> + <para>If you're editing the currently applied filter, you will need + to re-apply the filter for the changes to take effect. 
+ </para> +</note> + + +<note> + <title>Note</title> +<para> + Be aware that the filter processes the rules in order. In other + words, if a packet matches more than one rule, only the first matching + rule is followed. +</para> +</note> +</sect2> +<sect2> + <title>Deleting a Defined Filter</title> +<para> + Select <emphasis>Delete filter...</emphasis> from the menu to remove a filter + from the list. Just move the selection bar to the filter you want to + delete, and press Enter. +</para> +</sect2> +<sect2> + <title>Detaching a Filter</title> +<para> + The <emphasis>Detach filter</emphasis> option deactivates the filter currently in + use. Selecting this option causes all TCP traffic to be passed + to the monitors. +</para> +<para> + When you're done with the menu, just select the Exit menu option. +</para> +</sect2> +</sect1> +<sect1 id="nonipfilters"> +<title>ARP, RARP, and other Non-IP Packet Filters</title> +<para> + The <emphasis>Non-IP</emphasis> filter option toggles the display and logging of all non-IP + packets, except ARP and RARP, which are toggled separately. +</para> +</sect1> +</chapter> +<chapter id="config"> +<title>Configuring IPTraf</title> + +<para> + IPTraf can be easily configured +with the <emphasis><link linkend="config">Configure...</link></emphasis> item in the + main menu. The configuration is stored in the + <filename>/var/local/iptraf/iptraf.cfg</filename> file. If the file is not found, IPTraf uses + the default settings. Any changes to the configuration immediately get + stored in the configuration file. +</para> +<figure> +<title>The IPTraf configuration menu</title> +<graphic format="png" fileref="iptraf-configmenu"> +</figure> +<sect1 id="toggles"> + <title>Toggles</title> + +<sect2> <title>Reverse DNS Lookups</title> +<para> + Activating reverse lookup + causes IPTraf to find out the name of the hosts with the addresses + in the IP packets. 
When this option is enabled, IPTraf's + IP traffic monitor starts the rvnamed DNS lookup server to help resolve + IP addresses in the background while allowing IPTraf to + continue capturing packets. +</para> +<para> + This option is off by default. +</para> +</sect2> +<sect2> + <title>TCP/UDP Service Names</title> +<para> + + This option, when on, causes IPTraf to display the TCP/UDP service names + (<computeroutput>smtp</computeroutput>, <computeroutput>www</computeroutput>, + <computeroutput>pop3</computeroutput>, etc.) instead of their numeric ports (25, 80, + 110, etc). The number-to-name mappings will depend on the systems + services database file (usually <filename>/etc/services</filename>). + Should there be no corresponding service name for the + port number, the numeric form will still be displayed. + +</para> +<para> + This setting is off by default. +</para> + +<note> + <title>Note</title> + <para> + Reverse lookup and service name lookup take some + time and may impact performance and increase the chances of dropped + packets. Performance and results are best (albeit more cryptic) with both + these settings off. +</para> +</note> +</sect2> + +<sect2> + <title>Force promiscuous</title> +<para> + + If this option is enabled, your LAN interfaces will capture all packets + on your LAN. Using this option enables you + to see all TCP connections and packets passing your LAN segment, even if + they're not from or for your machine. When this option is active + in the statistics windows, the Activity indicators will show a + good estimate of the load on your LAN segment. +</para> +<para> + When this option is disabled, you'll + only receive information about packets coming from and entering your + machine. +</para> +<para> + The setting of this option affects all LAN ( + Ethernet, FDDI, some Token Ring) interfaces on your machine, if you have more than one. 
+</para> +<para> + The interface's promiscuous flag is set only when a facility is started, + and turned off when it exits. However, if promiscuous + mode was already set when a facility was started, it remains set on exit. +</para> +<para> + If multiple instances of IPTraf are started, the promiscuous setting + is restored only upon exit of the last facility. +</para> + +<note> + <title>Note</title> +<para> + Do not use other programs that change the interface's promiscuous flag at + the same time you're using IPTraf. The programs can interfere with + each other's expected operations. While IPTraf tries to obtain the + initial setting of any promiscuous flags for restoration + upon exit, other programs may not be as well-behaved, and they may + turn off the promiscuous flags while IPTraf is still monitoring. +</para> +</note> +</sect2> +<sect2> + <title>Color</title> +<para> + Turn this on with color monitors. Turn it off with + black-and- white monitors or non-color terminals (like xterms). Changes + to this setting will take effect the next time the program is started. +</para> +<para> + Color is on by default on consoles and color xterms, off on non-color terminals like xterms and VT100s. +</para> +</sect2> +<sect2> + <title>Logging</title> +<para> + When this option is active, IPTraf will log information to a + disk file, which can be examined or analyzed later. Since IPTraf + 2.4.0, IPTraf prompts you for the name of the file to which to write the + logs. It will provide a default name, which you are free to accept + or change. The IP traffic monitor and LAN station monitor will + generate a log file name that is based on what instance they are (first, + second, and so on). The general interface statistics' default log file + name is constant, because it listens to all interfaces at once, and only + one instance can run at one time. +</para> +<para> + The other facilities generate a log file name based + on the interface they're listening on. 
+</para> +<para> + See the descriptions on the facilities above for the default log file names. +</para> +<para> + Press Enter to accept the log file name, or Ctrl+X to cancel. Canceling will turn logging off for that session. +</para> +<para> + The IP traffic monitor will write the following pieces of information to its log file: +</para> +<itemizedlist spacing="compact" mark="bullet"> + <listitem><para>Start of the traffic monitor</para></listitem> + + <listitem><para>Receipt of the first TCP packet for a connection. If that packet is a + SYN, (SYN) will be indicated in the log entry. (Of course, the traffic + monitor may start in the middle of established connections. It + will still count those packets. This also explains why some connection + entries may become idle if the traffic monitor is started in the + middle of a half-closed connection, and miss the first FIN. + Such entries time out in a while.)</para></listitem> + + <listitem><para>Receipt of a FIN (with average flow rate)</para></listitem> + + <listitem><para>ACK of a FIN</para></listitem> + + <listitem><para>Timeouts of TCP entries (with average flow rate)</para></listitem> + + <listitem><para>Reset connections (with average flow rate)</para></listitem> + + <listitem><para>Everything that appears in the bottom window of the traffic monitor</para></listitem> + + <listitem><para>Stopping of the traffic monitor</para></listitem> +</itemizedlist> +<para> + Each log entry includes the date and time the entry was written. Logging + is also affected by the defined filters. +</para> +<para> + Log files can grow very fast, so be prepared with plenty of + free space and delete unneeded logs. Log write errors are not indicated. +</para> +<para> + Copies of the interface statistics, TCP/UDP statistics, packet + size statistics, and LAN host statistics are also written + to the log files at regular intervals. See <emphasis>Log +Interval...</emphasis> in this chapter. 
+</para> +<para> + IPTraf closes and reopens the active log file when it receives a + <computeroutput>USR1</computeroutput> signal. This is useful in cases where a facility is run for + long periods of time but the log files have to be cleared or moved. +</para> +<para> + To clear or move an active log file, rename it first. IPTraf will + continue to write to the file despite the new name. Then use the UNIX + kill command to send the running IPTraf process a <computeroutput>USR1</computeroutput> signal. IPTraf + will then close the log file and open another with the + original name. You can then safely remove or delete the renamed file. +</para> +<para> + Do not delete an open log file. Doing so will only result in a file just + as large but filled with null characters (ASCII code 0). +</para> +<para> + Logging comes disabled by default. The <computeroutput>USR1</computeroutput> signal is caught only if + logging is enabled, it is ignored otherwise. +</para> +<para> + A valid specification of <computeroutput>-L</computeroutput> on the command line with automatically + enable logging for that particular session. The saved configuration setting is not affected. +</para> +</sect2> +<sect2> + <title>Activity mode</title> +<para> + Toggles activity indicators in the interface and LAN statistics + facilities between kilobits per second (kbits/s) or kilobytes per second + (kbytes/s). +</para> +<para> + The default setting is kilobits per second. +</para> +</sect2> +<sect2> + <title>Source MAC addrs in traffic monitor</title> +<para> + When enabled, the IP traffic monitor retrieves the packets' source MAC + addresses if they came in on an Ethernet, FDDI, or PLIP interface. The + addresses appear in the lower window for non-TCP + packets, while for TCP connections, they can be viewed by pressing M. +</para> +<para> + No such information is displayed + if the network interface doesn't use MAC addresses (such + as PPP interfaces). 
+</para> +<para> + This can be used to determine the actual source of the packets on your local LAN. +</para> +<para> + The traffic monitor also logs the MAC addresses with this option + enabled. The default setting is off. +</para> +</sect2> +</sect1> + +<sect1 id="timers"> + <title>Timers</title> +<para> + The <emphasis>Timers...</emphasis> submenu allows you to IPTraf's + interval and timeout functions. +</para> +<figure> +<title>The Timers configuration submenu</title> +<graphic format="png" fileref="iptraf-timermenu"> +</figure> +<sect2> + <title>TCP Timeout</title> +<para> + This figure determines the amount of time (in minutes) a + connection entry may remain idle before it becomes + eligible for replacement by a new connection. The default is 15 minutes. + You may want to reduce this on an isolated (not connected + to the Internet) LAN or a LAN connected to the Internet with + high-speed links. Just enter the new value and press + Enter. You can press Ctrl+X to leave the current value unchanged. +</para> +</sect2> +<sect2> +<title>Log Interval</title> +<para> + This figure determines the number of minutes between logging + of interface statistics, TCP/UDP figures, and LAN host statistics. The + default is 60 minutes. This figure is meaningless if logging is disabled. +</para> +<para> + This configuration item can be overridden with the <computeroutput>-I</computeroutput> when + a facility is directly invoked from the command line (not accessed via the main menu), and + remains effective for that particular session. The configured value is not affected. +</para> +</sect2> +<sect2> + <title>Screen Update Interval</title> +<para> + This value determines the rate in seconds at which the screen is + updated. The default is 0, which means the screen is updated as fast + as possible, giving close-to-realtime reflection + of network activity. However, this high-speed update can cause + incredible amounts of traffic if IPTraf is run on a remote + terminal (e.g. 
a Telnet or Secure Shell session). You can set this + to a higher value, such as 1 or 2 seconds to slow down the updates. +</para> +<para> + This figure does not affect the rate of data capture. Only the + screen refresh is affected. The figures are still updated as fast as + possible, although the figure display will no longer be as close + to realtime. +</para> +<para> + The default setting is 0, which shouldn't be a problem on the + console. Set it to a slightly higher value on remote terminals or slow + links. The setting affects all monitoring facilities. +</para> +<note> + <title>Note</title> + <para> + Updating the screen is one of the slowest operations in a + program. Older versions of IPTraf had a problem once network + activity became very high. Because each packet caused a screen update, + IPTraf began spending more time with the screen updates, causing a loss + of packets once network activity reached a certain point. +</para> +<para> + However, since many users like rapid counts on their screen, a + compromise was incorporated. Even when the screen update interval is set + to 0, there is still a 50ms delay between screen updates (except the LAN + station monitor, which has a 100 ms delay). This is still visually fast, + but provides more time to the packet capture routine. Higher + delays may result in better accuracy of counts and activity. +</para> +<para> + In any case, this setting only affects screen updates. Capture still + proceeds as fast as possible. +</para> +</note> +</sect2> +<sect2> + <title>TCP closed/idle persistence</title> + <para> + This parameter + determines the interval (in minutes) at which the IP Traffic Monitor + clears from the TCP display window all closed, idle, and timed out + entries. Enter <computeroutput>0</computeroutput> to keep such entries on the + screen indefinitely, disappearing only when replaced by new connections. 
+</para> + +<note> + <title>Note</title> +<para> + The <emphasis>TCP timeout...</emphasis> option + only tells IPTraf how long it should take before a connection should + be considered idle and open to replacement by new connections. This does + not determine how long + it remains onscreen. The <emphasis>TCP closed/idle + persistence...</emphasis> + parameter flushes entries that have been closed or reset, or idle for the number + of minutes defined by the <emphasis>TCP timeout...</emphasis> option. +</para> +</note> +</sect2> +</sect1> + +<sect1 id="customports"> + <title>Custom Information</title> +<para> + The remaining configuration items allow you to enter information which + IPTraf uses for its displays and logs. +</para> +<sect2> + <title>Additional ports</title> + <para>Select this item to enter a port + number to be included in the TCP/UDP counts in the TCP/UDP service + statistics main menu item described above. By default, + port numbers above 1023 are not monitored. If you do + have a higher-numbered port to monitor, enter it here. +</para> +<para> + You will see two fields. If you have only one port to enter, just fill + up the first field. To specify a range, fill both fields, the first port + in the first field, the last port in the second field. +</para> +<para> + You can select this option multiple times to add more values or ranges. +</para> +</sect2> +<sect2> + <title>Delete port/range</title> +<para> + Select this item to remove a higher-numbered port number or + port range you entered earlier with the <emphasis>Additional + ports...</emphasis> option. A window will come up + containing the entered ports and ranges. Select the entry you want + delete and press Enter. +</para> +</sect2> +<sect2> + <title>LAN Station Identifiers</title> + +<para> + The LAN station statistics facility monitors stations based + on their respective MAC addresses. 
The hexadecimal notation of these + addresses make them even more difficult to remember than the + dotted-decimal IP addresses, so these facilities were added to + help you better determine which station is which. +</para> +<para> + Selecting the <emphasis>Ethernet/PLIP host descriptions...</emphasis> or + <emphasis>FDDI/Token Ring host descriptions...</emphasis> options brings + up a submenu asking you to add, edit, or delete descriptions. +</para> +<para> + To add a new description, select the <emphasis>Add +description...</emphasis> option. A dialog + box will appear, asking you for the MAC address and an appropriate + description. Type in the address in hexadecimal notation with no + punctuation of any kind. The dialog box is + case-insensitive for the address; the alphabetical digits A to F will be + stored in lowercase. +</para> +<para> + Use the Tab key to move between fields and Enter to accept. Press Ctrl+X + to discard this dialog and return to the main menu. +</para> +<para> + The description may be anything: the IP address, a fully-qualified + domain name, or a description of your liking as long + as the field can hold. +</para> +<para> + Enter as many descriptions as you need. Press Ctrl+X at a blank dialog + after you have entered the last entry +</para> +<para> + These descriptions will be displayed alongside the MAC addresses + in the LAN station monitor, together with the type of frame (Ethernet, + PLIP, or FDDI). +</para> +<para> + An existing address or description may be edited +by selecting the <emphasis>Edit + description...</emphasis> option from the submenu. A panel will appear with a list + of existing address descriptions. Select the one you wish to + edit and press Enter. A dialog box identical to that + when you add a description will appear with prefilled fields. Just + backspace over and edit the fields. Press Enter to accept or Ctrl+X to + cancel. 
+</para> +<para> + Selecting the <emphasis>Delete description...</emphasis> submenu + item brings up the selection panel. Select the description you want to + delete and press Enter. You can also press Ctrl+X to cancel the operation. +</para> +<para> + IPTraf 2.4 and later also recognizes the <filename>/etc/ethers</filename> file. + Should a hardware address be present in the IPTraf definition files and + in <filename>/etc/ethers</filename>, the IPTraf definition will be used. +</para> +<note> + <title>Note</title> +<para> + The description file for Ethernet and PLIP is + <filename>ethernet.desc</filename>, while the FDDI and Token Ring mappings are stored + in <filename>fddi.desc</filename> in the IPTraf working directory. These files are in + colon-delimited text format. Database engines or custom scripts can be + told to append data lines to those files. Each line follows this + simple format: +</para> +<synopsis> +<replaceable>address</replaceable>:<replaceable>description</replaceable> +</synopsis> +<para> + For example +</para> +<synopsis> +00201e457e:Cisco 3640 gateway +</synopsis> +<para> + Do not put colons, periods, or any invalid characters in the MAC address. +</para> +</note> +</sect2> +</sect1> +</chapter> +<chapter id="backop"> +<title>Background Operation</title> + +<para> + IPTraf's facilities can be placed in the background solely for + logging. When running in the background, it doesn't display any output + on the screen, and doesn't receive input + from the keyboard, and drops you back to the shell. +</para> +<para> + Before starting a statistical facility in the background, configure + IPTraf in the usual way (set filters, add TCP/UDP ports, etc). 
+</para> +<para> + Once that's done, exit all instances of IPTraf on the system, then + invoke IPTraf from the command line with the parameter + to start the facility you want, the timeout (<computeroutput>-t</computeroutput>) parameter + if you wish, and the <computeroutput>-B</computeroutput> parameter to actually daemonize the program. + For example, to run the IP traffic monitor in the + background for all interfaces, issue the command +</para> +<synopsis> +iptraf -i all -B +</synopsis> +<para> + To run the detailed interface statistics +on interface <filename>eth0</filename> for 5 minutes + in the background: +</para> +<synopsis> +iptraf -d eth0 -t 5 -B +</synopsis> +<para> + If the timeout parameter is not specified, the facility + will run until the process receives a USR2 signal. To stop a facility in + the background, do a +</para> +<synopsis> +ps x +</synopsis> +<para> + at the command line, and find the process id (pid) of the iptraf process + you're looking for. Then send that process a USR2 signal with the kill + command: +</para> +<synopsis> +kill -USR2 pid +</synopsis> +<para> + Since IPTraf cannot send error messages to the terminal, all + messages are written to the file daemon.log in the + IPTraf logging directory. +</para> +<para> + The <computeroutput>-B</computeroutput> parameter automatically enables logging regardless of its configured + setting. The parameter is ignored if not used with one of the parameters + to start a facility from the command line. +</para> +<para> + The log file can be specified with the <computeroutput>-L</computeroutput> command-line parameter. If + this parameter is not specified, the default log file name for the + facility will be used (see the descriptions of the + facilities above for the default log name patterns). + If you don't specify an path, the log file will be placed in + <filename>/var/log/iptraf</filename>. 
+</para>
+<para>
+ The logging interval for all facilities (except the IP traffic monitor) can also be overriden
+ with the <computeroutput>-I</computeroutput> command-line parameter.
+</para>
+</chapter>
+
+<appendix id="messages">
+ <title>Messages</title>
+<para>
+IPTraf's messages are presented in two ways. In interactive mode, messages
+are displayed in a distictive message box. In daemon (background) mode,
+appropriate messages are written to the <filename>iptraf.log</filename>
+file in the IPTraf log directory (normally
+<filename>/var/log/iptraf</filename>.
+</para>
+
+<sect1 id="iptrafmessages">
+<title>IPTraf Messages</title>
+<msgset>
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+Unable to create config file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf cannot create the configuration file. The most likely cause of
+ this is that you didn't properly install the
+ program, and the necessary directory
+<filename>/var/local/iptraf</filename> does not
+ exist. Can also be generated if you have a disk problem or if you
+ have too many files open.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to read config file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ The configuration record cannot be read. You most likely have a disk
+ problem.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to write config file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The configuration file cannot be written. You either have a disk
+ problem, or (more likely), your disk is full.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Enter an appropriate description for this filter
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ Enter something to clearly describe the filter you are defining.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Error loading filter list file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf cannot access the list of defined TCP or UDP filters. Can also be
+ an indicator of a bad disk.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Error writing filter list file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The filter list file cannot be written to. You may
+ have trouble accessing your filters.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to read TCP/UDP/misc IP filter file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf cannot read the filter data off the file. Could be caused
+ by a bad disk.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Error opening filter data file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf cannot open the filter file. Could be caused by a shortage of
+ file descriptors or a bad disk.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to write filter data
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf cannot add the newly defined filter to the filter list. This may
+ be due to a bad disk.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Cannot create filter data file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf cannot create the filter record file. The defined filter is lost.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to save filter changes
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf cannot save the changes you made to the filter. You probably
+ have a disk error.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to write filter state information
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ The current state of the filters cannot be saved. IPTraf will be unable
+ to correctly reload the filters the next time it's started. This can
+ be caused by a bad disk or improper installation.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to save interface flags
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf was unable to save the flags of the network interfaces. This is
+ probably due to a bad installation or full filesystem.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to retrieve saved interface flags
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf was unable to retrieve the save interface flags.
+ Probably again due to a bad installation or full filesystem.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>
+<replaceable>protocol</replaceable> filter data file in use; try again later
+</computeroutput></para>
+<para><computeroutput>
+Filter state file in use; try again later
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ Another IPTraf process is modifying the TCP, UDP or miscellaneous IP
+ filter data or the filter state file and has locked the files
+ or file. Try again once the other IPTraf process has terminated or
+ completed its modifications and unlocked the files.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to resolve hostname
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ The indicated host name in the filter cannot be resolved into an
+ IP address. Check the local hosts database <filename>/etc/hosts</filename> or
+ your machine's DNS configuration or DNS server.
+</para>
+<para>
+ The filter parameters will not be used.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to open host description file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf cannot open the file containing the descriptions for Ethernet
+ or FDDI addresses. Could be due to a bad disk or a hit on the file
+ descriptor limit.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to write host description
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf was unable to write the description record for this Ethernet or
+ FDDI address. Could be due to a bad disk or corrupted filesystem.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>No descriptions
+
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ You tried to edit or delete a description with no previous
+ descriptions defined.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Cannot open log file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ There is a problem opening the log file. There is most
+ likely a problem with the disk, or there are too many open files.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to obtain interface list
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf was unable to retrieve the list of network interfaces
+ from the <filename>/proc</filename> filesystem. This may be due
+ to a badly configured kernel. IPTraf needs <filename>/proc</filename>
+ filesystem support.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>
+No active interfaces. Check their status or the /proc filesystem.
+</computeroutput></para>
+</msgtext>
+<msgexplan>
+<para>
+
+ IPTraf found no active interfaces. Either all interfaces are down or the
+ <filename>/proc/net/dev</filename> file was empty or unavailable. Activate at least one
+ interface or check the <filename>/proc/net/dev</filename> file.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to obtain interface parameters for interface
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The system call to retrieve the interface's flags failed. Check your
+ interface or kernel driver.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Promisc change failed for interface
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The system call to change the promiscuous flag failed. Check
+ your interface or its kernel driver.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to open raw socket for flag change
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf was unable to open the necessary socket for the promiscuous
+ change operation. May be due to a shortage of file descriptors.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to open socket for MTU determination
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ Returned by the facility for detailed interface statistics
+ if the raw socket's opening sequence failed. The facility will abort.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to open raw socket
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf was unable to open the raw socket for packet capture. May be due
+ to a shortage of file descriptors.
+</para>
+
+<note>
+ <title>Reminder</title>
+<para> IPTraf 2.x.x requires Linux kernel 2.2.x, with the Packet
+ Socket option compiled in or installed as a module. IPTraf 2.x will
+ return this error on a pre-2.2 kernel or on a 2.2 kernel without
+ Packet Socket.
+</para>
+</note>
+</msgexplan>
+</simplemsgentry>
+
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to obtain interface MTU
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The detailed statistics facility was unable to
+ obtain the maximum transmission unit (MTU) for the selected
+ interface. The facility will abort.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Specified interface not supported
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The interface specified with the <computeroutput>-i</computeroutput>,
+ <computeroutput>-d</computeroutput>, <computeroutput>-s</computeroutput>, <computeroutput>-l</computeroutput>,
+ or <computeroutput>-z</computeroutput> command-line parameters is not supported
+ by IPTraf.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Specified interface not active
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The interface specified with the <computeroutput>-i</computeroutput>,
+ <computeroutput>-d</computeroutput>,
+ <computeroutput>-s</computeroutput>, <computeroutput>-l</computeroutput>, or
+ <computeroutput>-z</computeroutput> command-line parameters is
+ supported, but not currently activated.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Fatal: memory allocation error
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ May occur if you have too little memory to allocate for windows, the
+ menu system, or dialog boxes. IPTraf tries
+ to prevent further allocations if memory runs out during a
+ monitor. However, this could also mean a bug if you're reasonably sure
+ you're not out of memory. An instructional message
+ on bug reporting follows this message.
+</para>
+<note>
+ <title>Technical note</title>
+<para>This is actually a response to the
+ segmentation fault error (SIGSEGV).
+</para>
+</note>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>This program can be run only by the system administrator
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf normally does not allow anybody but uid 0 (root) to run it.
+ This measure is included for safety reasons. See the section
+ on recompiling the program below if you want to override this.
+ This feature is built in, and not part of the configuration
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Your TERM variable is not set
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The <envar>TERM</envar> (terminal type) environment variable
+ must be set to a valid terminal type so that the screen management
+ routines can function properly. Set it to the appropriate terminal type.
+ Linux consoles typically have their <envar>TERM</envar> variables set to
+<computeroutput>linux</computeroutput>.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Received TERM signal
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ Not related to the previous message. The
+<computeroutput>TERM</computeroutput> (terminate) signal
+ is normally used to gracefully shut down a program. This message
+ simply indicates that the <computeroutput>TERM</computeroutput> signal was caught and IPTraf is
+ attempting to shut down as gracefully as possible.
+</para>
+</msgexplan>
+</simplemsgentry>
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Invalid option or missing parameter, use iptraf -h for help
+</computeroutput></para>
+</msgtext>
+<msgexplan>
+<para>
+ The <computeroutput>-i</computeroutput>,
+ <computeroutput>-d</computeroutput>,
+ <computeroutput>-s</computeroutput>, <computeroutput>-l</computeroutput>, or
+ <computeroutput>-z</computeroutput> options were specified but
+ no interface was specified on the command line. These
+ parameters require a valid interface name (or
+ <computeroutput>all</computeroutput> for <computeroutput>-i</computeroutput>
+or <computeroutput>-l</computeroutput>).
+</para>
+<para>
+ This message also appears if an unknown option is passed
+to the <command>iptraf</command> command.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>Warning: unable to tag this process
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf normally tags itself when it runs to prevent multiple instances
+ of the statistical facilities from running.
+ This message means the program was unable to
+ create the necessary tag file. This may be due to a bad or
+ improper installation. Try running the
+<command>make install</command> procedure or the
+<command>Setup</command> in the distribution's top-level directory.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Warning: unable to tag facility
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf was unable to create the tag file for the facility you
+ started. The facility will still run, but other instances of IPTraf that
+ may be running simultaneously will allow the same facility to run.
+ This may cause both instances of the facility to malfunction. This could
+ be due to a bad disk or bad installation.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput><replaceable>facility</replaceable> already running/listening on interface
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The facility you tried to start is currently running
+ on the indicated interface in another IPTraf process on the machine.
+ This restriction is placed to prevent conflicts involving
+ internal sockets or the log files.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>General interface statistics already active in another process
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ Only one instance of the general interface statistics can run at a time.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Duplicate port/range entry
+
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ You entered a port number or range that was already added to the list of
+ additional ports to be monitored by the TCP/UDP service monitor
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>No custom ports
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ There are no ports or port ranges earlier added. There's nothing
+ to delete.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Can't start rvnamed; lookups will block
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf cannot start the <command>rvnamed</command> daemon; probably due
+ to a bad installation. IPTraf will fall back to blocking lookups.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Can't spawn new process; lookups will block
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf cannot start a new process. This may be due to memory shortage.
+ IPTraf will fall back to blocking lookups.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Fork error, IPTraf cannot run in background
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf cannot start a new process, and can go into the background.
+ This may be due to memory shortage. IPTraf aborts.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>No memory for new filter entry
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf was unable to allocate memory for a new filter entry. Most likely
+ due to memory shortage.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Memory Low
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ This indicator appears if memory runs low due to a lot of entries in a
+ facility. Should critical functions fail (window creation,
+ internal allocation), the program could terminate with a
+ segmentation violation.
+</para>
+
+<note>
+ <title>Note</title>
+<para>
+ Any message or indicator about low memory means that your system
+ does not have enough memory to handle the entries. It is
+ almost certain that sooner or later, IPTraf or other applications will
+ abort due to the failure of important system calls or library functions.
+ Memory must be added right away.
+</para>
+</note>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>IPC Error
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ This indicator appears if an error occurs receiving data
+ from the <command>rvnamed</command> program (IPC stands for Interprocess Communication).
+ This indication should not occur under normal circumstances.
+ Report instances of this condition and the circumstances under which
+ it happens. You may also include data from the
+<filename>rvnamed.log</filename> file.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Error opening terminal: <replaceable>terminal</replaceable>
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ The screen management routines cannot find the
+<filename>terminfo</filename> entry for your
+ terminal. IPTraf expects the terminfo database located
+ in <filename>/usr/share/terminfo</filename>. This error could occur when your terminfo
+ database is located somewhere else.
+</para>
+<para>
+ See the section on controlling the <filename>terminfo</filename> search path.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>This will end your IPTraf session
+ </computeroutput></para></msgtext>
+<msgexplan>
+<para>
+In interactive mode IPTraf asks you to confirm your exit
+command. Press Enter to return to the shell or any other key to cancel
+your command and return to the main menu.
+</para>
+</msgexplan>
+</simplemsgentry>
+</msgset>
+</sect1>
+<sect1 id="rvnamedmessages">
+<title>
+ rvnamed Messages
+</title>
+<para>
+ As a daemon, rvnamed does not send messages to the screen. It
+ writes its messages to the file <filename>rvnamed.log</filename> in the
+ IPTraf log directory.
+</para>
+<msgset>
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Unable to open child communication socket
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ rvnamed was unable to open the communication endpoint for data reception
+ from the children it creates. This is highly unusual, and should it
+ occur, report the circumstances.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Unable to open client communication socket
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ rvnamed was unable to open the communication endpoint for data exchange
+ with the IPTraf program. This is highly unusual, and should it
+ occur, report the circumstances.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Error binding client communication socket
+ Error binding child communication socket
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ rvnamed was unable to assign a name
+ to the indicated communication socket. This may be due to a bad, full,
+ or corrupted filesystem.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Fatal error: no memory for descriptor monitoring
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ rvnamed ran out of memory. IPTraf will resort to blocking, and may freeze.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Error on fork, returning IP address
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ rvnamed had a problem spawning a copy of itself to resolve the IP
+ address. rvnamed will simply return the IP address in its literal,
+ dotted-decimal notation. IPTraf will still function normally. This may
+ be due to lack of memory or a process limit hit.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Maximum child process limit reached
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ rvnamed has reached its maximum number of child processes. This is
+ intended as a "brake" to prevent too many rvnamed children
+ from hogging your computer's resources and possibly crashing it.
+</para>
+<para>
+ Unless IPTraf is monitoring an extremely busy network without filters,
+ this shouldn't happen, at least, not that often. If you notice
+ this message, try applying filters or check your DNS server. Many times,
+ this can happen when the DNS server goes down for
+ whatever reason, and you have rvnamed children taking too long to resolve.
+</para>
+</msgexplan>
+</simplemsgentry>
+</msgset>
+</sect1>
+</appendix>
+<appendix id="gfdl">
+<title>GNU Free Documentation License</title>
+<!-- - GNU Project - Free Software Foundation (FSF) -->
+<!-- LINK REV="made" HREF="mailto:webmasters@gnu.org" -->
+
+
+ <!-- sect1>
+ <title>GNU Free Documentation License</title -->
+
+ <para>Version 1.1, March 2000</para>
+
+ <blockquote>
+ <para>Copyright (C) 2000 Free Software Foundation, Inc.
+59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+Everyone is permitted to copy and distribute verbatim copies
+of this license document, but changing it is not allowed.</para>
+ </blockquote>
+
+ <sect1 id="gfdl-0">
+ <title>PREAMBLE</title>
+
+ <para>The purpose of this License is to make a manual, textbook,
+ or other written document "free" in the sense of freedom: to
+ assure everyone the effective freedom to copy and redistribute it,
+ with or without modifying it, either commercially or
+ noncommercially. Secondarily, this License preserves for the
+ author and publisher a way to get credit for their work, while not
+ being considered responsible for modifications made by
+ others.</para>
+
+ <para>This License is a kind of "copyleft", which means that
+ derivative works of the document must themselves be free in the
+ same sense. It complements the GNU General Public License, which
+ is a copyleft license designed for free software.</para>
+
+ <para>We have designed this License in order to use it for manuals
+ for free software, because free software needs free documentation:
+ a free program should come with manuals providing the same
+ freedoms that the software does. But this License is not limited
+ to software manuals; it can be used for any textual work,
+ regardless of subject matter or whether it is published as a
+ printed book. We recommend this License principally for works
+ whose purpose is instruction or reference.</para>
+ </sect1>
+
+ <sect1 id="gfdl-1">
+ <title>APPLICABILITY AND DEFINITIONS</title>
+
+ <para>This License applies to any manual or other work that
+ contains a notice placed by the copyright holder saying it can be
+ distributed under the terms of this License. The "Document",
+ below, refers to any such manual or work. Any member of the
+ public is a licensee, and is addressed as "you".</para>
+
+ <para>A "Modified Version" of the Document means any work
+ containing the Document or a portion of it, either copied
+ verbatim, or with modifications and/or translated into another
+ language.</para>
+
+ <para>A "Secondary Section" is a named appendix or a front-matter
+ section of the Document that deals exclusively with the
+ relationship of the publishers or authors of the Document to the
+ Document's overall subject (or to related matters) and contains
+ nothing that could fall directly within that overall subject.
+ (For example, if the Document is in part a textbook of
+ mathematics, a Secondary Section may not explain any mathematics.)
+ The relationship could be a matter of historical connection with
+ the subject or with related matters, or of legal, commercial,
+ philosophical, ethical or political position regarding
+ them.</para>
+
+ <para>The "Invariant Sections" are certain Secondary Sections
+ whose titles are designated, as being those of Invariant Sections,
+ in the notice that says that the Document is released under this
+ License.</para>
+
+ <para>The "Cover Texts" are certain short passages of text that
+ are listed, as Front-Cover Texts or Back-Cover Texts, in the
+ notice that says that the Document is released under this
+ License.</para>
+
+ <para>A "Transparent" copy of the Document means a
+ machine-readable copy, represented in a format whose specification
+ is available to the general public, whose contents can be viewed
+ and edited directly and straightforwardly with generic text
+ editors or (for images composed of pixels) generic paint programs
+ or (for drawings) some widely available drawing editor, and that
+ is suitable for input to text formatters or for automatic
+ translation to a variety of formats suitable for input to text
+ formatters. A copy made in an otherwise Transparent file format
+ whose markup has been designed to thwart or discourage subsequent
+ modification by readers is not Transparent. A copy that is not
+ "Transparent" is called "Opaque".</para>
+
+ <para>Examples of suitable formats for Transparent copies include
+ plain ASCII without markup, Texinfo input format, LaTeX input
+ format, SGML or XML using a publicly available DTD, and
+ standard-conforming simple HTML designed for human modification.
+ Opaque formats include PostScript, PDF, proprietary formats that
+ can be read and edited only by proprietary word processors, SGML
+ or XML for which the DTD and/or processing tools are not generally
+ available, and the machine-generated HTML produced by some word
+ processors for output purposes only.</para>
+
+ <para>The "Title Page" means, for a printed book, the title page
+ itself, plus such following pages as are needed to hold, legibly,
+ the material this License requires to appear in the title page.
+ For works in formats which do not have any title page as such,
+ "Title Page" means the text near the most prominent appearance of
+ the work's title, preceding the beginning of the body of the
+ text.</para>
+ </sect1>
+
+ <sect1 id="gfdl-2">
+ <title>VERBATIM COPYING</title>
+
+ <para>You may copy and distribute the Document in any medium,
+ either commercially or noncommercially, provided that this
+ License, the copyright notices, and the license notice saying this
+ License applies to the Document are reproduced in all copies, and
+ that you add no other conditions whatsoever to those of this
+ License. You may not use technical measures to obstruct or
+ control the reading or further copying of the copies you make or
+ distribute. However, you may accept compensation in exchange for
+ copies. If you distribute a large enough number of copies you
+ must also follow the conditions in section 3.</para>
+
+ <para>You may also lend copies, under the same conditions stated
+ above, and you may publicly display copies.</para>
+ </sect1>
+
+ <sect1 id="gfdl-3">
+ <title>COPYING IN QUANTITY</title>
+
+ <para>If you publish printed copies of the Document numbering more
+ than 100, and the Document's license notice requires Cover Texts,
+ you must enclose the copies in covers that carry, clearly and
+ legibly, all these Cover Texts: Front-Cover Texts on the front
+ cover, and Back-Cover Texts on the back cover. Both covers must
+ also clearly and legibly identify you as the publisher of these
+ copies. The front cover must present the full title with all
+ words of the title equally prominent and visible. You may add
+ other material on the covers in addition. Copying with changes
+ limited to the covers, as long as they preserve the title of the
+ Document and satisfy these conditions, can be treated as verbatim
+ copying in other respects.</para>
+
+ <para>If the required texts for either cover are too voluminous to
+ fit legibly, you should put the first ones listed (as many as fit
+ reasonably) on the actual cover, and continue the rest onto
+ adjacent pages.</para>
+
+ <para>If you publish or distribute Opaque copies of the Document
+ numbering more than 100, you must either include a
+ machine-readable Transparent copy along with each Opaque copy, or
+ state in or with each Opaque copy a publicly-accessible
+ computer-network location containing a complete Transparent copy
+ of the Document, free of added material, which the general
+ network-using public has access to download anonymously at no
+ charge using public-standard network protocols. If you use the
+ latter option, you must take reasonably prudent steps, when you
+ begin distribution of Opaque copies in quantity, to ensure that
+ this Transparent copy will remain thus accessible at the stated
+ location until at least one year after the last time you
+ distribute an Opaque copy (directly or through your agents or
+ retailers) of that edition to the public.</para>
+
+ <para>It is requested, but not required, that you contact the
+ authors of the Document well before redistributing any large
+ number of copies, to give them a chance to provide you with an
+ updated version of the Document.</para>
+ </sect1>
+
+ <sect1 id="gfdl-4">
+ <title>MODIFICATIONS</title>
+
+ <para>You may copy and distribute a Modified Version of the
+ Document under the conditions of sections 2 and 3 above, provided
+ that you release the Modified Version under precisely this
+ License, with the Modified Version filling the role of the
+ Document, thus licensing distribution and modification of the
+ Modified Version to whoever possesses a copy of it. In addition,
+ you must do these things in the Modified Version:</para>
+
+ <orderedlist numeration="upperalpha">
+ <listitem><para>Use in the Title Page
+ (and on the covers, if any) a title distinct from that of the
+ Document, and from those of previous versions (which should, if
+ there were any, be listed in the History section of the
+ Document). You may use the same title as a previous version if
+ the original publisher of that version gives permission.</para>
+ </listitem>
+
+ <listitem><para>List on the Title Page,
+ as authors, one or more persons or entities responsible for
+ authorship of the modifications in the Modified Version,
+ together with at least five of the principal authors of the
+ Document (all of its principal authors, if it has less than
+ five).</para>
+ </listitem>
+
+ <listitem><para>State on the Title page
+ the name of the publisher of the Modified Version, as the
+ publisher.</para>
+ </listitem>
+
+ <listitem><para>Preserve all the
+ copyright notices of the Document.</para>
+ </listitem>
+
+ <listitem><para>Add an appropriate
+ copyright notice for your modifications adjacent to the other
+ copyright notices.</para>
+ </listitem>
+
+ <listitem><para>Include, immediately
+ after the copyright notices, a license notice giving the public
+ permission to use the Modified Version under the terms of this
+ License, in the form shown in the Addendum below.</para>
+ </listitem>
+
+ <listitem><para>Preserve in that license
+ notice the full lists of Invariant Sections and required Cover
+ Texts given in the Document's license notice.</para>
+ </listitem>
+
+ <listitem><para>Include an unaltered
+ copy of this License.</para>
+ </listitem>
+
+ <listitem><para>Preserve the section
+ entitled "History", and its title, and add to it an item stating
+ at least the title, year, new authors, and publisher of the
+ Modified Version as given on the Title Page. If there is no
+ section entitled "History" in the Document, create one stating
+ the title, year, authors, and publisher of the Document as given
+ on its Title Page, then add an item describing the Modified
+ Version as stated in the previous sentence.</para>
+ </listitem>
+
+ <listitem><para>Preserve the network
+ location, if any, given in the Document for public access to a
+ Transparent copy of the Document, and likewise the network
+ locations given in the Document for previous versions it was
+ based on. These may be placed in the "History" section. You
+ may omit a network location for a work that was published at
+ least four years before the Document itself, or if the original
+ publisher of the version it refers to gives permission.</para>
+ </listitem>
+
+ <listitem><para>In any section entitled
+ "Acknowledgements" or "Dedications", preserve the section's
+ title, and preserve in the section all the substance and tone of
+ each of the contributor acknowledgements and/or dedications
+ given therein.</para>
+ </listitem>
+
+ <listitem><para>Preserve all the
+ Invariant Sections of the Document, unaltered in their text and
+ in their titles. Section numbers or the equivalent are not
+ considered part of the section titles.</para>
+ </listitem>
+
+ <listitem><para>Delete any section
+ entitled "Endorsements". Such a section may not be included in
+ the Modified Version.</para>
+ </listitem>
+
+ <listitem><para>Do not retitle any
+ existing section as "Endorsements" or to conflict in title with
+ any Invariant Section.</para>
+ </listitem>
+ </orderedlist>
+
+ <para>If the Modified Version includes new front-matter sections
+ or appendices that qualify as Secondary Sections and contain no
+ material copied from the Document, you may at your option
+ designate some or all of these sections as invariant. To do this,
+ add their titles to the list of Invariant Sections in the Modified
+ Version's license notice.
These titles must be distinct from any + other section titles.</para> + + <para>You may add a section entitled "Endorsements", provided it + contains nothing but endorsements of your Modified Version by + various parties--for example, statements of peer review or that + the text has been approved by an organization as the authoritative + definition of a standard.</para> + + <para>You may add a passage of up to five words as a Front-Cover + Text, and a passage of up to 25 words as a Back-Cover Text, to the + end of the list of Cover Texts in the Modified Version. Only one + passage of Front-Cover Text and one of Back-Cover Text may be + added by (or through arrangements made by) any one entity. If the + Document already includes a cover text for the same cover, + previously added by you or by arrangement made by the same entity + you are acting on behalf of, you may not add another; but you may + replace the old one, on explicit permission from the previous + publisher that added the old one.</para> + + <para>The author(s) and publisher(s) of the Document do not by + this License give permission to use their names for publicity for + or to assert or imply endorsement of any Modified Version.</para> + </sect1> + + <sect1 id="gfdl-5"> + <title>COMBINING DOCUMENTS</title> + + <para>You may combine the Document with other documents released + under this License, under the terms defined in section 4 above for + modified versions, provided that you include in the combination + all of the Invariant Sections of all of the original documents, + unmodified, and list them all as Invariant Sections of your + combined work in its license notice.</para> + + <para>The combined work need only contain one copy of this + License, and multiple identical Invariant Sections may be replaced + with a single copy. 
If there are multiple Invariant Sections with + the same name but different contents, make the title of each such + section unique by adding at the end of it, in parentheses, the + name of the original author or publisher of that section if known, + or else a unique number. Make the same adjustment to the section + titles in the list of Invariant Sections in the license notice of + the combined work.</para> + + <para>In the combination, you must combine any sections entitled + "History" in the various original documents, forming one section + entitled "History"; likewise combine any sections entitled + "Acknowledgements", and any sections entitled "Dedications". You + must delete all sections entitled "Endorsements."</para> + </sect1> + + <sect1 id="gfdl-6"> + <title>COLLECTIONS OF DOCUMENTS</title> + + <para>You may make a collection consisting of the Document and + other documents released under this License, and replace the + individual copies of this License in the various documents with a + single copy that is included in the collection, provided that you + follow the rules of this License for verbatim copying of each of + the documents in all other respects.</para> + + <para>You may extract a single document from such a collection, + and distribute it individually under this License, provided you + insert a copy of this License into the extracted document, and + follow this License in all other respects regarding verbatim + copying of that document.</para> + </sect1> + + <sect1 id="gfdl-7"> + <title>AGGREGATION WITH INDEPENDENT WORKS</title> + + <para>A compilation of the Document or its derivatives with other + separate and independent documents or works, in or on a volume of + a storage or distribution medium, does not as a whole count as a + Modified Version of the Document, provided no compilation + copyright is claimed for the compilation. 
Such a compilation is + called an "aggregate", and this License does not apply to the + other self-contained works thus compiled with the Document, on + account of their being thus compiled, if they are not themselves + derivative works of the Document.</para> + + <para>If the Cover Text requirement of section 3 is applicable to + these copies of the Document, then if the Document is less than + one quarter of the entire aggregate, the Document's Cover Texts + may be placed on covers that surround only the Document within the + aggregate. Otherwise they must appear on covers around the whole + aggregate.</para> + </sect1> + + <sect1 id="gfdl-8"> + <title>TRANSLATION</title> + + <para>Translation is considered a kind of modification, so you may + distribute translations of the Document under the terms of section + 4. Replacing Invariant Sections with translations requires + special permission from their copyright holders, but you may + include translations of some or all Invariant Sections in addition + to the original versions of these Invariant Sections. You may + include a translation of this License provided that you also + include the original English version of this License. In case of + a disagreement between the translation and the original English + version of this License, the original English version will + prevail.</para> + </sect1> + + <sect1 id="gfdl-9"> + <title>TERMINATION</title> + + <para>You may not copy, modify, sublicense, or distribute the + Document except as expressly provided for under this License. Any + other attempt to copy, modify, sublicense or distribute the + Document is void, and will automatically terminate your rights + under this License. 
However, parties who have received copies, or + rights, from you under this License will not have their licenses + terminated so long as such parties remain in full + compliance.</para> + </sect1> + + <sect1 id="gfdl-10"> + <title>FUTURE REVISIONS OF THIS LICENSE</title> + + <para>The Free Software Foundation may publish new, revised + versions of the GNU Free Documentation License from time to time. + Such new versions will be similar in spirit to the present + version, but may differ in detail to address new problems or + concerns. See <ulink + url="http://www.gnu.org/copyleft/">http://www.gnu.org/copyleft/</ulink>.</para> + + <para>Each version of the License is given a distinguishing + version number. If the Document specifies that a particular + numbered version of this License "or any later version" applies to + it, you have the option of following the terms and conditions + either of that specified version or of any later version that has + been published (not as a draft) by the Free Software Foundation. + If the Document does not specify a version number of this License, + you may choose any version ever published (not as a draft) by the + Free Software Foundation.</para> + </sect1> + + <sect1 id="gfdl-11"> + <title>How to use this License for your documents</title> + + <para>To use this License in a document you have written, include + a copy of the License in the document and put the following + copyright and license notices just after the title page:</para> + +<blockquote><para> + Copyright (c) YEAR YOUR NAME. + Permission is granted to copy, distribute and/or modify this document + under the terms of the GNU Free Documentation License, Version 1.1 + or any later version published by the Free Software Foundation; + with the Invariant Sections being LIST THEIR TITLES, with the + Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. + A copy of the license is included in the section entitled "GNU + Free Documentation License". 
+</para></blockquote>
+
+ <para>If you have no Invariant Sections, write "with no Invariant
+ Sections" instead of saying which ones are invariant. If you have
+ no Front-Cover Texts, write "no Front-Cover Texts" instead of
+ "Front-Cover Texts being LIST"; likewise for Back-Cover
+ Texts.</para>
+
+ <para>If your document contains nontrivial examples of program
+ code, we recommend releasing these examples in parallel under your
+ choice of free software license, such as the GNU General Public
+ License, to permit their use in free software.</para>
+ </sect1>
+
+</appendix>
+<!-- Keep this comment at the end of the file
+Local variables:
+mode: sgml
+sgml-omittag:nil
+sgml-shorttag:t
+sgml-minimize-attributes:nil
+sgml-always-quote-attributes:t
+sgml-indent-step:2
+sgml-parent-document: ("referenz.sgml" "appendix")
+sgml-exposed-tags:nil
+sgml-local-ecat-files:nil
+sgml-local-catalogs: CATALOG
+sgml-validate-command: "nsgmls -s referenz.sgml"
+ispell-skip-sgml: t
+End:
+-->
+</book>
diff --git a/Documentation/manual.template b/Documentation/manual.template
new file mode 100644
index 0000000..ba8a1c8
--- /dev/null
+++ b/Documentation/manual.template
@@ -0,0 +1,4752 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [
+]>
+<book id="manual">
+<bookinfo>
+<title>IPTraf User's Manual</title>
+
+<releaseinfo>
+Version @@version@@
+</releaseinfo>
+
+<copyright>
+<year>1997</year>
+<year>2003</year>
+<holder>Gerard Paul Java</holder>
+</copyright>
+
+<legalnotice id="legalinfo">
+<para>
+This manual is released under the terms of the GNU
+Free Documentation License of March, 2000 as published by the
+Free Software Foundation, reproduced in this manual as Appendix B.
+</para>
+<para>
+IPTraf is open-source software released under the terms of the GNU General
+Public License version 2 or any later version as published by the Free
+Software Foundation, reproduced in the LICENSE file in the distribution's
+top-level directory.
+</para>
+<para>
+The accomanying software and the information contained in this
+document are provided "AS IS" without warranty of any kind, express or
+implied, including, without limitation, the implied warranties
+of mercantability or fitness for any particular purpose.
+</para>
+<para>
+In no event shall the author be liable for any indirect,
+special, consequential, or incidental damages arising from the use of this
+manual or the accompanying software even if the author has been advised of
+the possibility of such damages.
+</para>
+<para>
+Linux is a registered trademark of Linus Torvalds. Pentium is a
+registered trademark of Intel Corporation. All other trademarks are
+property of their respective owners.
+</para>
+<para>
+Some structure declarations were based on code copyrighted by the Regents
+of the University of California.
+</para>
+<para>
+Token Ring parsing code based on the Token Ring packet construction code
+in the Linux 2.2 kernel.
+</para> +</legalnotice> +</bookinfo> +<toc></toc> +<lot></lot> +<preface id="preface"> +<title>About This Document</title> +<para> +This document contains the instructions on how to use the IPTraf network +monitoring software version @@major@@. This manual details the +different statistical facilities, the user +interface, and the important features of the software. +</para> + +<sect1 id="addinfo"> +<title>For Additional Information</title> +<para> +See the included README file for summarized and late-breaking information. +Also read the RELEASE-NOTES file for important new information about +this new version. The CHANGES file contains a record of the changes made +to the software since 1.0.0. README.rvnamed contains information on the +rvnamed reverse resolution program. See the other +README files for support and development information. +</para> +</sect1> + +<sect1 id="conventions"> +<title>Document Conventions</title> +<para> + The following symbols and typefaces are used throughout this manual: +</para> + +<variablelist> +<varlistentry> +<term><computeroutput>[ ]</computeroutput></term> +<listitem> +<para> +items in brackets are optional. Brackets also denote items that may or may +not be displayed onscreen depending on settings or conditions. +</para></listitem></varlistentry> + +<varlistentry> +<term><computeroutput>{ }</computeroutput></term> +<listitem><para> + curly braces enclose items you choose from +</para></listitem></varlistentry> + +<varlistentry> +<term><computeroutput>|</computeroutput></term> +<listitem><para> + the vertical bar separates choices in curly braces +</para></listitem></varlistentry> + +<varlistentry> +<term><computeroutput>normal monospace</computeroutput></term> +<listitem><para> + normal monospace text in syntax specifications should be typed in exactly as presented. Because UNIX and variants are case-sensitive, case must be preserved. Monospace is also used in presenting items that appear on the screen. 
+</para></listitem></varlistentry> + +<varlistentry> +<term><computeroutput><replaceable> + monospace italics +</replaceable></computeroutput></term> +<listitem><para> + + italics in syntax specifications indicate items that are to be + replaced with an actual item (e.g. + <replaceable>interface</replaceable> should be replaced with an + actual interface name, like <computeroutput>eth0</computeroutput>). + +</para></listitem></varlistentry> +</variablelist> + +<para> +Additional information appears distinctively set apart from the main text. +This information includes Notes, Tips, or Technical Notes. +</para> + +<para> +<emphasis>Notes</emphasis> are additional pieces of information that may be useful or may + clarify the preceeding paragraphs of the manual. +</para> +<para> + <emphasis>Tips</emphasis> provide shortcuts, clarify tasks that may not + be immediately obvious, or provide references to additional sources of information. +</para> +<para> +<emphasis>Technical notes</emphasis> are explanations of a + more technical nature and may be of more use to programmers and advanced + users. +</para> +</sect1> +</preface> + +<chapter id="gettingstarted"><title> +Getting Started +</title> +<sect1> +<title>About IPTraf</title> +<para> +IPTraf is a network monitoring utility and traffic analyzer for IP networks. It +intercepts packets and returns data about captured the network traffic +in various statistical facilities. 
+</para> +<para> +IPTraf comes with these major features: +</para> +<itemizedlist spacing="compact" mark="bullet"> +<listitem><para>An IP traffic monitor that shows TCP +connection information (hosts, packet/byte counts, flags, +window sizes), and color-coded information about other +IP packets</para></listitem> +<listitem><para>Statistics (counts and load rates) for network interfaces +in general and detailed views</para></listitem> +<listitem><para>Statistics per TCP/UDP port</para></listitem> +<listitem><para>Statistical breakdown according to packet sizes</para></listitem> +<listitem><para>A LAN host monitor that returns counts and loads per +detected MAC address</para></listitem> +<listitem><para>A powerful filtering system for users to view +only interesting traffic</para></listitem> +<listitem><para>Logging</para></listitem> +<listitem><para>An asynchronous DNS resolver for the +IP traffic monitor</para></listitem> +<listitem><para>A text-based, full-color, menu-driven user interface +suitable for use on all Linux systems with terminals, especially Linux +consoles and color xterms</para></listitem> +<listitem><para>Easy configuration</para></listitem> +<listitem><para>Fully software-based. No additional +hardware required</para></listitem> +</itemizedlist> +<para> + Basic knowledge of the important TCP/IP protocols (IP, TCP, UDP, ICMP, + etc.) is necessary for you to best understand the information generated + by the program. +</para> + +</sect1> +<sect1 id="installation"> +<title> + Installation +</title> +<para> + IPTraf is most readily available on the Internet, but some may receive + it on a diskette. Here are the instructions for both types + of distributions. 
+</para> +<sect2> +<title>System Requirements</title> +<para> +IPTraf requires: +</para> + +<sect3> +<title>Hardware Requirements</title> + +<itemizedlist spacing="compact" mark="bullet"> +<listitem><para> + 16 megabytes of physical RAM (more recommended, at least 64 MB for very busy networks) +</para></listitem> +<listitem><para> + 2 megabytes of free disk space for installation (more will be needed if you log high amounts of traffic over time) +</para></listitem> +<listitem><para> + Pentium-class processor or higher (Pentium-II 200 MHz or higher recommended) or equivalent. +</para></listitem> +<listitem><para> + One or more of the supported network interfaces. +</para></listitem> +</itemizedlist> +</sect3> +<sect3> + <title>Operating System Requirements</title> + +<itemizedlist spacing="compact" mark="bullet"> +<listitem><para> + Linux kernel 2.2.0 or higher +</para></listitem> +<listitem><para> + GNU C Library 2.1 or later +</para></listitem> +<listitem><para> + + ncurses 4.2 or later with the complete terminfo database in + <filename>/usr/share/terminfo</filename>. Support for + <computeroutput>linux</computeroutput>, <computeroutput>vt100</computeroutput>, + <computeroutput>xterm</computeroutput>, + <computeroutput>xterm-color</computeroutput> recommended. + +</para></listitem> +</itemizedlist> +</sect3> +<sect3> + <title>Compilation Requirements</title> +<para> +The following components are required when compiling IPTraf from the +source code. 
+</para> +<itemizedlist spacing="compact" mark="bullet"> +<listitem><para> + gcc 2.7.2.3 or later +</para></listitem> +<listitem><para> + + GNU C (glibc) development library 2.1 or later +</para></listitem> +<listitem><para> + + ncurses development libraries 4.2 or later +</para> +</listitem> +</itemizedlist> +</sect3> +</sect2> + +<sect2> +<title>Availability</title> +<para> + IPTraf can be downloaded from the Internet from the official FTP site at + <ulink url="ftp://iptraf.seul.org/pub/iptraf/"> +ftp://iptraf.seul.org/pub/iptraf/ +</ulink>. +</para> +<para> + + The software is available in source form in + compressed +<filename>.tar.gz</filename> files named +<filename>iptraf-<replaceable>x.y.z</replaceable>.tar.gz</filename> where +<filename><replaceable>x.y.z</replaceable></filename> + is the version number. Precompiled ready-to-run software is available in + the +<filename>iptraf-<replaceable>x.y.z.machinetype</replaceable>.bin.tar.gz</filename> + files. (<filename><replaceable>machinetype</replaceable></filename> indicates + what platform the precompiled binaries run on. The official distribution + will only be for the Intel x86 architecture indicated as +<filename>i386</filename>.) +</para> +</sect2> + +<sect2> +<title>Installing Downloaded Packages</title> + +<para> + You will need to have GNU tar and GNU zip installed. All + modern Linux installations already have these utilities ready. +</para> +<orderedlist> +<listitem> +<para> + Decompress the <filename>.tar.gz</filename> file by entering +</para> +<synopsis> +tar zxvf iptraf-<replaceable>x.y.z</replaceable>.tar.gz +</synopsis> +<para> + for the source code or +</para> +<synopsis> +tar zxvf iptraf-<replaceable>x.y.z</replaceable>.i386.bin.tar.gz +</synopsis> +<para> +for the precompiled x86 programs. +</para> +<para> +If your tar doesn't support the z option, you can separately +decompress the <filename>.tar.gz</filename> file +then extract the resulting <filename>.tar</filename> archive. 
+</para> +<synopsis> +gunzip iptraf-<replaceable>x.y.z</replaceable>.tar.gz +tar xvf iptraf-<replaceable>x.y.z</replaceable>.tar +</synopsis> +<para> +This will decompress the sources into a directory called +<filename>iptraf-<replaceable>x.y.z</replaceable></filename> (source code) +or +<filename>iptraf-<replaceable>x.y.z</replaceable>.bin</filename> +(precompiled). + (<replaceable>x.y.z</replaceable> here should be the IPTraf version number +you're installing, like <filename>@@version@@</filename>). +</para> +</listitem> +<listitem> +<para> +Change to the created top level directory. +</para></listitem> +<listitem><para> +To compile and install the software, run the Setup program by entering +</para> +<synopsis> +./Setup +</synopsis> +<para> + while you are logged in as root. The Setup script will recognize the + source distribution and compile the software before installing. It + will immediately install a precompiled distribution. +</para> +</listitem> +</orderedlist> + +<para> + The resulting binaries will be placed in the +<filename>/usr/local/bin</filename> directory. + All needed directories will also be created. +</para> +<para> + After installation, you will be asked if you want to + read the <filename>RELEASE-NOTES</filename> file. It is recommended that you do so at + that point, since the <filename>RELEASE-NOTES</filename> file + contains important information about the new version. +</para> +</sect2> +<sect2> +<title>Installing a Floppy Distribution</title> +<para> + If you received IPTraf + on a diskette, the sources are already decompressed. The diskette is + in Second Extended filesystem format. Perform the following steps to + install the software. </para> <orderedlist> <listitem><para> +Insert the floppy in the drive. +</para></listitem> +<listitem><para> +Mount the floppy on an empty directory. 
For example, to +mount the floppy in the first floppy drive under a directory +called <filename>/mnt</filename>, enter +</para> +<synopsis> +mount -t ext2 /dev/fd0 /mnt +</synopsis> +<para> + This assumes your floppy is in + <filename>/dev/fd0</filename>. You can use any empty directory in place + of <filename>/mnt</filename>. With most Linux installations, this will work fine. +</para></listitem> +<listitem<para> + +After mounting, change +to the <filename>/mnt</filename> (or whatever) directory. +</para></listitem> +<listitem><para> +Enter</para> +<synopsis> +./Setup +</synopsis> +<para> + while logged in as root. Setup will determine whether the diskette + contains a source code distribution or + ready-to-run precompiled software. This will copy the binaries to + <filename>/usr/local/bin</filename>, and + create the necessary working directories. +</para></listitem> +<listitem> +<para> +Unmount the diskette by typing +</para> +<synopsis> +umount /mnt +</synopsis> +<para> + (That's <emphasis>u</emphasis>mount, not <emphasis>un</emphasis>mount.) +</para> +<para> + You can then eject the diskette. Store it in a safe place. +</para> +<para> + You will also be asked if you want to view the +<filename>RELEASE-NOTES</filename> file. It is + recommended that you do so at that point. +</para> +<para> + In both cases (downloaded and floppy), the installation will store the + program in <filename>/usr/local/bin</filename> with the binaries owned by + user root, readable, writable, and executable by the owner, + no permissions for the group, no permissions for all others. (700 octal, + or <computeroutput>-rwx------</computeroutput>). +</para> + +<note> + <title>Note</title> +<para> + You must be <filename>root</filename> to + do the installation. The old style of installation (<command>cd src;make + install</command>) + is still supported. 
+</para> +</note> +</listitem> +</orderedlist> + +<para> + Be sure <filename>/usr/local/bin</filename> is included in + your environment's <envar>PATH</envar> variable. You can + edit the appropriate command in your login customization + file (<filename>.profile</filename> for the Bourne-type shells, + <filename>.cshrc</filename> for the C shell and its relatives). +</para> +</sect2> +</sect1> +<sect1 id="upgrading"> +<title> + Upgrading from Earlier Versions +</title> +<para> +IPTraf 3.0 is a major revision from IPTraf 2.7. The +filter subsystem has been completely redesigned and as such, is +incompatible with previous filter formats. Therefore old +IPTraf filters can no longer be used. The installation procedure for +IPTraf 3.0 will rename the filter list files but not delete them. +</para> +<para> +If you install a distribution package (e.g. RPM, +dpkg), old filters may still appear in the filter selection +list but the new IPTraf version will be unable to load them. +</para> +</sect1> +<sect1 id="startstop"> +<title>Starting and Stopping IPTraf</title> +<para> + After installation, you can start the program by simply entering +</para> +<synopsis> +iptraf +</synopsis> +<para> + at the shell prompt. You will see a copyright notice, with + an instruction to press any key to get started. Just press any character + key, and you will be immediately taken to the main menu. All major + functions of the program are found there. +</para> +<para> + Entering the IPTraf command without any command-line parameters brings + up the program's main menu. From there, you can select the + facilities you want. +</para> +<para> + IPTraf determines and makes use of the maximum number + of lines and columns on the terminal. +</para> + +<note> + + <title>Note</title><para> + IPTraf does not have a SIGWINCH handler; it does not + adjust itself when an xterm or some other X terminal is resized. 
+</para></note> + + +<note> + <title>Technical note</title> + <para> + + IPTraf needs to refer to the terminfo database +in <filename>/usr/share/terminfo</filename>. + If the supplied executable program fails with <computeroutput>Error +opening + terminal</computeroutput>, your terminfo database may be located somewhere else. You can + control the terminfo search path +by using the <envar>TERMINFO</envar> environment + variable. For example, if you're using the <command>sh</command> +or <command>bash</command> shell, and + your terminfo database is in <filename>/usr/lib/terminfo</filename> + (typical for Slackware distributions), you can use the commands: + +</para> +<synopsis> +TERMINFO=/usr/lib/terminfo +export TERMINFO +</synopsis> +<para> + You can place these commands in your <filename>~/.profile</filename> or the + systemwide <filename>/etc/profile</filename> startup files. +</para> +<para> + You can also create a symbolic + link named <filename>/usr/share/terminfo</filename> to let + it point to your existing terminfo (assuming again your terminfo is in + <filename>/usr/lib/terminfo</filename>): +</para> +<synopsis> +ln -s /usr/lib/terminfo /usr/share/terminfo +</synopsis> +<para> + Or you can recompile your program to use your existing ncurses library + installation. If you do this, make sure you have ncurses 4.2 or later. +</para> +</note> +</sect1> +<sect1 id="cmdline"> +<title>Command-line Options</title> +<para> + IPTraf has a few optional command-line parameters. As with most UNIX + commands, IPTraf command-line parameters are +case-sensitive (<computeroutput>-l</computeroutput> + is NOT the same as <computeroutput>-L</computeroutput>). 
+</para> +<para> + The following command-line parameters can be supplied +to the <command>iptraf</command> command: +</para> +<variablelist> +<varlistentry> +<term><computeroutput>-i <replaceable>iface</replaceable></computeroutput></term> +<listitem><para> + causes the IP traffic monitor to start immediately on the specified interface. + If -i all is specified, all interfaces are monitored. +</para></listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>-g</computeroutput></term> +<listitem><para> + starts the general interface statistics +</para> +</listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>-d <replaceable>iface</replaceable></computeroutput></term> +<listitem><para> + shows detailed statistics for the specified interface +</para></listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>-s <replaceable>iface</replaceable></computeroutput></term> +<listitem><para> + starts the TCP/UDP traffic monitor for the specified interface +</para></listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>-z <replaceable>iface</replaceable></computeroutput></term> +<listitem><para> + starts the packet size breakdown for the specified interface +</para></listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>-l <replaceable>iface</replaceable></computeroutput></term> +<listitem><para> + starts the LAN station monitor on the specified interface. If +<computeroutput>-l all</computeroutput> is specified, all LAN interfaces are monitored. +</para></listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>-t <replaceable>timeout</replaceable></computeroutput></term> +<listitem><para> + The <computeroutput>-t</computeroutput> parameter, when used with one + of the other parameters that specify a facility to start, tells + IPTraf to run the indicated facility for only timeout + minutes, after which the facility + exits. The <computeroutput>-t</computeroutput> parameter is ignored in menu + mode. 
+</para> +<para> + If this parameter is not specified, the facility runs until the + exit keystroke is pressed. +</para> +</listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>-B</computeroutput></term> +<listitem><para> + Redirects all terminal output to the "bit bucket" +<filename>/dev/null</filename>, closes standard input, and +places the program in the background. This parameter can be used only with +one of the <computeroutput>-i</computeroutput>, <computeroutput>-g</computeroutput>, +<computeroutput>-d</computeroutput>, +<computeroutput>-s</computeroutput>, <computeroutput>-z</computeroutput>, or +<computeroutput>-l</computeroutput> parameters. See +<link linkend="backop">Background Operation</link> in Chapter 9. <computeroutput>-B</computeroutput> is ignored in menu +mode. +</para> +</listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>-L <replaceable>filename</replaceable></computeroutput></term> +<listitem><para> + Allows you to specify an alternate log file name when the + any facility is directly started from the command line, whether in foreground or + background mode. If specified in foreground mode, the log filename prompt is + bypassed, even when logging is turned on in the <emphasis>Configure...</emphasis> + menu. If this parameter is omitted in background mode, the default log filename + is used. +</para> +<para> + This parameter always turns on logging. +</para> +<para> + If an absolute path is not specified, the log + file will be created in the default log file directory +</para> +</listitem> +</varlistentry> +<varlistentry> +<term><computeroutput>-I <replaceable>interval</replaceable></computeroutput></term> +<listitem><para> + Sets the logging interval (in minutes) when the <computeroutput>-L</computeroutput> parameter is + used. This overrides the <emphasis>Log interval...</emphasis> setting in the <emphasis>Configure...</emphasis> + menu. If omitted, the configured value is used. 
This parameter is ignored when the
+ <computeroutput>-L</computeroutput> parameter is omitted and logging is disabled.
+</para>
+<para>
+ The value specified here will affect all facilities except for the IP traffic monitor.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>-q</computeroutput></term>
+<listitem><para>
+ Previously used to suppress the warning screen when IPTraf is run
+ on kernels with IP masquerading. Since the masquerading
+ code now processes packets in a way better suited to raw capture,
+ this parameter is no longer needed and is retained only for
+ compatibility.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><computeroutput>-f</computeroutput></term>
+<listitem><para>
+ Forces IPTraf to clear all lock files and reset all instance counters
+ to zero before running any facilities. IPTraf will then think
+ it's the first instance of itself.
+</para>
+<para>
+ The <computeroutput>-f</computeroutput> parameter overrides the
+ existing locks and counters imposed by the IPTraf process and
+ by the various facilities, causing this instance to think it is the
+ first and that there are no other facilities running. Use
+ this parameter with great caution. A common use for this parameter is
+ to recover from abrupt or abnormal terminations which may leave stale
+ locks and counters still lying around.
+</para>
+<para>
+ The <computeroutput>-f</computeroutput> parameter may be used together with the others.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>iptraf -h</computeroutput></term>
+<listitem><para>
+ displays a short help screen
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+
+<para>
+ While the command-line options are case-sensitive, interactive keystroke
+ at the IPTraf full-screen interface are not.
+</para>
+</sect1>
+
+<sect1 id="menus">
+<title>Using the Menus</title>
+<para>
+ Menu items with a trailing ellipsis (<computeroutput>...</computeroutput>) either
+ pop up a submenu with further items, or require additional information
+ before it can complete the task and return to the menu.
+ Menu items without an ellipsis execute immediately.
+</para>
+<para>
+ Use the Up and Down arrow keys on your keyboard to move the selection
+ bar. Press Enter to execute the selected item. Alternatively, you can
+ also directly press the highlighted letter of the item you want. This
+ will immediately execute the option.
+</para>
+<figure>
+<title>The IPTraf Main Menu</title>
+<graphic format="png" fileref="iptraf-mmenu">
+</figure>
+</sect1>
+<sect1 id="exiting">
+<title>Exiting IPTraf</title>
+<para>
+ You can exit IPTraf with the Exit command in the main menu.
+</para>
+<para>
+ When started with one of the command-line options to
+ directly start a statistical facility, pressing X or Q will exit the
+ facility directly, without any confirmation. The
+<computeroutput>-t</computeroutput>
+ command-line parameter will automatically exit the
+ facility after the specified length of time without any confirmation
+ as well. Daemon facilities started with the <computeroutput>-B</computeroutput> parameter
+ will immediately terminate after being sent a
+ USR2 signal. See <link linkend="backop">background
+ operation</link> in chapter 9 for more information.
+</para>
+</sect1>
+</chapter>
+
+<chapter id="preparingtouse">
+<title>Preparing to Use IPTraf</title>
+<para>
+This chapter provides information applicable to all of IPTraf's statistical
+monitors.
+</para>
+<sect1 id="numbers">
+<title>Number Display Notations</title>
+<para>
+ IPTraf initially returns exact counts of bytes and packets. However, as they
+ grow larger, IPTraf begins displaying them in increasingly higher denominations.
+</para>
+<para>
+ A number standing alone with no suffix represents an exact count.
A
+ number with a K following is a kilo (thousand) figure. An M,
+ G, and T suffix represents mega (million), giga (billion), and
+ tera (trillion) respectively. The following table shows examples.
+</para>
+
+<table frame="all">
+<title>Numeric Display Notations</title>
+<tgroup cols="2" align="left" colsep="0" rowsep="0">
+<tbody>
+<row>
+<entry>1024067</entry><entry>exactly 1024067</entry>
+</row>
+<row>
+<entry>1024K</entry><entry>approximately 1024000</entry>
+</row>
+<row>
+<entry>1024M</entry><entry>approximately 1024000000</entry>
+</row>
+<row>
+<entry>1024G</entry><entry>approximately 1024000000000</entry>
+</row>
+<row>
+<entry>1024T</entry><entry>approximately 1024000000000000</entry>
+</row>
+</tbody>
+</tgroup>
+</table>
+
+<para>
+ These notations apply to both packet and byte counts.
+</para>
+</sect1>
+<sect1 id="instances">
+<title>Instances and Logging</title>
+<para>
+ Since version 2.4, IPTraf allows multiple instances of the
+ facilities at the same time in different processes (for example, you can
+ now run two or more IP Traffic Monitors at the same time).
+ However only one can listen on a specific interface or all interfaces
+ at once. The only exception is the general interface
+ statistics, which is still restricted to only one instance at a time.
+</para>
+<para>
+ Because of this relaxation, each instance now generates log files with
+ unique names for instances, depending on either their instance
+ or the interface they're listening on. If the <emphasis>Logging</emphasis> option is turned
+ on (see the <link linkend="config">Configuration</link> chapter), IPTraf
+ will prompt you for a log file name while presenting a
+ default. You may accept this default or change it. Press Enter
+ to accept, or Ctrl+X to cancel. Canceling will turn logging off for that
+ particular session.
+</para>
+<para>
+ If you don't specify an absolute path, the log file will be placed
+ in <filename>/var/log/iptraf</filename>.
+</para>
+<figure>
+<title>The logfile prompt dialog</title>
+<graphic format="png" fileref="iptraf-logprompt">
+</figure>
+<para>
+ See the Logging section
+in the <link linkend="config">Configuration</link> chapter for
+detailed information on logging. See also the documentation on
+each statistical facility for the default log file names.
+</para>
+<para>
+ The default log file names will also be used
+if the <computeroutput>-B</computeroutput> parameter is used
+ to run IPTraf in the background. You can override the defaults with the
+ <computeroutput>-L</computeroutput> parameter. See
+<link linkend="backop">Background Operation</link> in Chapter 9.
+</para>
+</sect1>
+<sect1 id="updates">
+<title>Screen Update Delays</title>
+<para>
+ Older versions of IPTraf updated the screen as soon as a
+ packet was received. However, screen update is one
+ of the slowest operations the program performs. Since version 1.3, a
+ configuration option has been available to control screen update speed.
+</para>
+<para>
+ See the <emphasis>Screen update interval...</emphasis> configuration option under the
+ <link linkend="config">Configuration</link> chapter of this manual.
+</para>
+</sect1>
+<sect1 id="ifaces">
+<title>Supported Network Interfaces</title>
+<para>
+ IPTraf currently supports the following network interface types and names.
+</para>
+<variablelist>
+<varlistentry>
+<term><filename>lo</filename></term>
+<listitem><para>
+ The loopback interface. Every machine has one, and has an IP address
+ of 127.0.0.1. <filename>lo</filename> is also indicated if data
+ is detected on the
+<filename>dummy<replaceable>n</replaceable></filename> interface(s).
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>eth<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ An Ethernet interface. <replaceable>n</replaceable> starts from 0.
+ Therefore, <filename>eth0</filename> refers to the first
+ Ethernet interface, <filename>eth1</filename> to the second, and
+ so on. Most machines only have one.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>fddi<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ An FDDI interface. <replaceable>n</replaceable> starts from 0.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>tr<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ A Token Ring interface, where <replaceable>n</replaceable> starts from 0.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>ppp<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ A PPP interface. <replaceable>n</replaceable> starts from 0.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>sli<replaceable>n</replaceable></filename></term>
+<listitem><para>
+A SLIP interface. <replaceable>n</replaceable> starts from 0.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>plip<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ PLIP interfaces. These are point-to-point IP connections using the PC
+ parallel port.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>ipsec<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ This refers to Free s/WAN (and possibly other) logical VPN interfaces.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>sbni<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ SBNI long-range modem interfaces
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>dvb<replaceable>n</replaceable></filename>,
+<filename>sm200</filename>, <filename>sm300</filename></term>
+<listitem><para>
+ DVB satellite-receive interfaces
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>wlan<replaceable>n</replaceable></filename>,
+<filename>wvlan<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ Wireless LAN interfaces
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>tun<replaceable>n</replaceable></filename></term>
+<listitem><para>
+general logical tunnel interfaces
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>brg<replaceable>n</replaceable></filename></term>
+<listitem><para>
+general logical bridge interfaces
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>hdlc<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ Frame Relay base (FRAD) interfaces (non-PVC)
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>pvc<replaceable>n</replaceable></filename></term>
+<listitem><para>
+ Frame Relay Permanent Virtual Circuit interfaces
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+<para>
+ Your system's network interfaces must be named according
+ to the schemes specified above.
+</para>
+</sect1>
+</chapter>
+<chapter id="itrafmon">
+<title>The IP Traffic Monitor</title>
+<para>
+ Executing the first menu item or specifying <computeroutput>-i</computeroutput>
+ to the <command>iptraf</command> command takes you to the IP traffic monitor.
The traffic
+ monitor is a real-time monitoring system that intercepts all packets
+ on all detected network interfaces, decodes the IP information on all IP packets and
+ displays the appropriate information, most notably the
+ source and destination addresses. It also
+ determines the encapsulated protocol within the IP packet, and
+ displays some important information about that as well.
+</para>
+<para>
+ There are two windows in the traffic monitor, both of which can be
+ scrolled with the Up and Down cursor keys. Just press W to
+ move the <computeroutput>Active</computeroutput> indicator to the window you
+ want to control.
+</para>
+<figure>
+<title>The IP traffic monitor</title>
+<graphic format="png" fileref="iptraf-iptm1">
+</figure>
+
+<sect1 id="upperwin">
+<title>The Upper Window</title>
+<para>
+ The upper window of the traffic monitor displays the currently
+ detected TCP
+ connections. Information about TCP packets are displayed here. The
+ window contains these pieces of information:
+</para>
+
+<itemizedlist spacing="compact">
+<listitem><para>Source address and port</para></listitem>
+<listitem><para>Packet count</para></listitem>
+<listitem><para>Byte count</para></listitem>
+<listitem><para>Source MAC address</para></listitem>
+<listitem><para>Packet Size</para></listitem>
+<listitem><para>Window Size</para></listitem>
+<listitem><para>TCP flag statuses</para></listitem>
+<listitem><para>Interface</para></listitem>
+</itemizedlist>
+
+<note> <title>Note</title>
+<para> Previous versions of IPTraf showed
+ both the source and destination addresses on each line. IPTraf 2 and
+higher show
+only the <computeroutput><replaceable>source
+host</replaceable>:<replaceable>port</replaceable></computeroutput> combination to save
+on screen real estate. TCP
+ connection endpoints are still indicated with the green
+ brackets (on color terminals) along the left edge of the screen.
+</para>
+</note>
+
+<para>
+ The Up and Down cursor keys move an indicator bar between entries in the
+ TCP monitor, scrolling the window if necessary. The PgUp and PgDn keys
+ display the previous and next screenfuls of entries respectively.
+</para>
+<para>
+ The IP traffic monitor computes the data flow rate
+ of the currently highlighted TCP flow and displays it on the lower-right
+ corner of the screen. The flow rate is in kilobits or kilobytes per
+ second depending on the <emphasis>Activity mode</emphasis> switch
+in the <emphasis><link linkend="config">Configure...</link></emphasis> menu.
+</para>
+<para>
+ Because this monitoring system relies solely on packet information, it
+ does not determine which endpoint initiated the connection. In other
+ words, it does not know which endpoints are the client and server.
+ This is necessary because it can operate in promiscuous
+ mode, and as such cannot determine the socket statuses for other
+ machines on the LAN. However, a little knowledge of the well-known TCP
+port numbers can give a good idea about which address is that of the server.
+</para>
+<para>
+ The system therefore displays two entries for each connection, one for
+ each direction of the TCP connection. To make it easier to determine the
+ direction pairs of each connection, a bracket is used to "join" both
+ together. This bracket appears at the leftmost part of each entry.
+</para>
+<para>
+ Just because a host entry appears at the upper end of a
+ connection bracket doesn't mean it was the initiator of the connection.
+</para>
+<para>
+ Each entry in the window contains these fields:
+</para>
+
+<variablelist>
+<varlistentry>
+<term><emphasis role="bold">Source address and port</emphasis></term>
+<listitem><para>
+ The source address and port indicator is
+in <replaceable>address</replaceable>:<replaceable>port</replaceable> format.
+ This indicates the source machine and TCP port on that machine
+ from which this data is coming.
+</para>
+<para>
+ The destination is the host:port at the other end of the bracket.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><emphasis role="bold">Packet count</emphasis></term>
+<listitem><para>
+ The number of packets received for this direction of the TCP connection
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><emphasis role="bold">Byte count</emphasis></term>
+<listitem><para>
+ The number of bytes received for this direction
+ of the TCP connection. These bytes include total IP and TCP header
+ information, in addition to the actual data. Data link
+ header (e.g. Ethernet and FDDI) data are not included.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><emphasis role="bold">Source MAC address</emphasis></term>
+<listitem><para>
+ The address of the host on your local LAN that delivered this packet.
+ This can be viewed by pressing M once if <emphasis>Source MAC
+addrs</emphasis> in traffic
+ monitor is enabled in the <emphasis><link linkend="config">Configure...</link></emphasis> menu.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><emphasis role="bold">Packet Size</emphasis></term>
+<listitem><para>
+ The size of the most recently received packet. This item
+ is visible if you press M for more TCP information. This is the size
+ of the IP datagram only, not including the data link header.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><emphasis role="bold">Window Size</emphasis></term>
+<listitem><para>
+ The advertised window size of the most recently received packet. This
+ item is visible if you press M for more TCP information.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><emphasis role="bold">Flag statuses</emphasis></term>
+<listitem><para>
+ The flags of the most recently received packet.
+
+<variablelist>
+<varlistentry>
+<term><computeroutput>S</computeroutput></term>
+<listitem><para>
+ SYN.
A synchronization is taking place in preparation for
+ connection establishment. If only an <computeroutput>S</computeroutput>
+ is present (<computeroutput>S---</computeroutput>) the source is trying
+ to initiate a connection. If an <computeroutput>A</computeroutput> is
+ also present (<computeroutput>S-A-</computeroutput>), this is an
+ acknowledgment of a previous connection request, and is responding.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><computeroutput>A</computeroutput></term>
+<listitem><para>
+ ACK. This is an acknowledgment of a previously received packet
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>P</computeroutput></term>
+<listitem><para>
+ PSH. A request to push all data to the top of the receiving queue
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>U</computeroutput></term>
+<listitem><para>
+ URG. This packet contains urgent data
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>RESET</computeroutput></term>
+<listitem><para>
+ RST. The source machine indicated in this direction reset the entire connection. The direction entries for reset connections become available for new connections.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>DONE</computeroutput></term>
+<listitem><para>
+ The connection is done sending data in this direction, and has sent a FIN (finished) packet, but has not yet been acknowledged by the other host.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>CLOSED</computeroutput></term>
+<listitem><para>
+ The FIN has been acknowledged by the other host. When both directions of a connection are marked CLOSED, the entries they occupy become available for new connection entries.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><computeroutput>-</computeroutput></term>
+<listitem><para>
+ The flag is not set
+</para></listitem>
+</varlistentry>
+</variablelist>
+</para></listitem>
+</varlistentry>
+</variablelist>
+
+<para>
+ Some other pieces of information can be viewed as well. The M key
+ displays more TCP information. Pressing M once
+ displays the MAC addresses of the LAN hosts
+ that delivered the packets (if the <emphasis>Source MAC addrs in traffic
+monitor</emphasis>
+ option is enabled in the <emphasis><link linkend="config">Configure...</link></emphasis>
+menu). <computeroutput>N/A</computeroutput> is displayed if
+ no packets have been received from the source yet, or if the interface
+ doesn't support MAC addresses (such as PPP interfaces).
+</para>
+<para>
+ If the <emphasis>Source MAC addrs in traffic monitor</emphasis> option is not enabled,
+ pressing M simply toggles between the counts and the packet and window
+ sizes.
+</para>
+<para>
+ By default, only IP addresses are displayed, but if you have access to a
+ name server or host table, you may enable reverse lookup for the
+ IP addresses. Just enable reverse lookup
+in the <emphasis><link linkend="config">Configure...</link></emphasis> menu.
+</para>
+
+<sidebar>
+<title>The rvnamed Process</title>
+<para>
+ The IP traffic monitor starts a daemon called
+ <command>rvnamed</command> to help speed
+ up reverse lookups without sacrificing too much keyboard control and
+ accuracy of the counts. While reverse lookup is being conducted in the
+ background, IP addresses will be used until the resolution is complete.
+</para>
+<para>
+ If for some reason <command>rvnamed</command> cannot start (probably due to
+ improper installation or lack of memory), and you are
+ on the Internet, and you enable reverse lookup, your
+ keyboard control can become very slow.
This is because the standard
+ lookup functions do not return until they have completed their
+ tasks, and it can take several seconds for a name resolution
+ in the foreground to complete.
+</para>
+<para>
+ <command>rvnamed</command> will spawn up to 200 children to process reverse DNS queries.
+</para>
+</sidebar>
+
+<tip>
+<title>Tip</title>
+<para>If you notice unusual SYN activity (too many
+initial (<computeroutput>S---</computeroutput>) but frozen SYN entries, or rapidly
+increasing initial SYN packets for a single connection), you may
+be under a SYN flooding attack or TCP port scan. Apply appropriate measures, or the
+targeted machines may begin denying network services.
+</para>
+</tip>
+
+<para>
+ Entries not updated within a user-configurable amount of
+ time may get replaced with new connections. The default time is 15
+ minutes. This is regardless of whether the connection is closed or
+ not. (Some unclosed connections may be due to extremely slow links
+ or crashes at either end of the connection.) This figure can be changed
+ at the <emphasis><link linkend="config">Configure...</link></emphasis> menu.
+</para>
+<para>
+ Some early entries may have a > symbol in front of its packet
+ count. This means the connection was already established
+ when the monitor started. In other words, the figures indicated do not
+ reflect the counts since the start
+ of the TCP connection, but rather, since the start of the traffic
+ monitor. Eventually, these > entries will close (or time out) and
+ disappear. TCP entries without the >
+ were initiated after the traffic monitor started, and the counts
+ indicate the totals of the connection itself. Just consider entries
+ with > partial.
+</para>
+<para>
+ Some > entries may go idle if the traffic monitor was started
+ when these connections were already half-closed (FIN sent
+ by one host, but data still being sent by the other).
This
+ is because the traffic monitor cannot determine if a
+ connection was already half-closed when it started. These entries will
+ eventually time out. (To minimize these entries, an entry is not added
+ by the monitor until a packet with data or a SYN packet is received.)
+</para>
+<para>
+ Direction entries also become available for reuse if an ICMP Destination
+ Unreachable message is received for the connection.
+</para>
+<para>
+ The lower part of the screen contains a summary line showing the IP,
+ TCP, UDP, ICMP, and non-IP byte counts since the start of the
+ monitor. The IP, TCP, UDP, and ICMP counts include only the IP
+ datagram header and data, not the data-link headers. The
+ non-IP count includes the data-link headers.
+</para>
+
+<note>
+<title>
+ Technical note: IP Forwarding and Masquerading
+</title>
+<para>
+ Previous versions of IPTraf issued a warning if the kernel had
+ IP masquerading enabled due to the way the
+ kernel masqueraded and translated the IP addresses. The new kernels no
+ longer do it as before and IPTraf now gives output properly on
+ masquerading machines. The <computeroutput>-q</computeroutput> parameter is no
+ longer required to suppress the warning screen.
+</para>
+<para>
+ On forwarding (non-masquerading)
+ machines packets and TCP connections simply appear twice, one
+ each for the incoming and outgoing interfaces if all interafaces
+ are being monitored.
+</para>
+<para>
+ On masquerading machines, packets and connections from the
+ internal network to the external network also appear
+ twice, one for the internal and external interface. Packets coming
+ from the internal network will be indicated as coming from the internal
+ IP address that sourced them, and also as coming from the IP address
+ of the external interface on your masquerading machine.
In much the same
+ way, packets coming in from the external network will look
+ like they're destined for the external interface's IP address, and again
+ as destined for the final host on the internal network.
+</para>
+</note>
+
+<sect2>
+ <title>Closed/Idle/Timed Out Connections</title>
+<para>
+ A TCP connection entry that closes, gets reset, or stays idle too long
+ normally gets replaced with new connections. However,
+ if there are too many of these, active connections may become
+ interspersed among closed, reset, or idle entries.
+</para>
+<para>
+ IPTraf can be set to automatically remove all closed, reset, and
+ idle entries with the <emphasis>TCP closed/idle
+ persistence...</emphasis> configuration option. You can also press the F key to
+ immediately clear them at any time.
+</para>
+
+<note>
+ <title>Note</title>
+<para>
+The <emphasis>TCP timeout...</emphasis> option only tells
+IPTraf how long it should take before a connection should be considered
+idle and open to replacement by new connections. This
+does not determine how long it remains on-screen. The <emphasis>TCP closed/idle
+persistence...</emphasis> parameter flushes entries that have been idle for the
+number of minutes defined by the <emphasis>TCP timeout...</emphasis> option.
+</para> </note>
+</sect2>
+<sect2>
+<title>Sorting TCP Entries</title>
+<para>
+ The TCP connection entries can be sorted by pressing the S key, then
+ by selecting a sort criterion. Pressing S will display a box showing the
+ available sort criteria. Press P to sort by packet count, B to sort by
+ byte count. Pressing any other key cancels the sort.
+</para>
+<para>
+ The sort operation compares the larger values in each connection entry
+ pair and sorts the counts in descending order.
+</para>
+<para>
+ Over time, the entries will go out of order as counts proceed at varying
+ rates. Sorting is not done automatically so as not to degrade performance
+and accuracy.
+</para>
+<figure>
+<title>The IP traffic monitor sort criteria</title>
+<graphic format="png" fileref="iptraf-iptmsort">
+</figure>
+</sect2>
+</sect1>
+<sect1 id="lowerwin">
+<title>Lower Window</title>
+<para>
+ The lower window displays information about the other types of traffic
+ on your network. The following protocols are detected internally:
+</para>
+<itemizedlist spacing="compact">
+<listitem><para>User Datagram Protocol (UDP)</para></listitem>
+
+<listitem><para>Internet Control Message Protocol (ICMP)</para></listitem>
+
+<listitem><para>Open Shortest-Path First (OSPF)</para></listitem>
+
+<listitem><para>Interior Gateway Routing Protocol (IGRP)</para></listitem>
+
+<listitem><para>Interior Gateway Protocol (IGP)</para></listitem>
+
+<listitem><para>Internet Group Management Protocol (IGMP)</para></listitem>
+
+<listitem><para>General Routing Encapsulation (GRE)</para></listitem>
+
+<listitem><para>Layer 2 Tunneling Protocol (L2TP)</para></listitem>
+
+<listitem><para>IPSec AH and ESP protocols (IPSec AH and IPSec ESP)</para></listitem>
+
+<listitem><para>Address Resolution Protocol (ARP)</para></listitem>
+
+<listitem><para>Reverse Address Resolution Protocol (RARP)</para></listitem>
+</itemizedlist>
+
+<para>
+ Other IP protocols are looked up from the <filename>/etc/services</filename>
+ file. If <filename>/etc/services</filename> doesn't contain information about
+ that protocol, the protocol number is indicated.
+</para>
+<para>
+ Non-IP packets are indicated as
+<computeroutput>Non-IP</computeroutput> in the lower window.
+</para>
+
+<note>
+<title>Note</title>
+<para>The source and destination addresses for ARP and
+RARP entries are MAC addresses.
+</para>
+<para>
+ Strictly speaking, ARP and RARP packets aren't IP packets, since
+ they are not encapsulated in an IP datagram. They're
+ just indicated because they are integral to proper IP operation on LANs.
+</para>
+</note>
+
+<para>
+ For all packets in the lower window, only the first IP fragment is
+ indicated (since that contains the header
+ of the IP-encapsulated protocol) but with no further information
+ from the encapsulated protocol.
+</para>
+<para>
+UDP packets are also displayed
+in
+<computeroutput><replaceable>address</replaceable>:<replaceable>port</replaceable>
+</computeroutput> format while ICMP entries also contain the
+ICMP message type. For easier location, each type of protocol
+is color-coded (only on color terminals such as the Linux console).
+</para>
+
+<variablelist>
+<varlistentry><term>UDP</term><listitem><para>Red on White</para></listitem></varlistentry>
+<varlistentry><term>ICMP</term><listitem><para>Yellow on Blue</para></listitem></varlistentry>
+<varlistentry><term>OSPF</term><listitem><para>Black on Cyan</para></listitem></varlistentry>
+<varlistentry><term>IGRP</term><listitem><para>Bright white on Cyan</para></listitem></varlistentry>
+<varlistentry><term>IGP</term><listitem><para>Red on Cyan</para></listitem></varlistentry>
+<varlistentry><term>IGMP</term><listitem><para>Bright green on Blue</para></listitem></varlistentry>
+<varlistentry><term>GRE</term><listitem><para>Blue on white</para></listitem></varlistentry>
+<varlistentry><term>ARP</term><listitem><para>Bright white on Red</para></listitem></varlistentry>
+<varlistentry><term>RARP</term><listitem><para>Bright white on Red</para></listitem></varlistentry>
+<varlistentry><term>Other IP</term><listitem><para>Yellow on red</para></listitem></varlistentry>
+<varlistentry><term>Non-IP</term><listitem><para>Yellow on Red</para></listitem></varlistentry>
+</variablelist>
+
+<para>
+ The lower window can hold up to 512 entries. You can
+ scroll the lower window by using the W key to move the Active indicator
+ to it, and by using the Up and Down cursor keys.
The lower
+ window automatically scrolls every time a new entry is added, and either
+ the first entry or last entry is visible. Upon reaching 512 entries, old
+ entries are thrown out as new entries are added.
+</para>
+<para>
+ Some entries may be too long to completely fit in a screen line. You can
+ use the Left and Right cursor keys to vertically scroll the lower window
+ when it is marked <computeroutput>Active</computeroutput>. If your
+terminal can be resized (e.g. xterm), you may do so before starting
+IPTraf.
+</para>
+<para>
+ Entries for packets received on LAN interfaces also include the
+ source MAC address of the LAN host which delivered it. This behavior
+ is enabled by turning on the Source MAC addrs in traffic monitor toggle
+ in the <emphasis><link linkend="config">Configure...</link></emphasis> menu.
+</para>
+
+<sect2>
+<title>Entry Details</title>
+<para>
+ In general, the entries in the lower window indicate the protocol, the
+ IP datagram size (full frame size for non-IP, including ARP and
+ RARP), the source address, the destination
+ address, and the network interface the packet was detected on.
+ However, some protocols have a little more information.
+</para>
+<sect3>
+<title>ICMP</title>
+<para>
+ ICMP entries are displayed in this format:
+</para>
+<synopsis>
+ICMP <replaceable>type</replaceable> [(<replaceable>subtype</replaceable>)] (<replaceable>size</replaceable> bytes) from <replaceable>source</replaceable> to <replaceable>destination</replaceable>
+[(src HWaddr <replaceable>srcMACaddress</replaceable>)] on <replaceable>interface</replaceable>
+</synopsis>
+<para>
+ where type could be any of the following:
+</para>
+
+<variablelist>
+<varlistentry>
+<term><computeroutput>echo req, echo rply</computeroutput></term>
+<listitem><para>
+ ICMP echo request and reply. Usually used by the ping program and other network monitoring and diagnostic program.
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>dest unrch</computeroutput></term>
+<listitem><para>
+ ICMP destination unreachable. Something failed to reach its target. The dest unreach type is supplemented with a further indicator of the problem. Destination unreachable messages for TCP traffic causes the corresponding TCP entry in the upper
+ window to be made available for reuse by new connections.
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>redirct</computeroutput></term>
+<listitem><para>
+ ICMP redirect. Usually generated by a router to tell a host that a better gateway is available.
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>src qnch</computeroutput></term>
+<listitem><para>
+ The ICMP source quench is used to stop a host from transmitting. It's a
+flow control mechanism for IP.
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>time excd</computeroutput></term>
+<listitem><para>
+ Indicates a packet's time-to-live value expired before it got
+to its destination. Mostly happens if a destination is too far away.
+Also used by the traceroute program.
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>router adv</computeroutput></term>
+<listitem><para>
+ ICMP router advertisement
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>router sol</computeroutput></term>
+<listitem><para>
+ ICMP router solicitation
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>timestmp req</computeroutput></term>
+<listitem><para>
+ ICMP timestamp request
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>timestmp rep</computeroutput></term>
+<listitem><para>
+ ICMP timestamp reply
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>info req</computeroutput></term>
+<listitem><para>
+ ICMP information request
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>info rep</computeroutput></term>
+<listitem><para>
+ ICMP information reply
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>addr mask req</computeroutput></term>
+<listitem><para>
+ ICMP address mask request
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>addr mask rep</computeroutput></term>
+<listitem><para>
+ ICMP address mask reply
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>param prob</computeroutput></term>
+<listitem><para>
+ ICMP parameter problem
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>bad/unknown</computeroutput></term>
+<listitem><para>
+ An unrecognized ICMP packet was received, or the packet is corrupted.
+</para></listitem></varlistentry>
+</variablelist>
+<para>
+ The destination unreachable message also includes information on the
+ type of error encountered.
Here are the destination unreachable codes:
+</para>
+
+<variablelist>
+<varlistentry>
+<term><computeroutput>ntwk</computeroutput></term>
+<listitem><para>
+ network unreachable
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>host</computeroutput></term>
+<listitem><para>
+ host unreachable
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>proto</computeroutput></term>
+<listitem><para>
+ protocol unreachable
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>port</computeroutput></term>
+<listitem><para>
+ port unreachable
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>pkt fltrd</computeroutput></term>
+<listitem><para>
+ packet filtered (normally by an access rule on a router or firewall)
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>DF set</computeroutput></term>
+<listitem><para>
+ the packet has to be fragmented somewhere, but its don't fragment
+ (DF) bit is set.
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>src rte fail</computeroutput></term>
+<listitem><para>
+ source route failed
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>src isltd</computeroutput></term>
+<listitem><para>
+ source isolated (obsolete)
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>net comm denied</computeroutput></term>
+<listitem><para>
+ network communication denied
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>host comm denied</computeroutput></term>
+<listitem><para>
+ host communication denied
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>net unrch for TOS</computeroutput></term>
+<listitem><para>
+ network unreachable for specified IP type-of-service
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>host unrch for TOS</computeroutput></term>
+<listitem><para>
+ host unreachable for specified IP type-of-service
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>prec violtn</computeroutput></term>
+<listitem><para>
+ precedence violation
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>prec cutoff</computeroutput></term>
+<listitem><para>
+ precedence cutoff
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>dest net unkn</computeroutput></term>
+<listitem><para>
+ destination network unknown
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>dest host unkn</computeroutput></term>
+<listitem><para>
+ destination network unknown
+</para></listitem></varlistentry>
+</variablelist>
+
+<para>
+ For more information on ICMP, see RFC 792.
+</para>
+</sect3>
+
+<sect3>
+<title>OSPF</title>
+
+<para>
+OSPF messages also include a little more information.
The format of an
+OSPF message in the window is:
+</para>
+
+<synopsis>
+OSPF <replaceable>type</replaceable> (a=<replaceable>area</replaceable> r=<replaceable>router</replaceable>) (<replaceable>size</replaceable>bytes) from <replaceable>source</replaceable> to <replaceable>destination</replaceable>
+[(src HWaddr <replaceable>srcMACaddress</replaceable>)] on <replaceable>interface</replaceable>
+</synopsis>
+
+<para>
+ The type can be one of the following:
+</para>
+
+<variablelist>
+<varlistentry>
+<term><computeroutput>hlo</computeroutput></term>
+<listitem><para>
+ OSPF hello. Hello messages establish OSPF communications and keep routers informed of each other's presence.
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>DB desc</computeroutput></term>
+<listitem><para>
+ OSPF Database Description
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>LSR</computeroutput></term>
+<listitem><para>
+ OSPF Link State Request
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>LSU</computeroutput></term>
+<listitem><para>
+ OSPF Link State Update. Messages indicating the states of the OSPF network links
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>LSA</computeroutput></term>
+<listitem><para>
+ OSPF Link State Acknowledgment
+</para></listitem></varlistentry>
+</variablelist>
+<para>
+ The entries in parentheses:
+</para>
+<variablelist>
+<varlistentry>
+<term><computeroutput>a=<replaceable>area</replaceable></computeroutput></term>
+<listitem><para>
+ The area number of the OSPF message
+</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>r=<replaceable>router</replaceable></computeroutput></term>
+<listitem><para>
+ The IP address of the router that generated the message. It
+ is not necessarily the same as the source address
+ of the encapsulating IP packet.
+</para></listitem></varlistentry>
+</variablelist>
+
+<para>
+ Many times, the destination addresses for OSPF packets are class D
+ multicast addresses in standard dotted decimal notation or (if reverse
+ lookup is enabled), hosts under the <computeroutput>MCAST.NET</computeroutput> domain. Such multicast
+ addresses are defined as follows:
+</para>
+
+<variablelist>
+<varlistentry>
+<term><computeroutput>224.0.0.5 (OSPF-ALL.MCAST.NET)</computeroutput></term>
+<listitem><para>OSPF all routers</para></listitem></varlistentry>
+<varlistentry>
+<term><computeroutput>224.0.0.6 (OSPF-DSIG.MCAST.NET)</computeroutput></term>
+<listitem><para>OSPF all designated routers</para></listitem></varlistentry>
+</variablelist>
+
+<para>
+ See RFC 1247 for details on the OSPF protocol.
+</para>
+</sect3>
+</sect2>
+</sect1>
+<sect1>
+<title>Additional Information</title>
+<para>
+ When started from the main menu and logging is enabled, the IP traffic
+ monitor prompts you for a log file name. The default name is
+<filename>ip_traffic-<replaceable>n</replaceable>.log (where
+<replaceable>n</replaceable></filename> is what
+ instance of the traffic monitor this is (1, 2, 3, and so on). (e.g. if
+ this is the first instance, the default file name will
+ be <filename>ip_traffic-1.log</filename>.)
+</para>
+<para>
+ When started with the <computeroutput>-i</computeroutput> parameter,
+ the log filename can be specified with the <computeroutput>-L</computeroutput>
+ parameter. See the <link linkend="cmdline">Command-line Parameters</link>
+ section above for more information.
+</para>
+<para>
+On busy networks, the display may become cluttered with traffic you're not
+interested in. To control the traffic monitor's output, you can apply a
+<emphasis>filter</emphasis>. See Chapter 7, <link
+linkend="filters">Filters</link> for more information on IPTraf's filters.
+</para>
+<para>
+ At any time, you can press X or Q to return to the main menu (or back to
+ the shell if the monitor was started with <command>iptraf -i</command>).
+</para>
+</sect1>
+</chapter>
+
+<chapter id="netstats">
+<title>Network Interface Statistics</title>
+<para>
+There are two network interface
+statistics facilities: the general interface statistics, which
+displays a statistical summary of all attached interfaces, and the
+detailed interface statistics, which shows more statistical and
+load information about a single selected interface.
+</para>
+<sect1 id="genstats">
+
+<title>General Interface Statistics</title>
+<para>
+ The second menu option displays a list of
+ attached network interfaces, and some general
+ packet counts. Specifically, it displays counts of IP, non-IP, and bad
+ IP packets (packets with IP checksum errors). It also includes an
+ activity indicator, which shows the number of kilobits and packets the
+ interface sees per second. All figures are for incoming and outgoing
+ packets. (Again, considering promiscuous
+ mode for LAN interfaces, which simply causes the machine
+ to intercept all packets). This is useful for general monitoring
+ of all attached interfaces. If byte counts and
+ additional information are needed for a specific interface, the <emphasis>Detailed
+ interface statistics</emphasis> option is also available.
+</para>
+<para>
+ The activity indicators can be toggled between kbits/s and kbytes/s with
+ the <emphasis>Activity mode</emphasis> configuration option.
+</para>
+<para>
+ The general statistics window will dynamically add new entries
+ as packets from newly-created interfaces (e.g. new PPP interfaces) are
+ intercepted. Long lists can be scrolled with the Up, Down, PgUp, and
+ PgDn keys.
+</para>
+<para>
+This monitor is affected by IPTraf's <link
+linkend="filters">filters</link> as described in Chapter 7.
+</para>
+<para>
+ Copies of the statistics are written to the log file
+ <filename>iface_stats_general.log</filename> at regular intervals if logging is
+ enabled. See the <emphasis>Logging</emphasis>
+option int the <link linkend="config">Configuration</link> chapter.
+</para>
+<para>
+ This facility can be started directly from the command line with the
+ <command>-g</command> option to the <command>iptraf</command> command.
+ When started from the command line, the log filename and log interval can be
+ specified with the <computeroutput>-L</computeroutput> and <computeroutput>-I</computeroutput>
+ parameters respectively. See the <link linkend="cmdline">Command-line Parameters</link>
+ section above for more information.
+</para>
+<figure>
+<title>The general interface statistics screen</title>
+<graphic format="png" fileref="iptraf-gstat1">
+</figure>
+<para>
+ You can press X or Q to return to the main menu.
+</para>
+</sect1>
+<sect1 id="detstats">
+<title>Detailed Interface Statistics</title>
+<para>
+ The third menu option displays packet statistics for any
+ selected interface. It provides basically the same information
+ as the <emphasis>General interface statistics</emphasis>
+ option, with additional details.
+ This facility provides the following information:
+</para>
+<itemizedlist spacing="compact" mark="bullet">
+<listitem><para>
+ Total packet and byte counts
+</para></listitem>
+<listitem><para>
+ IP packet and byte counts
+</para></listitem>
+<listitem><para>
+ TCP packet and byte counts
+</para></listitem>
+<listitem><para>
+ UDP packet and byte count
+</para></listitem>
+<listitem><para>
+ ICMP packet and byte counts
+</para></listitem>
+<listitem><para>
+ Other IP-type packet and byte counts
+</para></listitem>
+<listitem><para>
+ Non-IP packet and byte counts
+</para></listitem>
+<listitem><para>
+ Checksum error count
+</para></listitem>
+<listitem><para>
+ Interface activity
+</para></listitem>
+<listitem><para>
+ Broadcast packet and byte counts
+</para></listitem>
+</itemizedlist>
+<para>
+ All IP byte counts (IP, TCP, UDP, ICMP, other IP) include IP header data
+ and payload. The data link header is not included. The full frame length
+ (including data-link header) is included in the non-IP and Total
+ byte count. All data-link headers are also included in the Total byte
+ counts.
+</para>
+<figure>
+<title>The detailed interface statistics screen</title>
+<graphic format="png" fileref="iptraf-dstat1">
+</figure>
+<para>
+ The upper portion of the screen
+ contains the packet and byte counts for all IP and
+ non-IP packets intercepted on the interface. The lower portion
+ contains the total, incoming, and outgoing interface data rates.
+</para>
+<para>
+ This facility also displays incoming and outgoing counts and data rates.
+ The packet size breakdown in versions prior to 2.0.0 has been moved
+ to its own facility under <emphasis>Statistical breakdowns.../By packet
+ size</emphasis> as described in <link linkend="pktsize">Chapter 5</link>.
+</para>
+<para>
+ An outgoing packet is one that exits your interface, regardless
+ of whether it originated from your machine or came
+ from another machine and was routed through yours.
An incoming packet is
+ one that enters your interface, either addressed
+ to you directly, broadcast, multicast, or captured promiscuously.
+</para>
+<para>
+ The rate indicators can be set to display kbits/s or kbytes/s with the
+ <emphasis>Activity mode</emphasis> configuration option.
+</para>
+
+<note>
+ <title>Note</title>
+ <para>
+ Buffering and some other factors may affect the data rates, notably
+ the outgoing rate, causing it to reflect a higher figure than the actual
+ rate at which the interface is sending.
+</para>
+</note>
+<para>
+ The figures are logged at regular intervals if logging is enabled. The
+ default log file name at the prompt is
+ <filename>iface_stats_detailed-<replaceable>iface</replaceable>.log</filename>
+ where iface is the selected interface for this session (for example,
+ <filename>iface_stats_detailed-eth0.log</filename>).
+</para>
+<para>
+ If you wish to start this facility directly
+ from the command line, you can specify the
+<computeroutput>-d</computeroutput> parameter and an interface
+ to monitor. For example,
+</para>
+<synopsis>
+iptraf -d eth0
+</synopsis>
+<para>
+ starts the statistics for <filename>eth0</filename>. The interface must be specified, or
+ IPTraf will not start the facility.
+</para>
+<para>
+ When started from the command line, the log filename and log interval can be
+ specified with the <computeroutput>-L</computeroutput> and <computeroutput>-I</computeroutput>
+ parameters respectively. See the <link linkend="cmdline">Command-line Parameters</link>
+ section above for more information.
+</para>
+<note>
+ <title>Note</title>
+ <para>
+ In both the general and detailed statistics screens, as well as
+ in the IP traffic monitor, the packet counts are for
+ actual network packets (layer 2), not the logical IP packets (layer 3)
+ that may be reconstructed after fragmentation.
That means, if a
+ packet was fragmented into four pieces, and these four fragments pass
+ over your interface, the packet counts will indicate four separate
+ packets.
+ </para>
+</note>
+<para>
+ The figure for the IP checksum errors is a packet count only, because the
+ corrupted IP header cannot be relied upon to give a correct IP
+ packet length value.
+</para>
+<para>
+ This facility's output is also affected by IPTraf's <link
+linkend="filters">filters</link>. See Chapter 7 for more information
+on filters.
+</para>
+<para>
+ Pressing X or Q takes you back to the main menu (if this
+ facility was started with the command-line option, X or Q drops you back
+ to the shell).
+</para>
+</sect1>
+</chapter>
+
+<chapter id="statbreakdowns">
+<title>Statistical Breakdowns</title>
+<para>
+ Statistical breakdowns contain two facilities that break
+ down traffic counts by either packet size or TCP/UDP port.
+</para>
+<sect1 id="pktsize">
+<title>Packet Sizes</title>
+
+<para>
+ The packet size breakdown facility used to be incorporated
+ into the detailed interface statistics. It has since been moved
+ to its own facility. It is entered
+ by selecting <emphasis>Statistical Breakdowns/By packet size</emphasis>.
+</para>
+<para>
+ The packet size breakdown takes the interface's Maximum Transmission
+ Unit (MTU) size and divides it into 20 brackets, each bracket
+ containing a range of sizes. As a packet is captured, its size
+ is determined and the appropriate bracket is incremented.
+</para>
+<para>
+ This facility provides an idea as to the packet sizes passing over
+ your network, and can aid in network (re)design decisions.
+</para>
+<figure>
+<title>The packet size statistical breakdown</title>
+<graphic format="png" fileref="iptraf-pktsize">
+</figure>
+<para>
+ If logging is enabled, copies of the statistics are written at regular
+ intervals to a log file.
The default log file name
+ is
+ <filename>packet_size-<replaceable>iface</replaceable>.log</filename> where
+ <replaceable>iface</replaceable>
+ is the selected interface for this session (for example,
+ <filename>packet_size-eth0.log</filename>).
+</para>
+<para>
+IPTraf's filters do not affect this facility.
+</para>
+<para>
+ The packet size breakdown can also be invoked straight
+ from the command line by specifying the <computeroutput>-z</computeroutput> iface
+ parameter. The interface parameter is required. For example,
+ this command runs the facility on interface <filename>eth0</filename>.
+</para>
+<synopsis>
+iptraf -z eth0
+</synopsis>
+<para>
+ When started from the command line, the log filename and log interval can be
+ specified with the <computeroutput>-L</computeroutput> and <computeroutput>-I</computeroutput>
+ parameters respectively. See the <link linkend="cmdline">Command-line Parameters</link>
+ section above for more information.
+</para>
+<para>
+ To exit, press X or Ctrl+X.
+</para>
+</sect1>
+
+<sect1 id="servmon">
+<title>TCP and UDP Traffic Statistics</title>
+<para>
+ IPTraf also includes a facility that generates statistics on TCP and UDP
+ traffic. This facility displays counts of all TCP and UDP packets with
+ source or destination ports numbered less than 1024. Ports 1 to 1023 are
+ reserved for the TCP/IP application protocols (well-known ports).
+</para>
+<figure>
+<title>The TCP/UDP service monitor</title>
+<graphic format="png" fileref="iptraf-tcpudp">
+</figure>
+<para>
+ The statistics window indicates the protocol (TCP or UDP), the
+ port number, the total packets and bytes counted for this particular
+ protocol/port combination, the packets and bytes destined for that
+ protocol and port, and the packets and bytes coming
+ from that protocol and port.
+</para>
+<para>
+ Byte counts include the IP header and payload only. The data link header
+ is not included.
+</para>
+<para>
+ The protocol/port indicators are color-coded for easier identification
+ on color terminals. TCP indicators are in yellow, UDP in bright green.
+</para>
+<para>
+ Some network applications or protocols may use port numbers higher
+ than 1023. Examples
+ of these include application proxy servers (HTTP proxy servers typically
+ use values like 8000, 8080, 8888, and the like), and IRC
+ (IRC servers commonly accept connections on ports 6660 to 6669). These
+ ports are by default not included in the counts. If you do want
+ to include a higher-numbered port in the statistics, you can add
+ them yourself from the <emphasis><link linkend="config">Configure...</link>/Additional ports...</emphasis>
+ menu item. See the section below.
+</para>
+<para>
+ If logging is enabled, The statistics are also written to a log file
+ (the default name is
+<filename>tcp_udp_services-<replaceable>iface</replaceable>.log</filename>, where iface
+ is the selected interface (for example,
+<filename>tcp_udp_services-eth0.log</filename>).
+</para>
+<para>
+ IPTraf computes the total, incoming, outgoing, and data rates of the
+ protocol currently indicated by the facility's highlight bar. The data
+ rates are indicated at the bottom of the screen. If logging is
+ enabled, the average data rates since the start of the facility are
+ placed in the log file.
+</para>
+<para>
+ The Up and Down cursor keys move the highlight bar. Pressing X or Ctrl+X
+ exits and returns to the main menu (or the shell if it was started
+ from the command line).
+</para>
+
+<sect2>
+ <title>Sorting TCP/UDP Entries</title>
+<para>
+ Pressing the S key brings up a window which allows you to
+ select the field by which the entries will be sorted.
You can press R to
+ sort by port, P to sort by total packets, B to sort by total bytes, T to
+ sort by incoming packets (packets to), O to sort by incoming bytes
+ (bytes to), F to sort by outgoing packets (packets from) and M to sort
+ by outgoing bytes (bytes from). Pressing any other key cancels the sort.
+</para>
+<para>
+ Port numbers are sorted in ascending order (least first) but
+ statistics are sorted in descending order (largest counts first).
+</para>
+<para>
+ As with the IP traffic monitor, sorting is performed only with
+ this sequence. Automatic sorting is not performed so as not to
+ affect performance.
+</para>
+<figure>
+<title>The TCP/UDP monitor's sort criteria</title>
+<graphic format="png" fileref="iptraf-tcpudpsort">
+</figure>
+</sect2>
+<sect2>
+<title>Additional Information</title>
+<para>
+IPTraf's filters affect the output of this facility. See Chapter 7, <link
+linkend="filters">Filters</link> for more information about filters.
+</para>
+<para>
+ If you wish to start this facility from the command line, you can
+ use the <computeroutput>-s</computeroutput> option followed by an interface to monitor. For example,
+</para>
+<synopsis>
+iptraf -s eth0
+</synopsis>
+<para>
+ brings up this module for traffic on
+ <filename>eth0</filename>. The interface must be specified, or
+ IPTraf will drop back to the shell.
+</para>
+<para>
+ When started from the command line, the log filename and log interval can be
+ specified with the <computeroutput>-L</computeroutput> and <computeroutput>-I</computeroutput>
+ parameters respectively. See the <link linkend="cmdline">Command-line Parameters</link>
+ section above for more information.
+</para>
+</sect2>
+</sect1>
+</chapter>
+
+<chapter id="hostmon">
+<title>LAN Station Statistics</title>
+<para>
+ The LAN station monitor (Ethernet station monitor on versions prior to
+ 1.3.0) discovers MAC addresses and displays statistics on the number
+ of incoming, and outgoing packets.
It also includes figures for incoming
+ and outgoing kilobits per second for each discovered station.
+</para>
+<para>
+ The entry above each line of statistics is the station's LAN
+ type (Ethernet, PLIP, Token Ring, or FDDI) and the hardware MAC address.
+ Each statistics line consists of the following information:
+</para>
+
+<itemizedlist spacing="compact" mark="bullet">
+<listitem><para>Total packets incoming</para></listitem>
+
+ <listitem><para>IP packets incoming</para></listitem>
+
+ <listitem><para>Total bytes incoming</para></listitem>
+
+ <listitem><para>Incoming rate</para></listitem>
+
+ <listitem><para>Total packets outgoing</para></listitem>
+
+ <listitem><para>IP packets outgoing</para></listitem>
+
+ <listitem><para>Total bytes outgoing</para></listitem>
+
+ <listitem><para>Outgoing rate</para></listitem>
+</itemizedlist>
+<para>
+ The byte counts include the data link header. The activity
+ indicators can be set to display kbits/s or kbytes/s with the <emphasis>Activity
+ mode</emphasis> configuration option.
+</para>
+<para>
+ This facility works only for Ethernet, PLIP, Token Ring, and
+ FDDI frames. Loopback. ISDN, and SLIP/PPP networks are not monitored here.
+</para>
+<figure>
+<title>The LAN station monitor</title>
+<graphic format="png" fileref="iptraf-hw">
+</figure>
+<para>
+ Copies of the statistics are written to a log file at regular intervals
+ if logging is enabled. The default log file name
+ is <filename>lan_statistics-<replaceable>n</replaceable>.log</filename>, where n is the instance number of this facility
+ (for example, if this is the first instance, the generated default log
+ file name is <filename>lan_statistics-1.log</filename>).
+</para>
+<sect1 id="sortinglan">
+ <title>Sorting the LAN Station Monitor Entries</title>
+<para>
+ Press S to sort the entries. A box will pop up and display the
+ keys you can press to select the field by which the entries will
+ be sorted.
Press P to sort by total incoming packets, I to sort by
+ incoming IP packets, B to sort by total incoming bytes, K to sort
+ by total outgoing packets, O to sort by outgoing IP packets, and Y to
+ sort by total outgoing bytes. Pressing any other key cancels the sort.
+</para>
+<figure>
+<title>The LAN station monitor's sort criteria</title>
+<graphic format="png" fileref="iptraf-hwsort"
+</figure>
+<para>
+ When started from the command line, the log filename and log interval can be
+ specified with the <computeroutput>-L</computeroutput> and <computeroutput>-I</computeroutput>
+ parameters respectively. See the <link linkend="cmdline">Command-line Parameters</link>
+ section above for more information.
+</para>
+</sect1>
+<sect1 id="morelanmoninfo">
+<title>Additional Information</title>
+<para>
+ The window can be scrolled with the Up and Down cursor keys. Press X
+ or Q to return to the main menu (or the shell if this
+ facility was started with the <computeroutput>-l</computeroutput> command-line option).
+</para>
+<para>
+The output of this facility is affected by any applied IPTraf filter.
+</para>
+</sect1>
+</chapter>
+
+<chapter id="filters">
+ <title>Filters</title>
+
+<para>
+ Filters are used to control the information displayed by all facilities.
+ You may want to view statistics only on particular traffic
+ so you must restrict the information displayed. The filters also apply
+ to logging activity.
+</para>
+
+<para>
+ The IPTraf filter management system is accessible through the
+ <emphasis>Filters...</emphasis> submenu.
+</para>
+<figure>
+<title>The Filters submenu</title>
+<graphic format="png" fileref="iptraf-filtermenu">
+</figure>
+
+<sect1 id="ipfilters">
+ <title>IP Filters</title>
+
+ <para>
+ The <emphasis>Filters/IP...</emphasis> menu option
+ allows you to define a set of rules that determine what IP traffic
+ to pass to the monitors. Selecting this option pops up another menu with
+ the tasks used to define and apply custom IP filters.
+</para>
+<figure>
+<title>The IP filter menu</title>
+<graphic format="png" fileref="iptraf-ipfltmenu">
+</figure>
+<sect2>
+ <title>Defining a New Filter</title>
+<para>
+ A freshly installed program will have no filters defined, so
+ before anything else, you will have to define a filter. You can do this
+ by selecting the <emphasis>Define new filter...</emphasis> option.
+</para>
+<para>
+ Selecting this option displays a box asking you to enter a short
+ description of the filter you are going to define. Just enter any text
+ that clearly identifies the nature of the filter.
+</para>
+<figure>
+<title>The IP filter name dialog</title>
+<graphic format="png" fileref="iptraf-ipfltnamedlg">
+</figure>
+<para>
+ Press Enter when you're done with that box. As an alternative, you can
+ also press Ctrl+X to cancel the operation.
+</para>
+<sect3>
+<title>The Filter Rule Selection Screen</title>
+<para>
+After you enter the filter's description, you will be taken to a blank
+rule selection box. At this screen you manage the various rules you
+define for this filter. You can opt to insert, append, edit, or delete
+rules.
+</para>
+<figure>
+<title>The filter rule selection screen. Selecting an entry
+displays that set for editing</title>
+<graphic format="png" fileref="iptraf-ipfltlist">
+</figure>
+<para>
+Any rules defined will appear here. You will see the
+source and destination
+addresses, masks and ports (long addresses and masks may
+be truncated) and whether this rule includes or excludes matching
+packets.
+</para>
+<para>Between the source and destination parameters is an arrow that
+indicates whether the rule matches packets (single-headed) only exactly or whether
+it matches packets flowing in the opposite direction (double-headed).
+</para>
+<para>
+At this screen, press I to insert at the current position of the selection
+bar, A to append a rule to the end of the list, Enter to
+edit the highlighted rule and D to delete the selected rule.
With
+an empty list, A or I can be used to add the first rule.
+</para>
+<para>To add the first rule, press A or I. You will then be presented with
+a dialog box that allows you to enter the rule's parameters.
+</para>
+</sect3>
+<sect3>
+<title>Entering Filter Rules</title>
+<para>
+ You can enter addresses of individual hosts, networks,
+ or a catch-all address. The nature of the address will be determined
+ by the wildcard mask.
+</para>
+<para>
+ You'll notice two sets of fields, marked <computeroutput>Source</computeroutput>
+ and <computeroutput>Destination</computeroutput>. You fill these out
+ with the information about your source and targets.
+</para>
+<para>
+ Fill out the host name or IP address of the hosts or networks in
+ the first field
+ marked <computeroutput>Host name/IP Address</computeroutput>. Enter it in
+ standard dotted-decimal notation. When done, press Tab to move to the
+ <computeroutput>Wildcard mask</computeroutput> field. The wildcard mask
+ is similar but not exactly identical to the standard IP subnet
+ mask. The wildcard mask is used to determine which bits to ignore
+ when processing the filter. In most cases, it will work very closely
+ like a subnet mask. Place ones (1) under the bits you want the filter to
+ recognize, and keep zeros (0) under the bits you want the filter
+ to ignore.
For example:
+</para>
+<para>
+To recognize the host 207.0.115.44
+</para>
+<informaltable pgwide="1" frame="none">
+<tgroup cols="2">
+<colspec colname="c1">
+<colspec colname="c2">
+<tbody>
+<row><entry>IP address</entry><entry><computeroutput>207.0.115.44</computeroutput></entry></row>
+<row><entry>Wildcard mask</entry><entry><computeroutput>255.255.255.255</computeroutput></entry></row>
+</tbody>
+</tgroup>
+</informaltable>
+<para>
+To recognize all hosts belonging to network
+202.47.132.<replaceable>x</replaceable>
+</para>
+<informaltable pgwide="1" frame="none">
+<tgroup cols="2">
+<colspec colname="c1">
+<colspec colname="c2">
+<tbody>
+<row><entry>IP address</entry><entry><computeroutput>202.47.132.0</computeroutput></entry></row>
+<row><entry>Wildcard mask</entry><entry><computeroutput>255.255.255.0</computeroutput></entry></row>
+</tbody>
+</tgroup>
+</informaltable>
+<para>
+To recognize all hosts with any address:
+</para>
+<informaltable pgwide="1" frame="none">
+<tgroup cols="2">
+<colspec colname="c1">
+<colspec colname="c2">
+<tbody>
+<row><entry>IP address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row>
+<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row>
+</tbody>
+</tgroup>
+</informaltable>
+
+<para>
+ The IP address/wildcard mask mechanism of the display filter doesn't
+ recognize IP address class. It uses a simple bit- pattern matching
+ algorithm.
+</para>
+<para>
+ The wildcard mask also does not have to end on a
+ byte boundary; you may mask right into a byte itself. For example,
+ 255.255.255.224 masks 27 bits (255 is 11111111, 224 is 11100000 in
+ binary).
+</para>
+<para>
+ IPTraf also accepts host names in place of the IP addresses. IPTraf will
+ resolve the host name when the filter is loaded. When the filter
+ is interpreted, the wildcard mask will also be applied. This can be
+ useful in cases where a single host name may resolve to several IP
+ addresses.
+</para> + +<tip> <title>Tip</title> + <para> See the <emphasis>Linux Network Administrator's Guide</emphasis> + if you need more information on IP addresses and subnet masking. +</para> +</tip> + +<tip><title>Tip</title> +<para> +IPTraf allows you to specify the wildcard mask in Classless Interdomain Routing +(CIDR) format. This format allows you to specify the number of 1-bits that +mask the address. CIDR notation is the form +<emphasis><computeroutput>address/bits</computeroutput></emphasis> where the +<emphasis><computeroutput>address</computeroutput></emphasis> is the IP +address or host name and +<emphasis><computeroutput>bits</computeroutput></emphasis> is the number of +1-bits in the mask. For example, if you want to mask 10.1.1.0 with +<computeroutput>255.255.255.0</computeroutput>, note that +<computeroutput>255.255.255.0</computeroutput> has 24 1-bits, so instead +of specifying <computeroutput>255.255.255.0</computeroutput> in the wildcard +mask field, you can just enter <computeroutput>10.1.1.0/24</computeroutput> +in the address field. IPTraf will translate the mask bits into an +appropriate wildcard mask and fill in the mask field the next time you edit +the filter rule. +</para> +<para> +If you specify the mask in CIDR notation, leave the wildcard mask fields +blank. If you fill them up, the wildcard mask fields will take precedence. +</para> +</tip> + +<para> + The <computeroutput>Port</computeroutput> fields should contain a + port number or range of any TCP or UDP service you may be + interested in. If you want to match only a single port number, fill + in the first field, while leaving the second blank or set to zero. + Fill in the second field if you want to match a range of ports (e.g. 80 to + 90). + Leave the first field blank or set to zero to let the filter ignore + the ports altogether. 
+ You will most likely be interested in target ports rather than source ports + (which are usually unpredictable anyway, perhaps with the exception + of FTP data). +</para> +<para> +Non-TCP and non-UDP packets are not affected by these fields, and these +are used only when filtering TCP or UDP packets. +</para> +<para> + Fill out the second set of fields with the parameters of the + opposite end of the connection. +</para> +<tip> +<title>Tip</title> +<para> +Any address or mask fields left blank default to +0.0.0.0 while blank +<computeroutput>Port</computeroutput> fields default to 0. +This makes it easy to define +filter rules if you're interested only in either the source or destination, +but not the other. For example, you may be interested +in traffic originating from network 61.9.88.0, in which case you just enter +the source address, mask and port +in the +<computeroutput>Source</computeroutput> fields, while leaving the +<computeroutput>Destination</computeroutput> fields blank. +</para> +</tip> +<para> +The next fields let you specify which IP-type protocols you want matched by +this filter rule. Any packet whose protocol's corresponding field +is marked with a <computeroutput>Y</computeroutput> is matched against the +filter's defined IP addresses and ports, otherwise +they don't pass through this filter rule. +</para> +<para> +If you want to evaluate all IP packets just mark +with <computeroutput>Y</computeroutput> the <computeroutput>All +IP</computeroutput> field. +</para> +<para> +For example, if you want to see only all TCP traffic, mark the +<computeroutput>TCP</computeroutput> field +with <computeroutput>Y</computeroutput>. +</para> +<para> +The long field marked <computeroutput>Additional +protocols</computeroutput> allows you to specify other protocols +by their IANA number. (You can view the common IP protocol number +in the <filename>/etc/protocols</filename> file). 
You can specify a list +of protocol numbers or ranges separated by commas, +Ranges have the beginning and ending protocol numbers separated with a +hyphen. +</para> +<para> +For example, to see the RSVP (46), IP mobile (55), and protocols +(101 to 104), you use an entry that looks like this: +</para> +<synopsis> +46, 55, 101-104 +</synopsis> +<para> +It's certainly possible to specify any of the protocols listed above in +this field. Entering <computeroutput>1-255</computeroutput> is +functionally identical +to marking <computeroutput>All IP</computeroutput> +with a <computeroutput>Y</computeroutput>. +</para> +<para> + The next field is marked <computeroutput>Include/Exclude</computeroutput>. + This field allows you to decide whether to include or filter out matching + packets. Setting this field to <computeroutput>I</computeroutput> causes the filter to + pass matching packets, while setting it to <computeroutput>E</computeroutput> causes + the filter to drop them. This field is set to + <computeroutput>I</computeroutput> by default. +</para> +<para> +The last field in the dialog is labeled <computeroutput>Match opposite</computeroutput>. When set +to <computeroutput>Y</computeroutput>, the filter will match packets flowing in the opposite direction. +Previous versions of IPTraf used to match TCP packets flowing in either direction, so the source +and destination address/mask/port combinations were actually interchangeable. Starting with +IPTraf 3.0, when filters extended to more than just the IP traffic monitor, this behavior is no longer +the default throughout IPTraf except in the IP traffic monitor's TCP window. +</para> +<note> +<title>Note</title> +<para> +For TCP packets, this field is used in all facilities except the IP traffic monitor. 
Because +the IP traffic monitor must capture TCP packets in both directions +to properly determine a closed connection, the filter automatically matches +packets in the opposite direction, regardless of this field's setting. However +iin all other facilities, automatic matching of the reverse packets is not performed +unless you set this field to <computeroutput>Y</computeroutput>. +</para> +<para> +Filters for UDP and other IP protocols do not automatically match packets in the opposite direction +unless you set the field to <computeroutput>Y</computeroutput>, even in the IP traffic monitor. +</para> +</note> +<para> + Press Enter to accept all parameters when done. The parameters will be + accepted and you'll be taken back to the rule selection box. You can +then add more rules by pressing A or you can insert new rules at any point +by pressing I. Should you make a mistake, you can press Enter to +edit the selected filter. You may enter + as many sets of parameters as you wish. Press Ctrl+X when done. +</para> +<note> +<title>Note</title> +<para> +Because of the major changes in the filtering system since IPTraf 2.7, +old filters will no longer work and will have to be redefined. 
+</para> +</note> +<figure> +<title>The IP filter parameters dialog</title> +<graphic format="png" fileref="iptraf-ipfltdlg"> +</figure> +</sect3> +<sect3> + <title>Examples</title> +<para> +To see all traffic to/from host 202.47.132.1 from/to 207.0.115.44, regardless of TCP port +</para> +<informaltable frame="none" pgwide="1"> +<tgroup cols="3"> +<colspec colname="c1"> +<colspec colname="c2"> +<colspec colname="c3"> +<tbody> +<row><entry>Host name/IP Address</entry><entry><computeroutput>202.47.132.2</computeroutput></entry><entry><computeroutput>207.0.115.44</computeroutput></entry></row> +<row><entry>Wildcard mask</entry><entry><computeroutput>255.255.255.255</computeroutput></entry><entry><computeroutput>255.255.255.255</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>TCP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row> +</tbody> +</tgroup> +</informaltable> + +<para> +To see all traffic from host 207.0.115.44 to all hosts +on network 202.47.132.x +</para> +<informaltable frame="none" pgwide="1"> +<tgroup cols="3"> +<colspec colname="c1"> +<colspec colname="c2"> +<colspec colname="c3"> +<tbody> +<row><entry>Host name/IP Address</entry><entry><computeroutput>207.0.115.44</computeroutput></entry><entry><computeroutput>202.47.132.0</computeroutput></entry></row> +<row><entry>Wildcard mask</entry><entry><computeroutput>255.255.255.255</computeroutput></entry><entry><computeroutput>255.255.255.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>All IP: 
Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>N</computeroutput></entry></row> +</tbody> +</tgroup> +</informaltable> + +<para> + To see all Web traffic (to and from port 80) + regardless of source or destination +</para> +<informaltable frame="none" pgwide="1"> +<tgroup cols="3"> +<colspec colname="c1"> +<colspec colname="c2"> +<colspec colname="c3"> +<tbody> +<row><entry>Host name/IP Address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>80</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>TCP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row> +</tbody> +</tgroup> +</informaltable> + +<para> + To see all IRC traffic from port 6666 to 6669 +</para> +<informaltable frame="none" pgwide="1"> +<tgroup cols="3"> +<colspec colname="c1"> +<colspec colname="c2"> +<colspec colname="c3"> +<tbody> +<row><entry>Host name/IP Address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>6666</computeroutput> +to <computeroutput>6669</computeroutput></entry></row> 
+<row><entry>Protocols</entry><entry><computeroutput>TCP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row> +</tbody> +</tgroup> +</informaltable> + +<para> + To see all DNS traffic, (TCP and UDP, destination port 53) + regardless of source or destination +</para> +<informaltable frame="none" pgwide="1"> +<tgroup cols="3"> +<colspec colname="c1"> +<colspec colname="c2"> +<colspec colname="c3"> +<tbody> +<row><entry>Host name/IP Address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Wildcard +mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>53</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>TCP: Y UDP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row> +</tbody> +</tgroup> +</informaltable> + +<para> + To see all mail (SMTP) traffic to a single host (202.47.132.2) from anywhere +</para> +<informaltable frame="none" pgwide="1"> +<tgroup cols="3"> +<colspec colname="c1"> +<colspec colname="c2"> +<colspec colname="c3"> +<tbody> +<row><entry>Host name/IP Address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>202.47.132.2</computeroutput></entry></row> +<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>255.255.255.255</computeroutput></entry></row> 
+<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>25</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>TCP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>N</computeroutput></entry></row> + +</tbody> +</tgroup> + +</informaltable> +<para> + To see traffic from from/to host sunsite.unc.edu to/from cebu.mozcom.com +</para> +<informaltable frame="none" pgwide="1"> +<tgroup cols="3"> +<colspec colname="c1"> +<colspec colname="c2"> +<colspec colname="c3"> +<tbody> +<row><entry>Host name/IP Address</entry><entry><computeroutput>sunsite.unc.edu</computeroutput></entry><entry><computeroutput>cebu.mozcom.com</computeroutput></entry></row> +<row><entry>Wildcard mask</entry><entry><computeroutput>255.255.255.255</computeroutput></entry><entry><computeroutput>255.255.255.255</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>All IP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row> +</tbody> +</tgroup> +</informaltable> +<para> + To omit display of traffic to/from 140.66.5.x from/to anywhere +</para> +<informaltable frame="none" pgwide="1"> +<tgroup cols="3"> +<colspec colname="c1"> +<colspec colname="c2"> +<colspec colname="c3"> +<tbody> +<row><entry>Host name/IP Address</entry><entry><computeroutput>140.66.5.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Wildcard 
mask</entry><entry><computeroutput>255.255.255.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>All IP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>E</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row> +</tbody> +</tgroup> +</informaltable> +<para> + You can enter as many parameters as you wish. All of them will + be interpreted until the first match is found. +</para> +</sect3> +<sect3> + <title>Excluding Certain Sites</title> +<para> + + Filters follow an implicit "no-match" policy, that is, only packets + matching defined rules will be matched, others will be filtered out. + This is similar + to the access-list policy "whatever is not explicitly permitted is + denied". If you want to show all traffic to/from everywhere, + except certain places, you can specify the sites you wish to exclude, + mark them with <computeroutput>E</computeroutput> in the <computeroutput>Include/Exclude +field</computeroutput>, and + define a general catch-all entry with source address +<computeroutput>0.0.0.0</computeroutput>, mask + <computeroutput>0.0.0.0</computeroutput>, port <computeroutput>0</computeroutput>, and destination +<computeroutput>0.0.0.0</computeroutput>, mask <computeroutput>0.0.0.0</computeroutput>, +port <computeroutput>0</computeroutput>, tagged + with an <computeroutput>I</computeroutput> +in the <computeroutput>Include/Exclude</computeroutput> field as the last entry. 
+</para> + +<para> + For example: +</para> +<para> +To see all traffic except all SMTP (both directions), Web (both directions), and traffic +(only) from 207.0.115.44 +</para> +<informaltable frame="none" pgwide="1"> +<tgroup cols="3"> +<colspec colname="c1"> +<colspec colname="c2"> +<colspec colname="c3"> +<tbody> +<row><entry>Host name/IP address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>25</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>TCP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>E</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row> +<row><entry></entry></row> +<row><entry>Host name/IP address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput> 0.0.0.0</computeroutput></entry></row> +<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>80</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>TCP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>E</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>Y</computeroutput></entry></row> +<row><entry></entry></row> +<row><entry>Host name/IP address</entry><entry><computeroutput>207.0.115.44</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Wildcard 
mask</entry><entry><computeroutput>255.255.255.255</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>All IP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>E</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>N</computeroutput></entry></row> +<row><entry></entry></row> +<row><entry>Host name/IP address</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Wildcard mask</entry><entry><computeroutput>0.0.0.0</computeroutput></entry><entry><computeroutput>0.0.0.0</computeroutput></entry></row> +<row><entry>Port</entry><entry><computeroutput>0</computeroutput></entry><entry><computeroutput>0</computeroutput></entry></row> +<row><entry>Protocols</entry><entry><computeroutput>All IP: Y</computeroutput></entry></row> +<row><entry>Include/Exclude</entry><entry><computeroutput>I</computeroutput></entry></row> +<row><entry>Match opposite</entry><entry><computeroutput>N</computeroutput></entry></row> +</tbody> +</tgroup> +</informaltable> + +<tip> + <title>Tip</title> + <para> + To filter out all TCP, define a filter with a single entry, with a source of + <computeroutput>0.0.0.0</computeroutput> mask +<computeroutput>0.0.0.0</computeroutput> port <computeroutput>0</computeroutput>, and a destination + of <computeroutput>0.0.0.0</computeroutput> mask <computeroutput>0.0.0.0</computeroutput> +port <computeroutput>0</computeroutput>, +with the <computeroutput>Include/Exclude</computeroutput> field + marked <computeroutput>E</computeroutput> (exclude). Then apply this filter. 
+</para> +</tip> +</sect3> +</sect2> +<sect2> + + <title>Applying a Filter</title> +<para> + The above steps only add the filter to a defined list. To actually apply + the filter, you must select <emphasis>Apply filter...</emphasis> from the menu. You will be + presented with a list of filters you already defined. Select the one you + want to apply, and press Enter. +</para> +<para> + The applied filter stays in effect over exits and restarts of the IPTraf program until it is detached. +</para> +</sect2> +<sect2> + <title>Editing a Defined Filter</title> +<para> + Select <emphasis>Edit filter...</emphasis> to modify an existing filter. Once you select this + option, you will be presented with the list of defined filters. + Select the filter you want to edit by moving the selection bar and press + Enter. +</para> +<para> + Edit the description if you wish. Pressing Ctrl+X at this point + will abort the operation, and the filter will remain unmodified. Press + Enter to accept any changes to the filter description. +</para> +<para> + After pressing Enter, you will see the filter's rules. To edit an + existing filter rule, move the selection bar + to the desired entry and press Enter. A prefilled dialog box + will appear. Edit its contents as desired. Press Enter to accept the + changes or Ctrl+X to discard. +</para> +<para> + You can add a new filter rule by pressing I to insert at the selection + bar's current position. When you press I, you will be presented with a + dialog box asking you to enter the new rule data. Pressing A results + in a similar operation, except the rule will be appended as the + last entry in the rule list. +</para> +<para> + Pressing D deletes the currently pointed entry. +</para> +<para> + Press X or Ctrl+X to end the edit and save the changes. +</para> + +<note> + <title>Note</title> + <para>If you're editing the currently applied filter, you will need + to re-apply the filter for the changes to take effect. 
+ </para> +</note> + + +<note> + <title>Note</title> +<para> + Be aware that the filter processes the rules in order. In other + words, if a packet matches more than one rule, only the first matching + rule is followed. +</para> +</note> +</sect2> +<sect2> + <title>Deleting a Defined Filter</title> +<para> + Select <emphasis>Delete filter...</emphasis> from the menu to remove a filter + from the list. Just move the selection bar to the filter you want to + delete, and press Enter. +</para> +</sect2> +<sect2> + <title>Detaching a Filter</title> +<para> + The <emphasis>Detach filter</emphasis> option deactivates the filter currently in + use. Selecting this option causes all TCP traffic to be passed + to the monitors. +</para> +<para> + When you're done with the menu, just select the Exit menu option. +</para> +</sect2> +</sect1> +<sect1 id="nonipfilters"> +<title>ARP, RARP, and other Non-IP Packet Filters</title> +<para> + The <emphasis>Non-IP</emphasis> filter option toggles the display and logging of all non-IP + packets, except ARP and RARP, which are toggled separately. +</para> +</sect1> +</chapter> +<chapter id="config"> +<title>Configuring IPTraf</title> + +<para> + IPTraf can be easily configured +with the <emphasis><link linkend="config">Configure...</link></emphasis> item in the + main menu. The configuration is stored in the + <filename>/var/local/iptraf/iptraf.cfg</filename> file. If the file is not found, IPTraf uses + the default settings. Any changes to the configuration immediately get + stored in the configuration file. +</para> +<figure> +<title>The IPTraf configuration menu</title> +<graphic format="png" fileref="iptraf-configmenu"> +</figure> +<sect1 id="toggles"> + <title>Toggles</title> + +<sect2> <title>Reverse DNS Lookups</title> +<para> + Activating reverse lookup + causes IPTraf to find out the name of the hosts with the addresses + in the IP packets. 
When this option is enabled, IPTraf's + IP traffic monitor starts the rvnamed DNS lookup server to help resolve + IP addresses in the background while allowing IPTraf to + continue capturing packets. +</para> +<para> + This option is off by default. +</para> +</sect2> +<sect2> + <title>TCP/UDP Service Names</title> +<para> + + This option, when on, causes IPTraf to display the TCP/UDP service names + (<computeroutput>smtp</computeroutput>, <computeroutput>www</computeroutput>, + <computeroutput>pop3</computeroutput>, etc.) instead of their numeric ports (25, 80, + 110, etc). The number-to-name mappings will depend on the systems + services database file (usually <filename>/etc/services</filename>). + Should there be no corresponding service name for the + port number, the numeric form will still be displayed. + +</para> +<para> + This setting is off by default. +</para> + +<note> + <title>Note</title> + <para> + Reverse lookup and service name lookup take some + time and may impact performance and increase the chances of dropped + packets. Performance and results are best (albeit more cryptic) with both + these settings off. +</para> +</note> +</sect2> + +<sect2> + <title>Force promiscuous</title> +<para> + + If this option is enabled, your LAN interfaces will capture all packets + on your LAN. Using this option enables you + to see all TCP connections and packets passing your LAN segment, even if + they're not from or for your machine. When this option is active + in the statistics windows, the Activity indicators will show a + good estimate of the load on your LAN segment. +</para> +<para> + When this option is disabled, you'll + only receive information about packets coming from and entering your + machine. +</para> +<para> + The setting of this option affects all LAN ( + Ethernet, FDDI, some Token Ring) interfaces on your machine, if you have more than one. 
+</para> +<para> + The interface's promiscuous flag is set only when a facility is started, + and turned off when it exits. However, if promiscuous + mode was already set when a facility was started, it remains set on exit. +</para> +<para> + If multiple instances of IPTraf are started, the promiscuous setting + is restored only upon exit of the last facility. +</para> + +<note> + <title>Note</title> +<para> + Do not use other programs that change the interface's promiscuous flag at + the same time you're using IPTraf. The programs can interfere with + each other's expected operations. While IPTraf tries to obtain the + initial setting of any promiscuous flags for restoration + upon exit, other programs may not be as well-behaved, and they may + turn off the promiscuous flags while IPTraf is still monitoring. +</para> +</note> +</sect2> +<sect2> + <title>Color</title> +<para> + Turn this on with color monitors. Turn it off with + black-and- white monitors or non-color terminals (like xterms). Changes + to this setting will take effect the next time the program is started. +</para> +<para> + Color is on by default on consoles and color xterms, off on non-color terminals like xterms and VT100s. +</para> +</sect2> +<sect2> + <title>Logging</title> +<para> + When this option is active, IPTraf will log information to a + disk file, which can be examined or analyzed later. Since IPTraf + 2.4.0, IPTraf prompts you for the name of the file to which to write the + logs. It will provide a default name, which you are free to accept + or change. The IP traffic monitor and LAN station monitor will + generate a log file name that is based on what instance they are (first, + second, and so on). The general interface statistics' default log file + name is constant, because it listens to all interfaces at once, and only + one instance can run at one time. +</para> +<para> + The other facilities generate a log file name based + on the interface they're listening on. 
+</para> +<para> + See the descriptions on the facilities above for the default log file names. +</para> +<para> + Press Enter to accept the log file name, or Ctrl+X to cancel. Canceling will turn logging off for that session. +</para> +<para> + The IP traffic monitor will write the following pieces of information to its log file: +</para> +<itemizedlist spacing="compact" mark="bullet"> + <listitem><para>Start of the traffic monitor</para></listitem> + + <listitem><para>Receipt of the first TCP packet for a connection. If that packet is a + SYN, (SYN) will be indicated in the log entry. (Of course, the traffic + monitor may start in the middle of established connections. It + will still count those packets. This also explains why some connection + entries may become idle if the traffic monitor is started in the + middle of a half-closed connection, and miss the first FIN. + Such entries time out in a while.)</para></listitem> + + <listitem><para>Receipt of a FIN (with average flow rate)</para></listitem> + + <listitem><para>ACK of a FIN</para></listitem> + + <listitem><para>Timeouts of TCP entries (with average flow rate)</para></listitem> + + <listitem><para>Reset connections (with average flow rate)</para></listitem> + + <listitem><para>Everything that appears in the bottom window of the traffic monitor</para></listitem> + + <listitem><para>Stopping of the traffic monitor</para></listitem> +</itemizedlist> +<para> + Each log entry includes the date and time the entry was written. Logging + is also affected by the defined filters. +</para> +<para> + Log files can grow very fast, so be prepared with plenty of + free space and delete unneeded logs. Log write errors are not indicated. +</para> +<para> + Copies of the interface statistics, TCP/UDP statistics, packet + size statistics, and LAN host statistics are also written + to the log files at regular intervals. See <emphasis>Log +Interval...</emphasis> in this chapter. 
+</para> +<para> + IPTraf closes and reopens the active log file when it receives a + <computeroutput>USR1</computeroutput> signal. This is useful in cases where a facility is run for + long periods of time but the log files have to be cleared or moved. +</para> +<para> + To clear or move an active log file, rename it first. IPTraf will + continue to write to the file despite the new name. Then use the UNIX + kill command to send the running IPTraf process a <computeroutput>USR1</computeroutput> signal. IPTraf + will then close the log file and open another with the + original name. You can then safely remove or delete the renamed file. +</para> +<para> + Do not delete an open log file. Doing so will only result in a file just + as large but filled with null characters (ASCII code 0). +</para> +<para> + Logging comes disabled by default. The <computeroutput>USR1</computeroutput> signal is caught only if + logging is enabled, it is ignored otherwise. +</para> +<para> + A valid specification of <computeroutput>-L</computeroutput> on the command line with automatically + enable logging for that particular session. The saved configuration setting is not affected. +</para> +</sect2> +<sect2> + <title>Activity mode</title> +<para> + Toggles activity indicators in the interface and LAN statistics + facilities between kilobits per second (kbits/s) or kilobytes per second + (kbytes/s). +</para> +<para> + The default setting is kilobits per second. +</para> +</sect2> +<sect2> + <title>Source MAC addrs in traffic monitor</title> +<para> + When enabled, the IP traffic monitor retrieves the packets' source MAC + addresses if they came in on an Ethernet, FDDI, or PLIP interface. The + addresses appear in the lower window for non-TCP + packets, while for TCP connections, they can be viewed by pressing M. +</para> +<para> + No such information is displayed + if the network interface doesn't use MAC addresses (such + as PPP interfaces). 
+</para> +<para> + This can be used to determine the actual source of the packets on your local LAN. +</para> +<para> + The traffic monitor also logs the MAC addresses with this option + enabled. The default setting is off. +</para> +</sect2> +</sect1> + +<sect1 id="timers"> + <title>Timers</title> +<para> + The <emphasis>Timers...</emphasis> submenu allows you to IPTraf's + interval and timeout functions. +</para> +<figure> +<title>The Timers configuration submenu</title> +<graphic format="png" fileref="iptraf-timermenu"> +</figure> +<sect2> + <title>TCP Timeout</title> +<para> + This figure determines the amount of time (in minutes) a + connection entry may remain idle before it becomes + eligible for replacement by a new connection. The default is 15 minutes. + You may want to reduce this on an isolated (not connected + to the Internet) LAN or a LAN connected to the Internet with + high-speed links. Just enter the new value and press + Enter. You can press Ctrl+X to leave the current value unchanged. +</para> +</sect2> +<sect2> +<title>Log Interval</title> +<para> + This figure determines the number of minutes between logging + of interface statistics, TCP/UDP figures, and LAN host statistics. The + default is 60 minutes. This figure is meaningless if logging is disabled. +</para> +<para> + This configuration item can be overridden with the <computeroutput>-I</computeroutput> when + a facility is directly invoked from the command line (not accessed via the main menu), and + remains effective for that particular session. The configured value is not affected. +</para> +</sect2> +<sect2> + <title>Screen Update Interval</title> +<para> + This value determines the rate in seconds at which the screen is + updated. The default is 0, which means the screen is updated as fast + as possible, giving close-to-realtime reflection + of network activity. However, this high-speed update can cause + incredible amounts of traffic if IPTraf is run on a remote + terminal (e.g. 
a Telnet or Secure Shell session). You can set this
+ to a higher value, such as 1 or 2 seconds to slow down the updates.
+</para>
+<para>
+ This figure does not affect the rate of data capture. Only the
+ screen refresh is affected. The figures are still updated as fast as
+ possible, although the figure display will no longer be as close
+ to realtime.
+</para>
+<para>
+ The default setting is 0, which shouldn't be a problem on the
+ console. Set it to a slightly higher value on remote terminals or slow
+ links. The setting affects all monitoring facilities.
+</para>
+<note>
+ <title>Note</title>
+ <para>
+ Updating the screen is one of the slowest operations in a
+ program. Older versions of IPTraf had a problem once network
+ activity became very high. Because each packet caused a screen update,
+ IPTraf began spending more time with the screen updates, causing a loss
+ of packets once network activity reached a certain point.
+</para>
+<para>
+ However, since many users like rapid counts on their screen, a
+ compromise was incorporated. Even when the screen update interval is set
+ to 0, there is still a 50ms delay between screen updates (except the LAN
+ station monitor, which has a 100 ms delay). This is still visually fast,
+ but provides more time to the packet capture routine. Higher
+ delays may result in better accuracy of counts and activity.
+</para>
+<para>
+ In any case, this setting only affects screen updates. Capture still
+ proceeds as fast as possible.
+</para>
+</note>
+</sect2>
+<sect2>
+ <title>TCP closed/idle persistence</title>
+ <para>
+ This parameter
+ determines the interval (in minutes) at which the IP Traffic Monitor
+ clears from the TCP display window all closed, idle, and timed out
+ entries. Enter <computeroutput>0</computeroutput> to keep such entries on the
+ screen indefinitely, disappearing only when replaced by new connections.
+</para>
+
+<note>
+ <title>Note</title>
+<para>
+ The <emphasis>TCP timeout...</emphasis> option
+ only tells IPTraf how long it should take before a connection should
+ be considered idle and open to replacement by new connections. This does
+ not determine how long
+ it remains onscreen. The <emphasis>TCP closed/idle
+ persistence...</emphasis>
+ parameter flushes entries that have been closed or reset, or idle for the number
+ of minutes defined by the <emphasis>TCP timeout...</emphasis> option.
+</para>
+</note>
+</sect2>
+</sect1>
+
+<sect1 id="customports">
+ <title>Custom Information</title>
+<para>
+ The remaining configuration items allow you to enter information which
+ IPTraf uses for its displays and logs.
+</para>
+<sect2>
+ <title>Additional ports</title>
+ <para>Select this item to enter a port
+ number to be included in the TCP/UDP counts in the TCP/UDP service
+ statistics main menu item described above. By default,
+ port numbers above 1023 are not monitored. If you do
+ have a higher-numbered port to monitor, enter it here.
+</para>
+<para>
+ You will see two fields. If you have only one port to enter, just fill
+ up the first field. To specify a range, fill both fields, the first port
+ in the first field, the last port in the second field.
+</para>
+<para>
+ You can select this option multiple times to add more values or ranges.
+</para>
+</sect2>
+<sect2>
+ <title>Delete port/range</title>
+<para>
+ Select this item to remove a higher-numbered port number or
+ port range you entered earlier with the <emphasis>Additional
+ ports...</emphasis> option. A window will come up
+ containing the entered ports and ranges. Select the entry you want
+ delete and press Enter.
+</para>
+</sect2>
+<sect2>
+ <title>LAN Station Identifiers</title>
+
+<para>
+ The LAN station statistics facility monitors stations based
+ on their respective MAC addresses.
The hexadecimal notation of these
+ addresses make them even more difficult to remember than the
+ dotted-decimal IP addresses, so these facilities were added to
+ help you better determine which station is which.
+</para>
+<para>
+ Selecting the <emphasis>Ethernet/PLIP host descriptions...</emphasis> or
+ <emphasis>FDDI/Token Ring host descriptions...</emphasis> options brings
+ up a submenu asking you to add, edit, or delete descriptions.
+</para>
+<para>
+ To add a new description, select the <emphasis>Add
+description...</emphasis> option. A dialog
+ box will appear, asking you for the MAC address and an appropriate
+ description. Type in the address in hexadecimal notation with no
+ punctuation of any kind. The dialog box is
+ case-insensitive for the address; the alphabetical digits A to F will be
+ stored in lowercase.
+</para>
+<para>
+ Use the Tab key to move between fields and Enter to accept. Press Ctrl+X
+ to discard this dialog and return to the main menu.
+</para>
+<para>
+ The description may be anything: the IP address, a fully-qualified
+ domain name, or a description of your liking as long
+ as the field can hold.
+</para>
+<para>
+ Enter as many descriptions as you need. Press Ctrl+X at a blank dialog
+ after you have entered the last entry
+</para>
+<para>
+ These descriptions will be displayed alongside the MAC addresses
+ in the LAN station monitor, together with the type of frame (Ethernet,
+ PLIP, or FDDI).
+</para>
+<para>
+ An existing address or description may be edited
+by selecting the <emphasis>Edit
+ description...</emphasis> option from the submenu. A panel will appear with a list
+ of existing address descriptions. Select the one you wish to
+ edit and press Enter. A dialog box identical to that
+ when you add a description will appear with prefilled fields. Just
+ backspace over and edit the fields. Press Enter to accept or Ctrl+X to
+ cancel.
+</para>
+<para>
+ Selecting the <emphasis>Delete description...</emphasis> submenu
+ item brings up the selection panel. Select the description you want to
+ delete and press Enter. You can also press Ctrl+X to cancel the operation.
+</para>
+<para>
+ IPTraf 2.4 and later also recognizes the <filename>/etc/ethers</filename> file.
+ Should a hardware address be present in the IPTraf definition files and
+ in <filename>/etc/ethers</filename>, the IPTraf definition will be used.
+</para>
+<note>
+ <title>Note</title>
+<para>
+ The description file for Ethernet and PLIP is
+ <filename>ethernet.desc</filename>, while the FDDI and Token Ring mappings are stored
+ in <filename>fddi.desc</filename> in the IPTraf working directory. These files are in
+ colon-delimited text format. Database engines or custom scripts can be
+ told to append data lines to those files. Each line follows this
+ simple format:
+</para>
+<synopsis>
+<replaceable>address</replaceable>:<replaceable>description</replaceable>
+</synopsis>
+<para>
+ For example
+</para>
+<synopsis>
+00201e457e:Cisco 3640 gateway
+</synopsis>
+<para>
+ Do not put colons, periods, or any invalid characters in the MAC address.
+</para>
+</note>
+</sect2>
+</sect1>
+</chapter>
+<chapter id="backop">
+<title>Background Operation</title>
+
+<para>
+ IPTraf's facilities can be placed in the background solely for
+ logging. When running in the background, it doesn't display any output
+ on the screen, and doesn't receive input
+ from the keyboard, and drops you back to the shell.
+</para>
+<para>
+ Before starting a statistical facility in the background, configure
+ IPTraf in the usual way (set filters, add TCP/UDP ports, etc).
+</para>
+<para>
+ Once that's done, exit all instances of IPTraf on the system, then
+ invoke IPTraf from the command line with the parameter
+ to start the facility you want, the timeout (<computeroutput>-t</computeroutput>) parameter
+ if you wish, and the <computeroutput>-B</computeroutput> parameter to actually daemonize the program.
+ For example, to run the IP traffic monitor in the
+ background for all interfaces, issue the command
+</para>
+<synopsis>
+iptraf -i all -B
+</synopsis>
+<para>
+ To run the detailed interface statistics
+on interface <filename>eth0</filename> for 5 minutes
+ in the background:
+</para>
+<synopsis>
+iptraf -d eth0 -t 5 -B
+</synopsis>
+<para>
+ If the timeout parameter is not specified, the facility
+ will run until the process receives a USR2 signal. To stop a facility in
+ the background, do a
+</para>
+<synopsis>
+ps x
+</synopsis>
+<para>
+ at the command line, and find the process id (pid) of the iptraf process
+ you're looking for. Then send that process a USR2 signal with the kill
+ command:
+</para>
+<synopsis>
+kill -USR2 pid
+</synopsis>
+<para>
+ Since IPTraf cannot send error messages to the terminal, all
+ messages are written to the file daemon.log in the
+ IPTraf logging directory.
+</para>
+<para>
+ The <computeroutput>-B</computeroutput> parameter automatically enables logging regardless of its configured
+ setting. The parameter is ignored if not used with one of the parameters
+ to start a facility from the command line.
+</para>
+<para>
+ The log file can be specified with the <computeroutput>-L</computeroutput> command-line parameter. If
+ this parameter is not specified, the default log file name for the
+ facility will be used (see the descriptions of the
+ facilities above for the default log name patterns).
+ If you don't specify an path, the log file will be placed in
+ <filename>/var/log/iptraf</filename>.
+</para>
+<para>
+ The logging interval for all facilities (except the IP traffic monitor) can also be overriden
+ with the <computeroutput>-I</computeroutput> command-line parameter.
+</para>
+</chapter>
+
+<appendix id="messages">
+ <title>Messages</title>
+<para>
+IPTraf's messages are presented in two ways. In interactive mode, messages
+are displayed in a distictive message box. In daemon (background) mode,
+appropriate messages are written to the <filename>iptraf.log</filename>
+file in the IPTraf log directory (normally
+<filename>/var/log/iptraf</filename>.
+</para>
+
+<sect1 id="iptrafmessages">
+<title>IPTraf Messages</title>
+<msgset>
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+Unable to create config file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf cannot create the configuration file. The most likely cause of
+ this is that you didn't properly install the
+ program, and the necessary directory
+<filename>/var/local/iptraf</filename> does not
+ exist. Can also be generated if you have a disk problem or if you
+ have too many files open.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to read config file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ The configuration record cannot be read. You most likely have a disk
+ problem.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to write config file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The configuration file cannot be written. You either have a disk
+ problem, or (more likely), your disk is full.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Enter an appropriate description for this filter
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ Enter something to clearly describe the filter you are defining.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Error loading filter list file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf cannot access the list of defined TCP or UDP filters. Can also be
+ an indicator of a bad disk.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Error writing filter list file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The filter list file cannot be written to. You may
+ have trouble accessing your filters.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to read TCP/UDP/misc IP filter file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf cannot read the filter data off the file. Could be caused
+ by a bad disk.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Error opening filter data file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf cannot open the filter file. Could be caused by a shortage of
+ file descriptors or a bad disk.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to write filter data
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf cannot add the newly defined filter to the filter list. This may
+ be due to a bad disk.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Cannot create filter data file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf cannot create the filter record file. The defined filter is lost.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to save filter changes
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf cannot save the changes you made to the filter. You probably
+ have a disk error.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to write filter state information
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ The current state of the filters cannot be saved. IPTraf will be unable
+ to correctly reload the filters the next time it's started. This can
+ be caused by a bad disk or improper installation.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to save interface flags
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf was unable to save the flags of the network interfaces. This is
+ probably due to a bad installation or full filesystem.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to retrieve saved interface flags
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf was unable to retrieve the save interface flags.
+ Probably again due to a bad installation or full filesystem.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>
+<replaceable>protocol</replaceable> filter data file in use; try again later
+</computeroutput></para>
+<para><computeroutput>
+Filter state file in use; try again later
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ Another IPTraf process is modifying the TCP, UDP or miscellaneous IP
+ filter data or the filter state file and has locked the files
+ or file. Try again once the other IPTraf process has terminated or
+ completed its modifications and unlocked the files.
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to resolve hostname
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ The indicated host name in the filter cannot be resolved into an
+ IP address. Check the local hosts database <filename>/etc/hosts</filename> or
+ your machine's DNS configuration or DNS server.
+</para>
+<para>
+ The filter parameters will not be used.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to open host description file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf cannot open the file containing the descriptions for Ethernet
+ or FDDI addresses. Could be due to a bad disk or a hit on the file
+ descriptor limit.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to write host description
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf was unable to write the description record for this Ethernet or
+ FDDI address. Could be due to a bad disk or corrupted filesystem.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>No descriptions
+
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ You tried to edit or delete a description with no previous
+ descriptions defined.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Cannot open log file
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ There is a problem opening the log file. There is most
+ likely a problem with the disk, or there are too many open files.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to obtain interface list
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf was unable to retrieve the list of network interfaces
+ from the <filename>/proc</filename> filesystem. This may be due
+ to a badly configured kernel. IPTraf needs <filename>/proc</filename>
+ filesystem support.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>
+No active interfaces. Check their status or the /proc filesystem.
+</computeroutput></para>
+</msgtext>
+<msgexplan>
+<para>
+
+ IPTraf found no active interfaces.
Either all interfaces are down or the
+ <filename>/proc/net/dev</filename> file was empty or unavailable. Activate at least one
+ interface or check the <filename>/proc/net/dev</filename> file.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to obtain interface parameters for interface
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The system call to retrieve the interface's flags failed. Check your
+ interface or kernel driver.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Promisc change failed for interface
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The system call to change the promiscuous flag failed. Check
+ your interface or its kernel driver.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to open raw socket for flag change
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf was unable to open the necessary socket for the promiscuous
+ change operation. May be due to a shortage of file descriptors.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to open socket for MTU determination
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ Returned by the facility for detailed interface statistics
+ if the raw socket's opening sequence failed. The facility will abort.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to open raw socket
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ IPTraf was unable to open the raw socket for packet capture. May be due
+ to a shortage of file descriptors.
+</para>
+
+<note>
+ <title>Reminder</title>
+<para> IPTraf 2.x.x requires Linux kernel 2.2.x, with the Packet
+ Socket option compiled in or installed as a module.
IPTraf 2.x will
+ return this error on a pre-2.2 kernel or on a 2.2 kernel without
+ Packet Socket.
+</para>
+</note>
+</msgexplan>
+</simplemsgentry>
+
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>Unable to obtain interface MTU
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The detailed statistics facility was unable to
+ obtain the maximum transmission unit (MTU) for the selected
+ interface. The facility will abort.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Specified interface not supported
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The interface specified with the <computeroutput>-i</computeroutput>,
+ <computeroutput>-d</computeroutput>, <computeroutput>-s</computeroutput>, <computeroutput>-l</computeroutput>,
+ or <computeroutput>-z</computeroutput> command-line parameters is not supported
+ by IPTraf.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Specified interface not active
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The interface specified with the <computeroutput>-i</computeroutput>,
+ <computeroutput>-d</computeroutput>,
+ <computeroutput>-s</computeroutput>, <computeroutput>-l</computeroutput>, or
+ <computeroutput>-z</computeroutput> command-line parameters is
+ supported, but not currently activated.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Fatal: memory allocation error
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ May occur if you have too little memory to allocate for windows, the
+ menu system, or dialog boxes. IPTraf tries
+ to prevent further allocations if memory runs out during a
+ monitor. However, this could also mean a bug if you're reasonably sure
+ you're not out of memory. An instructional message
+ on bug reporting follows this message.
+</para>
+<note>
+ <title>Technical note</title>
+<para>This is actually a response to the
+ segmentation fault error (SIGSEGV).
+</para>
+</note>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>This program can be run only by the system administrator
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf normally does not allow anybody but uid 0 (root) to run it.
+ This measure is included for safety reasons. See the section
+ on recompiling the program below if you want to override this.
+ This feature is built in, and not part of the configuration
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Your TERM variable is not set
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The <envar>TERM</envar> (terminal type) environment variable
+ must be set to a valid terminal type so that the screen management
+ routines can function properly. Set it to the appropriate terminal type.
+ Linux consoles typically have their <envar>TERM</envar> variables set to
+<computeroutput>linux</computeroutput>.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Received TERM signal
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ Not related to the previous message. The
+<computeroutput>TERM</computeroutput> (terminate) signal
+ is normally used to gracefully shut down a program. This message
+ simply indicates that the <computeroutput>TERM</computeroutput> signal was caught and IPTraf is
+ attempting to shut down as gracefully as possible.
+</para>
+</msgexplan>
+</simplemsgentry>
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Invalid option or missing parameter, use iptraf -h for help
+</computeroutput></para>
+</msgtext>
+<msgexplan>
+<para>
+ The <computeroutput>-i</computeroutput>,
+ <computeroutput>-d</computeroutput>,
+ <computeroutput>-s</computeroutput>, <computeroutput>-l</computeroutput>, or
+ <computeroutput>-z</computeroutput> options were specified but
+ no interface was specified on the command line. These
+ parameters require a valid interface name (or
+ <computeroutput>all</computeroutput> for <computeroutput>-i</computeroutput>
+or <computeroutput>-l</computeroutput>).
+</para>
+<para>
+ This message also appears if an unknown option is passed
+to the <command>iptraf</command> command.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>Warning: unable to tag this process
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf normally tags itself when it runs to prevent multiple instances
+ of the statistical facilities from running.
+ This message means the program was unable to
+ create the necessary tag file. This may be due to a bad or
+ improper installation. Try running the
+<command>make install</command> procedure or the
+<command>Setup</command> in the distribution's top-level directory.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Warning: unable to tag facility
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf was unable to create the tag file for the facility you
+ started. The facility will still run, but other instances of IPTraf that
+ may be running simultaneously will allow the same facility to run.
+ This may cause both instances of the facility to malfunction. This could
+ be due to a bad disk or bad installation.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput><replaceable>facility</replaceable> already running/listening on interface
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ The facility you tried to start is currently running
+ on the indicated interface in another IPTraf process on the machine.
+ This restriction is placed to prevent conflicts involving
+ internal sockets or the log files.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>General interface statistics already active in another process
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ Only one instance of the general interface statistics can run at a time.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Duplicate port/range entry
+
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ You entered a port number or range that was already added to the list of
+ additional ports to be monitored by the TCP/UDP service monitor
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>No custom ports
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ There are no ports or port ranges earlier added. There's nothing
+ to delete.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Can't start rvnamed; lookups will block
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf cannot start the <command>rvnamed</command> daemon; probably due
+ to a bad installation. IPTraf will fall back to blocking lookups.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Can't spawn new process; lookups will block
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf cannot start a new process. This may be due to memory shortage.
+ IPTraf will fall back to blocking lookups.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Fork error, IPTraf cannot run in background
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf cannot start a new process, and can go into the background.
+ This may be due to memory shortage. IPTraf aborts.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>No memory for new filter entry
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ IPTraf was unable to allocate memory for a new filter entry. Most likely
+ due to memory shortage.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Memory Low
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ This indicator appears if memory runs low due to a lot of entries in a
+ facility. Should critical functions fail (window creation,
+ internal allocation), the program could terminate with a
+ segmentation violation.
+</para>
+
+<note>
+ <title>Note</title>
+<para>
+ Any message or indicator about low memory means that your system
+ does not have enough memory to handle the entries. It is
+ almost certain that sooner or later, IPTraf or other applications will
+ abort due to the failure of important system calls or library functions.
+ Memory must be added right away.
+</para>
+</note>
+</msgexplan>
+</simplemsgentry>
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>IPC Error
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ This indicator appears if an error occurs receiving data
+ from the <command>rvnamed</command> program (IPC stands for Interprocess Communication).
+ This indication should not occur under normal circumstances.
+ Report instances of this condition and the circumstances under which
+ it happens. You may also include data from the
+<filename>rvnamed.log</filename> file.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>Error opening terminal: <replaceable>terminal</replaceable>
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+ The screen management routines cannot find the
+<filename>terminfo</filename> entry for your
+ terminal. IPTraf expects the terminfo database located
+ in <filename>/usr/share/terminfo</filename>. This error could occur when your terminfo
+ database is located somewhere else.
+</para>
+<para>
+ See the section on controlling the <filename>terminfo</filename> search path.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+ <simplemsgentry>
+<msgtext>
+<para><computeroutput>This will end your IPTraf session
+ </computeroutput></para></msgtext>
+<msgexplan>
+<para>
+In interactive mode IPTraf asks you to confirm your exit
+command. Press Enter to return to the shell or any other key to cancel
+your command and return to the main menu.
+</para>
+</msgexplan>
+</simplemsgentry>
+</msgset>
+</sect1>
+<sect1 id="rvnamedmessages">
+<title>
+ rvnamed Messages
+</title>
+<para>
+ As a daemon, rvnamed does not send messages to the screen. It
+ writes its messages to the file <filename>rvnamed.log</filename> in the
+ IPTraf log directory.
+</para>
+<msgset>
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Unable to open child communication socket
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ rvnamed was unable to open the communication endpoint for data reception
+ from the children it creates. This is highly unusual, and should it
+ occur, report the circumstances.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Unable to open client communication socket
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ rvnamed was unable to open the communication endpoint for data exchange
+ with the IPTraf program. This is highly unusual, and should it
+ occur, report the circumstances.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Error binding client communication socket
+ Error binding child communication socket
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ rvnamed was unable to assign a name
+ to the indicated communication socket. This may be due to a bad, full,
+ or corrupted filesystem.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Fatal error: no memory for descriptor monitoring
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ rvnamed ran out of memory. IPTraf will resort to blocking, and may freeze.
+
+</para>
+</msgexplan>
+</simplemsgentry>
+
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Error on fork, returning IP address
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ rvnamed had a problem spawning a copy of itself to resolve the IP
+ address. rvnamed will simply return the IP address in its literal,
+ dotted-decimal notation. IPTraf will still function normally. This may
+ be due to lack of memory or a process limit hit.
+</para>
+</msgexplan>
+</simplemsgentry>
+
+
+
+<simplemsgentry>
+<msgtext>
+<para><computeroutput>
+ Maximum child process limit reached
+</computeroutput></para></msgtext>
+<msgexplan>
+<para>
+
+ rvnamed has reached its maximum number of child processes. This is
+ intended as a "brake" to prevent too many rvnamed children
+ from hogging your computer's resources and possibly crashing it.
+</para>
+<para>
+ Unless IPTraf is monitoring an extremely busy network without filters,
+ this shouldn't happen, at least, not that often. If you notice
+ this message, try applying filters or check your DNS server. Many times,
+ this can happen when the DNS server goes down for
+ whatever reason, and you have rvnamed children taking too long to resolve.
+</para> +</msgexplan> +</simplemsgentry> +</msgset> +</sect1> +</appendix> +<appendix id="gfdl"> +<title>GNU Free Documentation License</title> +<!-- - GNU Project - Free Software Foundation (FSF) --> +<!-- LINK REV="made" HREF="mailto:webmasters@gnu.org" --> + + + <!-- sect1> + <title>GNU Free Documentation License</title --> + + <para>Version 1.1, March 2000</para> + + <blockquote> + <para>Copyright (C) 2000 Free Software Foundation, Inc. +59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +Everyone is permitted to copy and distribute verbatim copies +of this license document, but changing it is not allowed.</para> + </blockquote> + + <sect1 id="gfdl-0"> + <title>PREAMBLE</title> + + <para>The purpose of this License is to make a manual, textbook, + or other written document "free" in the sense of freedom: to + assure everyone the effective freedom to copy and redistribute it, + with or without modifying it, either commercially or + noncommercially. Secondarily, this License preserves for the + author and publisher a way to get credit for their work, while not + being considered responsible for modifications made by + others.</para> + + <para>This License is a kind of "copyleft", which means that + derivative works of the document must themselves be free in the + same sense. It complements the GNU General Public License, which + is a copyleft license designed for free software.</para> + + <para>We have designed this License in order to use it for manuals + for free software, because free software needs free documentation: + a free program should come with manuals providing the same + freedoms that the software does. But this License is not limited + to software manuals; it can be used for any textual work, + regardless of subject matter or whether it is published as a + printed book. 
We recommend this License principally for works + whose purpose is instruction or reference.</para> + </sect1> + + <sect1 id="gfdl-1"> + <title>APPLICABILITY AND DEFINITIONS</title> + + <para>This License applies to any manual or other work that + contains a notice placed by the copyright holder saying it can be + distributed under the terms of this License. The "Document", + below, refers to any such manual or work. Any member of the + public is a licensee, and is addressed as "you".</para> + + <para>A "Modified Version" of the Document means any work + containing the Document or a portion of it, either copied + verbatim, or with modifications and/or translated into another + language.</para> + + <para>A "Secondary Section" is a named appendix or a front-matter + section of the Document that deals exclusively with the + relationship of the publishers or authors of the Document to the + Document's overall subject (or to related matters) and contains + nothing that could fall directly within that overall subject. + (For example, if the Document is in part a textbook of + mathematics, a Secondary Section may not explain any mathematics.) 
+ The relationship could be a matter of historical connection with + the subject or with related matters, or of legal, commercial, + philosophical, ethical or political position regarding + them.</para> + + <para>The "Invariant Sections" are certain Secondary Sections + whose titles are designated, as being those of Invariant Sections, + in the notice that says that the Document is released under this + License.</para> + + <para>The "Cover Texts" are certain short passages of text that + are listed, as Front-Cover Texts or Back-Cover Texts, in the + notice that says that the Document is released under this + License.</para> + + <para>A "Transparent" copy of the Document means a + machine-readable copy, represented in a format whose specification + is available to the general public, whose contents can be viewed + and edited directly and straightforwardly with generic text + editors or (for images composed of pixels) generic paint programs + or (for drawings) some widely available drawing editor, and that + is suitable for input to text formatters or for automatic + translation to a variety of formats suitable for input to text + formatters. A copy made in an otherwise Transparent file format + whose markup has been designed to thwart or discourage subsequent + modification by readers is not Transparent. A copy that is not + "Transparent" is called "Opaque".</para> + + <para>Examples of suitable formats for Transparent copies include + plain ASCII without markup, Texinfo input format, LaTeX input + format, SGML or XML using a publicly available DTD, and + standard-conforming simple HTML designed for human modification. 
+ Opaque formats include PostScript, PDF, proprietary formats that + can be read and edited only by proprietary word processors, SGML + or XML for which the DTD and/or processing tools are not generally + available, and the machine-generated HTML produced by some word + processors for output purposes only.</para> + + <para>The "Title Page" means, for a printed book, the title page + itself, plus such following pages as are needed to hold, legibly, + the material this License requires to appear in the title page. + For works in formats which do not have any title page as such, + "Title Page" means the text near the most prominent appearance of + the work's title, preceding the beginning of the body of the + text.</para> + </sect1> + + <sect1 id="gfdl-2"> + <title>VERBATIM COPYING</title> + + <para>You may copy and distribute the Document in any medium, + either commercially or noncommercially, provided that this + License, the copyright notices, and the license notice saying this + License applies to the Document are reproduced in all copies, and + that you add no other conditions whatsoever to those of this + License. You may not use technical measures to obstruct or + control the reading or further copying of the copies you make or + distribute. However, you may accept compensation in exchange for + copies. If you distribute a large enough number of copies you + must also follow the conditions in section 3.</para> + + <para>You may also lend copies, under the same conditions stated + above, and you may publicly display copies.</para> + </sect1> + + <sect1 id="gfdl-3"> + <title>COPYING IN QUANTITY</title> + + <para>If you publish printed copies of the Document numbering more + than 100, and the Document's license notice requires Cover Texts, + you must enclose the copies in covers that carry, clearly and + legibly, all these Cover Texts: Front-Cover Texts on the front + cover, and Back-Cover Texts on the back cover. 
Both covers must + also clearly and legibly identify you as the publisher of these + copies. The front cover must present the full title with all + words of the title equally prominent and visible. You may add + other material on the covers in addition. Copying with changes + limited to the covers, as long as they preserve the title of the + Document and satisfy these conditions, can be treated as verbatim + copying in other respects.</para> + + <para>If the required texts for either cover are too voluminous to + fit legibly, you should put the first ones listed (as many as fit + reasonably) on the actual cover, and continue the rest onto + adjacent pages.</para> + + <para>If you publish or distribute Opaque copies of the Document + numbering more than 100, you must either include a + machine-readable Transparent copy along with each Opaque copy, or + state in or with each Opaque copy a publicly-accessible + computer-network location containing a complete Transparent copy + of the Document, free of added material, which the general + network-using public has access to download anonymously at no + charge using public-standard network protocols. 
If you use the + latter option, you must take reasonably prudent steps, when you + begin distribution of Opaque copies in quantity, to ensure that + this Transparent copy will remain thus accessible at the stated + location until at least one year after the last time you + distribute an Opaque copy (directly or through your agents or + retailers) of that edition to the public.</para> + + <para>It is requested, but not required, that you contact the + authors of the Document well before redistributing any large + number of copies, to give them a chance to provide you with an + updated version of the Document.</para> + </sect1> + + <sect1 id="gfdl-4"> + <title>MODIFICATIONS</title> + + <para>You may copy and distribute a Modified Version of the + Document under the conditions of sections 2 and 3 above, provided + that you release the Modified Version under precisely this + License, with the Modified Version filling the role of the + Document, thus licensing distribution and modification of the + Modified Version to whoever possesses a copy of it. In addition, + you must do these things in the Modified Version:</para> + + <orderedlist numeration="upperalpha"> + <listitem><para>Use in the Title Page + (and on the covers, if any) a title distinct from that of the + Document, and from those of previous versions (which should, if + there were any, be listed in the History section of the + Document). 
You may use the same title as a previous version if + the original publisher of that version gives permission.</para> + </listitem> + + <listitem><para>List on the Title Page, + as authors, one or more persons or entities responsible for + authorship of the modifications in the Modified Version, + together with at least five of the principal authors of the + Document (all of its principal authors, if it has less than + five).</para> + </listitem> + + <listitem><para>State on the Title page + the name of the publisher of the Modified Version, as the + publisher.</para> + </listitem> + + <listitem><para>Preserve all the + copyright notices of the Document.</para> + </listitem> + + <listitem><para>Add an appropriate + copyright notice for your modifications adjacent to the other + copyright notices.</para> + </listitem> + + <listitem><para>Include, immediately + after the copyright notices, a license notice giving the public + permission to use the Modified Version under the terms of this + License, in the form shown in the Addendum below.</para> + </listitem> + + <listitem><para>Preserve in that license + notice the full lists of Invariant Sections and required Cover + Texts given in the Document's license notice.</para> + </listitem> + + <listitem><para>Include an unaltered + copy of this License.</para> + </listitem> + + <listitem><para>Preserve the section + entitled "History", and its title, and add to it an item stating + at least the title, year, new authors, and publisher of the + Modified Version as given on the Title Page. 
If there is no + section entitled "History" in the Document, create one stating + the title, year, authors, and publisher of the Document as given + on its Title Page, then add an item describing the Modified + Version as stated in the previous sentence.</para> + </listitem> + + <listitem><para>Preserve the network + location, if any, given in the Document for public access to a + Transparent copy of the Document, and likewise the network + locations given in the Document for previous versions it was + based on. These may be placed in the "History" section. You + may omit a network location for a work that was published at + least four years before the Document itself, or if the original + publisher of the version it refers to gives permission.</para> + </listitem> + + <listitem><para>In any section entitled + "Acknowledgements" or "Dedications", preserve the section's + title, and preserve in the section all the substance and tone of + each of the contributor acknowledgements and/or dedications + given therein.</para> + </listitem> + + <listitem><para>Preserve all the + Invariant Sections of the Document, unaltered in their text and + in their titles. Section numbers or the equivalent are not + considered part of the section titles.</para> + </listitem> + + <listitem><para>Delete any section + entitled "Endorsements". Such a section may not be included in + the Modified Version.</para> + </listitem> + + <listitem><para>Do not retitle any + existing section as "Endorsements" or to conflict in title with + any Invariant Section.</para> + </listitem> + </orderedlist> + + <para>If the Modified Version includes new front-matter sections + or appendices that qualify as Secondary Sections and contain no + material copied from the Document, you may at your option + designate some or all of these sections as invariant. To do this, + add their titles to the list of Invariant Sections in the Modified + Version's license notice. 
These titles must be distinct from any + other section titles.</para> + + <para>You may add a section entitled "Endorsements", provided it + contains nothing but endorsements of your Modified Version by + various parties--for example, statements of peer review or that + the text has been approved by an organization as the authoritative + definition of a standard.</para> + + <para>You may add a passage of up to five words as a Front-Cover + Text, and a passage of up to 25 words as a Back-Cover Text, to the + end of the list of Cover Texts in the Modified Version. Only one + passage of Front-Cover Text and one of Back-Cover Text may be + added by (or through arrangements made by) any one entity. If the + Document already includes a cover text for the same cover, + previously added by you or by arrangement made by the same entity + you are acting on behalf of, you may not add another; but you may + replace the old one, on explicit permission from the previous + publisher that added the old one.</para> + + <para>The author(s) and publisher(s) of the Document do not by + this License give permission to use their names for publicity for + or to assert or imply endorsement of any Modified Version.</para> + </sect1> + + <sect1 id="gfdl-5"> + <title>COMBINING DOCUMENTS</title> + + <para>You may combine the Document with other documents released + under this License, under the terms defined in section 4 above for + modified versions, provided that you include in the combination + all of the Invariant Sections of all of the original documents, + unmodified, and list them all as Invariant Sections of your + combined work in its license notice.</para> + + <para>The combined work need only contain one copy of this + License, and multiple identical Invariant Sections may be replaced + with a single copy. 
If there are multiple Invariant Sections with + the same name but different contents, make the title of each such + section unique by adding at the end of it, in parentheses, the + name of the original author or publisher of that section if known, + or else a unique number. Make the same adjustment to the section + titles in the list of Invariant Sections in the license notice of + the combined work.</para> + + <para>In the combination, you must combine any sections entitled + "History" in the various original documents, forming one section + entitled "History"; likewise combine any sections entitled + "Acknowledgements", and any sections entitled "Dedications". You + must delete all sections entitled "Endorsements."</para> + </sect1> + + <sect1 id="gfdl-6"> + <title>COLLECTIONS OF DOCUMENTS</title> + + <para>You may make a collection consisting of the Document and + other documents released under this License, and replace the + individual copies of this License in the various documents with a + single copy that is included in the collection, provided that you + follow the rules of this License for verbatim copying of each of + the documents in all other respects.</para> + + <para>You may extract a single document from such a collection, + and distribute it individually under this License, provided you + insert a copy of this License into the extracted document, and + follow this License in all other respects regarding verbatim + copying of that document.</para> + </sect1> + + <sect1 id="gfdl-7"> + <title>AGGREGATION WITH INDEPENDENT WORKS</title> + + <para>A compilation of the Document or its derivatives with other + separate and independent documents or works, in or on a volume of + a storage or distribution medium, does not as a whole count as a + Modified Version of the Document, provided no compilation + copyright is claimed for the compilation. 
Such a compilation is + called an "aggregate", and this License does not apply to the + other self-contained works thus compiled with the Document, on + account of their being thus compiled, if they are not themselves + derivative works of the Document.</para> + + <para>If the Cover Text requirement of section 3 is applicable to + these copies of the Document, then if the Document is less than + one quarter of the entire aggregate, the Document's Cover Texts + may be placed on covers that surround only the Document within the + aggregate. Otherwise they must appear on covers around the whole + aggregate.</para> + </sect1> + + <sect1 id="gfdl-8"> + <title>TRANSLATION</title> + + <para>Translation is considered a kind of modification, so you may + distribute translations of the Document under the terms of section + 4. Replacing Invariant Sections with translations requires + special permission from their copyright holders, but you may + include translations of some or all Invariant Sections in addition + to the original versions of these Invariant Sections. You may + include a translation of this License provided that you also + include the original English version of this License. In case of + a disagreement between the translation and the original English + version of this License, the original English version will + prevail.</para> + </sect1> + + <sect1 id="gfdl-9"> + <title>TERMINATION</title> + + <para>You may not copy, modify, sublicense, or distribute the + Document except as expressly provided for under this License. Any + other attempt to copy, modify, sublicense or distribute the + Document is void, and will automatically terminate your rights + under this License. 
However, parties who have received copies, or + rights, from you under this License will not have their licenses + terminated so long as such parties remain in full + compliance.</para> + </sect1> + + <sect1 id="gfdl-10"> + <title>FUTURE REVISIONS OF THIS LICENSE</title> + + <para>The Free Software Foundation may publish new, revised + versions of the GNU Free Documentation License from time to time. + Such new versions will be similar in spirit to the present + version, but may differ in detail to address new problems or + concerns. See <ulink + url="http://www.gnu.org/copyleft/">http://www.gnu.org/copyleft/</ulink>.</para> + + <para>Each version of the License is given a distinguishing + version number. If the Document specifies that a particular + numbered version of this License "or any later version" applies to + it, you have the option of following the terms and conditions + either of that specified version or of any later version that has + been published (not as a draft) by the Free Software Foundation. + If the Document does not specify a version number of this License, + you may choose any version ever published (not as a draft) by the + Free Software Foundation.</para> + </sect1> + + <sect1 id="gfdl-11"> + <title>How to use this License for your documents</title> + + <para>To use this License in a document you have written, include + a copy of the License in the document and put the following + copyright and license notices just after the title page:</para> + +<blockquote><para> + Copyright (c) YEAR YOUR NAME. + Permission is granted to copy, distribute and/or modify this document + under the terms of the GNU Free Documentation License, Version 1.1 + or any later version published by the Free Software Foundation; + with the Invariant Sections being LIST THEIR TITLES, with the + Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. + A copy of the license is included in the section entitled "GNU + Free Documentation License". 
+</para></blockquote> + + <para>If you have no Invariant Sections, write "with no Invariant + Sections" instead of saying which ones are invariant. If you have + no Front-Cover Texts, write "no Front-Cover Texts" instead of + "Front-Cover Texts being LIST"; likewise for Back-Cover + Texts.</para> + + <para>If your document contains nontrivial examples of program + code, we recommend releasing these examples in parallel under your + choice of free software license, such as the GNU General Public + License, to permit their use in free software.</para> + </sect1> + +</appendix> +<!-- Keep this comment at the end of the file +Local variables: +mode: sgml +sgml-omittag:nil +sgml-shorttag:t +sgml-minimize-attributes:nil +sgml-always-quote-attributes:t +sgml-indent-step:2 +sgml-parent-document: ("referenz.sgml" "appendix") +sgml-exposed-tags:nil +sgml-local-ecat-files:nil +sgml-local-catalogs: CATALOG +sgml-validate-command: "nsgmls -s referenz.sgml" +ispell-skip-sgml: t +End: +--> +</book> diff --git a/Documentation/menus.html b/Documentation/menus.html new file mode 100644 index 0000000..12ad39a --- /dev/null +++ b/Documentation/menus.html 
@@ -0,0 +1,163 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Using the Menus</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Getting Started" +HREF="gettingstarted.html"><LINK +REL="PREVIOUS" +TITLE="Command-line Options" +HREF="cmdline.html"><LINK +REL="NEXT" +TITLE="Exiting IPTraf" +HREF="exiting.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="cmdline.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Getting Started</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="exiting.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="MENUS" +>Using the Menus</A +></H1 +><P +> Menu items with a trailing ellipsis (<TT +CLASS="COMPUTEROUTPUT" +>...</TT +>) either + pop up a submenu with further items, or require additional information + before it can complete the task and return to the menu. + Menu items without an ellipsis execute immediately.</P +><P +> Use the Up and Down arrow keys on your keyboard to move the selection + bar. Press Enter to execute the selected item. Alternatively, you can + also directly press the highlighted letter of the item you want. This + will immediately execute the option.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN374" +></A +><P +><IMG +SRC="iptraf-mmenu.png"></P +><P +><B +>Figure 1. 
The IPTraf Main Menu</B +></P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="cmdline.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="exiting.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Command-line Options</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gettingstarted.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Exiting IPTraf</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/messages.html b/Documentation/messages.html new file mode 100644 index 0000000..a2f7d81 --- /dev/null +++ b/Documentation/messages.html 
@@ -0,0 +1,1191 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Messages</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="PREVIOUS" +TITLE="Background Operation" +HREF="backop.html"><LINK +REL="NEXT" +TITLE=" rvnamed Messages" +HREF="rvnamedmessages.html"></HEAD +><BODY +CLASS="APPENDIX" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="backop.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="rvnamedmessages.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="APPENDIX" +><H1 +><A +NAME="MESSAGES" +>Messages</A +></H1 +><P +>IPTraf's messages are presented in two ways. In interactive mode, messages +are displayed in a distictive message box. In daemon (background) mode, +appropriate messages are written to the <TT +CLASS="FILENAME" +>iptraf.log</TT +> +file in the IPTraf log directory (normally +<TT +CLASS="FILENAME" +>/var/log/iptraf</TT +>.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="IPTRAFMESSAGES" +>IPTraf Messages</A +></H1 +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2131" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to create config file</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf cannot create the configuration file. The most likely cause of + this is that you didn't properly install the + program, and the necessary directory +<TT +CLASS="FILENAME" +>/var/local/iptraf</TT +> does not + exist. 
Can also be generated if you have a disk problem or if you + have too many files open.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2138" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to read config file</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The configuration record cannot be read. You most likely have a disk + problem.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2144" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to write config file</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The configuration file cannot be written. You either have a disk + problem, or (more likely), your disk is full.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2150" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Enter an appropriate description for this filter</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> Enter something to clearly describe the filter you are defining. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2156" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Error loading filter list file</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf cannot access the list of defined TCP or UDP filters. Can also be + an indicator of a bad disk.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2162" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Error writing filter list file</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The filter list file cannot be written to. You may + have trouble accessing your filters. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2168" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to read TCP/UDP/misc IP filter file</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf cannot read the filter data off the file. Could be caused + by a bad disk. 
</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2174" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Error opening filter data file</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf cannot open the filter file. Could be caused by a shortage of + file descriptors or a bad disk.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2180" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to write filter data</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf cannot add the newly defined filter to the filter list. This may + be due to a bad disk.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2186" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Cannot create filter data file</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf cannot create the filter record file. The defined filter is lost.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2192" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to save filter changes</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf cannot save the changes you made to the filter. You probably + have a disk error.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2198" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to write filter state information</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The current state of the filters cannot be saved. IPTraf will be unable + to correctly reload the filters the next time it's started. This can + be caused by a bad disk or improper installation.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2204" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to save interface flags</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf was unable to save the flags of the network interfaces. 
This is + probably due to a bad installation or full filesystem.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2210" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to retrieve saved interface flags</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf was unable to retrieve the save interface flags. + Probably again due to a bad installation or full filesystem.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2216" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +><TT +CLASS="REPLACEABLE" +><I +>protocol</I +></TT +> filter data file in use; try again later</TT +></P +><P +><TT +CLASS="COMPUTEROUTPUT" +>Filter state file in use; try again later</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> Another IPTraf process is modifying the TCP, UDP or miscellaneous IP + filter data or the filter state file and has locked the files + or file. Try again once the other IPTraf process has terminated or + completed its modifications and unlocked the files.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2225" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to resolve hostname</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The indicated host name in the filter cannot be resolved into an + IP address. Check the local hosts database <TT +CLASS="FILENAME" +>/etc/hosts</TT +> or + your machine's DNS configuration or DNS server. The filter parameters will not be used.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2233" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to open host description file</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf cannot open the file containing the descriptions for Ethernet + or FDDI addresses. Could be due to a bad disk or a hit on the file + descriptor limit. 
</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2239" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to write host description</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf was unable to write the description record for this Ethernet or + FDDI address. Could be due to a bad disk or corrupted filesystem. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2245" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>No descriptions </TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> You tried to edit or delete a description with no previous + descriptions defined. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2251" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Cannot open log file</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> There is a problem opening the log file. There is most + likely a problem with the disk, or there are too many open files. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2257" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to obtain interface list</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf was unable to retrieve the list of network interfaces + from the <TT +CLASS="FILENAME" +>/proc</TT +> filesystem. This may be due + to a badly configured kernel. IPTraf needs <TT +CLASS="FILENAME" +>/proc</TT +> + filesystem support. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2265" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>No active interfaces. Check their status or the /proc filesystem.</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf found no active interfaces. Either all interfaces are down or the + <TT +CLASS="FILENAME" +>/proc/net/dev</TT +> file was empty or unavailable. Activate at least one + interface or check the <TT +CLASS="FILENAME" +>/proc/net/dev</TT +> file. 
</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2273" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to obtain interface parameters for interface</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The system call to retrieve the interface's flags failed. Check your + interface or kernel driver. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2279" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Promisc change failed for interface</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The system call to change the promiscuous flag failed. Check + your interface or its kernel driver. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2285" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to open raw socket for flag change</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf was unable to open the necessary socket for the promiscuous + change operation. May be due to a shortage of file descriptors. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2291" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to open socket for MTU determination</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> Returned by the facility for detailed interface statistics + if the raw socket's opening sequence failed. The facility will abort.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2297" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to open raw socket</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf was unable to open the raw socket for packet capture. 
May be due + to a shortage of file descriptors.<DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Reminder</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> IPTraf 2.x.x requires Linux kernel 2.2.x, with the Packet + Socket option compiled in or installed as a module. IPTraf 2.x will + return this error on a pre-2.2 kernel or on a 2.2 kernel without + Packet Socket.</P +></TD +></TR +></TABLE +></DIV +></BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2306" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Unable to obtain interface MTU</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The detailed statistics facility was unable to + obtain the maximum transmission unit (MTU) for the selected + interface. The facility will abort. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2312" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Specified interface not supported</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The interface specified with the <TT +CLASS="COMPUTEROUTPUT" +>-i</TT +>, + <TT +CLASS="COMPUTEROUTPUT" +>-d</TT +>, <TT +CLASS="COMPUTEROUTPUT" +>-s</TT +>, <TT +CLASS="COMPUTEROUTPUT" +>-l</TT +>, + or <TT +CLASS="COMPUTEROUTPUT" +>-z</TT +> command-line parameters is not supported + by IPTraf.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2323" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Specified interface not active</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The interface specified with the <TT +CLASS="COMPUTEROUTPUT" +>-i</TT +>, + <TT +CLASS="COMPUTEROUTPUT" +>-d</TT +>, + <TT +CLASS="COMPUTEROUTPUT" +>-s</TT +>, <TT +CLASS="COMPUTEROUTPUT" +>-l</TT +>, or + <TT +CLASS="COMPUTEROUTPUT" +>-z</TT +> command-line parameters is + supported, but not currently activated. 
</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2334" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Fatal: memory allocation error</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> May occur if you have too little memory to allocate for windows, the + menu system, or dialog boxes. IPTraf tries + to prevent further allocations if memory runs out during a + monitor. However, this could also mean a bug if you're reasonably sure + you're not out of memory. An instructional message + on bug reporting follows this message.<DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Technical note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>This is actually a response to the + segmentation fault error (SIGSEGV).</P +></TD +></TR +></TABLE +></DIV +></BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2343" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>This program can be run only by the system administrator</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf normally does not allow anybody but uid 0 (root) to run it. + This measure is included for safety reasons. See the section + on recompiling the program below if you want to override this. + This feature is built in, and not part of the configuration </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2349" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Your TERM variable is not set</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The <TT +CLASS="ENVAR" +>TERM</TT +> (terminal type) environment variable + must be set to a valid terminal type so that the screen management + routines can function properly. Set it to the appropriate terminal type. 
+ Linux consoles typically have their <TT +CLASS="ENVAR" +>TERM</TT +> variables set to +<TT +CLASS="COMPUTEROUTPUT" +>linux</TT +>. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2358" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Received TERM signal</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> Not related to the previous message. The +<TT +CLASS="COMPUTEROUTPUT" +>TERM</TT +> (terminate) signal + is normally used to gracefully shut down a program. This message + simply indicates that the <TT +CLASS="COMPUTEROUTPUT" +>TERM</TT +> signal was caught and IPTraf is + attempting to shut down as gracefully as possible.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2366" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +> Invalid option or missing parameter, use iptraf -h for help</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The <TT +CLASS="COMPUTEROUTPUT" +>-i</TT +>, + <TT +CLASS="COMPUTEROUTPUT" +>-d</TT +>, + <TT +CLASS="COMPUTEROUTPUT" +>-s</TT +>, <TT +CLASS="COMPUTEROUTPUT" +>-l</TT +>, or + <TT +CLASS="COMPUTEROUTPUT" +>-z</TT +> options were specified but + no interface was specified on the command line. These + parameters require a valid interface name (or + <TT +CLASS="COMPUTEROUTPUT" +>all</TT +> for <TT +CLASS="COMPUTEROUTPUT" +>-i</TT +> +or <TT +CLASS="COMPUTEROUTPUT" +>-l</TT +>). This message also appears if an unknown option is passed +to the <B +CLASS="COMMAND" +>iptraf</B +> command. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2382" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Warning: unable to tag this process</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf normally tags itself when it runs to prevent multiple instances + of the statistical facilities from running. + This message means the program was unable to + create the necessary tag file. This may be due to a bad or + improper installation. 
Try running the +<B +CLASS="COMMAND" +>make install</B +> procedure or the +<B +CLASS="COMMAND" +>Setup</B +> in the distribution's top-level directory. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2390" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Warning: unable to tag facility</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf was unable to create the tag file for the facility you + started. The facility will still run, but other instances of IPTraf that + may be running simultaneously will allow the same facility to run. + This may cause both instances of the facility to malfunction. This could + be due to a bad disk or bad installation. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2396" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +><TT +CLASS="REPLACEABLE" +><I +>facility</I +></TT +> already running/listening on interface</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The facility you tried to start is currently running + on the indicated interface in another IPTraf process on the machine. + This restriction is placed to prevent conflicts involving + internal sockets or the log files. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2403" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>General interface statistics already active in another process</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> Only one instance of the general interface statistics can run at a time. 
</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2409" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Duplicate port/range entry </TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> You entered a port number or range that was already added to the list of + additional ports to be monitored by the TCP/UDP service monitor </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2415" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>No custom ports</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> There are no ports or port ranges earlier added. There's nothing + to delete. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2421" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Can't start rvnamed; lookups will block</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf cannot start the <B +CLASS="COMMAND" +>rvnamed</B +> daemon; probably due + to a bad installation. IPTraf will fall back to blocking lookups. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2428" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Can't spawn new process; lookups will block</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf cannot start a new process. This may be due to memory shortage. + IPTraf will fall back to blocking lookups. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2434" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Fork error, IPTraf cannot run in background</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf cannot start a new process, and can go into the background. + This may be due to memory shortage. IPTraf aborts. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2440" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>No memory for new filter entry</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> IPTraf was unable to allocate memory for a new filter entry. Most likely + due to memory shortage. 
</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2446" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Memory Low</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> This indicator appears if memory runs low due to a lot of entries in a + facility. Should critical functions fail (window creation, + internal allocation), the program could terminate with a + segmentation violation.<DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Any message or indicator about low memory means that your system + does not have enough memory to handle the entries. It is + almost certain that sooner or later, IPTraf or other applications will + abort due to the failure of important system calls or library functions. + Memory must be added right away.</P +></TD +></TR +></TABLE +></DIV +></BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2455" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>IPC Error</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> This indicator appears if an error occurs receiving data + from the <B +CLASS="COMMAND" +>rvnamed</B +> program (IPC stands for Interprocess Communication). + This indication should not occur under normal circumstances. + Report instances of this condition and the circumstances under which + it happens. You may also include data from the +<TT +CLASS="FILENAME" +>rvnamed.log</TT +> file. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2463" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>Error opening terminal: <TT +CLASS="REPLACEABLE" +><I +>terminal</I +></TT +></TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> The screen management routines cannot find the +<TT +CLASS="FILENAME" +>terminfo</TT +> entry for your + terminal. 
IPTraf expects the terminfo database located + in <TT +CLASS="FILENAME" +>/usr/share/terminfo</TT +>. This error could occur when your terminfo + database is located somewhere else. See the section on controlling the <TT +CLASS="FILENAME" +>terminfo</TT +> search path.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2474" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +>This will end your IPTraf session + </TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +>In interactive mode IPTraf asks you to confirm your exit +command. Press Enter to return to the shell or any other key to cancel +your command and return to the main menu.</BLOCKQUOTE +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="backop.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="rvnamedmessages.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Background Operation</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>rvnamed Messages</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/morelanmoninfo.html b/Documentation/morelanmoninfo.html new file mode 100644 index 0000000..cc151a3 --- /dev/null +++ b/Documentation/morelanmoninfo.html 
@@ -0,0 +1,146 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Additional Information</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="LAN Station Statistics" +HREF="hostmon.html"><LINK +REL="PREVIOUS" +TITLE="LAN Station Statistics" +HREF="hostmon.html"><LINK +REL="NEXT" +TITLE="Filters" +HREF="filters.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="hostmon.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>LAN Station Statistics</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="filters.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="MORELANMONINFO" +>Additional Information</A +></H1 +><P +> The window can be scrolled with the Up and Down cursor keys. 
Press X + or Q to return to the main menu (or the shell if this + facility was started with the <TT +CLASS="COMPUTEROUTPUT" +>-l</TT +> command-line option).</P +><P +>The output of this facility is affected by any applied IPTraf filter.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="hostmon.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="filters.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>LAN Station Statistics</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="hostmon.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Filters</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/netstats.html b/Documentation/netstats.html new file mode 100644 index 0000000..238dbb5 --- /dev/null +++ b/Documentation/netstats.html 
@@ -0,0 +1,228 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Network Interface Statistics</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="PREVIOUS" +TITLE="Additional Information" +HREF="x1077.html"><LINK +REL="NEXT" +TITLE="Detailed Interface Statistics" +HREF="detstats.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="x1077.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="detstats.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="NETSTATS" +>Network Interface Statistics</A +></H1 +><P +>There are two network interface +statistics facilities: the general interface statistics, which +displays a statistical summary of all attached interfaces, and the +detailed interface statistics, which shows more statistical and +load information about a single selected interface.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="GENSTATS" +>General Interface Statistics</A +></H1 +><P +> The second menu option displays a list of + attached network interfaces, and some general + packet counts. Specifically, it displays counts of IP, non-IP, and bad + IP packets (packets with IP checksum errors). It also includes an + activity indicator, which shows the number of kilobits and packets the + interface sees per second. All figures are for incoming and outgoing + packets. 
(Again, considering promiscuous + mode for LAN interfaces, which simply causes the machine + to intercept all packets). This is useful for general monitoring + of all attached interfaces. If byte counts and + additional information are needed for a specific interface, the <I +CLASS="EMPHASIS" +>Detailed + interface statistics</I +> option is also available.</P +><P +> The activity indicators can be toggled between kbits/s and kbytes/s with + the <I +CLASS="EMPHASIS" +>Activity mode</I +> configuration option.</P +><P +> The general statistics window will dynamically add new entries + as packets from newly-created interfaces (e.g. new PPP interfaces) are + intercepted. Long lists can be scrolled with the Up, Down, PgUp, and + PgDn keys.</P +><P +>This monitor is affected by IPTraf's <A +HREF="filters.html" +>filters</A +> as described in Chapter 7.</P +><P +> Copies of the statistics are written to the log file + <TT +CLASS="FILENAME" +>iface_stats_general.log</TT +> at regular intervals if logging is + enabled. See the <I +CLASS="EMPHASIS" +>Logging</I +> +option int the <A +HREF="config.html" +>Configuration</A +> chapter.</P +><P +> This facility can be started directly from the command line with the + <B +CLASS="COMMAND" +>-g</B +> option to the <B +CLASS="COMMAND" +>iptraf</B +> command. + When started from the command line, the log filename and log interval can be + specified with the <TT +CLASS="COMPUTEROUTPUT" +>-L</TT +> and <TT +CLASS="COMPUTEROUTPUT" +>-I</TT +> + parameters respectively. See the <A +HREF="cmdline.html" +>Command-line Parameters</A +> + section above for more information.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN1115" +></A +><P +><IMG +SRC="iptraf-gstat1.png"></P +><P +><B +>Figure 1. The general interface statistics screen</B +></P +></DIV +><P +> You can press X or Q to return to the main menu. 
</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="x1077.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="detstats.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Additional Information</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Detailed Interface Statistics</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/nonipfilters.html b/Documentation/nonipfilters.html new file mode 100644 index 0000000..c0ce670 --- /dev/null +++ b/Documentation/nonipfilters.html 
@@ -0,0 +1,143 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>ARP, RARP, and other Non-IP Packet Filters</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Filters" +HREF="filters.html"><LINK +REL="PREVIOUS" +TITLE="Filters" +HREF="filters.html"><LINK +REL="NEXT" +TITLE="Configuring IPTraf" +HREF="config.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="filters.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Filters</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="config.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="NONIPFILTERS" +>ARP, RARP, and other Non-IP Packet Filters</A +></H1 +><P +> The <I +CLASS="EMPHASIS" +>Non-IP</I +> filter option toggles the display and logging of all non-IP + packets, except ARP and RARP, which are toggled separately.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="filters.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="config.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Filters</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="filters.html" +>Up</A +></TD +><TD +WIDTH="33%" 
+ALIGN="right" +VALIGN="top" +>Configuring IPTraf</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/preface.html b/Documentation/preface.html new file mode 100644 index 0000000..1db8e6f --- /dev/null +++ b/Documentation/preface.html 
@@ -0,0 +1,151 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>About This Document</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="PREVIOUS" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="NEXT" +TITLE="Document Conventions" +HREF="conventions.html"></HEAD +><BODY +CLASS="PREFACE" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="manual.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="conventions.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="PREFACE" +><H1 +><A +NAME="PREFACE" +>About This Document</A +></H1 +><P +>This document contains the instructions on how to use the IPTraf network +monitoring software version 3.0. This manual details the +different statistical facilities, the user +interface, and the important features of the software.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="ADDINFO" +>For Additional Information</A +></H1 +><P +>See the included README file for summarized and late-breaking information. +Also read the RELEASE-NOTES file for important new information about +this new version. The CHANGES file contains a record of the changes made +to the software since 1.0.0. README.rvnamed contains information on the +rvnamed reverse resolution program. 
See the other +README files for support and development information.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="manual.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="conventions.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>IPTraf User's Manual</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Document Conventions</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/preparingtouse.html b/Documentation/preparingtouse.html new file mode 100644 index 0000000..2dc018f --- /dev/null +++ b/Documentation/preparingtouse.html 
@@ -0,0 +1,221 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Preparing to Use IPTraf</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="PREVIOUS" +TITLE="Exiting IPTraf" +HREF="exiting.html"><LINK +REL="NEXT" +TITLE="Instances and Logging" +HREF="instances.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="exiting.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="instances.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="PREPARINGTOUSE" +>Preparing to Use IPTraf</A +></H1 +><P +>This chapter provides information applicable to all of IPTraf's statistical +monitors.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="NUMBERS" +>Number Display Notations</A +></H1 +><P +> IPTraf initially returns exact counts of bytes and packets. However, as they + grow larger, IPTraf begins displaying them in increasingly higher denominations.</P +><P +> A number standing alone with no suffix represents an exact count. A + number with a K following is a kilo (thousand) figure. An M, + G, and T suffix represents mega (million), giga (billion), and + tera (trillion) respectively. The following table shows examples.</P +><DIV +CLASS="TABLE" +><A +NAME="AEN391" +></A +><P +><B +>Table 1. 
Numeric Display Notations</B +></P +><TABLE +BORDER="1" +BGCOLOR="#E0E0E0" +CELLSPACING="0" +CELLPADDING="4" +CLASS="CALSTABLE" +><TBODY +><TR +><TD +ALIGN="LEFT" +VALIGN="TOP" +>1024067</TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +>exactly 1024067</TD +></TR +><TR +><TD +ALIGN="LEFT" +VALIGN="TOP" +>1024K</TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +>approximately 1024000</TD +></TR +><TR +><TD +ALIGN="LEFT" +VALIGN="TOP" +>1024M</TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +>approximately 1024000000</TD +></TR +><TR +><TD +ALIGN="LEFT" +VALIGN="TOP" +>1024G</TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +>approximately 1024000000000</TD +></TR +><TR +><TD +ALIGN="LEFT" +VALIGN="TOP" +>1024T</TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +>approximately 1024000000000000</TD +></TR +></TBODY +></TABLE +></DIV +><P +> These notations apply to both packet and byte counts.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="exiting.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="instances.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Exiting IPTraf</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Instances and Logging</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/rvnamedmessages.html b/Documentation/rvnamedmessages.html new file mode 100644 index 0000000..0afb82d --- /dev/null +++ b/Documentation/rvnamedmessages.html 
@@ -0,0 +1,244 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +> rvnamed Messages</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Messages" +HREF="messages.html"><LINK +REL="PREVIOUS" +TITLE="Messages" +HREF="messages.html"><LINK +REL="NEXT" +TITLE="GNU Free Documentation License" +HREF="gfdl.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="messages.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Messages</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="gfdl.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="RVNAMEDMESSAGES" +>rvnamed Messages</A +></H1 +><P +> As a daemon, rvnamed does not send messages to the screen. It + writes its messages to the file <TT +CLASS="FILENAME" +>rvnamed.log</TT +> in the + IPTraf log directory.</P +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2485" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +> Unable to open child communication socket</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> rvnamed was unable to open the communication endpoint for data reception + from the children it creates. 
This is highly unusual, and should it + occur, report the circumstances.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2491" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +> Unable to open client communication socket</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> rvnamed was unable to open the communication endpoint for data exchange + with the IPTraf program. This is highly unusual, and should it + occur, report the circumstances.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2497" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +> Error binding client communication socket + Error binding child communication socket</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> rvnamed was unable to assign a name + to the indicated communication socket. This may be due to a bad, full, + or corrupted filesystem. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2503" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +> Fatal error: no memory for descriptor monitoring</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> rvnamed ran out of memory. IPTraf will resort to blocking, and may freeze. </BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2509" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +> Error on fork, returning IP address</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> rvnamed had a problem spawning a copy of itself to resolve the IP + address. rvnamed will simply return the IP address in its literal, + dotted-decimal notation. IPTraf will still function normally. This may + be due to lack of memory or a process limit hit.</BLOCKQUOTE +></DIV +><DIV +CLASS="SIMPLEMSGENTRY" +><A +NAME="AEN2515" +></A +><P +><TT +CLASS="COMPUTEROUTPUT" +> Maximum child process limit reached</TT +></P +><BLOCKQUOTE +CLASS="MSGEXPLAN" +> rvnamed has reached its maximum number of child processes. This is + intended as a "brake" to prevent too many rvnamed children + from hogging your computer's resources and possibly crashing it. 
Unless IPTraf is monitoring an extremely busy network without filters, + this shouldn't happen, at least, not that often. If you notice + this message, try applying filters or check your DNS server. Many times, + this can happen when the DNS server goes down for + whatever reason, and you have rvnamed children taking too long to resolve.</BLOCKQUOTE +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="messages.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="gfdl.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Messages</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="messages.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>GNU Free Documentation License</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/servmon.html b/Documentation/servmon.html new file mode 100644 index 0000000..add9614 --- /dev/null +++ b/Documentation/servmon.html 
@@ -0,0 +1,300 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>TCP and UDP Traffic Statistics</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Statistical Breakdowns" +HREF="statbreakdowns.html"><LINK +REL="PREVIOUS" +TITLE="Statistical Breakdowns" +HREF="statbreakdowns.html"><LINK +REL="NEXT" +TITLE="LAN Station Statistics" +HREF="hostmon.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="statbreakdowns.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Statistical Breakdowns</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="hostmon.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="SERVMON" +>TCP and UDP Traffic Statistics</A +></H1 +><P +> IPTraf also includes a facility that generates statistics on TCP and UDP + traffic. This facility displays counts of all TCP and UDP packets with + source or destination ports numbered less than 1024. Ports 1 to 1023 are + reserved for the TCP/IP application protocols (well-known ports).</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN1208" +></A +><P +><IMG +SRC="iptraf-tcpudp.png"></P +><P +><B +>Figure 2. 
The TCP/UDP service monitor</B +></P +></DIV +><P +> The statistics window indicates the protocol (TCP or UDP), the + port number, the total packets and bytes counted for this particular + protocol/port combination, the packets and bytes destined for that + protocol and port, and the packets and bytes coming + from that protocol and port.</P +><P +> Byte counts include the IP header and payload only. The data link header + is not included.</P +><P +> The protocol/port indicators are color-coded for easier identification + on color terminals. TCP indicators are in yellow, UDP in bright green.</P +><P +> Some network applications or protocols may use port numbers higher + than 1023. Examples + of these include application proxy servers (HTTP proxy servers typically + use values like 8000, 8080, 8888, and the like), and IRC + (IRC servers commonly accept connections on ports 6660 to 6669). These + ports are by default not included in the counts. If you do want + to include a higher-numbered port in the statistics, you can add + them yourself from the <I +CLASS="EMPHASIS" +><A +HREF="config.html" +>Configure...</A +>/Additional ports...</I +> + menu item. See the section below.</P +><P +> If logging is enabled, The statistics are also written to a log file + (the default name is +<TT +CLASS="FILENAME" +>tcp_udp_services-<TT +CLASS="REPLACEABLE" +><I +>iface</I +></TT +>.log</TT +>, where iface + is the selected interface (for example, +<TT +CLASS="FILENAME" +>tcp_udp_services-eth0.log</TT +>).</P +><P +> IPTraf computes the total, incoming, outgoing, and data rates of the + protocol currently indicated by the facility's highlight bar. The data + rates are indicated at the bottom of the screen. If logging is + enabled, the average data rates since the start of the facility are + placed in the log file.</P +><P +> The Up and Down cursor keys move the highlight bar. 
Pressing X or Ctrl+X + exits and returns to the main menu (or the shell if it was started + from the command line).</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1223" +>Sorting TCP/UDP Entries</A +></H2 +><P +> Pressing the S key brings up a window which allows you to + select the field by which the entries will be sorted. You can press R to + sort by port, P to sort by total packets, B to sort by total bytes, T to + sort by incoming packets (packets to), O to sort by incoming bytes + (bytes to), F to sort by outgoing packets (packets from) and M to sort + by outgoing bytes (bytes from). Pressing any other key cancels the sort.</P +><P +> Port numbers are sorted in ascending order (least first) but + statistics are sorted in descending order (largest counts first).</P +><P +> As with the IP traffic monitor, sorting is performed only with + this sequence. Automatic sorting is not performed so as not to + affect performance.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN1228" +></A +><P +><IMG +SRC="iptraf-tcpudpsort.png"></P +><P +><B +>Figure 3. The TCP/UDP monitor's sort criteria</B +></P +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1231" +>Additional Information</A +></H2 +><P +>IPTraf's filters affect the output of this facility. See Chapter 7, <A +HREF="filters.html" +>Filters</A +> for more information about filters.</P +><P +> + If you wish to start this facility from the command line, you can + use the <TT +CLASS="COMPUTEROUTPUT" +>-s</TT +> option followed by an interface to monitor. For example,</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>iptraf -s eth0</PRE +></TD +></TR +></TABLE +><P +> brings up this module for traffic on + <TT +CLASS="FILENAME" +>eth0</TT +>. 
The interface must be specified, or + IPTraf will drop back to the shell.</P +><P +> When started from the command line, the log filename and log interval can be + specified with the <TT +CLASS="COMPUTEROUTPUT" +>-L</TT +> and <TT +CLASS="COMPUTEROUTPUT" +>-I</TT +> + parameters respectively. See the <A +HREF="cmdline.html" +>Command-line Parameters</A +> + section above for more information.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="statbreakdowns.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="hostmon.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Statistical Breakdowns</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="statbreakdowns.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>LAN Station Statistics</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/startstop.html b/Documentation/startstop.html new file mode 100644 index 0000000..c956763 --- /dev/null +++ b/Documentation/startstop.html 
@@ -0,0 +1,313 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Starting and Stopping IPTraf</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Getting Started" +HREF="gettingstarted.html"><LINK +REL="PREVIOUS" +TITLE=" Upgrading from Earlier Versions" +HREF="upgrading.html"><LINK +REL="NEXT" +TITLE="Command-line Options" +HREF="cmdline.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="upgrading.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Getting Started</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="cmdline.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="STARTSTOP" +>Starting and Stopping IPTraf</A +></H1 +><P +> After installation, you can start the program by simply entering</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>iptraf</PRE +></TD +></TR +></TABLE +><P +> at the shell prompt. You will see a copyright notice, with + an instruction to press any key to get started. Just press any character + key, and you will be immediately taken to the main menu. All major + functions of the program are found there.</P +><P +> Entering the IPTraf command without any command-line parameters brings + up the program's main menu. 
From there, you can select the + facilities you want.</P +><P +> IPTraf determines and makes use of the maximum number + of lines and columns on the terminal.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> IPTraf does not have a SIGWINCH handler; it does not + adjust itself when an xterm or some other X terminal is resized.</P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Technical note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> + IPTraf needs to refer to the terminfo database +in <TT +CLASS="FILENAME" +>/usr/share/terminfo</TT +>. + If the supplied executable program fails with <TT +CLASS="COMPUTEROUTPUT" +>Error +opening + terminal</TT +>, your terminfo database may be located somewhere else. You can + control the terminfo search path +by using the <TT +CLASS="ENVAR" +>TERMINFO</TT +> environment + variable. 
For example, if you're using the <B +CLASS="COMMAND" +>sh</B +> +or <B +CLASS="COMMAND" +>bash</B +> shell, and + your terminfo database is in <TT +CLASS="FILENAME" +>/usr/lib/terminfo</TT +> + (typical for Slackware distributions), you can use the commands: </P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>TERMINFO=/usr/lib/terminfo +export TERMINFO</PRE +></TD +></TR +></TABLE +><P +> You can place these commands in your <TT +CLASS="FILENAME" +>~/.profile</TT +> or the + systemwide <TT +CLASS="FILENAME" +>/etc/profile</TT +> startup files.</P +><P +> You can also create a symbolic + link named <TT +CLASS="FILENAME" +>/usr/share/terminfo</TT +> to let + it point to your existing terminfo (assuming again your terminfo is in + <TT +CLASS="FILENAME" +>/usr/lib/terminfo</TT +>):</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>ln -s /usr/lib/terminfo /usr/share/terminfo</PRE +></TD +></TR +></TABLE +><P +> Or you can recompile your program to use your existing ncurses library + installation. If you do this, make sure you have ncurses 4.2 or later.</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="upgrading.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="cmdline.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Upgrading from Earlier Versions</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gettingstarted.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Command-line Options</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file 
diff --git a/Documentation/statbreakdowns.html b/Documentation/statbreakdowns.html
new file mode 100644
index 0000000..752fc3c
--- /dev/null
+++ b/Documentation/statbreakdowns.html
@@ -0,0 +1,236 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Statistical Breakdowns</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="PREVIOUS" +TITLE="Detailed Interface Statistics" +HREF="detstats.html"><LINK +REL="NEXT" +TITLE="TCP and UDP Traffic Statistics" +HREF="servmon.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="detstats.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="servmon.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="STATBREAKDOWNS" +>Statistical Breakdowns</A +></H1 +><P +> Statistical breakdowns contain two facilities that break + down traffic counts by either packet size or TCP/UDP port.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="PKTSIZE" +>Packet Sizes</A +></H1 +><P +> The packet size breakdown facility used to be incorporated + into the detailed interface statistics. It has since been moved + to its own facility. It is entered + by selecting <I +CLASS="EMPHASIS" +>Statistical Breakdowns/By packet size</I +>.</P +><P +> The packet size breakdown takes the interface's Maximum Transmission + Unit (MTU) size and divides it into 20 brackets, each bracket + containing a range of sizes. 
As a packet is captured, its size + is determined and the appropriate bracket is incremented.</P +><P +> This facility provides an idea as to the packet sizes passing over + your network, and can aid in network (re)design decisions.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN1187" +></A +><P +><IMG +SRC="iptraf-pktsize.png"></P +><P +><B +>Figure 1. The packet size statistical breakdown</B +></P +></DIV +><P +> If logging is enabled, copies of the statistics are written at regular + intervals to a log file. The default log file name + is + <TT +CLASS="FILENAME" +>packet_size-<TT +CLASS="REPLACEABLE" +><I +>iface</I +></TT +>.log</TT +> where + <TT +CLASS="REPLACEABLE" +><I +>iface</I +></TT +> + is the selected interface for this session (for example, + <TT +CLASS="FILENAME" +>packet_size-eth0.log</TT +>).</P +><P +>IPTraf's filters do not affect this facility.</P +><P +> The packet size breakdown can also be invoked straight + from the command line by specifying the <TT +CLASS="COMPUTEROUTPUT" +>-z</TT +> iface + parameter. The interface parameter is required. For example, + this command runs the facility on interface <TT +CLASS="FILENAME" +>eth0</TT +>.</P +><TABLE +BORDER="0" +BGCOLOR="#E0E0E0" +WIDTH="100%" +><TR +><TD +><PRE +CLASS="SYNOPSIS" +>iptraf -z eth0</PRE +></TD +></TR +></TABLE +><P +> When started from the command line, the log filename and log interval can be + specified with the <TT +CLASS="COMPUTEROUTPUT" +>-L</TT +> and <TT +CLASS="COMPUTEROUTPUT" +>-I</TT +> + parameters respectively. 
See the <A +HREF="cmdline.html" +>Command-line Parameters</A +> + section above for more information.</P +><P +> To exit, press X or Ctrl+X.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="detstats.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="servmon.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Detailed Interface Statistics</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>TCP and UDP Traffic Statistics</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/stylesheet-images/next.gif b/Documentation/stylesheet-images/next.gif new file mode 100644 index 0000000..8c502e7 Binary files /dev/null and b/Documentation/stylesheet-images/next.gif differ diff --git a/Documentation/stylesheet-images/note.gif b/Documentation/stylesheet-images/note.gif new file mode 100644 index 0000000..7322e8e Binary files /dev/null and b/Documentation/stylesheet-images/note.gif differ diff --git a/Documentation/stylesheet-images/prev.gif b/Documentation/stylesheet-images/prev.gif new file mode 100644 index 0000000..0894d9e Binary files /dev/null and b/Documentation/stylesheet-images/prev.gif differ diff --git a/Documentation/stylesheet-images/tip.gif b/Documentation/stylesheet-images/tip.gif new file mode 100644 index 0000000..f062955 Binary files /dev/null and b/Documentation/stylesheet-images/tip.gif differ diff --git a/Documentation/stylesheet-images/up.gif b/Documentation/stylesheet-images/up.gif new file mode 100644 index 0000000..e899a27 Binary files /dev/null and b/Documentation/stylesheet-images/up.gif differ 
diff --git a/Documentation/timers.html b/Documentation/timers.html
new file mode 100644
index 0000000..e4ff892
--- /dev/null
+++ b/Documentation/timers.html
@@ -0,0 +1,339 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Timers</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Configuring IPTraf" +HREF="config.html"><LINK +REL="PREVIOUS" +TITLE="Configuring IPTraf" +HREF="config.html"><LINK +REL="NEXT" +TITLE="Custom Information" +HREF="customports.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="config.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Configuring IPTraf</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="customports.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="TIMERS" +>Timers</A +></H1 +><P +> The <I +CLASS="EMPHASIS" +>Timers...</I +> submenu allows you to IPTraf's + interval and timeout functions.</P +><DIV +CLASS="FIGURE" +><A +NAME="AEN2027" +></A +><P +><IMG +SRC="iptraf-timermenu.png"></P +><P +><B +>Figure 2. The Timers configuration submenu</B +></P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2030" +>TCP Timeout</A +></H2 +><P +> This figure determines the amount of time (in minutes) a + connection entry may remain idle before it becomes + eligible for replacement by a new connection. The default is 15 minutes. + You may want to reduce this on an isolated (not connected + to the Internet) LAN or a LAN connected to the Internet with + high-speed links. Just enter the new value and press + Enter. 
You can press Ctrl+X to leave the current value unchanged.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2033" +>Log Interval</A +></H2 +><P +> This figure determines the number of minutes between logging + of interface statistics, TCP/UDP figures, and LAN host statistics. The + default is 60 minutes. This figure is meaningless if logging is disabled.</P +><P +> This configuration item can be overridden with the <TT +CLASS="COMPUTEROUTPUT" +>-I</TT +> when + a facility is directly invoked from the command line (not accessed via the main menu), and + remains effective for that particular session. The configured value is not affected.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2038" +>Screen Update Interval</A +></H2 +><P +> This value determines the rate in seconds at which the screen is + updated. The default is 0, which means the screen is updated as fast + as possible, giving close-to-realtime reflection + of network activity. However, this high-speed update can cause + incredible amounts of traffic if IPTraf is run on a remote + terminal (e.g. a Telnet or Secure Shell session). You can set this + to a higher value, such as 1 or 2 seconds to slow down the updates.</P +><P +> This figure does not affect the rate of data capture. Only the + screen refresh is affected. The figures are still updated as fast as + possible, although the figure display will no longer be as close + to realtime.</P +><P +> The default setting is 0, which shouldn't be a problem on the + console. Set it to a slightly higher value on remote terminals or slow + links. 
The setting affects all monitoring facilities.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> Updating the screen is one of the slowest operations in a + program. Older versions of IPTraf had a problem once network + activity became very high. Because each packet caused a screen update, + IPTraf began spending more time with the screen updates, causing a loss + of packets once network activity reached a certain point.</P +><P +> However, since many users like rapid counts on their screen, a + compromise was incorporated. Even when the screen update interval is set + to 0, there is still a 50ms delay between screen updates (except the LAN + station monitor, which has a 100 ms delay). This is still visually fast, + but provides more time to the packet capture routine. Higher + delays may result in better accuracy of counts and activity.</P +><P +> In any case, this setting only affects screen updates. Capture still + proceeds as fast as possible.</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2048" +>TCP closed/idle persistence</A +></H2 +><P +> This parameter + determines the interval (in minutes) at which the IP Traffic Monitor + clears from the TCP display window all closed, idle, and timed out + entries. 
Enter <TT +CLASS="COMPUTEROUTPUT" +>0</TT +> to keep such entries on the + screen indefinitely, disappearing only when replaced by new connections.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="./stylesheet-images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>Note</B +></TH +></TR +><TR +><TD +> </TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> The <I +CLASS="EMPHASIS" +>TCP timeout...</I +> option + only tells IPTraf how long it should take before a connection should + be considered idle and open to replacement by new connections. This does + not determine how long + it remains onscreen. The <I +CLASS="EMPHASIS" +>TCP closed/idle + persistence...</I +> + parameter flushes entries that have been closed or reset, or idle for the number + of minutes defined by the <I +CLASS="EMPHASIS" +>TCP timeout...</I +> option.</P +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="config.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="customports.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Configuring IPTraf</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="config.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Custom Information</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/updates.html b/Documentation/updates.html new file mode 100644 index 0000000..a62404b --- /dev/null +++ b/Documentation/updates.html 
@@ -0,0 +1,151 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Screen Update Delays</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Preparing to Use IPTraf" +HREF="preparingtouse.html"><LINK +REL="PREVIOUS" +TITLE="Instances and Logging" +HREF="instances.html"><LINK +REL="NEXT" +TITLE="Supported Network Interfaces" +HREF="ifaces.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="instances.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Preparing to Use IPTraf</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="ifaces.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="UPDATES" +>Screen Update Delays</A +></H1 +><P +> Older versions of IPTraf updated the screen as soon as a + packet was received. However, screen update is one + of the slowest operations the program performs. 
Since version 1.3, a + configuration option has been available to control screen update speed.</P +><P +> See the <I +CLASS="EMPHASIS" +>Screen update interval...</I +> configuration option under the + <A +HREF="config.html" +>Configuration</A +> chapter of this manual.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="instances.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="ifaces.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Instances and Logging</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="preparingtouse.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Supported Network Interfaces</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/upgrading.html b/Documentation/upgrading.html new file mode 100644 index 0000000..f8313c9 --- /dev/null +++ b/Documentation/upgrading.html 
@@ -0,0 +1,147 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +> Upgrading from Earlier Versions</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="Getting Started" +HREF="gettingstarted.html"><LINK +REL="PREVIOUS" +TITLE=" Installation" +HREF="installation.html"><LINK +REL="NEXT" +TITLE="Starting and Stopping IPTraf" +HREF="startstop.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="installation.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>Getting Started</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="startstop.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="UPGRADING" +>Upgrading from Earlier Versions</A +></H1 +><P +>IPTraf 3.0 is a major revision from IPTraf 2.7. The +filter subsystem has been completely redesigned and as such, is +incompatible with previous filter formats. Therefore old +IPTraf filters can no longer be used. The installation procedure for +IPTraf 3.0 will rename the filter list files but not delete them.</P +><P +>If you install a distribution package (e.g. 
RPM, +dpkg), old filters may still appear in the filter selection +list but the new IPTraf version will be unable to load them.</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="installation.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="startstop.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Installation</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="gettingstarted.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Starting and Stopping IPTraf</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/Documentation/version b/Documentation/version new file mode 100644 index 0000000..3eefcb9 --- /dev/null +++ b/Documentation/version @@ -0,0 +1 @@ +1.0.0 diff --git a/Documentation/version.awk b/Documentation/version.awk new file mode 100644 index 0000000..23fb7a3 --- /dev/null +++ b/Documentation/version.awk @@ -0,0 +1,2 @@ +{print $1 "." $2} + diff --git a/Documentation/x1077.html b/Documentation/x1077.html new file mode 100644 index 0000000..8327a77 --- /dev/null +++ b/Documentation/x1077.html 
@@ -0,0 +1,191 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML +><HEAD +><TITLE +>Additional Information</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.64 +"><LINK +REL="HOME" +TITLE="IPTraf User's Manual" +HREF="manual.html"><LINK +REL="UP" +TITLE="The IP Traffic Monitor" +HREF="itrafmon.html"><LINK +REL="PREVIOUS" +TITLE="Lower Window" +HREF="lowerwin.html"><LINK +REL="NEXT" +TITLE="Network Interface Statistics" +HREF="netstats.html"></HEAD +><BODY +CLASS="SECT1" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>IPTraf User's Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="lowerwin.html" +><<< Previous</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +>The IP Traffic Monitor</TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="netstats.html" +>Next >>></A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1077" +>Additional Information</A +></H1 +><P +> When started from the main menu and logging is enabled, the IP traffic + monitor prompts you for a log file name. The default name is +<TT +CLASS="FILENAME" +>ip_traffic-<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +>.log (where +<TT +CLASS="REPLACEABLE" +><I +>n</I +></TT +></TT +> is what + instance of the traffic monitor this is (1, 2, 3, and so on). (e.g. if + this is the first instance, the default file name will + be <TT +CLASS="FILENAME" +>ip_traffic-1.log</TT +>.)</P +><P +> When started with the <TT +CLASS="COMPUTEROUTPUT" +>-i</TT +> parameter, + the log filename can be specified with the <TT +CLASS="COMPUTEROUTPUT" +>-L</TT +> + parameter. 
See the <A +HREF="cmdline.html" +>Command-line Parameters</A +> + section above for more information.</P +><P +>On busy networks, the display may become cluttered with traffic you're not +interested in. To control the traffic monitor's output, you can apply a +<I +CLASS="EMPHASIS" +>filter</I +>. See Chapter 7, <A +HREF="filters.html" +>Filters</A +> for more information on IPTraf's filters.</P +><P +> At any time, you can press X or Q to return to the main menu (or back to + the shell if the monitor was started with <B +CLASS="COMMAND" +>iptraf -i</B +>).</P +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="lowerwin.html" +><<< Previous</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="manual.html" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="netstats.html" +>Next >>></A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Lower Window</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="itrafmon.html" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Network Interface Statistics</TD +></TR +></TABLE +></DIV +></BODY +></HTML +> \ No newline at end of file diff --git a/FAQ b/FAQ new file mode 100644 index 0000000..d2b61a7 --- /dev/null +++ b/FAQ 
@@ -0,0 +1,88 @@
+This is the beginning of a FAQ for IPTraf.
+---
+
+Q: Could you include support for <this-and-that> interface?
+
+A: Please read the README.interfaces file for what is needed for a new
+interface type to be supported.
+
+Q: I try to start IPTraf but it tells me that <facility> is already active
+in another process. But I'm sure IPTraf isn't running at the time!
+
+A: Probably due to a faulty installation or abnormal termination. If
+you're sure you've installed the software properly, you may have stale
+lock files from a previous abort. Just issue the iptraf command with the
+-f parameter (iptraf -f). This will override stale locks and IPTraf should
+proceed normally.
+
+Q: I want to configure IPTraf but it tells me only the first instance can
+configure.
+
+A: Similar to the previous question. Issue the iptraf command with the -f
+parameter.
+
+NOTE: Versions prior to 2.6.2 did not properly erase stale lock files
+when IPTraf aborted due to an insufficient screen size.
+
+Q: Is there a way to make IPTraf run in the background and collect
+statistics to a log file?
+
+A: Prior to 2.1.0, there was no elegant way of doing so. Version 2.1.0
+and later have the -B command-line parameter to force IPTraf to dump all
+its screen output into oblivion and move into the background. See the
+manual for details on background operation.
+
+Q: I get the error message "Unable to open raw socket".
+
+A: If you're using IPTraf 2.x, you must be running version 2.2.x of the
+Linux kernel. Furthermore, the "Packet Socket" driver must be installed.
+Most stock kernels include this driver already. Be sure to include it if
+you're compiling a custom kernel.
+
+Q: I'm getting a "cannot allocate memory" error but I've got loads of
+memory available.
+
+A: The "cannot allocate memory" error is a reponse to the "segmentation
+fault" condition (SIGSEGV). If you're sure it's not a memory condition on
+your machine, please report it to me, and if possible, include a gdb trace
+or strace output to help me debug.
+
+Q: Is there Web/HTTP/HTML/whatever version available?
+
+A: I've received several requests for this one. Perhaps in time, I've
+been caught up in some work and some personal stuff. Suggestions on
+implementation of such a feature are welcome. (Addition: I hope to get
+this incorporated into the next major release. Who knows? If I have the
+time, I might be able to WAP it in the near future :))
+
+Q: It would be great if the statistics could be sorted.
+
+A: As of version 2.3, sorting is now available with the IP traffic
+monitor, TCP/UDP statistical breakdown, and LAN station monitor. Sorting
+is invoked by pressing the S key and selecting a sort criterion.
+
+(Note: versions 2.5.0 and later sorts the entries with the Quicksort
+algorithm, which significantly cuts down the time to sort.)
+
+Q: I want to run IPTraf from a Secure Shell terminal but the output of the
+program causes a heavy load on the network. What should I do?
+
+A: The output of the program is returned over the network, which in turn
+tells IPTraf about the new traffic, which IPTraf then outputs, which is
+then sent over the network... in other words, it's a feedback effect. The
+solution to this is to set the screen update interval to 1 second or more.
+To do that, go to Configuration... then select Timers... then Screen
+update interval... and enter the interval value in seconds. One second
+should be fine.
+
+Q: Does IPTraf run on FreeBSD?
+
+A: I wish it did. IPTraf was designed from the ground up to use the Linux
+PF_PACKET mechanism, not libpcap. The main reasons for doing this are
+less overhead and more control over the captured packets. Since Linux
+kernel 2.2, the raw socket API featured more goodies, like the direction
+of the packets.
+
+I hope to be able to successfully port to FreeBSD, but I do not have the
+resources to do so now.
+
diff --git a/GEN-VERSION-FILE b/GEN-VERSION-FILE
new file mode 100755
index 0000000..a3e59fc
--- /dev/null
+++ b/GEN-VERSION-FILE
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+GVF=VERSION-FILE
+DEF_VER=1.1.4
+LF='
+'
+
+# First see if there is a version file (included in release tarballs),
+# then try git-describe, then default.
+if test -f version
+then
+ VN=$(cat version) || VN="$DEF_VER"
+elif test -d .git -o -f .git &&
+ VN=$(git describe --tags --match "[0-9]*" --abbrev=4 HEAD 2>/dev/null) &&
+ case "$VN" in
+ *$LF*) (exit 1) ;;
+ [0-9]*)
+ git update-index -q --refresh
+ test -z "$(git diff-index --name-only HEAD --)" || VN="$VN-dirty"
+ esac
+then
+ VN=$(echo "$VN" | sed -e 's/-/./g');
+else
+ VN="$DEF_VER"
+fi
+
+
+VN=$(expr "$VN" : v*'\(.*\)')
+
+if test -r $GVF
+then
+ VC=$(sed -e 's/^IPTRAF_VERSION = //' <$GVF)
+else
+ VC=unset
+fi
+test "$VN" = "$VC" || {
+ echo >&2 "IPTRAF_VERSION = $VN"
+ echo "IPTRAF_VERSION = $VN" >$GVF
+}
diff --git a/INSTALL b/INSTALL
new file mode 100644
index 0000000..a2c8722
--- /dev/null
+++ b/INSTALL
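Review bot: `VN=$(cat version) || VN="$DEF_VER"` only falls back when cat itself fails, so an empty `version` file leaves VN empty and the script writes `IPTRAF_VERSION = ` into VERSION-FILE, which the Makefile later `-include`s; `VN=$(cat version) && test -n "$VN" || VN="$DEF_VER"` closes that gap. On the git branch the describe output is checked only by the `*$LF*` guard and the first-character `[0-9]*` pattern before being written unquoted into a file that make parses, so any other characters a tag name carries would presumably be interpreted by make when IPTRAF_VERSION is expanded; this sits in the same trust domain as the repository itself, but an extra case arm such as `[0-9]*[!0-9.a-zA-Z-]*) (exit 1) ;;` placed before the `[0-9]*)` arm would reject surprises early. The shebang names bash while the Makefile hunk below invokes the script through `$(SHELL_PATH)`, which defaults to /bin/sh; the script uses only POSIX constructs, so `#!/bin/sh` would match how it is actually run.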
@@ -0,0 +1,181 @@ +Basic Installation +================== + + These are generic installation instructions. + + The `configure' shell script attempts to guess correct values for +various system-dependent variables used during compilation. It uses +those values to create a `Makefile' in each directory of the package. +It may also create one or more `.h' files containing system-dependent +definitions. Finally, it creates a shell script `config.status' that +you can run in the future to recreate the current configuration, a file +`config.cache' that saves the results of its tests to speed up +reconfiguring, and a file `config.log' containing compiler output +(useful mainly for debugging `configure'). + + If you need to do unusual things to compile the package, please try +to figure out how `configure' could check whether to do them, and mail +diffs or instructions to the address given in the `README' so they can +be considered for the next release. If at some point `config.cache' +contains results you don't want to keep, you may remove or edit it. + + The file `configure.in' is used to create `configure' by a program +called `autoconf'. You only need `configure.in' if you want to change +it or regenerate `configure' using a newer version of `autoconf'. + +The simplest way to compile this package is: + + 1. `cd' to the directory containing the package's source code and type + `./configure' to configure the package for your system. If you're + using `csh' on an old version of System V, you might need to type + `sh ./configure' instead to prevent `csh' from trying to execute + `configure' itself. + + Running `configure' takes awhile. While running, it prints some + messages telling which features it is checking for. + + 2. Type `make' to compile the package. + + 3. Optionally, type `make check' to run any self-tests that come with + the package. + + 4. Type `make install' to install the programs and any data files and + documentation. + + 5. 
You can remove the program binaries and object files from the + source code directory by typing `make clean'. To also remove the + files that `configure' created (so you can compile the package for + a different kind of computer), type `make distclean'. There is + also a `make maintainer-clean' target, but that is intended mainly + for the package's developers. If you use it, you may have to get + all sorts of other programs in order to regenerate files that came + with the distribution. + +Compilers and Options +===================== + + Some systems require unusual options for compilation or linking that +the `configure' script does not know about. You can give `configure' +initial values for variables by setting them in the environment. Using +a Bourne-compatible shell, you can do that on the command line like +this: + CC=c89 CFLAGS=-O2 LIBS=-lposix ./configure + +Or on systems that have the `env' program, you can do it like this: + env CPPFLAGS=-I/usr/local/include LDFLAGS=-s ./configure + +Compiling For Multiple Architectures +==================================== + + You can compile the package for more than one kind of computer at the +same time, by placing the object files for each architecture in their +own directory. To do this, you must use a version of `make' that +supports the `VPATH' variable, such as GNU `make'. `cd' to the +directory where you want the object files and executables to go and run +the `configure' script. `configure' automatically checks for the +source code in the directory that `configure' is in and in `..'. + + If you have to use a `make' that does not supports the `VPATH' +variable, you have to compile the package for one architecture at a time +in the source code directory. After you have installed the package for +one architecture, use `make distclean' before reconfiguring for another +architecture. 
+ +Installation Names +================== + + By default, `make install' will install the package's files in +`/usr/local/bin', `/usr/local/man', etc. You can specify an +installation prefix other than `/usr/local' by giving `configure' the +option `--prefix=PATH'. + + You can specify separate installation prefixes for +architecture-specific files and architecture-independent files. If you +give `configure' the option `--exec-prefix=PATH', the package will use +PATH as the prefix for installing programs and libraries. +Documentation and other data files will still use the regular prefix. + + In addition, if you use an unusual directory layout you can give +options like `--bindir=PATH' to specify different values for particular +kinds of files. Run `configure --help' for a list of the directories +you can set and what kinds of files go in them. + + If the package supports it, you can cause programs to be installed +with an extra prefix or suffix on their names by giving `configure' the +option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. + +Optional Features +================= + + Some packages pay attention to `--enable-FEATURE' options to +`configure', where FEATURE indicates an optional part of the package. +They may also pay attention to `--with-PACKAGE' options, where PACKAGE +is something like `gnu-as' or `x' (for the X Window System). The +`README' should mention any `--enable-' and `--with-' options that the +package recognizes. + + For packages that use the X Window System, `configure' can usually +find the X include and library files automatically, but if it doesn't, +you can use the `configure' options `--x-includes=DIR' and +`--x-libraries=DIR' to specify their locations. + +Specifying the System Type +========================== + + There may be some features `configure' can not figure out +automatically, but needs to determine by the type of host the package +will run on. 
Usually `configure' can figure that out, but if it prints +a message saying it can not guess the host type, give it the +`--host=TYPE' option. TYPE can either be a short name for the system +type, such as `sun4', or a canonical name with three fields: + CPU-COMPANY-SYSTEM + +See the file `config.sub' for the possible values of each field. If +`config.sub' isn't included in this package, then this package doesn't +need to know the host type. + + If you are building compiler tools for cross-compiling, you can also +use the `--target=TYPE' option to select the type of system they will +produce code for and the `--build=TYPE' option to select the type of +system on which you are compiling the package. + +Sharing Defaults +================ + + If you want to set default values for `configure' scripts to share, +you can create a site shell script called `config.site' that gives +default values for variables like `CC', `cache_file', and `prefix'. +`configure' looks for `PREFIX/share/config.site' if it exists, then +`PREFIX/etc/config.site' if it exists. Or, you can set the +`CONFIG_SITE' environment variable to the location of the site script. +A warning: not all `configure' scripts look for a site script. + +Operation Controls +================== + + `configure' recognizes the following options to control how it +operates. + +`--cache-file=FILE' + Use and save the results of the tests in FILE instead of + `./config.cache'. Set FILE to `/dev/null' to disable caching, for + debugging `configure'. + +`--help' + Print a summary of the options to `configure', and exit. + +`--quiet' +`--silent' +`-q' + Do not print messages saying which checks are being made. + +`--srcdir=DIR' + Look for the package's source code in directory DIR. Usually + `configure' can determine that directory automatically. + +`--version' + Print the version of Autoconf used to generate the `configure' + script, and exit. + +`configure' also accepts some other, not widely useful, options. + 
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..21fdd9c
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,341 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + +Copyright (C) 1989, 1991 Free Software Foundation, Inc. +51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + +Everyone is permitted to copy and distribute verbatim copies +of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) 19yy <name of author> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. 
+ + <signature of Ty Coon>, 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..46e5632 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,457 @@ +# The default target of this Makefile is this +all:: + +# Define V=1 to have a more verbose compile. +# +# Define NO_PANEL if you don't want to use -lpanel. +# +# Define NEEDS_NCURSES5 if you need linking with ncurses5. +# +# Define NEEDS_NCURSESW5 if you need linking with ncursesw5. +# +# Define NEEDS_NCURSES6 if you need linking with ncurses6. +# +# Define NEEDS_NCURSESW6 if you need linking with ncursesw6. + + +VERSION-FILE: FORCE + @$(SHELL_PATH) ./GEN-VERSION-FILE +-include VERSION-FILE + +CFLAGS = -g -O2 -Wall -W -std=gnu99 +LDFLAGS = +ALL_CFLAGS = $(CPPFLAGS) $(CFLAGS) +ALL_LDFLAGS = $(LDFLAGS) +STRIP ?= strip + +prefix = $(HOME) +sbindir_relative = sbin +sbindir = $(prefix)/$(sbindir_relative) +mandir = $(prefix)/share/man +sharedir = $(prefix)/share +localedir = $(sharedir)/locale +lib = lib +man8dir = $(mandir)/man8 + +# DESTDIR= +pathsep = : + +export prefix bindir sharedir sysconfdir gitwebdir localedir + +CC = cc +RM = rm -f +INSTALL = install +RPMBUILD = rpmbuild +TAR = tar + +### --- END CONFIGURATION SECTION --- + + +# Those must not be GNU-specific; they are shared with perl/ which may +# be built by a different compiler. (Note that this is an artifact now +# but it still might be nice to keep that distinction.) +BASIC_CFLAGS = -I. -Isrc/ +BASIC_LDFLAGS = + +# Guard against environment variables +iptraf-h := +iptraf-o := +rvnamed-o := +rvnamed-h := + + +ALL_PROGRAMS = + +# Empty... 
+EXTRA_PROGRAMS = + +ALL_PROGRAMS += iptraf-ng rvnamed-ng + +ifndef SHELL_PATH + SHELL_PATH = /bin/sh +endif + +iptraf-h += src/tui/input.h +iptraf-h += src/tui/labels.h +iptraf-h += src/tui/listbox.h +iptraf-h += src/tui/menurt.h +iptraf-h += src/tui/msgboxes.h +iptraf-h += src/tui/winops.h +iptraf-h += src/iptraf-ng-compat.h +iptraf-h += src/parse-options.h +iptraf-h += src/packet.h +iptraf-h += src/tcptable.h +iptraf-h += src/othptab.h +iptraf-h += src/ifstats.h +iptraf-h += src/deskman.h +iptraf-h += src/hostmon.h +iptraf-h += src/fltedit.h +iptraf-h += src/cidr.h +iptraf-h += src/fltselect.h +iptraf-h += src/ipfilter.h +iptraf-h += src/fltmgr.h +iptraf-h += src/ipfrag.h +iptraf-h += src/serv.h +iptraf-h += src/servname.h +iptraf-h += src/timer.h +iptraf-h += src/ifaces.h +iptraf-h += src/error.h +iptraf-h += src/revname.h +iptraf-h += src/log.h +iptraf-h += src/pktsize.h +iptraf-h += src/landesc.h +iptraf-h += src/dirs.h +iptraf-h += src/getpath.h +iptraf-h += src/options.h +iptraf-h += src/promisc.h +iptraf-h += src/parseproto.h +iptraf-h += src/addproto.h +iptraf-h += src/arphdr.h +iptraf-h += src/attrs.h +iptraf-h += src/fltdefs.h +iptraf-h += src/logvars.h +iptraf-h += src/list.h +iptraf-h += src/counters.h +iptraf-h += src/rate.h +iptraf-h += src/built-in.h +iptraf-h += src/sockaddr.h + +iptraf-o += src/tui/input.o +iptraf-o += src/tui/labels.o +iptraf-o += src/tui/listbox.o +iptraf-o += src/tui/menurt.o +iptraf-o += src/tui/msgboxes.o +iptraf-o += src/tui/winops.o +iptraf-o += src/error.o +iptraf-o += src/log.o +iptraf-o += src/getpath.o +iptraf-o += src/parseproto.o +iptraf-o += src/fltselect.o +iptraf-o += src/ipfilter.o +iptraf-o += src/fltmgr.o +iptraf-o += src/ipfrag.o +iptraf-o += src/serv.o +iptraf-o += src/servname.o +iptraf-o += src/timer.o +iptraf-o += src/revname.o +iptraf-o += src/pktsize.o +iptraf-o += src/landesc.o +iptraf-o += src/options.o +iptraf-o += src/promisc.o +iptraf-o += src/ifaces.o +iptraf-o += src/usage.o +iptraf-o += 
src/iptraf.o +iptraf-o += src/itrafmon.o +iptraf-o += src/wrapper.o +iptraf-o += src/parse-options.o +iptraf-o += src/packet.o +iptraf-o += src/tcptable.o +iptraf-o += src/othptab.o +iptraf-o += src/ifstats.o +iptraf-o += src/detstats.o +iptraf-o += src/deskman.o +iptraf-o += src/hostmon.o +iptraf-o += src/fltedit.o +iptraf-o += src/cidr.o +iptraf-o += src/counters.o +iptraf-o += src/rate.o +iptraf-o += src/capture-pkt.o +iptraf-o += src/sockaddr.o + +rvnamed-o += src/rvnamed.o +rvnamed-o += src/getpath.o +rvnamed-o += src/sockaddr.o +rvnamed-o += src/usage.o + +-include config.mak.autogen +-include config.mak + +ifndef sysconfdir +ifeq ($(prefix),/usr) +sysconfdir = /etc +else +sysconfdir = etc +endif +endif + +ifdef CHECK_HEADER_DEPENDENCIES +COMPUTE_HEADER_DEPENDENCIES = no +USE_COMPUTED_HEADER_DEPENDENCIES = +endif + +ifndef COMPUTE_HEADER_DEPENDENCIES +COMPUTE_HEADER_DEPENDENCIES = auto +endif + +ifeq ($(COMPUTE_HEADER_DEPENDENCIES),auto) +dep_check = $(shell $(CC) $(ALL_CFLAGS) \ + -c -MF /dev/null -MMD -MP -x c /dev/null -o /dev/null 2>&1; \ + echo $$?) 
+ifeq ($(dep_check),0) +override COMPUTE_HEADER_DEPENDENCIES = yes +else +override COMPUTE_HEADER_DEPENDENCIES = no +endif +endif + +ifeq ($(COMPUTE_HEADER_DEPENDENCIES),yes) +USE_COMPUTED_HEADER_DEPENDENCIES = YesPlease +else +ifneq ($(COMPUTE_HEADER_DEPENDENCIES),no) +$(error please set COMPUTE_HEADER_DEPENDENCIES to yes, no, or auto \ +(not "$(COMPUTE_HEADER_DEPENDENCIES)")) +endif +endif + +ifndef NCURSES_LDFLAGS +ifdef NEEDS_NCURSES5 + NCURSES_CFLAGS := $(shell ncurses5-config --cflags 2>/dev/null) + NCURSES_LDFLAGS := $(shell ncurses5-config --libs 2>/dev/null) + ifndef NO_PANEL + NCURSES_LDFLAGS += -lpanel + endif +endif +endif + +ifndef NCURSES_LDFLAGS +ifdef NEEDS_NCURSESW5 + NCURSES_CFLAGS := $(shell ncursesw5-config --cflags 2>/dev/null) + NCURSES_LDFLAGS := $(shell ncursesw5-config --libs 2>/dev/null) + ifndef NO_PANEL + NCURSES_LDFLAGS += -lpanel + endif +endif +endif + +ifndef NCURSES_LDFLAGS +ifdef NEEDS_NCURSES6 + NCURSES_CFLAGS := $(shell ncurses6-config --cflags 2>/dev/null) + NCURSES_LDFLAGS := $(shell ncurses6-config --libs 2>/dev/null) + ifndef NO_PANEL + NCURSES_LDFLAGS += -lpanel + endif +endif +endif + +ifndef NCURSES_LDFLAGS +ifdef NEEDS_NCURSESW6 + NCURSES_CFLAGS := $(shell ncursesw6-config --cflags 2>/dev/null) + NCURSES_LDFLAGS := $(shell ncursesw6-config --libs 2>/dev/null) + ifndef NO_PANEL + NCURSES_LDFLAGS += -lpanel + endif +endif +endif + +# try find ncuses by autodetect +ifndef NCURSES_LDFLAGS + ifneq ($(shell ncursesw6-config --libs 2>/dev/null),) + NCURSES_CFLAGS := $(shell ncursesw6-config --cflags 2>/dev/null) + NCURSES_LDFLAGS := $(shell ncursesw6-config --libs 2>/dev/null) + else ifneq ($(shell ncurses6-config --libs 2>/dev/null),) + NCURSES_CFLAGS := $(shell ncurses6-config --cflags 2>/dev/null) + NCURSES_LDFLAGS := $(shell ncurses6-config --libs 2>/dev/null) + else ifneq ($(shell ncursesw5-config --libs 2>/dev/null),) + NCURSES_CFLAGS := $(shell ncursesw5-config --cflags 2>/dev/null) + NCURSES_LDFLAGS := $(shell 
ncursesw5-config --libs 2>/dev/null) + else ifneq ($(shell ncurses5-config --libs 2>/dev/null),) + NCURSES_CFLAGS := $(shell ncurses5-config --cflags 2>/dev/null) + NCURSES_LDFLAGS := $(shell ncurses5-config --libs 2>/dev/null) + endif + + ifneq ($(NCURSES_LDFLAGS),) + ifndef NO_PANEL + NCURSES_LDFLAGS += -lpanel + endif + endif +endif + +QUIET_SUBDIR0 = +$(MAKE) -C # space to separate -C and subdir +QUIET_SUBDIR1 = + +ifneq ($(findstring $(MAKEFLAGS),w),w) +PRINT_DIR = --no-print-directory +else # "make -w" +NO_SUBDIR = : +endif + +ifneq ($(findstring $(MAKEFLAGS),s),s) +ifndef V + QUIET_CC = @echo ' ' CC $@; + QUIET_LINK = @echo ' ' LINK $@; + QUIET_GEN = @echo ' ' GEN $@; + QUIET_SUBDIR0 = +@subdir= + QUIET_SUBDIR1 = ;$(NO_SUBDIR) echo ' ' SUBDIR $$subdir; \ + $(MAKE) $(PRINT_DIR) -C $$subdir + export V + export QUIET_GEN + export QUIET_BUILT_IN +endif +endif + + +DESTDIR_SQ = $(subst ','\'',$(DESTDIR)) +sbindir_SQ = $(subst ','\'',$(sbindir)) + +ALL_CFLAGS += $(BASIC_CFLAGS) +ALL_LDFLAGS += $(BASIC_LDFLAGS) + +export TAR INSTALL DESTDIR SHELL_PATH + +### Build rules + +SHELL = $(SHELL_PATH) + +#all:: shell_compatibility_test +#please_set_SHELL_PATH_to_a_more_modern_shell: +# @$$(:) +#shell_compatibility_test: please_set_SHELL_PATH_to_a_more_modern_shell + + +all:: $(ALL_PROGRAMS) + +iptraf-ng: $(iptraf-o) + $(QUIET_LINK)$(CC) $(ALL_CFLAGS) -o $@ \ + $(iptraf-o) $(ALL_LDFLAGS) $(NCURSES_LDFLAGS) + +src/deskman.o src/iptraf.o: VERSION-FILE +src/deskman.o src/iptraf.o src/capture-pkt.o: EXTRA_CPPFLAGS = \ + -DIPTRAF_VERSION='"$(IPTRAF_VERSION)"' \ + -DIPTRAF_NAME='"iptraf-ng"' + +rvnamed-ng: $(rvnamed-o) + $(QUIET_LINK)$(CC) $(ALL_CFLAGS) -o $@ \ + $(rvnamed-o) $(ALL_LDFLAGS) + +configure: configure.ac + $(QUIET_GEN)$(RM) $@ $<+ && \ + sed -e 's/@@IPTRAF_VERSION@@/$(IPTRAF_VERSION)/g' \ + $< > $<+ && \ + autoconf -o $@ $<+ && \ + $(RM) $<+ + +OBJECTS := $(sort $(iptraf-o) $(rvnamed-o)) + +dep_files := $(foreach f,$(OBJECTS),$(dir $f).depend/$(notdir $f).d) 
+dep_dirs := $(addsuffix .depend,$(sort $(dir $(OBJECTS)))) + +ifeq ($(COMPUTE_HEADER_DEPENDENCIES),yes) +$(dep_dirs): + @mkdir -p $@ + +missing_dep_dirs := $(filter-out $(wildcard $(dep_dirs)),$(dep_dirs)) +dep_file = $(dir $@).depend/$(notdir $@).d +dep_args = -MF $(dep_file) -MMD -MP +ifdef CHECK_HEADER_DEPENDENCIES +$(error cannot compute header dependencies outside a normal build. \ +Please unset CHECK_HEADER_DEPENDENCIES and try again) +endif +endif + +.SUFFIXES: + +ifdef PRINT_HEADER_DEPENDENCIES +$(OBJECTS): %.o: %.c FORCE + echo $^ + +ifndef CHECK_HEADER_DEPENDENCIES +$(error cannot print header dependencies during a normal build. \ +Please set CHECK_HEADER_DEPENDENCIES and try again) +endif +endif + +ifndef PRINT_HEADER_DEPENDENCIES +ifdef CHECK_HEADER_DEPENDENCIES +$(OBJECTS): %.o: %.c $(dep_files) FORCE + @set -e; echo CHECK $@; \ + missing_deps="$(missing_deps)"; \ + if test "$$missing_deps"; \ + then \ + echo missing dependencies: $$missing_deps; \ + false; \ + fi +endif +endif + +ifndef CHECK_HEADER_DEPENDENCIES +$(OBJECTS): %.o: %.c $(missing_dep_dirs) + $(QUIET_CC)$(CC) -o $*.o -c $(dep_args) $(NCURSES_CFLAGS) $(ALL_CFLAGS) $(EXTRA_CPPFLAGS) $< +endif + +ifdef USE_COMPUTED_HEADER_DEPENDENCIES +# Take advantage of gcc's on-the-fly dependency generation +# See <http://gcc.gnu.org/gcc-3.0/features.html>. +dep_files_present := $(wildcard $(dep_files)) +ifneq ($(dep_files_present),) +include $(dep_files_present) +endif +else +# Dependencies on header files, for platforms that do not support +# the gcc -MMD option. +# +# Dependencies on automatically generated headers such as common-cmds.h +# should _not_ be included here, since they are necessary even when +# building an object for the first time. +# +# XXX. Please check occasionally that these include all dependencies +# gcc detects! 
+ +$(OBJECTS): $(iptraf-h) +endif + + +### Maintainer's dist rules + +iptraf-ng.spec: iptraf-ng.spec.in + sed -e 's/@@IPTRAF_VERSION@@/$(IPTRAF_VERSION)/g' < $< > $@+ + mv $@+ $@ + +IPTRAF_TARNAME = iptraf-ng-$(IPTRAF_VERSION) +dist: iptraf-ng.spec configure + @mkdir -p $(IPTRAF_TARNAME) + @cp iptraf-ng.spec configure $(IPTRAF_TARNAME) + @cp --parents `git ls-files` $(IPTRAF_TARNAME) + @echo $(IPTRAF_VERSION) > $(IPTRAF_TARNAME)/version + $(TAR) cf $(IPTRAF_TARNAME).tar $(IPTRAF_TARNAME) + @$(RM) -rf $(IPTRAF_TARNAME) + gzip -f -9 $(IPTRAF_TARNAME).tar + +rpm: dist + $(RPMBUILD) \ + --define "_source_filedigest_algorithm md5" \ + --define "_binary_filedigest_algorithm md5" \ + -ta $(IPTRAF_TARNAME).tar.gz + + +## TODO: use asciidoc to generate mans + +### Installation rules +install: all + @echo $(DESTDIR_SQ)$(man8dir) + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(sbindir_SQ)' + $(INSTALL) $(ALL_PROGRAMS) '$(DESTDIR_SQ)$(sbindir_SQ)' + $(INSTALL) -d -m 755 $(DESTDIR)$(man8dir) + $(INSTALL) -m 644 src/iptraf-ng.8 $(DESTDIR)$(man8dir) + $(INSTALL) -m 644 src/rvnamed-ng.8 $(DESTDIR)$(man8dir) + +### Cleaning rules + +distclean: clean + $(RM) configure + +clean: + $(RM) src/*.o src/tui/*.o + $(RM) $(ALL_PROGRAMS) + $(RM) -r autom4te.cache + $(RM) -r $(dep_dirs) + $(RM) *.spec + $(RM) $(IPTRAF_TARNAME).tar.gz + $(RM) config.log config.mak.autogen config.mak.append config.status config.cache + $(RM) VERSION-FILE + +.PHONY: gtags +gtags: + $(QUIET_GEN) gtags + +.PHONY: clean distclean all install FORCE + diff --git a/README b/README new file mode 100644 index 0000000..5d47d44 --- /dev/null +++ b/README 
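Review bot: The `rpm` target pins both package digests to MD5 (`--define "_source_filedigest_algorithm md5"` and `--define "_binary_filedigest_algorithm md5"`); these are the per-file digests rpm verifies at install time, and MD5 is collision-broken, so the two defines should be removed or set to `8` (SHA-256), which is rpmbuild's own default. Separately, the default `CFLAGS = -g -O2 -Wall -W -std=gnu99` and empty `LDFLAGS` carry no hardening, and since `-include config.mak.autogen` only overrides them when `configure` was run, a plain `make` of a tool that captures packets as root produces a binary without `-D_FORTIFY_SOURCE=2 -fstack-protector-strong` or PIE/RELRO; consider adding those (at minimum `-Wformat -Wformat-security`) to the defaults. Minor: the `install` rule quotes `'$(DESTDIR_SQ)$(sbindir_SQ)'` but passes `$(DESTDIR)$(man8dir)` unquoted on the three following lines, so a prefix with spaces works for one and not the other.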
@@ -0,0 +1,81 @@ +========================================================================== +IPTraf 3.0 README +-------------------------------------------------------------------------- +See the RELEASE-NOTES for important update information. +See the INSTALL file for installation instructions. +-------------------------------------------------------------------------- + +DESCRIPTION +----------- + +IPTraf is a console-based network monitoring program for Linux that +displays information about IP traffic. It returns such information as: + + Current TCP connections + UDP, ICMP, OSPF, and other types of IP packets + Packet and byte counts on TCP connections + IP, TCP, UDP, ICMP, non-IP, and other packet and byte counts + TCP/UDP counts by ports + Packet counts by packet sizes + Packet and byte counts by IP address + Interface activity + Flag statuses on TCP packets + LAN station statistics + +This program can be used to determine the type of traffic on your network, +and what kind of service is the most heavily used on what machines, among +others. + +IPTraf works on Ethernet, FDDI, ISDN, PLIP, loopback, and SLIP/PPP +interfaces. + +Updates and announcements are at the iptraf-ng@lists.fedorahosted.org, +see README.contact for more information. + +IMPORTANT CHANGES +----------------- + +Important changes are detailed in the RELEASE-NOTES file, please take some +time to read it. There are some changes in the log file names, and the +policies on multiple instances have been somewhat relaxed. + +DISTRIBUTION NOTICE +------------------- + +This is the general release of IPTraf. IPTraf has been incorporated into +the Debian GNU/Linux, Turbolinux and S.u.S.E. distributions, as well as +the Trinux security toolkit distribution and Red Hat Powertools. + +Linux distributions may have tailored the IPTraf package to suit their +purposes. Direct questions, comments or inquiries about a +distribution-specific package to its maintainer. 
+ +SYSTEM REQUIREMENTS +------------------- + +IPTraf 2 and later requires at least Linux kernel 2.2. It uses the new +PF_PACKET socket family as its capture mechanism. This feature is new to +the 2.2 kernel. Make sure you have the Packet Socket driver compiled in or +installed as a module, or IPTraf will fail (and so will others like it: +tcpdump, netwatch, etc). + +IPTraf also requires glibc 2.1 or later. + +COPYING AND DISTRIBUTION +------------------------ + +This software is OSI Certified Open Source Software +OSI Certified is a certification mark of the Open Source Initiative. + +Redistribution and modification of this software is permitted under the +terms of the GNU General Public License. See the included LICENSE file +for details. + +FOR FURTHER INFORMATION +----------------------- + +Full information is in the manual in the Documentation directory. See +also the CHANGES file for a record of fixes and new features. Updates and +announcements are in the IPTraf Web page indicated above. Other README +files contain some other bits of information. The RELEASE-NOTES file +contains important release-specific information. diff --git a/README.contact b/README.contact new file mode 100644 index 0000000..f371aff --- /dev/null +++ b/README.contact 
@@ -0,0 +1,29 @@ +============================================================================ +CONTACT INFORMATION +---------------------------------------------------------------------------- + +================== +Individual Contact +~~~~~~~~~~~~~~~~~~ + IPTraf was written and primarily maintained by Gerard Paul Java +(riker@seul.org). Fork was made by Nikola Pajkovsky(npajkovs@redhat.com). + +=============== +Web information +~~~~~~~~~~~~~~~ +The official IPTraf sites are http://cebu.mozcom.com/riker/iptraf and +http://iptraf.seul.org. IPTraf-ng sites is https://fedorahosted.org/iptraf-ng/ + +============ +Mailing list +~~~~~~~~~~~~ +One mailing list is available: iptraf-ng@lists.fedorahosted.org + +Please register yourself here: +https://fedorahosted.org/mailman/listinfo/iptraf-ng + +=== +IRC and Jabber +~~~ +I'm reachable on irc channel iptraf-ng@irc.freenode.net or jabber nikis@isgeek.info + diff --git a/README.indent b/README.indent new file mode 100644 index 0000000..44272eb --- /dev/null +++ b/README.indent @@ -0,0 +1,19 @@ +Sources are indented using the GNU indent program with the following +arguments: + +--k-and-r-style +--indent-level8 +--blank-lines-after-declarations +--blank-lines-after-procedures +--braces-on-if-line +--cuddle-else +--space-special-semicolon +--no-space-after-function-call-names +--no-blank-before-sizeof +--no-space-after-parentheses +--continue-at-parentheses +--line-length80 +--comment-line-length80 +--honour-newlines +--case-indentation0 +--break-before-boolean-operator diff --git a/README.interfaces b/README.interfaces new file mode 100644 index 0000000..39b8a78 --- /dev/null +++ b/README.interfaces 
@@ -0,0 +1,64 @@ +============================================================================ +Supported Interface Information +as of version 2.8, July 2002 +---------------------------------------------------------------------------- + +IPTraf has been slowly improving with its interface support since its +first release. IPTraf currently supports the following types of links: + +Local loopback +Ethernet (10 and 100 Mbps) +SLIP and variants +Asynchronous PPP over analog telephone lines +Synchronous PPP over digital ISDN lines +ISDN using raw IP encapsulation +ISDN using Cisco-HDLC encapsulation +FDDI (now includes Ethernet-emulating interfces) +Frame Relay FRAD/DLCI interfaces (new as of IPTraf 2.5.0) +PLIP (Parallel Line IP) +Token Ring +DVB satellite-receive interfaces +SBNI long-range modem interfaces +Wireless LAN interfaces +Free s/WAN logical interfaces +IPsec logical interfaces +Some tunnelling interfaces +Some bridging interfaces + +ADDITIONAL INTERFACE SUPPORT + +As much as I would like to support every concievable interface in +existence, we know that's just not possible. I myself do not have a lot +of interface types. However, that does not mean I'm unwilling to support +more. + +So here's the deal. If you'd like me to include support for a new type of +interface I will need this information as much as possible: + +* Resulting link type in spkt_family after a recvfrom() on a (PF_PACKET, + SOCK_RAW) socket (ARPHRD_ETHER, ARPHRD_PPP, etc). +* Standard interface name for the type of network medium (eth0, eth1, + ppp0, etc) after the recvfrom() mentioned above. +* Packet structure. How many bytes are there in its data-link header + (with Ethernet, there are 14, with FDDI, 21) as returned by recvfrom on + a (PF_PACKET, SOCK_RAW) socket? +* Pointers to other sources of information if possible. 
This is necessary + for cases like ISDN, which claim to be ARPHRD_ETHER, but have completely + different frame structures, so I needed the appropriate ioctl() + information. Token Ring packets may have a RIF structure or not. These + factors need to be taken into consideration. + +Then finally, if you come up with a request for support for a new +interface, I'd really like an offer to have it tested, obviously, since I +do not have the interface myself (for example, my country is primarily +leased-line territory, and ISDN is only starting, and it isn't even in my +city yet). If I do not receive an offer to test, then support cannot be +included. + +Patches, even quick-and-dirty ones, are very much welcome. + +All information and patches will be fully credited in the CHANGES file. + +Looking forward to serving you. + +-- Gerard <riker@seul.org> diff --git a/README.platforms b/README.platforms new file mode 100644 index 0000000..bdaaa3e --- /dev/null +++ b/README.platforms @@ -0,0 +1,20 @@ +============================================================================ +IPTraf Development Platform Information +---------------------------------------------------------------------------- + +As of IPTraf 2.8.0, development is primarily done on an Intel 1.6-GHz +Pentium 4 development workstation, as well as a lower-end 400 MHz Pentium +II. I have to make it clear that my development platform is Linux for the +x86 family of processors *only*. I cannot always debug or troubleshoot +quirks specific to non-x86 machines, as much as I would like to. +However, I know I have to be accommodating so if you do give me a bug +report, I will try my best to fix it, but I need: + + 1. All the information needed describing the bug + 2. To the best extent possible, gdb or strace outputs. + 3. An offer to test the fixes. + +Without these, especially #3, I cannot exert effort on the quirk. I'm +sorry, but it's just impossible without the necessary machines. + + 
diff --git a/README.rvnamed b/README.rvnamed new file mode 100644 index 0000000..129a246 --- /dev/null +++ b/README.rvnamed 
@@ -0,0 +1,64 @@ +============================================================================ +README DOCUMENT FOR RVNAMED +---------------------------------------------------------------------------- + +DESCRIPTION +----------- + +rvnamed is a supplementary program distributed with IPTraf 1.1 and +later. This is a reverse name resolution daemon used by IPTraf to +resolve IP addresses to host names in the background, keeping IPTraf from +waiting until the lookup is completed. + +Starting with version 1.1.0, if Reverse Lookup is enabled in the Options +menu, the IP Traffic Monitor will attempt to start rvnamed. If for some +reason rvnamed is already running, IPTraf will use it immediately. +Otherwise, it will attempt to start rvnamed. As of IPTraf 1.2.0, the +rvnamed is placed together with the main IPTraf executable in /usr/local/bin. + +When the traffic monitor is done, IPTraf tells rvnamed to quit. + + +PROTOCOL +-------- + +rvnamed and IPTraf communicate with each other with the BSD UNIX domain +socket IPC facility. They use datagram sockets. + +rvnamed recognizes only 4 types of messages: + +RVN_HELLO the Hello packet. This simply causes rvnamed to throw it + back to IPTraf, telling it rvnamed is active. + +RVN_REQUEST a reverse lookup request. This message includes an IP address + to resolve. When rvnamed receives this request, it + checks its internal cache to see if this IP address is + already resolved or being resolved. If it isn't in the cache + yet, rvnamed forks off a copy which resolves in the background, + while it returns the IP address in the meantime. Subsequent + requests will get the IP address until such time that the + child has completed the resolution, at which time, a request + will get the host name in reply. + +RVN_REPLY rvnamed marks reply packets with this tag. 
Reply packets + contain the resolved host name or the ASCII representation + of the IP address, and an indicator of the state of the + resolution for this address (NOTRESOLVED, RESOLVING, or + RESOLVED). + +RVN_QUIT Tells rvnamed to terminate. + +The datagram structure and #define's are found in the rvnamed.h header file. + +Important rvnamed messages are written to /var/log/iptraf/rvnamed.log. + +IPTraf 2.5.0 and 2.6.0 refined rvnamed's operation by including timeouts +for child processes (5 minutes) and better management of the internal +IP address/FQDN cache. See the CHANGES file. + +To reduce overhead, IPTraf will query rvnamed only once per invocation of +the IP traffic monitor. + +rvnamed should work properly with a correct installation. Report any +problems to me at riker@seul.org. + diff --git a/RELEASE-NOTES b/RELEASE-NOTES new file mode 100644 index 0000000..d9a0f5e --- /dev/null +++ b/RELEASE-NOTES 
@@ -0,0 +1,108 @@ +=============================================================================== +RELEASE NOTES FOR IPTRAF 3.0.0 +------------------------------------------------------------------------------- +This file contains important release information for IPTraf 3.0.0. Please +read it in full before running this new version for the first time. +------------------------------------------------------------------------------- + +CONTENTS OF THIS DOCUMENT +------------------------- + + UPGRADING TO IPTRAF 3.0. + NEW FILTER BEHAVIOR + BUG FIXES + ADDITIONAL NETWORK INTERFACE SUPPORT + DOCUMENTATION FORMAT CHANGES + FILE FORMATS + CODE CHANGES + +UPGRADING TO IPTRAF 3.0 +----------------------- + +IPTraf 3.0 is a major release. The most significant change is a completely +redesigned IP filtering system. Starting with IPTraf 3.0, all IP +traffic can be filtered with a unified set of filter rules, unlike previous +versions wherein separate filters had to be defined for TCP, UDP, and all +other IP traffic. The new filter design uses a single filter for IP +traffic, which allows the user to specify, in addition to the addresses and +ports, the IP protocols (TCP, UDP, ICMP, etc) to match. + +Because of the radical change in filter design, previous IPTraf filters will +no longer work with IPTraf 3.0. Therefore the installation scripts will +simply move the old filter lists to new files, and IP filters will have to be +redefined. + +NEW FILTER BEHAVIOR +------------------- + +A. UNIFIED IP FILTERS + +IP traffic is now filtered with a single defined filter for all IP-type +protocols (TCP, UDP, etc) unlike previous versions which used three separate +filters for TCP, UDP, and all other IP traffic. This makes it easier to +define filters for for all IP traffic to or from a certain host or network +without having to define three distinct filters. + +This redesign breaks compatibility with previous versions of IPTraf. + +A. 
REVERSE MATCHING + +Until IPTraf 3.0, TCP and UDP filters automatically matched in both +directions, for example, a filter defined to match +100.1.1.1/255.255.255.255 port 80 to 192.168.1.0/255.255.255.0 port 0 +matched all packets flowing from host 10.1.1.1, port 80 to any host on the +network 192.168.1.0, as well as packets coming from the network +192.168.1.0 to host 100.1.1.1 port 80. + +With IPTraf 3.0, this no longer is the case. Automatic reverse matching +is done only in the IP traffic monitor's TCP window (because of TCP's +full-duplex nature), but in all other places, automatic reverse matching +is no longer done unless you set the "Match opposite" field in the filter +definition dialog boxes to Y. + +The "Match opposite" fields in the filter dialog boxes allow you to match +packets flowing in the opposite direction without having to define another +filter. This is useful for such things as ICMP echo request/echo reply +packets (pings), UDP DNS queries, and other things that come in "pairs". +Or you can turn them off for more precise measurement of incoming and +outgoing data rates. + +However as earlier stated, the "Match opposite" field in TCP filters are +ignored in the IP traffic monitor's TCP window, because reverse matching +is always performed there. + +C. MISCELLANEOUS IP PROTOCOLS + +The filter rule definition dialog contains some fields that match common IP +protocols. However a longer field is provided for additional protocols +to match. You can enter here a comma-separated list of individual +protocol numbers or ranges (e.g. 49, 69, 88-100, 110). + +BUG FIXES +--------- + +IPTraf 3.0 fixes a minor bug where Token Ring interfaces' promiscuous +modes were not toggled by the Force Promiscuous configuration option. + +Window borders don't appear in color when IPTraf is compiled under Red Hat +Linux 7.3, possibly others. The window support library has been updated +to fix this problem. + +Minor user interface quirks have also been fixed. 
+ +ADDITIONAL NETWORK INTERFACE SUPPORT +------------------------------------ + +Support for tun and brg (tunnelling and bridging) interfaces has been +added to this version. + +PROTOCOL RECOGNITION +-------------------- + +For not-so-common IP protocols, IPTraf's IP traffic monitor looks up the +/etc/services file to determine the protocol names. More common protocols +(ICMP, UDP) are looked up internally. + +L2TP, IPSec Authentication, and IPSec Encrypted Payload packets have been +added to IPTraf's internal recognition. + diff --git a/config.mak.in b/config.mak.in new file mode 100644 index 0000000..593a757 --- /dev/null +++ b/config.mak.in @@ -0,0 +1,26 @@ +# git Makefile configuration, included in main Makefile +# @configure_input@ + +CC = @CC@ +CFLAGS = @CFLAGS@ +CPPFLAGS = @CPPFLAGS@ +LDFLAGS = @LDFLAGS@ +TAR = @TAR@ +#INSTALL = @INSTALL@ # needs install-sh or install.sh in sources + +prefix = @prefix@ +bindir = @bindir@ +sbindir = @sbindir@ +datarootdir = @datarootdir@ +sysconfdir = @sysconfdir@ + +mandir=@mandir@ + +srcdir = @srcdir@ +VPATH = @srcdir@ + +export mandir +export srcdir VPATH + +ASCIIDOC7=@ASCIIDOC7@ +NO_NCURSES=@NO_NCURSES@ diff --git a/configure.ac b/configure.ac new file mode 100644 index 0000000..accfc44 --- /dev/null +++ b/configure.ac 
@@ -0,0 +1,224 @@ +# -*- Autoconf -*- +# Process this file with autoconf to produce a configure script. + +AC_PREREQ(2.59) +AC_INIT([iptraf-ng], [@@IPTRAF_VERSION@@], [iptraf-ng@fedorahosted.org]) + +AC_CONFIG_SRCDIR([src/iptraf.c]) + +config_file=config.mak.autogen +config_append=config.mak.append +config_in=config.mak.in + +echo "# ${config_append}. Generated by configure." > "${config_append}" + + +## Definitions of macros +# CONF_APPEND_LINE(LINE) +# -------------------------- +# Append LINE to file ${config_append} +AC_DEFUN([CONF_APPEND_LINE], +[echo "$1" >> "${config_append}"])# CONF_APPEND_LINE +# +# ARG_SET_PATH(PROGRAM) +# ------------------------- +# Provide --with-PROGRAM=PATH option to set PATH to PROGRAM +# Optional second argument allows setting NO_PROGRAM=YesPlease if +# --without-PROGRAM version used. +AC_DEFUN([ARG_SET_PATH], +[AC_ARG_WITH([$1], + [AS_HELP_STRING([--with-$1=PATH], + [provide PATH to $1])], + [CONF_APPEND_PATH($1,$2)],[]) +])# ARG_SET_PATH +# +# CONF_APPEND_PATH(PROGRAM) +# ------------------------------ +# Parse --with-PROGRAM=PATH option to set PROGRAM_PATH=PATH +# Used by ARG_SET_PATH(PROGRAM) +# Optional second argument allows setting NO_PROGRAM=YesPlease if +# --without-PROGRAM is used. 
+AC_DEFUN([CONF_APPEND_PATH], +[PROGRAM=m4_toupper($1); \ +if test "$withval" = "no"; then \ + if test -n "$2"; then \ + m4_toupper($1)_PATH=$withval; \ + AC_MSG_NOTICE([Disabling use of ${PROGRAM}]); \ + CONF_APPEND_LINE(NO_${PROGRAM}=YesPlease); \ + CONF_APPEND_LINE(${PROGRAM}_PATH=); \ + else \ + AC_MSG_ERROR([You cannot use git without $1]); \ + fi; \ +else \ + if test "$withval" = "yes"; then \ + AC_MSG_WARN([You should provide path for --with-$1=PATH]); \ + else \ + m4_toupper($1)_PATH=$withval; \ + AC_MSG_NOTICE([Setting m4_toupper($1)_PATH to $withval]); \ + CONF_APPEND_LINE(${PROGRAM}_PATH=$withval); \ + fi; \ +fi; \ +]) # CONF_APPEND_PATH +# +# PARSE_WITH(PACKAGE) +# ----------------------- +# For use in AC_ARG_WITH action-if-found, for packages default ON. +# * Set NO_PACKAGE=YesPlease for --without-PACKAGE +# * Set PACKAGEDIR=PATH for --with-PACKAGE=PATH +# * Unset NO_PACKAGE for --with-PACKAGE without ARG +AC_DEFUN([PARSE_WITH], +[PACKAGE=m4_toupper($1); \ +if test "$withval" = "no"; then \ + m4_toupper(NO_$1)=YesPlease; \ +elif test "$withval" = "yes"; then \ + m4_toupper(NO_$1)=; \ +else \ + m4_toupper(NO_$1)=; \ + m4_toupper($1)DIR=$withval; \ + AC_MSG_NOTICE([Setting m4_toupper($1)DIR to $withval]); \ + CONF_APPEND_LINE(${PACKAGE}DIR=$withval); \ +fi \ +])# PARSE_WITH +# +# PARSE_WITH_SET_MAKE_VAR(WITHNAME, VAR, HELP_TEXT) +# --------------------- +# Set VAR to the value specied by --with-WITHNAME. +# No verification of arguments is performed, but warnings are issued +# if either 'yes' or 'no' is specified. +# HELP_TEXT is presented when --help is called. +# This is a direct way to allow setting variables in the Makefile. +AC_DEFUN([PARSE_WITH_SET_MAKE_VAR], +[AC_ARG_WITH([$1], + [AS_HELP_STRING([--with-$1=VALUE], $3)], + if test -n "$withval"; then \ + if test "$withval" = "yes" -o "$withval" = "no"; then \ + AC_MSG_WARN([You likely do not want either 'yes' or 'no' as] + [a value for $1 ($2). 
Maybe you do...?]); \ + fi; \ + \ + AC_MSG_NOTICE([Setting $2 to $withval]); \ + CONF_APPEND_LINE($2=$withval); \ + fi)])# PARSE_WITH_SET_MAKE_VAR + +dnl +dnl CHECK_FUNC(FUNCTION, IFTRUE, IFFALSE) +dnl ----------------------------------------- +dnl Similar to AC_CHECK_FUNC, but on systems that do not generate +dnl warnings for missing prototypes (e.g. FreeBSD when compiling without +dnl -Wall), it does not work. By looking for function definition in +dnl libraries, this problem can be worked around. +AC_DEFUN([CHECK_FUNC],[AC_CHECK_FUNC([$1],[ + AC_SEARCH_LIBS([$1],, + [$2],[$3]) +],[$3])]) + +dnl +dnl STASH_FLAGS(BASEPATH_VAR) +dnl ----------------------------- +dnl Allow for easy stashing of LDFLAGS and CPPFLAGS before running +dnl tests that may want to take user settings into account. +AC_DEFUN([STASH_FLAGS],[ +if test -n "$1"; then + old_CPPFLAGS="$CPPFLAGS" + old_LDFLAGS="$LDFLAGS" + CPPFLAGS="-I$1/include $CPPFLAGS" + LDFLAGS="-L$1/$lib $LDFLAGS" +fi +]) + +dnl +dnl UNSTASH_FLAGS(BASEPATH_VAR) +dnl ----------------------------- +dnl Restore the stashed *FLAGS values. +AC_DEFUN([UNSTASH_FLAGS],[ +if test -n "$1"; then + CPPFLAGS="$old_CPPFLAGS" + LDFLAGS="$old_LDFLAGS" +fi +]) + +## Site configuration related to programs (before tests) +## --with-PACKAGE[=ARG] and --without-PACKAGE +# +# Set lib to alternative name of lib directory (e.g. lib64) +AC_ARG_WITH([lib], + [AS_HELP_STRING([--with-lib=ARG], + [ARG specifies alternative name for lib directory])], + [if test "$withval" = "no" || test "$withval" = "yes"; then \ + AC_MSG_WARN([You should provide name for --with-lib=ARG]); \ +else \ + lib=$withval; \ + AC_MSG_NOTICE([Setting lib to '$lib']); \ + CONF_APPEND_LINE(lib=$withval); \ +fi; \ +],[]) + +if test -z "$lib"; then + AC_MSG_NOTICE([Setting lib to 'lib' (the default)]) + lib=lib +fi + +# +# Define NO_CURL if you do not have curl installed. git-http-pull and +# git-http-push are not built, and you cannot use http:// and https:// +# transports. 
+# +# Define CURLDIR=/foo/bar if your curl header and library files are in +# /foo/bar/include and /foo/bar/lib directories. +AC_ARG_WITH(ncurses, +AS_HELP_STRING([--with-ncurses],[support http(s):// transports (default is YES)]) +AS_HELP_STRING([], [ARG can be also prefix for curl library and headers]), +PARSE_WITH(ncurses)) + + +## Checks for programs. +AC_MSG_NOTICE([CHECKS for programs]) +# +AC_PROG_CC([cc gcc]) +AC_C_INLINE +case $ac_cv_c_inline in + inline | yes | no) ;; + *) AC_SUBST([INLINE], [$ac_cv_c_inline]) ;; +esac +#AC_PROG_INSTALL # needs install-sh or install.sh in sources +AC_CHECK_TOOLS(AR, [gar ar], :) +AC_CHECK_PROGS(TAR, [gtar tar]) + +AC_CHECK_PROGS(ASCIIDOC, [asciidoc]) +if test -n "$ASCIIDOC"; then + AC_MSG_CHECKING([for asciidoc version]) + asciidoc_version=`$ASCIIDOC --version 2>/dev/null` + case "${asciidoc_version}" in + asciidoc' '7*) + ASCIIDOC7=YesPlease + AC_MSG_RESULT([${asciidoc_version} > 7]) + ;; + asciidoc' '8*) + ASCIIDOC7= + AC_MSG_RESULT([${asciidoc_version}]) + ;; + *) + ASCIIDOC7= + AC_MSG_RESULT([${asciidoc_version} (unknown)]) + ;; + esac +fi +AC_SUBST(ASCIIDOC7) + +## Checks for libraries. +AC_MSG_NOTICE([CHECKS for libraries]) + +if test -z "$NO_NCURSES"; then +STASH_FLAGS($NCURSESSDIR) +AC_CHECK_LIB([ncurses], [initscr], +[NO_NCURSES=], +[NO_NCURSES=YesPlease]) +UNSTASH_FLAGS($NCURSESDIR) +AC_SUBST(NO_NCURSES) +fi + +CFLAGS="$CFLAGS -W -Wall -std=gnu99 -pedantic" + +## Output files +AC_CONFIG_FILES(["${config_file}":"${config_in}":"${config_append}"]) +AC_OUTPUT diff --git a/iptraf-ng-logrotate.conf b/iptraf-ng-logrotate.conf new file mode 100644 index 0000000..895ebe3 --- /dev/null +++ b/iptraf-ng-logrotate.conf @@ -0,0 +1,9 @@ +# Logrotate file for iptraf +/var/log/iptraf/*.log { + compress + delaycompress + missingok + notifempty + rotate 4 + create 0600 root root +} diff --git a/iptraf-ng.spec.in b/iptraf-ng.spec.in new file mode 100644 index 0000000..0c704f0 --- /dev/null +++ b/iptraf-ng.spec.in 
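Review bot: The ncurses probe stashes flags with `STASH_FLAGS($NCURSESSDIR)` (double S) but restores with `UNSTASH_FLAGS($NCURSESDIR)`, while `PARSE_WITH(ncurses)` sets `NCURSESDIR`; with `--with-ncurses=PATH` the stash therefore sees an empty argument and never adds `-I`/`-L` to the `AC_CHECK_LIB([ncurses], [initscr])` check, and the unstash, whose `test -n` now succeeds, assigns `CPPFLAGS="$old_CPPFLAGS"` and `LDFLAGS="$old_LDFLAGS"` from variables that were never set, wiping the user's flags. The fix is `STASH_FLAGS($NCURSESDIR)`. Also the `--with-ncurses` help strings (`support http(s):// transports`, `prefix for curl library and headers`), the comment block about `NO_CURL`/`CURLDIR`, and `AC_MSG_ERROR([You cannot use git without $1])` are copy-paste leftovers and should name ncurses and iptraf-ng.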
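Review bot: The rotation glob `/var/log/iptraf/*.log` does not match the log directory the spec file in this same commit creates and owns, `%{_localstatedir}/log/iptraf-ng`; which of the two the program actually writes to is not visible here, but one of them is wrong, and because `missingok` is set logrotate will silently rotate nothing instead of reporting it. Make the two agree, e.g. `/var/log/iptraf-ng/*.log {`, after checking the log path compiled into the binary. `create 0600 root root` is the right mode for traffic logs and should be kept.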
@@ -0,0 +1,70 @@ +Summary: A console-based network monitoring utility +Name: iptraf-ng +Version: @@IPTRAF_VERSION@@ +Release: 1%{?dist} +Source0: https://fedorahosted.org/releases/i/p/iptraf-ng/%{name}-%{version}.tar.gz +Source1: iptraf-ng-logrotate.conf +URL: https://fedorahosted.org/iptraf-ng/ +License: GPLv2+ +Group: Applications/System +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: ncurses-devel +Obsoletes: iptraf < 3.1 +Provides: iptraf = 3.1 + +%description +IPTraf-ng is a console-based network monitoring utility. IPTraf gathers +data like TCP connection packet and byte counts, interface statistics +and activity indicators, TCP/UDP traffic breakdowns, and LAN station +packet and byte counts. IPTraf-ng features include an IP traffic monitor +which shows TCP flag information, packet and byte counts, ICMP +details, OSPF packet types, and oversized IP packet warnings; +interface statistics showing IP, TCP, UDP, ICMP, non-IP and other IP +packet counts, IP checksum errors, interface activity and packet size +counts; a TCP and UDP service monitor showing counts of incoming and +outgoing packets for common TCP and UDP application ports, a LAN +statistics module that discovers active hosts and displays statistics +about their activity; TCP, UDP and other protocol display filters so +you can view just the traffic you want; logging; support for Ethernet, +FDDI, ISDN, SLIP, PPP, and loopback interfaces; and utilization of the +built-in raw socket interface of the Linux kernel, so it can be used +on a wide variety of supported network cards. 
+ +%prep +%setup -q + +%build +%configure +make %{?_smp_mflags} + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT + +# remove everything besides the html and pictures in Documentation +find Documentation -type f | grep -v '\.html$\|\.png$\|/stylesheet' | \ + xargs rm -f + +install -D -m 0644 -p %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/iptraf-ng + +install -d -m 0755 $RPM_BUILD_ROOT%{_localstatedir}/{lock,log,lib}/iptraf-ng + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root,-) +%doc CHANGES FAQ LICENSE README* RELEASE-NOTES +%doc Documentation +%{_sbindir}/iptraf-ng +%{_sbindir}/rvnamed-ng +%{_mandir}/man8/iptraf-ng.8* +%{_mandir}/man8/rvnamed-ng.8* +%{_localstatedir}/lock/iptraf-ng +%{_localstatedir}/log/iptraf-ng +%{_localstatedir}/lib/iptraf-ng +%config(noreplace) %{_sysconfdir}/logrotate.d/iptraf-ng + +%changelog +* Wed Jan 11 2011 Nikola Pajkovsky <npajkovs@redhat.com> - 1.1.0-1 +- Initialization build diff --git a/src/addproto.h b/src/addproto.h new file mode 100644 index 0000000..9f2cb22 --- /dev/null +++ b/src/addproto.h @@ -0,0 +1,28 @@ +#ifndef IPTRAF_NG_ADDPROTO_H +#define IPTRAF_NG_ADDPROTO_H + +#ifndef IPPROTO_IGP +#define IPPROTO_IGP 9 +#endif + +#ifndef IPPROTO_IGRP +#define IPPROTO_IGRP 88 +#endif + +#ifndef IPPROTO_OSPFIGP +#define IPPROTO_OSPFIGP 89 +#endif + +#ifndef IPPROTO_GRE +#define IPPROTO_GRE 47 +#endif + +#ifndef IPPROTO_IPSEC_AH +#define IPPROTO_IPSEC_AH 51 +#endif + +#ifndef IPPROTO_IPSEC_ESP +#define IPPROTO_IPSEC_ESP 50 +#endif + +#endif /* IPTRAF_NG_ADDPROTO_H */ diff --git a/src/arphdr.h b/src/arphdr.h new file mode 100644 index 0000000..762a5be --- /dev/null +++ b/src/arphdr.h 
@@ -0,0 +1,24 @@ +#ifndef IPTRAF_NG_ARPHDR_H +#define IPTRAF_NG_ARPHDR_H + +/* + * arp header format, stolen from the Linux include files. + */ + +struct arp_hdr { + unsigned short ar_hrd; /* format of hardware address */ + unsigned short ar_pro; /* format of protocol address */ + unsigned char ar_hln; /* length of hardware address */ + unsigned char ar_pln; /* length of protocol address */ + unsigned short ar_op; /* ARP opcode (command) */ + + /* + * Ethernet looks like this : This bit is variable sized however... + */ + unsigned char ar_sha[ETH_ALEN]; /* sender hardware address */ + unsigned char ar_sip[4]; /* sender IP address */ + unsigned char ar_tha[ETH_ALEN]; /* target hardware address */ + unsigned char ar_tip[4]; /* target IP address */ +}; + +#endif /* IPTRAF_NG_ARPHDR_H */ diff --git a/src/attrs.h b/src/attrs.h new file mode 100644 index 0000000..d963550 --- /dev/null +++ b/src/attrs.h @@ -0,0 +1,38 @@ +#ifndef IPTRAF_NG_ATTRS_H +#define IPTRAF_NG_ATTRS_H + +/* Attribute variables */ + +extern int STDATTR; +extern int HIGHATTR; +extern int BOXATTR; +extern int ACTIVEATTR; +extern int BARSTDATTR; +extern int BARHIGHATTR; +extern int BARPTRATTR; +extern int DLGTEXTATTR; +extern int DLGHIGHATTR; +extern int DLGBOXATTR; +extern int DESCATTR; +extern int STATUSBARATTR; +extern int IPSTATATTR; +extern int IPSTATLABELATTR; +extern int DESKTEXTATTR; +extern int PTRATTR; +extern int FIELDATTR; +extern int ERRBOXATTR; +extern int ERRTXTATTR; +extern int ERRRESPATTR; +extern int OSPFATTR; +extern int UDPATTR; +extern int IGPATTR; +extern int IGMPATTR; +extern int IGRPATTR; +extern int ARPATTR; +extern int GREATTR; +extern int UNKNIPATTR; +extern int UNKNATTR; +extern int IPV6ATTR; +extern int ICMPV6ATTR; + +#endif /* IPTRAF_NG_ATTRS_H */ diff --git a/src/built-in.h b/src/built-in.h new file mode 100644 index 0000000..659311d --- /dev/null +++ b/src/built-in.h 
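Review bot: `struct arp_hdr` uses `ETH_ALEN` but the header includes nothing, so it only compiles when the includer has already pulled in `<linux/if_ether.h>` (or `<net/ethernet.h>`); adding that include, or a comment stating the requirement, would make the header self-contained. The struct comment should also say that a caller overlaying it on a received frame must first check the frame holds at least `sizeof(struct arp_hdr)` bytes and that `ar_hln`/`ar_pln` equal `ETH_ALEN`/4, since the fixed-size tail is only valid for Ethernet/IPv4 ARP, as the existing "variable sized" remark hints.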
@@ -0,0 +1,9 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +#ifndef IPTRAF_NG_BUILT_IN_H +#define IPTRAF_NG_BUILT_IN_H + +int cmd_capture(int argc, char **argv); + +#endif diff --git a/src/capture-pkt.c b/src/capture-pkt.c new file mode 100644 index 0000000..6df4611 --- /dev/null +++ b/src/capture-pkt.c 
@@ -0,0 +1,76 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +#include "iptraf-ng-compat.h" + +#include "built-in.h" +#include "parse-options.h" +#include "ifaces.h" +#include "packet.h" + +static const char *const capture_usage[] = { + IPTRAF_NAME " capture [-c] <device>", + NULL +}; + +static int cap_nr_pkt = 1, help_opt; +static char *ofilename; + +static struct options capture_options[] = { + OPT__HELP(&help_opt), + OPT_GROUP(""), + OPT_INTEGER('c', "capture", &cap_nr_pkt, "capture <n> packets"), + OPT_STRING('o', "output", &ofilename, "file", "save captured packet into <file>"), + OPT_END() +}; + +int cmd_capture(int argc, char **argv) +{ + parse_opts(argc, argv, capture_options, capture_usage); + argv += optind; + if (help_opt || !*argv || argv[1]) + parse_usage_and_die(capture_usage, capture_options); + + char *dev = argv[0]; + + int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); + if (fd < 0) + die_errno("Unable to obtain monitoring socket"); + + if (dev_bind_ifname(fd, dev) < 0) + perror("Unable to bind device on the socket"); + + FILE *fp = NULL; + if (ofilename) { + fp = fopen(ofilename, "wb"); + if (!fp) + die_errno("fopen"); + } + + PACKET_INIT(p); + int captured = 0; + for (;;) { + if (packet_get(fd, &p, NULL, NULL) == -1) + die_errno("fail to get packet"); + + if (!p.pkt_len) + continue; + + printf("."); + fflush(stdout); + + if (fp) + fwrite(&p, sizeof(p), 1, fp); + + if (++captured == cap_nr_pkt) + break; + } + printf("\n"); + + close(fd); + + if (fp) + fclose(fp); + + return 0; +} diff --git a/src/cidr.c b/src/cidr.c new file mode 100644 index 0000000..05a10eb --- /dev/null +++ b/src/cidr.c 
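Review bot: A failed `dev_bind_ifname()` in `cmd_capture` is only reported with `perror` and the capture continues on the unbound PF_PACKET socket, i.e. on every interface instead of the `<device>` the user named; make it fatal like the socket failure, `die_errno("Unable to bind device on the socket");`. The stop condition `if (++captured == cap_nr_pkt)` never fires for `-c 0` or a negative count, so a `cap_nr_pkt > 0` check after `parse_opts` (or `>=` in the comparison) would bound the loop. The `fwrite` and `fclose` results are unchecked, so a short write to `ofilename` is silent, and if `struct pkt` carries pointer members as the `pkt.iphdr->` use in detstats.c suggests, `fwrite(&p, sizeof(p), 1, fp)` dumps raw pointer values rather than packet bytes; a comment marking the on-disk format as provisional would help until the capture format is settled.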
@@ -0,0 +1,104 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +#include "iptraf-ng-compat.h" + +// TODO: full rewrite + +/* + * Returns a binary subnet mask based on the number of mask bits. The + * dotted-decimal notation may be obtained with inet_ntoa. + */ +unsigned long cidr_get_mask(unsigned int maskbits) +{ + struct in_addr mask; + + if (maskbits == 0) + return 0; + + inet_aton("255.255.255.255", &mask); + mask.s_addr = htonl(mask.s_addr << (32 - maskbits)); + + return mask.s_addr; +} + +/* + * Returns a subnet mask in dotted-decimal notation given the number of + * 1-bits in the mask. + */ +char *cidr_get_quad_mask(unsigned int maskbits) +{ + struct in_addr addr; + + addr.s_addr = cidr_get_mask(maskbits); + return inet_ntoa(addr); +} + +/* + * Returns the number of 1-bits in the given binary subnet mask in + * network byte order. + */ +unsigned int cidr_get_maskbits(unsigned long mask) +{ + unsigned int i = 32; + + if (mask == 0) + return 0; + + mask = ntohl(mask); + while (mask % 2 == 0) { + mask >>= 1; + i--; + } + + return i; +} + +/* + * Splits a CIDR-style address/mask string into its constituent address and + * mask parts. In case of absent or invalid input in the mask part, 255 is + * returned in *maskbits (255 is invalid for an IPv4 address). + */ +void cidr_split_address(char *cidr_addr, char *addresspart, + unsigned int *maskbits) +{ + char maskpart[4]; + char *endptr; + char *slashptr; + + char address_buffer[80]; + + if (strchr(cidr_addr, '/') == NULL) { + strncpy(addresspart, cidr_addr, 80); + *maskbits = 255; + return; + } + + memset(address_buffer, 0, 80); + memset(addresspart, 0, 80); + memset(maskpart, 0, 4); + + strncpy(address_buffer, cidr_addr, 80); + slashptr = strchr(address_buffer, '/'); + + /* + * Cut out the mask part and move past the slash + */ + *slashptr = '\0'; + slashptr++; + + /* + * Copy out the address and mask parts into their buffers. 
+ */ + strncpy(addresspart, address_buffer, 80); + strncpy(maskpart, slashptr, 4); + + if (maskpart[0] != '\0') { + *maskbits = strtoul(maskpart, &endptr, 10); + if (*endptr != '\0') + *maskbits = 255; + } else + *maskbits = 255; + + return; +} diff --git a/src/cidr.h b/src/cidr.h new file mode 100644 index 0000000..73504bd --- /dev/null +++ b/src/cidr.h @@ -0,0 +1,10 @@ +#ifndef IPTRAF_NG_CIDR_H +#define IPTRAF_NG_CIDR_H + +unsigned long cidr_get_mask(unsigned int maskbits); +char *cidr_get_quad_mask(unsigned int maskbits); +unsigned int cidr_get_maskbits(unsigned long mask); +void cidr_split_address(char *cidr_addr, char *addresspart, + unsigned int *maskbits); + +#endif /* IPTRAF_NG_CIDR_H */ diff --git a/src/counters.c b/src/counters.c new file mode 100644 index 0000000..f3281ec --- /dev/null +++ b/src/counters.c @@ -0,0 +1,23 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +#include "counters.h" + +void update_pkt_counter(struct pkt_counter *count, int bytes) +{ + if (count) { + count->pc_packets++; + count->pc_bytes += bytes; + } +} + +void update_proto_counter(struct proto_counter *proto_counter, int outgoing, int bytes) +{ + if (proto_counter) { + update_pkt_counter(&proto_counter->proto_total, bytes); + if (outgoing) + update_pkt_counter(&proto_counter->proto_out, bytes); + else + update_pkt_counter(&proto_counter->proto_in, bytes); + } +} diff --git a/src/counters.h b/src/counters.h new file mode 100644 index 0000000..e1dfbab --- /dev/null +++ b/src/counters.h 
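Review bot: `cidr_split_address` copies with `strncpy` into fixed 80- and 4-byte buffers without guaranteeing termination: a `cidr_addr` of 80 or more characters leaves `address_buffer`/`addresspart` unterminated, and a mask part of 4 or more characters leaves `maskpart` unterminated so `strtoul` reads past it. The parsed `*maskbits` is also accepted unchecked above 32, and `cidr_get_mask` then shifts by `32 - maskbits`, a negative count, which is undefined behaviour (and the `maskbits == 0` guard there does not cover it). Replace the copies with `snprintf(addresspart, 80, "%s", cidr_addr);` (and likewise for `address_buffer` and `maskpart`), reject out-of-range masks with `if (*endptr != '\0' || *maskbits > 32) *maskbits = 255;`, and guard `cidr_get_mask` with `if (maskbits > 32) return 0;`. The function contract should state that `addresspart` must point to at least 80 bytes, since that size is assumed but not passed in.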
@@ -0,0 +1,19 @@ +#ifndef IPTRAF_NG_COUNTERS_H +#define IPTRAF_NG_COUNTERS_H + +struct pkt_counter { + unsigned long long pc_packets; + unsigned long long pc_bytes; +}; + +struct proto_counter { + struct pkt_counter proto_total; + struct pkt_counter proto_in; + struct pkt_counter proto_out; +}; + +void update_pkt_counter(struct pkt_counter *count, int bytes); +void update_proto_counter(struct proto_counter *proto_counter, int outgoing, + int bytes); + +#endif /* IPTRAF_NG_COUNTERS_H */ diff --git a/src/deskman.c b/src/deskman.c new file mode 100644 index 0000000..e180ea4 --- /dev/null +++ b/src/deskman.c 
@@ -0,0 +1,299 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +deskman.c - desktop management routines + +***/ + +#include "iptraf-ng-compat.h" + +#include "tui/labels.h" +#include "tui/msgboxes.h" +#include "tui/winops.h" + +#include "deskman.h" +#include "options.h" + +/* Attribute variables */ + +int STDATTR; +int HIGHATTR; +int BOXATTR; +int ACTIVEATTR; +int BARSTDATTR; +int BARHIGHATTR; +int BARPTRATTR; +int DLGTEXTATTR; +int DLGBOXATTR; +int DLGHIGHATTR; +int DESCATTR; +int STATUSBARATTR; +int IPSTATLABELATTR; +int IPSTATATTR; +int DESKTEXTATTR; +int PTRATTR; +int FIELDATTR; +int ERRBOXATTR; +int ERRTXTATTR; +int OSPFATTR; +int UDPATTR; +int IGPATTR; +int IGMPATTR; +int IGRPATTR; +int GREATTR; +int ARPATTR; +int UNKNIPATTR; +int UNKNATTR; +int IPV6ATTR; +int ICMPV6ATTR; + +/* draw the basic desktop common to my screen-oriented programs */ + +void draw_desktop(void) +{ + int row; /* counter for desktop construction */ + char sp_buf[10]; + + sprintf(sp_buf, "%%%dc", COLS); + scrollok(stdscr, 0); + attrset(STATUSBARATTR); + move(0, 0); + printw(sp_buf, ' '); /* these two print the top n' bottom */ + move(LINES - 1, 0); + printw(sp_buf, ' '); /* lines */ + + attrset(FIELDATTR); + + for (row = 1; row <= LINES - 2; row++) { /* draw the background */ + move(row, 0); + printw(sp_buf, ' '); + } + + refresh(); +} + +void about(void) +{ + WINDOW *win; + PANEL *panel; + int ch; + + win = newwin(18, 62, (LINES - 17) / 2, (COLS - 62) / 2); + + panel = new_panel(win); + + tx_stdwinset(win); + wtimeout(win, -1); + wattrset(win, BOXATTR); + tx_colorwin(win); + tx_box(win, ACS_VLINE, ACS_HLINE); + wattrset(win, STDATTR); + mvwprintw(win, 1, 2, IPTRAF_NAME); + mvwprintw(win, 2, 2, "An IP Network Statistics Utility"); + mvwprintw(win, 3, 2, "Version %s", IPTRAF_VERSION); + mvwprintw(win, 5, 2, "Written by Gerard Paul Java"); + mvwprintw(win, 6, 2, "Copyright (c) Gerard Paul Java 
1997-2004"); + mvwprintw(win, 8, 2, "This program is open-source software released"); + mvwprintw(win, 9, 2, "under the terms of the GNU General Public"); + mvwprintw(win, 10, 2, "Public License Version 2 or any later version."); + mvwprintw(win, 11, 2, "See the included LICENSE file for details."); + mvwprintw(win, 13, 2, + "IPv6 support by Markus Ullmann <mail@markus-ullmann.de>"); + mvwprintw(win, 14, 2, + "inspired by 2.7.0 diff by Guy Martin <gmsoft@tuxicoman.be>"); + + wattrset(win, HIGHATTR); + + mvwprintw(win, 16, 2, ANYKEY_MSG); + + update_panels(); + doupdate(); + + do { + ch = wgetch(win); + if (ch == 12) + tx_refresh_screen(); + } while (ch == 12); + + del_panel(panel); + delwin(win); + update_panels(); + doupdate(); +} + +void show_sort_statwin(WINDOW ** statwin, PANEL ** panel) +{ + *statwin = newwin(5, 30, (LINES - 5) / 2, (COLS - 30) / 2); + *panel = new_panel(*statwin); + + wattrset(*statwin, BOXATTR); + tx_colorwin(*statwin); + tx_box(*statwin, ACS_VLINE, ACS_HLINE); + + wattrset(*statwin, STDATTR); + mvwprintw(*statwin, 2, 2, "Sorting, please wait..."); +} + +void printipcerr(void) +{ + attrset(ERRTXTATTR); + mvprintw(0, 68, " IPC Error "); +} + +void stdkeyhelp(WINDOW * win) +{ + tx_printkeyhelp("Enter", "-accept ", win, DLGHIGHATTR, DLGTEXTATTR); + tx_printkeyhelp("Ctrl+X", "-cancel", win, DLGHIGHATTR, DLGTEXTATTR); +} + +void sortkeyhelp(void) +{ + tx_printkeyhelp("S", "-sort ", stdscr, HIGHATTR, STATUSBARATTR); +} + +void stdexitkeyhelp(void) +{ + tx_printkeyhelp("X", "-exit", stdscr, HIGHATTR, STATUSBARATTR); + tx_coloreol(); +} + +void scrollkeyhelp(void) +{ + tx_printkeyhelp("Up/Down/PgUp/PgDn", "-scroll window ", stdscr, + HIGHATTR, STDATTR); +} + +void tabkeyhelp(WINDOW * win) +{ + tx_printkeyhelp("Tab", "-next field ", win, DLGHIGHATTR, DLGTEXTATTR); +} + +void indicate(char *message) +{ + char sp_buf[10]; + + attrset(STATUSBARATTR); + sprintf(sp_buf, "%%%dc", COLS); + mvprintw(LINES - 1, 0, sp_buf, ' '); + mvprintw(LINES - 1, 1, 
message); + refresh(); +} + +void printlargenum(unsigned long long i, WINDOW * win) +{ + if (i < 100000000) /* less than 100 million */ + wprintw(win, "%9llu", i); + else if (i < 1000000000) /* less than 1 billion */ + wprintw(win, "%8lluk", i / 1000); + else if (i < 1000000000000ULL) /* less than 1 trillion */ + wprintw(win, "%8lluM", i / 1000000); + else if (i < 1000000000000000ULL) /* less than 1000 trillion */ + wprintw(win, "%8lluG", i / 1000000000ULL); + else + wprintw(win, "%8lluT", i / 1000000000000ULL); +} + +int screen_update_needed(const struct timeval *now, const struct timeval *last) +{ + unsigned long msecs = timeval_diff_msec(now, last); + if (options.updrate == 0) { + if (msecs >= DEFAULT_UPDATE_DELAY) + return 1; + else + return 0; + } else { + if (msecs >= (options.updrate * 1000UL)) + return 1; + else + return 0; + } +} + +void standardcolors(int color) +{ + if ((color) && (has_colors())) { + init_pair(1, COLOR_BLUE, COLOR_WHITE); + init_pair(2, COLOR_BLACK, COLOR_CYAN); + init_pair(3, COLOR_CYAN, COLOR_BLUE); + init_pair(4, COLOR_YELLOW, COLOR_RED); + init_pair(5, COLOR_WHITE, COLOR_RED); + init_pair(6, COLOR_BLUE, COLOR_CYAN); + init_pair(7, COLOR_BLUE, COLOR_WHITE); + init_pair(9, COLOR_RED, COLOR_WHITE); + init_pair(10, COLOR_GREEN, COLOR_BLUE); + init_pair(11, COLOR_CYAN, COLOR_BLACK); + init_pair(12, COLOR_RED, COLOR_CYAN); + init_pair(14, COLOR_YELLOW, COLOR_BLUE); + init_pair(15, COLOR_YELLOW, COLOR_BLACK); + init_pair(16, COLOR_WHITE, COLOR_CYAN); + init_pair(17, COLOR_YELLOW, COLOR_CYAN); + init_pair(18, COLOR_GREEN, COLOR_BLACK); + init_pair(19, COLOR_WHITE, COLOR_BLUE); + + STDATTR = COLOR_PAIR(14) | A_BOLD; + HIGHATTR = COLOR_PAIR(3) | A_BOLD; + BOXATTR = COLOR_PAIR(3); + ACTIVEATTR = COLOR_PAIR(10) | A_BOLD; + BARSTDATTR = COLOR_PAIR(15) | A_BOLD; + BARHIGHATTR = COLOR_PAIR(11) | A_BOLD; + BARPTRATTR = COLOR_PAIR(18) | A_BOLD; + DESCATTR = COLOR_PAIR(2); + DLGTEXTATTR = COLOR_PAIR(2); + DLGBOXATTR = COLOR_PAIR(6); + DLGHIGHATTR = 
COLOR_PAIR(12); + STATUSBARATTR = STDATTR; + IPSTATLABELATTR = COLOR_PAIR(2); + IPSTATATTR = COLOR_PAIR(12); + DESKTEXTATTR = COLOR_PAIR(7); + PTRATTR = COLOR_PAIR(10) | A_BOLD; + FIELDATTR = COLOR_PAIR(1); + ERRBOXATTR = COLOR_PAIR(5) | A_BOLD; + ERRTXTATTR = COLOR_PAIR(4) | A_BOLD; + OSPFATTR = COLOR_PAIR(2); + UDPATTR = COLOR_PAIR(9); + IGPATTR = COLOR_PAIR(12); + IGMPATTR = COLOR_PAIR(10) | A_BOLD; + IGRPATTR = COLOR_PAIR(16) | A_BOLD; + ARPATTR = COLOR_PAIR(5) | A_BOLD; + GREATTR = COLOR_PAIR(1); + UNKNIPATTR = COLOR_PAIR(19) | A_BOLD; + ICMPV6ATTR = COLOR_PAIR(19) | A_BOLD; + IPV6ATTR = COLOR_PAIR(19); + UNKNATTR = COLOR_PAIR(4) | A_BOLD; + } else { + STDATTR = A_REVERSE; + HIGHATTR = A_REVERSE; + BOXATTR = A_REVERSE; + ACTIVEATTR = A_BOLD; + BARSTDATTR = A_NORMAL; + BARHIGHATTR = A_BOLD; + BARPTRATTR = A_NORMAL; + DESCATTR = A_BOLD; + DLGBOXATTR = A_REVERSE; + DLGTEXTATTR = A_REVERSE; + DLGHIGHATTR = A_BOLD; + STATUSBARATTR = A_REVERSE; + IPSTATLABELATTR = A_REVERSE; + IPSTATATTR = A_STANDOUT; + DESKTEXTATTR = A_NORMAL; + PTRATTR = A_REVERSE; + FIELDATTR = A_BOLD; + ERRBOXATTR = A_BOLD; + ERRTXTATTR = A_NORMAL; + OSPFATTR = A_REVERSE; + UDPATTR = A_BOLD; + IGPATTR = A_REVERSE; + IGMPATTR = A_REVERSE; + IGRPATTR = A_REVERSE; + ARPATTR = A_BOLD; + GREATTR = A_BOLD; + UNKNIPATTR = A_BOLD; + ICMPV6ATTR = A_REVERSE; + UNKNATTR = A_BOLD; + } + + tx_init_error_attrs(ERRBOXATTR, ERRTXTATTR, ERRBOXATTR); + tx_init_info_attrs(BOXATTR, STDATTR, HIGHATTR); +} diff --git a/src/deskman.h b/src/deskman.h new file mode 100644 index 0000000..7536459 --- /dev/null +++ b/src/deskman.h 
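Review bot: `indicate()` passes its `message` argument as the format string, `mvprintw(LINES - 1, 1, message)`, so any `%` in a message (callers may build one from interface or file names) is interpreted as a conversion and reads garbage arguments; use `mvprintw(LINES - 1, 1, "%s", message);`. Both `draw_desktop` and `indicate` also build the fill format with `sprintf(sp_buf, "%%%dc", COLS)` into a 10-byte buffer; `snprintf(sp_buf, sizeof sp_buf, "%%%dc", COLS)` bounds it, and a one-line comment saying the format pads a whole screen row with spaces would explain the odd-looking `%%%dc`.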
@@ -0,0 +1,25 @@ +#ifndef IPTRAF_NG_DESKMAN_H +#define IPTRAF_NG_DESKMAN_H + +/* + deskman.h - header file for deskman.c + */ + +void draw_desktop(void); +void about(void); +void printipcerr(void); +void printkeyhelp(char *keytext, char *desc, WINDOW * win, int highattr, + int textattr); +void stdkeyhelp(WINDOW * win); +void sortkeyhelp(void); +void tabkeyhelp(WINDOW * win); +void scrollkeyhelp(void); +void stdexitkeyhelp(void); +void indicate(char *message); +void printlargenum(unsigned long long i, WINDOW * win); +int screen_update_needed(const struct timeval *now, const struct timeval *last); +void infobox(char *text, char *prompt); +void standardcolors(int color); +void show_sort_statwin(WINDOW **, PANEL **); + +#endif /* IPTRAF_NG_DESKMAN_H */ diff --git a/src/detstats.c b/src/detstats.c new file mode 100644 index 0000000..37c43bb --- /dev/null +++ b/src/detstats.c 
@@ -0,0 +1,601 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +detstats.c - the interface statistics module + + ***/ + +#include "iptraf-ng-compat.h" + +#include "tui/winops.h" + +#include "counters.h" +#include "ifaces.h" +#include "fltdefs.h" +#include "packet.h" +#include "options.h" +#include "log.h" +#include "dirs.h" +#include "deskman.h" +#include "attrs.h" +#include "serv.h" +#include "timer.h" +#include "logvars.h" +#include "promisc.h" +#include "error.h" +#include "detstats.h" +#include "rate.h" + +struct ifcounts { + struct proto_counter total; + struct pkt_counter bcast; + struct pkt_counter bad; + struct proto_counter ipv4; + struct proto_counter ipv6; + struct proto_counter nonip; + + struct proto_counter tcp; + struct proto_counter udp; + struct proto_counter icmp; + struct proto_counter other; +}; + +/* USR1 log-rotation signal handlers */ +static void rotate_dstat_log(int s __unused) +{ + rotate_flag = 1; + strcpy(target_logname, current_logfile); + signal(SIGUSR1, rotate_dstat_log); +} + +static void writedstatlog(char *ifname, + unsigned long peakactivity, unsigned long peakpps, + unsigned long peakactivity_in, unsigned long peakpps_in, + unsigned long peakactivity_out, unsigned long peakpps_out, + struct ifcounts *ts, unsigned long nsecs, FILE *fd) +{ + char atime[TIME_TARGET_MAX]; + + genatime(time(NULL), atime); + + fprintf(fd, + "\n*** Detailed statistics for interface %s, generated %s\n\n", + ifname, atime); + + fprintf(fd, "Total: \t%llu packets, %llu bytes\n", + ts->total.proto_total.pc_packets, + ts->total.proto_total.pc_bytes); + fprintf(fd, + "\t(incoming: %llu packets, %llu bytes; outgoing: %llu packets, %llu bytes)\n", + ts->total.proto_in.pc_packets, + ts->total.proto_in.pc_bytes, + ts->total.proto_out.pc_packets, + ts->total.proto_out.pc_bytes); + fprintf(fd, "IP: \t%llu packets, %llu bytes\n", + ts->ipv4.proto_total.pc_packets, + 
ts->ipv4.proto_total.pc_bytes); + fprintf(fd, + "\t(incoming: %llu packets, %llu bytes; outgoing: %llu packets, %llu bytes)\n", + ts->ipv4.proto_in.pc_packets, + ts->ipv4.proto_in.pc_bytes, + ts->ipv4.proto_out.pc_packets, + ts->ipv4.proto_out.pc_bytes); + fprintf(fd, "TCP: %llu packets, %llu bytes\n", + ts->tcp.proto_total.pc_packets, + ts->tcp.proto_total.pc_bytes); + fprintf(fd, + "\t(incoming: %llu packets, %llu bytes; outgoing: %llu packets, %llu bytes)\n", + ts->tcp.proto_in.pc_packets, + ts->tcp.proto_in.pc_bytes, + ts->tcp.proto_out.pc_packets, + ts->tcp.proto_out.pc_bytes); + fprintf(fd, "UDP: %llu packets, %llu bytes\n", + ts->udp.proto_total.pc_packets, + ts->udp.proto_total.pc_bytes); + fprintf(fd, + "\t(incoming: %llu packets, %llu bytes; outgoing: %llu packets, %llu bytes)\n", + ts->udp.proto_in.pc_packets, + ts->udp.proto_in.pc_bytes, + ts->udp.proto_out.pc_packets, + ts->udp.proto_out.pc_bytes); + fprintf(fd, "ICMP: %llu packets, %llu bytes\n", + ts->icmp.proto_total.pc_packets, + ts->icmp.proto_total.pc_bytes); + fprintf(fd, + "\t(incoming: %llu packets, %llu bytes; outgoing: %llu packets, %llu bytes)\n", + ts->icmp.proto_in.pc_packets, + ts->icmp.proto_in.pc_bytes, + ts->icmp.proto_out.pc_packets, + ts->icmp.proto_out.pc_bytes); + fprintf(fd, "Other IP: %llu packets, %llu bytes\n", + ts->other.proto_total.pc_packets, + ts->other.proto_total.pc_bytes); + fprintf(fd, + "\t(incoming: %llu packets, %llu bytes; outgoing: %llu packets, %llu bytes)\n", + ts->other.proto_in.pc_packets, + ts->other.proto_in.pc_bytes, + ts->other.proto_out.pc_packets, + ts->other.proto_out.pc_bytes); + fprintf(fd, "Non-IP: %llu packets, %llu bytes\n", + ts->nonip.proto_total.pc_packets, + ts->nonip.proto_total.pc_bytes); + fprintf(fd, + "\t(incoming: %llu packets, %llu bytes; outgoing: %llu packets, %llu bytes)\n", + ts->nonip.proto_in.pc_packets, + ts->nonip.proto_in.pc_bytes, + ts->nonip.proto_out.pc_packets, + ts->nonip.proto_out.pc_bytes); + fprintf(fd, "Broadcast: %llu 
packets, %llu bytes\n", + ts->bcast.pc_packets, + ts->bcast.pc_bytes); + + if (nsecs > 5) { + char bps_string[64]; + char pps_string[64]; + + fprintf(fd, "\nAverage rates:\n"); + + rate_print(ts->total.proto_total.pc_bytes / nsecs, bps_string, sizeof(bps_string)); + rate_print_pps(ts->total.proto_total.pc_packets / nsecs, pps_string, sizeof(pps_string)); + fprintf(fd, " Total:\t%s, %s\n", bps_string, pps_string); + rate_print(ts->total.proto_in.pc_bytes / nsecs, bps_string, sizeof(bps_string)); + rate_print_pps(ts->total.proto_in.pc_packets / nsecs, pps_string, sizeof(pps_string)); + fprintf(fd, " Incoming:\t%s, %s\n", bps_string, pps_string); + rate_print(ts->total.proto_out.pc_bytes / nsecs, bps_string, sizeof(bps_string)); + rate_print_pps(ts->total.proto_out.pc_packets / nsecs, pps_string, sizeof(pps_string)); + fprintf(fd, " Outgoing:\t%s, %s\n", bps_string, pps_string); + rate_print(peakactivity, bps_string, sizeof(bps_string)); + rate_print_pps(peakpps, pps_string, sizeof(pps_string)); + fprintf(fd, "\nPeak total activity: %s, %s\n", bps_string, pps_string); + rate_print(peakactivity_in, bps_string, sizeof(bps_string)); + rate_print_pps(peakpps_in, pps_string, sizeof(pps_string)); + fprintf(fd, "Peak incoming rate: %s, %s\n", bps_string, pps_string); + rate_print(peakactivity_out, bps_string, sizeof(bps_string)); + rate_print_pps(peakpps_out, pps_string, sizeof(pps_string)); + fprintf(fd, "Peak outgoing rate: %s, %s\n\n", bps_string, pps_string); + } + fprintf(fd, "IP checksum errors: %llu\n\n", ts->bad.pc_packets); + fprintf(fd, "Running time: %lu seconds\n", nsecs); + fflush(fd); +} + +static void printdetlabels(WINDOW * win) +{ + wattrset(win, BOXATTR); + mvwprintw(win, 2, 14, + " Total Total Incoming Incoming Outgoing Outgoing"); + mvwprintw(win, 3, 14, + "Packets Bytes Packets Bytes Packets Bytes"); + wattrset(win, STDATTR); + mvwprintw(win, 4, 2, "Total:"); + mvwprintw(win, 5, 2, "IPv4:"); + mvwprintw(win, 6, 2, "IPv6:"); + mvwprintw(win, 7, 2, 
"TCP:"); + mvwprintw(win, 8, 2, "UDP:"); + mvwprintw(win, 9, 2, "ICMP:"); + mvwprintw(win, 10, 2, "Other IP:"); + mvwprintw(win, 11, 2, "Non-IP:"); + mvwprintw(win, 14, 2, "Total rates:"); + mvwprintw(win, 17, 2, "Incoming rates:"); + mvwprintw(win, 20, 2, "Outgoing rates:"); + + mvwprintw(win, 14, 45, "Broadcast packets:"); + mvwprintw(win, 15, 45, "Broadcast bytes:"); + mvwprintw(win, 19, 45, "IP checksum errors:"); + + update_panels(); + doupdate(); +} + +static void printstatrow(WINDOW * win, int row, unsigned long long total, + unsigned long long btotal, unsigned long long total_in, + unsigned long long btotal_in, unsigned long long total_out, + unsigned long long btotal_out) +{ + wmove(win, row, 12); + printlargenum(total, win); + wmove(win, row, 23); + printlargenum(btotal, win); + wmove(win, row, 35); + printlargenum(total_in, win); + wmove(win, row, 46); + printlargenum(btotal_in, win); + wmove(win, row, 58); + printlargenum(total_out, win); + wmove(win, row, 69); + printlargenum(btotal_out, win); +} + +static void printstatrow_proto(WINDOW *win, int row, struct proto_counter *proto_counter) +{ + printstatrow(win, row, + proto_counter->proto_total.pc_packets, + proto_counter->proto_total.pc_bytes, + proto_counter->proto_in.pc_packets, + proto_counter->proto_in.pc_bytes, + proto_counter->proto_out.pc_packets, + proto_counter->proto_out.pc_bytes); +} + +static void printdetails(struct ifcounts *ifcounts, WINDOW * win) +{ + wattrset(win, HIGHATTR); + /* Print totals on the IP protocols */ + printstatrow_proto(win, 4, &ifcounts->total); + printstatrow_proto(win, 5, &ifcounts->ipv4); + printstatrow_proto(win, 6, &ifcounts->ipv6); + printstatrow_proto(win, 7, &ifcounts->tcp); + printstatrow_proto(win, 8, &ifcounts->udp); + printstatrow_proto(win, 9, &ifcounts->icmp); + printstatrow_proto(win, 10, &ifcounts->other); + + /* Print non-IP totals */ + + printstatrow_proto(win, 11, &ifcounts->nonip); + + /* Broadcast totals */ + wmove(win, 14, 67); + 
printlargenum(ifcounts->bcast.pc_packets, win); + wmove(win, 15, 67); + printlargenum(ifcounts->bcast.pc_bytes, win); + + /* Bad packet count */ + + mvwprintw(win, 19, 68, "%8lu", ifcounts->bad.pc_packets); +} + +/* + * The detailed interface statistics function + */ +void detstats(char *iface, time_t facilitytime) +{ + int logging = options.logging; + + WINDOW *statwin; + PANEL *statpanel; + + int pkt_result = 0; + + FILE *logfile = NULL; + + unsigned int iplen = 0; + + struct ifcounts ifcounts; + + int ch; + + struct timeval tv; + struct timeval start_tv; + struct timeval updtime; + time_t starttime; + time_t now; + time_t statbegin; + time_t startlog; + + struct proto_counter span; + + struct rate rate; + struct rate rate_in; + struct rate rate_out; + unsigned long peakactivity = 0; + unsigned long peakactivity_in = 0; + unsigned long peakactivity_out = 0; + + struct rate pps_rate; + struct rate pps_rate_in; + struct rate pps_rate_out; + unsigned long peakpps = 0; + unsigned long peakpps_in = 0; + unsigned long peakpps_out = 0; + + int fd; + + if (!dev_up(iface)) { + err_iface_down(); + return; + } + + LIST_HEAD(promisc); + if (options.promisc) { + promisc_init(&promisc, iface); + promisc_set_list(&promisc); + } + + move(LINES - 1, 1); + stdexitkeyhelp(); + statwin = newwin(LINES - 2, COLS, 1, 0); + statpanel = new_panel(statwin); + tx_stdwinset(statwin); + wtimeout(statwin, -1); + wattrset(statwin, BOXATTR); + tx_colorwin(statwin); + tx_box(statwin, ACS_VLINE, ACS_HLINE); + wmove(statwin, 0, 1); + wprintw(statwin, " Statistics for %s ", iface); + wattrset(statwin, STDATTR); + update_panels(); + doupdate(); + + memset(&ifcounts, 0, sizeof(struct ifcounts)); + + if (logging) { + if (strcmp(current_logfile, "") == 0) { + snprintf(current_logfile, 64, "%s-%s.log", DSTATLOG, + iface); + + if (!daemonized) + input_logfile(current_logfile, &logging); + } + } + + if (logging) { + opentlog(&logfile, current_logfile); + + if (logfile == NULL) + logging = 0; + } + if 
(logging) { + signal(SIGUSR1, rotate_dstat_log); + + rotate_flag = 0; + writelog(logging, logfile, + "******** Detailed interface statistics started ********"); + } + + printdetlabels(statwin); + printdetails(&ifcounts, statwin); + update_panels(); + doupdate(); + + memset(&span, 0, sizeof(span)); + rate_alloc(&rate, 5); + rate_alloc(&rate_in, 5); + rate_alloc(&rate_out, 5); + + rate_alloc(&pps_rate, 5); + rate_alloc(&pps_rate_in, 5); + rate_alloc(&pps_rate_out, 5); + + gettimeofday(&tv, NULL); + start_tv = tv; + updtime = tv; + starttime = startlog = statbegin = tv.tv_sec; + + leaveok(statwin, TRUE); + + fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); + if(fd == -1) { + write_error("Unable to obtain monitoring socket"); + goto err; + } + if(dev_bind_ifname(fd, iface) == -1) { + write_error("Unable to bind interface on the socket"); + goto err_close; + } + + exitloop = 0; + + PACKET_INIT(pkt); + + /* + * Data-gathering loop + */ + + while (!exitloop) { + gettimeofday(&tv, NULL); + now = tv.tv_sec; + + if ((now - starttime) >= 1) { + char buf[64]; + unsigned long activity, activity_in, activity_out; + unsigned long pps, pps_in, pps_out; + unsigned long msecs; + + wattrset(statwin, BOXATTR); + printelapsedtime(statbegin, now, LINES - 3, 1, statwin); + + msecs = timeval_diff_msec(&tv, &start_tv); + + rate_add_rate(&rate, span.proto_total.pc_bytes, msecs); + activity = rate_get_average(&rate); + rate_add_rate(&rate_in, span.proto_in.pc_bytes, msecs); + activity_in = rate_get_average(&rate_in); + rate_add_rate(&rate_out, span.proto_out.pc_bytes, msecs); + activity_out = rate_get_average(&rate_out); + + rate_add_rate(&pps_rate, span.proto_total.pc_packets, msecs); + pps = rate_get_average(&pps_rate); + rate_add_rate(&pps_rate_in, span.proto_in.pc_packets, msecs); + pps_in = rate_get_average(&pps_rate_in); + rate_add_rate(&pps_rate_out, span.proto_out.pc_packets, msecs); + pps_out = rate_get_average(&pps_rate_out); + + memset(&span, 0, sizeof(span)); + starttime = 
now; + start_tv = tv; + + wattrset(statwin, HIGHATTR); + rate_print(activity, buf, sizeof(buf)); + mvwprintw(statwin, 14, 19, "%s", buf); + rate_print_pps(pps, buf, sizeof(buf)); + mvwprintw(statwin, 15, 19, "%s", buf); + rate_print(activity_in, buf, sizeof(buf)); + mvwprintw(statwin, 17, 19, "%s", buf); + rate_print_pps(pps_in, buf, sizeof(buf)); + mvwprintw(statwin, 18, 19, "%s", buf); + rate_print(activity_out, buf, sizeof(buf)); + mvwprintw(statwin, 20, 19, "%s", buf); + rate_print_pps(pps_out, buf, sizeof(buf)); + mvwprintw(statwin, 21, 19, "%s", buf); + + if (activity > peakactivity) + peakactivity = activity; + + if (activity_in > peakactivity_in) + peakactivity_in = activity_in; + + if (activity_out > peakactivity_out) + peakactivity_out = activity_out; + + if (pps > peakpps) + peakpps = pps; + + if (pps_in > peakpps_in) + peakpps_in = pps_in; + + if (pps_out > peakpps_out) + peakpps_out = pps_out; + } + if (logging) { + check_rotate_flag(&logfile); + if ((now - startlog) >= options.logspan) { + writedstatlog(iface, + peakactivity, peakpps, + peakactivity_in, peakpps_in, + peakactivity_out, peakpps_out, + &ifcounts, time(NULL) - statbegin, + logfile); + + startlog = now; + } + } + + if (screen_update_needed(&tv, &updtime)) { + printdetails(&ifcounts, statwin); + update_panels(); + doupdate(); + + updtime = tv; + } + + if ((facilitytime != 0) + && (((now - statbegin) / 60) >= facilitytime)) + exitloop = 1; + + if (packet_get(fd, &pkt, &ch, statwin) == -1) { + write_error("Packet receive failed"); + exitloop = 1; + break; + } + + switch (ch) { + case ERR: + /* no key ready, do nothing */ + break; + case 12: + case 'l': + case 'L': + tx_refresh_screen(); + break; + + case 'Q': + case 'q': + case 'X': + case 'x': + case 24: + case 27: + exitloop = 1; + break; + } + if (pkt.pkt_len <= 0) + continue; + + int outgoing; + + pkt_result = + packet_process(&pkt, NULL, NULL, NULL, + MATCH_OPPOSITE_USECONFIG, + options.v6inv4asv6); + + if (pkt_result != PACKET_OK + && 
pkt_result != MORE_FRAGMENTS) + continue; + + outgoing = (pkt.pkt_pkttype == PACKET_OUTGOING); + update_proto_counter(&ifcounts.total, outgoing, pkt.pkt_len); + if (pkt.pkt_pkttype == PACKET_BROADCAST) { + update_pkt_counter(&ifcounts.bcast, pkt.pkt_len); + } + + update_proto_counter(&span, outgoing, pkt.pkt_len); + + /* account network layer protocol */ + switch(pkt.pkt_protocol) { + case ETH_P_IP: + if (pkt_result == CHECKSUM_ERROR) { + update_pkt_counter(&ifcounts.bad, pkt.pkt_len); + continue; + } + + iplen = ntohs(pkt.iphdr->tot_len); + + update_proto_counter(&ifcounts.ipv4, outgoing, iplen); + break; + case ETH_P_IPV6: + iplen = ntohs(pkt.ip6_hdr->ip6_plen) + 40; + + update_proto_counter(&ifcounts.ipv6, outgoing, iplen); + break; + default: + update_proto_counter(&ifcounts.nonip, outgoing, iplen); + continue; + } + + __u8 ip_protocol = pkt_ip_protocol(&pkt); + + /* account transport layer protocol */ + switch (ip_protocol) { + case IPPROTO_TCP: + update_proto_counter(&ifcounts.tcp, outgoing, iplen); + break; + case IPPROTO_UDP: + update_proto_counter(&ifcounts.udp, outgoing, iplen); + break; + case IPPROTO_ICMP: + case IPPROTO_ICMPV6: + update_proto_counter(&ifcounts.icmp, outgoing, iplen); + break; + default: + update_proto_counter(&ifcounts.other, outgoing, iplen); + break; + } + } + +err_close: + close(fd); + +err: + rate_destroy(&pps_rate_out); + rate_destroy(&pps_rate_in); + rate_destroy(&pps_rate); + + rate_destroy(&rate_out); + rate_destroy(&rate_in); + rate_destroy(&rate); + + if (options.promisc) { + promisc_restore_list(&promisc); + promisc_destroy(&promisc); + } + + if (logging) { + signal(SIGUSR1, SIG_DFL); + writedstatlog(iface, + peakactivity, peakpps, peakactivity_in, + peakpps_in, peakactivity_out, peakpps_out, + &ifcounts, time(NULL) - statbegin, + logfile); + writelog(logging, logfile, + "******** Detailed interface statistics stopped ********"); + fclose(logfile); + } + + del_panel(statpanel); + delwin(statwin); + strcpy(current_logfile, 
""); + pkt_cleanup(); + update_panels(); + doupdate(); +} diff --git a/src/detstats.h b/src/detstats.h new file mode 100644 index 0000000..95cbea8 --- /dev/null +++ b/src/detstats.h @@ -0,0 +1,6 @@ +#ifndef IPTRAF_NG_DETSTATS_H +#define IPTRAF_NG_DETSTATS_H + +void detstats(char *iface, time_t facilitytime); + +#endif /* IPTRAF_NG_DETSTATS_H */ diff --git a/src/dirs.h b/src/dirs.h new file mode 100644 index 0000000..6bb09af --- /dev/null +++ b/src/dirs.h 
@@ -0,0 +1,139 @@ +#ifndef IPTRAF_NG_DIRS_H +#define IPTRAF_NG_DIRS_H + +// TODO: full rewrite + +#include "getpath.h" + +/* + * IPTraf working file and directory definitions + */ + + +/*** + *** Directory definitions. The definitions in the Makefile now override + *** these directives. + ***/ + +/* + * The IPTraf working directory + */ + +#ifndef WORKDIR +#define WORKDIR "/var/lib/iptraf-ng" +#endif + +#ifndef LOGDIR +#define LOGDIR "/var/log/iptraf-ng" +#endif + +/* + * Lock directory. + * + * !!!!!!! WARNING !!!!!!!! + * DO NOT LET THIS REFER TO AN EXISTING/SYSTEM DIRECTORY!!!! THE LOCK + * OVERRIDE (iptraf -f) WILL ERASE ALL FILES HERE! + */ + +#ifndef LOCKDIR +#define LOCKDIR "/var/lock/iptraf-ng" +#endif + +/*** + *** Directory environment variables. Overrides built in definitions. + *** You may suit this to your preferences. + ***/ + +/* + * Environment variable for IPTraf working directory. Overrides builtin. + */ + +#define WORKDIR_ENV "IPTRAF_WORK_PATH" + +/* + * Environment variable for LOGDIR + */ + +#define LOGDIR_ENV "IPTRAF_LOG_PATH" + +/*** + *** Filename definitions. They depend on the directory definitions + *** above. + ***/ + +/* + * The IPTraf instance identification file. IPTraf is running if this + * file is present, and is deleted afterwards. As of this version, this + * file is used to restrict configuration to only the first instance. + */ + +#define IPTIDFILE get_path(T_LOCKDIR, "iptraf.tag") + +/* + * The IPTraf facility identification files. These are used to identify which + * facilities are running, allowing only one instance any of them to run + * on a network interface. 
+ */ + +#define IPMONIDFILE get_path(T_LOCKDIR, "iptraf-ipmon.tag") +#define GSTATIDFILE get_path(T_LOCKDIR, "iptraf-genstat.tag") +#define DSTATIDFILE get_path(T_LOCKDIR, "iptraf-detstat.tag") +#define TCPUDPIDFILE get_path(T_LOCKDIR, "iptraf-tcpudp.tag") +#define LANMONIDFILE get_path(T_LOCKDIR, "iptraf-lanmon.tag") +#define FLTIDFILE get_path(T_LOCKDIR, "iptraf-filters.tag") +#define OTHIPFLTIDFILE get_path(T_LOCKDIR, "iptraf-othipfltchg.tag") +#define PKTSIZEIDFILE get_path(T_LOCKDIR, "iptraf-packetsize.tag") +#define PROCCOUNTFILE get_path(T_LOCKDIR, "iptraf-processcount.dat") +#define ITRAFMONCOUNTFILE get_path(T_LOCKDIR, "iptraf-itrafmoncount.dat") +#define LANMONCOUNTFILE get_path(T_LOCKDIR, "iptraf-lanmoncount.dat") +#define PROMISCLISTFILE get_path(T_WORKDIR, "iptraf-promisclist.tmp") + +#define OTHIPFLNAME get_path(T_WORKDIR, "othipfilters.dat") + +/* + * The filter data file for other protocols + */ + +#define FLTSTATEFILE get_path(T_WORKDIR, "savedfilters.dat") + +/* + * The IPTraf configuration data file + */ + +#define CONFIGFILE get_path(T_WORKDIR, "iptraf.cfg") + +/* + * The IPTraf log files + */ + +#define IPMONLOG get_path(T_LOGDIR, "ip_traffic") +#define GSTATLOG get_path(T_LOGDIR, "iface_stats_general.log") +#define DSTATLOG get_path(T_LOGDIR, "iface_stats_detailed") +#define TCPUDPLOG get_path(T_LOGDIR, "tcp_udp_services") +#define LANLOG get_path(T_LOGDIR, "lan_statistics") +#define PKTSIZELOG get_path(T_LOGDIR, "packet_size") +#define DAEMONLOG get_path(T_LOGDIR, "daemon.log") + + +/* + * The additional TCP/UDP ports file + */ +#define PORTFILE get_path(T_WORKDIR, "ports.dat") + +/* + * The Ethernet and FDDI host description files + */ + +#define ETHFILE get_path(T_WORKDIR, "ethernet.desc") +#define FDDIFILE get_path(T_WORKDIR, "fddi.desc") + +/* + * The rvnamed log file + */ +#define RVNDLOGFILE get_path(T_LOGDIR, "rvnamed-ng.log") + +#ifndef PATH_MAX +#define PATH_MAX 4095 +#endif + +#endif /* IPTRAF_NG_DIRS_H */ 
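Review bot: The `#ifndef PATH_MAX` / `#define PATH_MAX 4095` fallback at the end of the hunk is one smaller than the `<limits.h>` value on Linux (4096, which counts the terminating NUL), so any buffer sized with the fallback disagrees with the system definition by one byte. Include `<limits.h>` (or the compat header that pulls it in) before the guard so the system value wins, and make the fallback `#define PATH_MAX 4096 /* fallback only; <limits.h> normally defines this, NUL included */`. The `WORKDIR_ENV` and `LOGDIR_ENV` names are only defined here; the code that consults them is outside this hunk and should document whether an environment-supplied directory is honoured when the program runs with the privileges a packet socket requires, since that decides whether the value is trusted input.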
diff --git a/src/error.c b/src/error.c
new file mode 100644
index 0000000..91fbd17
--- /dev/null
+++ b/src/error.c
@@ -0,0 +1,25 @@
+/* For terms of usage/redistribution/modification see the LICENSE file */
+/* For authors and contributors see the AUTHORS file */
+
+/***
+
+error.c - Error-handling subroutines
+
+***/
+
+#include "iptraf-ng-compat.h"
+
+#include "log.h"
+#include "tui/msgboxes.h"
+
+void write_error(char *msg, ...)
+{
+ va_list vararg;
+
+ va_start(vararg, msg);
+ if (daemonized)
+ write_daemon_err(msg, vararg);
+ else
+ tui_error_va(ANYKEY_MSG, msg, vararg);
+ va_end(vararg);
+}
diff --git a/src/error.h b/src/error.h
new file mode 100644
index 0000000..73dbb29
--- /dev/null
+++ b/src/error.h
@@ -0,0 +1,6 @@
+#ifndef IPTRAF_NG_ERROR_H
+#define IPTRAF_NG_ERROR_H
+
+void write_error(char *msg, ...) __printf(1,2);
+
+#endif /* IPTRAF_NG_ERROR_H */
diff --git a/src/fltdefs.h b/src/fltdefs.h
new file mode 100644
index 0000000..cc0512f
--- /dev/null
+++ b/src/fltdefs.h
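Review bot: error.c does not include its own header, so the `__printf(1,2)` attribute and the prototype in error.h are never compared against this definition, and a future signature drift would compile silently; add `#include "error.h"` directly after the compat include. The format string is only read, so the parameter should be `const char *msg` in both the definition and the error.h prototype, which also lets callers pass string literals without a qualifier mismatch. Nothing in this file declares `daemonized`; a one-line comment pointing at where that global is declared would help readers of this file.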
@@ -0,0 +1,70 @@
+#ifndef IPTRAF_NG_FLTDEFS_H
+#define IPTRAF_NG_FLTDEFS_H
+
+/***
+
+fltdefs.h - declarations for the TCP, UDP, and misc IP filters
+
+***/
+
+
+#define FLT_FILENAME_MAX 40
+
+#define FLT_RESOLVE 1
+#define FLT_DONTRESOLVE 0
+
+#define F_ALL_IP 0
+#define F_TCP 6
+#define F_UDP 17
+#define F_OTHERIP 59
+#define F_ICMP 1
+#define F_IGMP 2
+#define F_OSPF 89
+#define F_IGP 9
+#define F_IGRP 88
+#define F_GRE 47
+#define F_L2TP 115
+#define F_IPSEC_AH 51
+#define F_IPSEC_ESP 50
+
+#define MATCH_OPPOSITE_ALWAYS 1
+#define MATCH_OPPOSITE_USECONFIG 2
+
+/*
+ * IP filter parameter entry
+ */
+struct hostparams {
+ char s_fqdn[45];
+ char d_fqdn[45];
+ char s_mask[20];
+ char d_mask[20];
+ in_port_t sport1;
+ in_port_t sport2;
+ in_port_t dport1;
+ in_port_t dport2;
+ int filters[256];
+ char protolist[70];
+ char reverse;
+ char match_opposite;
+};
+
+
+struct filterent {
+ struct hostparams hp;
+
+ unsigned long saddr;
+ unsigned long daddr;
+ unsigned long smask;
+ unsigned long dmask;
+ unsigned int index;
+ struct filterent *next_entry;
+ struct filterent *prev_entry;
+};
+
+struct filterlist {
+ struct filterent *head;
+ struct filterent *tail;
+ unsigned int lastpos;
+};
+
+#endif /* IPTRAF_NG_FLTDEFS_H */
diff --git a/src/fltedit.c b/src/fltedit.c
new file mode 100644
index 0000000..50801ec
--- /dev/null
+++ b/src/fltedit.c
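Review bot: `saddr`, `daddr`, `smask` and `dmask` in `struct filterent` are `unsigned long` but hold 32-bit IPv4 values (loadfilter in fltedit.c fills them from `inet_addr()` and `nametoaddr()`), so on LP64 targets half of each field is never meaningfully written; declare them `in_addr_t` with a comment `/* IPv4, network byte order */`. `struct hostparams` is also the on-disk record format, since loadfilter/savefilter in fltedit.c read and write it raw with `sizeof(struct hostparams)`; a comment above the struct should say so, because adding or reordering a field, or a change in `in_port_t`, silently invalidates existing filter files and the reader has no size or version check that would notice.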
@@ -0,0 +1,625 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +fltedit.c - the filter editing Facility + +***/ + +#include "iptraf-ng-compat.h" + +#include "tui/labels.h" +#include "tui/menurt.h" +#include "tui/msgboxes.h" +#include "tui/winops.h" + +#include "fltdefs.h" +#include "fltmgr.h" +#include "ipfilter.h" +#include "dirs.h" +#include "getpath.h" +#include "attrs.h" +#include "deskman.h" +#include "error.h" +#include "cidr.h" + +void init_filter_table(struct filterlist *fl) +{ + fl->head = fl->tail = NULL; +} + +/* + * Loads the filter from the filter file + */ + +int loadfilter(char *filename, struct filterlist *fl, int resolve) +{ + struct filterent *fe; + int pfd; + unsigned int idx = 0; + int br; + int resolv_err = 0; + + init_filter_table(fl); + + pfd = open(filename, O_RDONLY); + + if (pfd < 0) { + write_error("Error opening IP filter data file"); + fl->head = NULL; + return 1; + } + do { + fe = xmalloc(sizeof(struct filterent)); + br = read(pfd, &(fe->hp), sizeof(struct hostparams)); + + if (br > 0) { + fe->index = idx; + if (resolve) { + fe->saddr = + nametoaddr(fe->hp.s_fqdn, &resolv_err); + fe->daddr = + nametoaddr(fe->hp.d_fqdn, &resolv_err); + + if (resolv_err) { + free(fe); + continue; + } + + fe->smask = inet_addr(fe->hp.s_mask); + fe->dmask = inet_addr(fe->hp.d_mask); + } + if (fl->head == NULL) { + fl->head = fe; + fe->prev_entry = NULL; + } else { + fl->tail->next_entry = fe; + fe->prev_entry = fl->tail; + } + fe->next_entry = NULL; + fl->tail = fe; + idx++; + } else { + free(fe); + } + } while (br > 0); + + if (br == 0) + close(pfd); + + return 0; +} + +void savefilter(char *filename, struct filterlist *fl) +{ + struct filterent *fe = fl->head; + int pfd; + int bw; + + pfd = open(filename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR); + + while (fe != NULL) { + bw = write(pfd, &(fe->hp), sizeof(struct hostparams)); + + if (bw < 0) { + 
tui_error(ANYKEY_MSG, "Unable to save filter changes"); + return; + } + fe = fe->next_entry; + } + + close(pfd); +} + +void print_hostparam_line(struct filterent *fe, int idx, WINDOW * win, int attr) +{ + struct in_addr binmask; + + wattrset(win, attr); + + scrollok(win, 0); + mvwprintw(win, idx, 0, "%78c", ' '); + + mvwaddnstr(win, idx, 1, fe->hp.s_fqdn, 20); + if (inet_aton(fe->hp.s_mask, &binmask) == 0) + inet_aton("255.255.255.255", &binmask); + + wprintw(win, "/%u", cidr_get_maskbits(binmask.s_addr)); + if (fe->hp.sport2 == 0) + wprintw(win, ":%u", fe->hp.sport1); + else + wprintw(win, ":%u-%u", fe->hp.sport1, fe->hp.sport2); + + wmove(win, idx, 34); + if (fe->hp.match_opposite != 'Y') + wprintw(win, "-->"); + else + wprintw(win, "<->"); + + mvwaddnstr(win, idx, 38, fe->hp.d_fqdn, 15); + + if (inet_aton(fe->hp.d_mask, &binmask) == 0) + inet_aton("255.255.255.255", &binmask); + + wprintw(win, "/%u", cidr_get_maskbits(binmask.s_addr)); + + if (fe->hp.dport2 == 0) + wprintw(win, ":%u", fe->hp.dport1); + else + wprintw(win, ":%u-%u", fe->hp.dport1, fe->hp.dport2); + + mvwprintw(win, idx, 76, "%c", toupper(fe->hp.reverse)); + wmove(win, idx, 0); +} + +void update_hp_screen(struct filterent *firstvisible, WINDOW * win) +{ + struct filterent *ftmp = firstvisible; + int i; + + wattrset(win, STDATTR); + if (firstvisible == NULL) { + mvwprintw(win, 0, 0, "%78c", ' '); + wmove(win, 0, 0); + return; + } + + scrollok(win, 0); + for (i = 0; i <= 12; i++) { + if (ftmp != NULL) { + print_hostparam_line(ftmp, i, win, STDATTR); + ftmp = ftmp->next_entry; + } else { + mvwprintw(win, i, 0, "%78c", ' '); + wmove(win, i, 0); + } + } + scrollok(win, 1); +} + +void modify_host_parameters(struct filterlist *fl) +{ + WINDOW *bwin; + PANEL *bpanel; + WINDOW *win; + PANEL *panel; + struct filterent *fe; + struct filterent *ftemp; + + struct filterent *firstvisible = NULL; + + unsigned int idx = 0; + int endloop_local = 0; + int ch; + int gh_aborted = 0; + + char s_portstr1[8]; + char 
d_portstr1[8]; + char s_portstr2[8]; + char d_portstr2[8]; + + char inexstr[2]; + char matchop[2]; + + bwin = newwin(15, 80, (LINES - 15) / 2, (COLS - 80) / 2); + + bpanel = new_panel(bwin); + win = newwin(13, 78, (LINES - 13) / 2, (COLS - 78) / 2); + panel = new_panel(win); + + wattrset(bwin, BOXATTR); + tx_box(bwin, ACS_VLINE, ACS_HLINE); + + mvwprintw(bwin, 0, 2, " Source "); + mvwprintw(bwin, 0, 38, " Destination "); + mvwprintw(bwin, 0, 74, " I/E "); + + mvwprintw(bwin, 14, 1, " Filter Data "); + tx_stdwinset(win); + scrollok(win, 0); + wattrset(win, STDATTR); + tx_colorwin(win); + + move(LINES - 1, 1); + tx_printkeyhelp("Up/Down", "-move ptr ", stdscr, HIGHATTR, + STATUSBARATTR); + tx_printkeyhelp("I", "-insert ", stdscr, HIGHATTR, STATUSBARATTR); + tx_printkeyhelp("A", "-add to list ", stdscr, HIGHATTR, STATUSBARATTR); + tx_printkeyhelp("D", "-delete ", stdscr, HIGHATTR, STATUSBARATTR); + tx_printkeyhelp("Enter", "-edit ", stdscr, HIGHATTR, STATUSBARATTR); + tx_printkeyhelp("X/Ctrl+X", "-exit", stdscr, HIGHATTR, STATUSBARATTR); + + update_panels(); + doupdate(); + + firstvisible = fl->head; + + update_hp_screen(firstvisible, win); + + idx = 0; + fe = firstvisible; + + update_panels(); + doupdate(); + + do { + if (fe != NULL) { + print_hostparam_line(fe, idx, win, BARSTDATTR); + } + + ch = wgetch(win); + + if (fe != NULL) + print_hostparam_line(fe, idx, win, STDATTR); + + switch (ch) { + case KEY_UP: + if (fl->head != NULL) { + if (fe->prev_entry != NULL) { + if (idx > 0) + idx--; + else { + scrollok(win, 1); + wscrl(win, -1); + firstvisible = + firstvisible->prev_entry; + } + fe = fe->prev_entry; + } + } + break; + case KEY_DOWN: + if (fl->head != NULL) { + if (fe->next_entry != NULL) { + if (idx < 12) + idx++; + else { + scrollok(win, 1); + wscrl(win, 1); + firstvisible = + firstvisible->next_entry; + } + fe = fe->next_entry; + } + } + break; + case 'i': + case 'I': + case KEY_IC: + ftemp = xmallocz(sizeof(struct filterent)); + + gethostparams(&(ftemp->hp), 
"", "", "", "", "", "", "", + "", "I", "N", &gh_aborted); + + if (gh_aborted) { + free(ftemp); + continue; + } + + if (fl->head == NULL) { + ftemp->next_entry = ftemp->prev_entry = NULL; + fl->head = fl->tail = ftemp; + firstvisible = fl->head; + idx = 0; + } else { + ftemp->next_entry = fe; + ftemp->prev_entry = fe->prev_entry; + + /* + * Point firstvisible at new entry if we inserted at the + * top of the list. + */ + + if (ftemp->prev_entry == NULL) { + fl->head = ftemp; + firstvisible = ftemp; + } else + fe->prev_entry->next_entry = ftemp; + + fe->prev_entry = ftemp; + } + + if (ftemp->next_entry == NULL) + fl->tail = ftemp; + + fe = ftemp; + update_hp_screen(firstvisible, win); + break; + case 'a': + case 'A': + case 1: + ftemp = xmallocz(sizeof(struct filterent)); + + gethostparams(&(ftemp->hp), "", "", "", "", "", "", "", + "", "I", "N", &gh_aborted); + + if (gh_aborted) { + free(ftemp); + continue; + } + + /* + * Add new node to the end of the list (or to the head if the + * list is empty. + */ + if (fl->tail != NULL) { + fl->tail->next_entry = ftemp; + ftemp->prev_entry = fl->tail; + } else { + fl->head = ftemp; + fl->tail = ftemp; + ftemp->prev_entry = ftemp->next_entry = NULL; + firstvisible = fl->head; + fe = ftemp; + idx = 0; + } + + ftemp->next_entry = NULL; + fl->tail = ftemp; + update_hp_screen(firstvisible, win); + break; + case 'd': + case 'D': + case KEY_DC: + if (fl->head != NULL) { + /* + * Move firstvisible down if it's pointing to the target + * entry. + */ + + if (firstvisible == fe) + firstvisible = fe->next_entry; + + /* + * Detach target node from list. + */ + if (fe->next_entry != NULL) + fe->next_entry->prev_entry = + fe->prev_entry; + else + fl->tail = fe->prev_entry; + + if (fe->prev_entry != NULL) + fe->prev_entry->next_entry = + fe->next_entry; + else + fl->head = fe->next_entry; + + /* + * Move pointer up if we're deleting the last entry. + * The list tail pointer has since been moved to the + * previous entry. 
+ */ + if (fe->prev_entry == fl->tail) { + ftemp = fe->prev_entry; + + /* + * Move screen pointer up. Really adjust the index if + * the pointer is anywhere below the top of the screen. + */ + if (idx > 0) + idx--; + else { + /* + * Otherwise scroll the list down, and adjust the + * firstvisible pointer to point to the entry + * previous to the target. + */ + if (ftemp != NULL) { + firstvisible = ftemp; + } + } + } else + /* + * If we reach this point, we're deleting from before + * the tail of the list. In that case, we point the + * screen pointer at the entry following the target. + */ + ftemp = fe->next_entry; + + free(fe); + fe = ftemp; + update_hp_screen(firstvisible, win); + } + break; + case 13: + if (fe != NULL) { + sprintf(s_portstr1, "%u", fe->hp.sport1); + sprintf(s_portstr2, "%u", fe->hp.sport2); + sprintf(d_portstr1, "%u", fe->hp.dport1); + sprintf(d_portstr2, "%u", fe->hp.dport2); + inexstr[0] = toupper(fe->hp.reverse); + inexstr[1] = '\0'; + matchop[0] = toupper(fe->hp.match_opposite); + matchop[1] = '\0'; + + gethostparams(&(fe->hp), fe->hp.s_fqdn, + fe->hp.s_mask, s_portstr1, + s_portstr2, fe->hp.d_fqdn, + fe->hp.d_mask, d_portstr1, + d_portstr2, inexstr, matchop, + &gh_aborted); + + update_hp_screen(firstvisible, win); + } + + break; + case 'x': + case 'X': + case 'q': + case 'Q': + case 27: + case 24: + endloop_local = 1; + break; + case 'l': + case 'L': + tx_refresh_screen(); + break; + } + update_panels(); + doupdate(); + } while (!endloop_local); + + del_panel(panel); + delwin(win); + del_panel(bpanel); + delwin(bwin); + update_panels(); + doupdate(); +} + +/* + * Remove a currently applied filter from memory + */ + +void destroyfilter(struct filterlist *fl) +{ + struct filterent *fe; + struct filterent *cfe; + + if (fl->head != NULL) { + fe = fl->head; + cfe = fl->head->next_entry; + + do { + free(fe); + fe = cfe; + if (cfe != NULL) + cfe = cfe->next_entry; + } while (fe != NULL); + + fl->head = fl->tail = NULL; + } +} + + +void 
definefilter(int *aborted) +{ + struct filterfileent ffile; + char fntemp[14]; + struct filterlist fl; + + int pfd; + int bw; + + get_filter_description(ffile.desc, aborted, ""); + + if (*aborted) + return; + + genname(time(NULL), fntemp); + + pfd = + open(get_path(T_WORKDIR, fntemp), O_CREAT | O_WRONLY | O_TRUNC, + S_IRUSR | S_IWUSR); + if (pfd < 0) { + tui_error(ANYKEY_MSG, "Cannot create filter data file"); + *aborted = 1; + return; + } + + close(pfd); + + pfd = + open(OTHIPFLNAME, O_CREAT | O_WRONLY | O_APPEND, S_IRUSR | S_IWUSR); + + if (pfd < 0) { + listfileerr(1); + return; + } + strcpy(ffile.filename, fntemp); + bw = write(pfd, &ffile, sizeof(struct filterfileent)); + if (bw < 0) + listfileerr(2); + + close(pfd); + + init_filter_table(&fl); + modify_host_parameters(&fl); + savefilter(get_path(T_WORKDIR, fntemp), &fl); + destroyfilter(&fl); +} + +/* + * Edit an existing filter + */ +void editfilter(int *aborted) +{ + char filename[FLT_FILENAME_MAX]; + struct filterlist fl; + struct ffnode *flist; + struct ffnode *ffile; + struct filterfileent *ffe; + + if (loadfilterlist(&flist) == 1) { + listfileerr(1); + destroyfilterlist(flist); + return; + } + pickafilter(flist, &ffile, aborted); + + if ((*aborted)) { + destroyfilterlist(flist); + return; + } + ffe = &(ffile->ffe); + + get_filter_description(ffe->desc, aborted, ffe->desc); + + if (*aborted) { + destroyfilterlist(flist); + return; + } + strncpy(filename, get_path(T_WORKDIR, ffe->filename), + FLT_FILENAME_MAX - 1); + + if (loadfilter(filename, &fl, FLT_DONTRESOLVE)) + return; + + modify_host_parameters(&fl); + + save_filterlist(flist); /* This also destroys it */ + savefilter(filename, &fl); + destroyfilter(&fl); +} + +/* + * Delete a filter record from the disk + */ + +void delfilter(int *aborted) +{ + struct ffnode *fltfile; + struct ffnode *fltlist; + + if (loadfilterlist(&fltlist) == 1) { + *aborted = 1; + listfileerr(1); + destroyfilterlist(fltlist); + return; + } + pickafilter(fltlist, &fltfile, 
aborted); + + if (*aborted) + return; + + unlink(get_path(T_WORKDIR, fltfile->ffe.filename)); + + if (fltfile->prev_entry == NULL) { + fltlist = fltlist->next_entry; + if (fltlist != NULL) + fltlist->prev_entry = NULL; + } else { + fltfile->prev_entry->next_entry = fltfile->next_entry; + + if (fltfile->next_entry != NULL) + fltfile->next_entry->prev_entry = fltfile->prev_entry; + } + + free(fltfile); + + save_filterlist(fltlist); + *aborted = 0; +} diff --git a/src/fltedit.h b/src/fltedit.h new file mode 100644 index 0000000..009fcaa --- /dev/null +++ b/src/fltedit.h @@ -0,0 +1,11 @@ +#ifndef IPTRAF_NG_FLTEDIT_H +#define IPTRAF_NG_FLTEDIT_H + +void definefilter(int *aborted); +int loadfilter(char *filename, struct filterlist *fl, int resolve); +void savefilter(char *filename, struct filterlist *fl); +void destroyfilter(struct filterlist *fl); +void editfilter(int *aborted); +void delfilter(int *aborted); + +#endif /* IPTRAF_NG_FLTEDIT_H */ diff --git a/src/fltmgr.c b/src/fltmgr.c new file mode 100644 index 0000000..ad194ee --- /dev/null +++ b/src/fltmgr.c 
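Review bot: In `editfilter`, `strncpy(filename, get_path(T_WORKDIR, ffe->filename), FLT_FILENAME_MAX - 1)` copies a directory-plus-name path into a 40-byte buffer and writes no terminator when the path is 39 bytes or longer, so `loadfilter`/`savefilter` then operate on a truncated or unterminated path; size the destination for a path and bound the copy with `snprintf(filename, sizeof filename, "%s", get_path(T_WORKDIR, ffe->filename));` plus a truncation check, and make the early `return` on `loadfilter` failure also call `destroyfilterlist(flist)`. In `loadfilter`, the descriptor is closed only when `br == 0`, so a failed `read` leaks it, and once `resolv_err` is set it is never cleared, so every later entry is freed and dropped; `close(pfd)` should be unconditional and `resolv_err` reset before each entry. The `hostparams` strings read from the file are passed to `inet_aton`/`nametoaddr` without checking `br == sizeof(struct hostparams)` or that `s_fqdn`/`s_mask` are NUL-terminated; checking both before use makes the loader robust against a damaged or foreign filter file.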
@@ -0,0 +1,348 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +fltmgr.c - filter list management routines + +***/ + +#include "iptraf-ng-compat.h" + +#include "tui/input.h" +#include "tui/labels.h" +#include "tui/listbox.h" +#include "tui/menurt.h" +#include "tui/msgboxes.h" +#include "tui/winops.h" + +#include "attrs.h" +#include "deskman.h" +#include "dirs.h" +#include "fltdefs.h" +#include "fltmgr.h" +#include "error.h" + +void makestdfiltermenu(struct MENU *menu) +{ + tx_initmenu(menu, 9, 31, (LINES - 8) / 2, (COLS - 31) / 2 + 15, BOXATTR, + STDATTR, HIGHATTR, BARSTDATTR, BARHIGHATTR, DESCATTR); + tx_additem(menu, " ^D^efine new filter...", + "Defines a new set of IP filter parameters"); + tx_additem(menu, " ^A^pply filter...", "Applies a defined filter"); + tx_additem(menu, " Detac^h^ filter", + "Removes the currently applied filter"); + tx_additem(menu, " ^E^dit filter...", "Modifies existing filter data"); + tx_additem(menu, " Dele^t^e filter...", + "Removes an IP filter from the filter list"); + tx_additem(menu, NULL, NULL); + tx_additem(menu, " E^x^it menu", "Returns to the main menu"); +} + + +/* + * Generate a string representation of a number to be used as a name. 
+ */ + +void genname(unsigned long n, char *m) +{ + sprintf(m, "%lu", n); +} + +void listfileerr(int code) +{ + if (code == 1) + write_error("Error loading filter list file"); + else + write_error("Error writing filter list file"); +} + +unsigned long int nametoaddr(char *ascname, int *err) +{ + unsigned long int result; + struct hostent *he; + char imsg[45]; + struct in_addr inp; + int resolv_err = 0; + + resolv_err = inet_aton(ascname, &inp); + if (resolv_err == 0) { + snprintf(imsg, 44, "Resolving %s", ascname); + indicate(imsg); + + he = gethostbyname(ascname); + if (he != NULL) + bcopy((he->h_addr_list)[0], &result, he->h_length); + else { + write_error("Unable to resolve %s", ascname); + *err = 1; + return (-1); + } + } else + result = inp.s_addr; + + return (result); + *err = 0; +} + +int loadfilterlist(struct ffnode **fltfile) +{ + int pfd = 0; + int result = 0; + + struct ffnode *ffiles = NULL; + struct ffnode *ptemp; + struct ffnode *tail = NULL; + struct ffnode *insert_point = NULL; /* new node is inserted *above* this */ + + int br; + + pfd = open(OTHIPFLNAME, O_RDONLY); + + if (pfd < 0) { + *fltfile = NULL; + return 1; + } + + do { + ptemp = xmalloc(sizeof(struct ffnode)); + br = read(pfd, &(ptemp->ffe), sizeof(struct filterfileent)); + + if (br > 0) { + if (ffiles == NULL) { + /* + * Create single-node list should initial list pointer be empty + */ + ffiles = ptemp; + ffiles->prev_entry = ffiles->next_entry = NULL; + tail = ffiles; + } else { + /* + * Find appropriate point for insertion into sorted list. + */ + + insert_point = ffiles; + while (insert_point != NULL) { + if (strcasecmp + (insert_point->ffe.desc, + ptemp->ffe.desc) + < 0) + insert_point = + insert_point->next_entry; + else + break; + } + + /* + * Insert new node depending on whether insert_point = top of list; + * middle of list; end of list. 
+ */ + + if (insert_point == NULL) { + /* Case 1: end of list; if insert_point is NULL, we get it + out of the way first */ + tail->next_entry = ptemp; + ptemp->prev_entry = tail; + tail = ptemp; + ptemp->next_entry = NULL; + } else if (insert_point->prev_entry == NULL) { + /* Case 2: top of list */ + insert_point->prev_entry = ptemp; + ffiles = ptemp; + ffiles->prev_entry = NULL; + ffiles->next_entry = insert_point; + insert_point->prev_entry = ffiles; + } else { + /* Case 3: middle of list */ + ptemp->prev_entry = + insert_point->prev_entry; + ptemp->next_entry = insert_point; + insert_point->prev_entry->next_entry = + ptemp; + insert_point->prev_entry = ptemp; + } + } + } else { + free(ptemp); + + if (br < 0) + result = 1; + } + } while (br > 0); + + close(pfd); + *fltfile = ffiles; + + if (ffiles == NULL) + result = 1; + + return result; +} + +void destroyfilterlist(struct ffnode *fltlist) +{ + struct ffnode *fftemp; + + if (fltlist != NULL) { + fftemp = fltlist->next_entry; + + do { + free(fltlist); + fltlist = fftemp; + if (fftemp != NULL) + fftemp = fftemp->next_entry; + } while (fltlist != NULL); + } +} + +void save_filterlist(struct ffnode *fltlist) +{ + struct ffnode *fltfile; + struct ffnode *ffntemp; + int fd; + int bw; + + fd = open(OTHIPFLNAME, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR); + + if (fd < 0) { + listfileerr(2); + return; + } + + fltfile = fltlist; + while (fltfile != NULL) { + bw = write(fd, &(fltfile->ffe), sizeof(struct filterfileent)); + + if (bw < 0) { + listfileerr(2); + return; + } + ffntemp = fltfile; + fltfile = fltfile->next_entry; + free(ffntemp); + } + + close(fd); +} + +void operate_select(struct ffnode *ffiles, struct ffnode **item, int *aborted) +{ + struct ffnode *pptr; + int ch; + struct scroll_list list; + + tx_listkeyhelp(STDATTR, HIGHATTR); + update_panels(); + doupdate(); + + pptr = ffiles; + + tx_init_listbox(&list, 60, 10, (COLS - 60) / 2 - 2, + (LINES - 10) / 2 - 2, STDATTR, BOXATTR, BARSTDATTR, + HIGHATTR); + 
+ tx_set_listbox_title(&list, "Select Filter", 1); + + while (pptr != NULL) { + tx_add_list_entry(&list, (char *) pptr, pptr->ffe.desc); + pptr = pptr->next_entry; + } + + tx_show_listbox(&list); + tx_operate_listbox(&list, &ch, aborted); + + if (!(*aborted)) + *item = (struct ffnode *) list.textptr->nodeptr; + + tx_close_listbox(&list); + tx_destroy_list(&list); +} + +void pickafilter(struct ffnode *ffiles, struct ffnode **fltfile, int *aborted) +{ + operate_select(ffiles, fltfile, aborted); + + update_panels(); + doupdate(); +} + +char *pickfilterbyname(struct ffnode *ffiles, char *filtername) +{ + struct ffnode *ftmp = ffiles; + static char filterfile[160]; + + while (ftmp != NULL) { + if (strcmp(ftmp->ffe.desc, filtername) == 0) { + strncpy(filterfile, ftmp->ffe.filename, 40); + return filterfile; + } + + ftmp = ftmp->next_entry; + } + + return NULL; +} + +void selectfilter(struct filterfileent *ffe, int *aborted) +{ + struct ffnode *fltfile; + struct ffnode *ffiles; + + if (loadfilterlist(&ffiles)) { + listfileerr(1); + *aborted = 1; + destroyfilterlist(ffiles); + return; + } + pickafilter(ffiles, &fltfile, aborted); + + if (!(*aborted)) + *ffe = fltfile->ffe; + + destroyfilterlist(ffiles); +} + + +void get_filter_description(char *description, int *aborted, char *pre_edit) +{ + struct FIELDLIST descfield; + int dlgwintop; + WINDOW *dlgwin; + PANEL *dlgpanel; + + dlgwintop = (LINES - 9) / 2; + dlgwin = newwin(7, 42, dlgwintop, (COLS - 42) / 2 - 10); + dlgpanel = new_panel(dlgwin); + wattrset(dlgwin, DLGBOXATTR); + tx_colorwin(dlgwin); + tx_box(dlgwin, ACS_VLINE, ACS_HLINE); + wattrset(dlgwin, DLGTEXTATTR); + wmove(dlgwin, 2, 2); + wprintw(dlgwin, "Enter a description for this filter"); + wmove(dlgwin, 5, 2); + stdkeyhelp(dlgwin); + update_panels(); + doupdate(); + + tx_initfields(&descfield, 1, 35, dlgwintop + 3, (COLS - 42) / 2 - 8, + DLGTEXTATTR, FIELDATTR); + tx_addfield(&descfield, 33, 0, 0, pre_edit); + + do { + tx_fillfields(&descfield, aborted); + + if 
((descfield.list->buf[0] == '\0') && (!(*aborted))) + tui_error(ANYKEY_MSG, + "Enter an appropriate description for this filter"); + + } while ((descfield.list->buf[0] == '\0') && (!(*aborted))); + + if (!(*aborted)) + strcpy(description, descfield.list->buf); + + tx_destroyfields(&descfield); + del_panel(dlgpanel); + delwin(dlgwin); + update_panels(); + doupdate(); +} diff --git a/src/fltmgr.h b/src/fltmgr.h new file mode 100644 index 0000000..0477631 --- /dev/null +++ b/src/fltmgr.h @@ -0,0 +1,34 @@ +#ifndef IPTRAF_NG_FLTMGR_H +#define IPTRAF_NG_FLTMGR_H + +/*** + +fltmgr.h - filter list management routine prototypes + +***/ + +struct filterfileent { + char desc[35]; + char filename[40]; +}; + +struct ffnode { + struct filterfileent ffe; + struct ffnode *next_entry; + struct ffnode *prev_entry; +}; + +void makestdfiltermenu(struct MENU *menu); +void makemainfiltermenu(struct MENU *menu); +int loadfilterlist(struct ffnode **fltfile); +void save_filterlist(struct ffnode *fltlist); +void pickafilter(struct ffnode *files, struct ffnode **fltfile, int *aborted); +char *pickfilterbyname(struct ffnode *fltlist, char *filename); +void selectfilter(struct filterfileent *ffe, int *aborted); +void destroyfilterlist(struct ffnode *fltlist); +void get_filter_description(char *description, int *aborted, char *pre_edit); +void genname(unsigned long n, char *m); +unsigned long int nametoaddr(char *ascname, int *err); +void listfileerr(int code); + +#endif /* IPTRAF_NG_FLTMGR_H */ diff --git a/src/fltselect.c b/src/fltselect.c new file mode 100644 index 0000000..4be6243 --- /dev/null +++ b/src/fltselect.c 
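Review bot: `nametoaddr` places `*err = 0;` after `return (result);`, so it is dead code and a caller that does not pre-clear its flag reads a stale value; move it before the return. The `bcopy((he->h_addr_list)[0], &result, he->h_length)` copy trusts `h_length` from the resolver: `result` is an `unsigned long` (8 bytes on LP64) while an AF_INET address is 4, so the upper bytes stay uninitialised, and a larger `h_length` would overrun `result`; check the family and length before copying, as below. `genname` writes with an unbounded `sprintf` into a caller-supplied buffer (fltedit.c passes 14 bytes), so a size parameter and `snprintf` would be safer. Separately, `save_filterlist` returns on a short write without `close(fd)` and leaves the remaining nodes unfreed, although its caller in fltedit.c relies on it having destroyed the list.
```c
	he = gethostbyname(ascname);
	if (he == NULL || he->h_addrtype != AF_INET
	    || he->h_length != (int) sizeof(struct in_addr)) {
		write_error("Unable to resolve %s", ascname);
		*err = 1;
		return (-1);
	}
	/* copy exactly one IPv4 address; result may be wider than 4 bytes */
	result = 0;
	memcpy(&result, he->h_addr_list[0], sizeof(struct in_addr));
	/* … unchanged: inet_aton fast path … */
	*err = 0;
	return (result);
```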
@@ -0,0 +1,203 @@
+/* For terms of usage/redistribution/modification see the LICENSE file */
+/* For authors and contributors see the AUTHORS file */
+
+/***
+
+fltselect.c - a menu-based module that allows selection of
+ other protocols to display
+
+ ***/
+
+#include "iptraf-ng-compat.h"
+
+#include "tui/menurt.h"
+#include "tui/msgboxes.h"
+#include "tui/winops.h"
+
+#include "addproto.h"
+#include "dirs.h"
+#include "fltdefs.h"
+#include "fltselect.h"
+#include "fltedit.h"
+#include "fltmgr.h"
+#include "ipfilter.h"
+#include "deskman.h"
+#include "attrs.h"
+
+struct filterstate ofilter;
+
+void makemainfiltermenu(struct MENU *menu)
+{
+ tx_initmenu(menu, 8, 18, (LINES - 8) / 2, (COLS - 31) / 2, BOXATTR,
+ STDATTR, HIGHATTR, BARSTDATTR, BARHIGHATTR, DESCATTR);
+ tx_additem(menu, " ^I^P...", "Manages IP packet filters");
+ tx_additem(menu, " ^A^RP",
+ "Toggles Address Resolution Protocol filter");
+ tx_additem(menu, " ^R^ARP", "Toggles Reverse ARP filter");
+ tx_additem(menu, " ^N^on-IP",
+ "Toggles filter for all other non-IP packets");
+ tx_additem(menu, NULL, NULL);
+ tx_additem(menu, " E^x^it menu",
+ "Returns to the filter management menu");
+}
+
+void setfilters(unsigned int row)
+{
+ int aborted;
+
+ switch (row) {
+ case 1:
+ ipfilterselect(&aborted);
+ break;
+ case 2:
+ ofilter.arp = ~ofilter.arp;
+ break;
+ case 3:
+ ofilter.rarp = ~ofilter.rarp;
+ break;
+ case 4:
+ ofilter.nonip = ~ofilter.nonip;
+ break;
+ }
+}
+
+void toggleprotodisplay(WINDOW *win, unsigned int row)
+{
+ wmove(win, row, 2);
+ switch (row) {
+ case 1:
+ if (ofilter.filtercode == 0)
+ wprintw(win, "No IP filter active");
+ else
+ wprintw(win, "IP filter active ");
+ break;
+ case 2:
+ if (ofilter.arp)
+ wprintw(win, "ARP visible ");
+ else
+ wprintw(win, "ARP not visible");
+
+ break;
+ case 3:
+ if (ofilter.rarp)
+ wprintw(win, "RARP visible ");
+ else
+ wprintw(win, "RARP not visible");
+
+ break;
+ case 4:
+ if (ofilter.nonip)
+ wprintw(win, "Non-IP visible ");
+ else
+ wprintw(win, "Non-IP not visible");
+
+ break;
+ }
+}
+
+/*
+ * Filter for non-IP packets
+ */
+int nonipfilter(unsigned int protocol)
+{
+ int result = 0;
+
+ switch (protocol) {
+ case ETH_P_ARP:
+ result = ofilter.arp;
+ break;
+ case ETH_P_RARP:
+ result = ofilter.rarp;
+ break;
+ default:
+ result = ofilter.nonip;
+ break;
+ }
+
+ return result;
+}
+
+void config_filters(void)
+{
+ struct MENU menu;
+ WINDOW *statwin;
+ PANEL *statpanel;
+ int row;
+ int aborted;
+
+ statwin = newwin(6, 30, (LINES - 8) / 2, (COLS - 15) / 2 + 10);
+ statpanel = new_panel(statwin);
+ wattrset(statwin, BOXATTR);
+ tx_colorwin(statwin);
+ tx_box(statwin, ACS_VLINE, ACS_HLINE);
+ tx_stdwinset(statwin);
+ wmove(statwin, 0, 1);
+ wprintw(statwin, " Filter Status ");
+ wattrset(statwin, STDATTR);
+
+ for (row = 1; row <= 4; row++)
+ toggleprotodisplay(statwin, row);
+
+ makemainfiltermenu(&menu);
+
+ row = 1;
+ do {
+ tx_showmenu(&menu);
+ tx_operatemenu(&menu, &row, &aborted);
+ setfilters(row);
+ toggleprotodisplay(statwin, row);
+ } while (row != 6);
+
+ tx_destroymenu(&menu);
+ del_panel(statpanel);
+ delwin(statwin);
+ update_panels();
+ doupdate();
+}
+
+void setodefaults(void)
+{
+ memset(&ofilter, 0, sizeof(struct filterstate));
+ ofilter.filtercode = 0;
+}
+
+void loadfilters(void)
+{
+ int pfd;
+ int br;
+
+ pfd = open(FLTSTATEFILE, O_RDONLY); /* open filter state file */
+
+ if (pfd < 0) {
+ setodefaults();
+ return;
+ }
+ br = read(pfd, &ofilter, sizeof(struct filterstate));
+ if (br < 0)
+ setodefaults();
+
+ close(pfd);
+
+ /*
+ * Reload IP filter if one was previously applied
+ */
+
+ if (ofilter.filtercode != 0)
+ loadfilter(ofilter.filename, &ofilter.fl, FLT_RESOLVE);
+}
+
+void savefilters(void)
+{
+ int pfd;
+ int bw;
+
+ pfd =
+ open(FLTSTATEFILE, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR);
+ bw = write(pfd, &ofilter, sizeof(struct filterstate));
+ if (bw < 1)
+ tui_error(ANYKEY_MSG,
+ "Unable to write filter state information");
+
+ close(pfd);
+
+}
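Review bot: loadfilters() accepts any non-negative read() count as a complete struct: with `if (br < 0)` a truncated or empty state file leaves ofilter only partly filled, and ofilter.filename is then handed to loadfilter() with no guarantee that it is NUL-terminated. Compare the count instead, `if (br != (int) sizeof(struct filterstate)) setodefaults();`, and terminate the name before using it, `ofilter.filename[FLT_FILENAME_MAX - 1] = '\0';`. savefilters() has the mirror problem: open() can return -1 and write()/close() then run on that descriptor with only the generic "Unable to write" message shown, so check `if (pfd < 0)` and report before writing. Since the struct is read back raw, a comment on loadfilters() should say the file is only valid for the build that wrote it; loadfilter() and the filterlist layout are outside this hunk, so whether fl is re-initialised on reload cannot be confirmed here.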
diff --git a/src/fltselect.h b/src/fltselect.h
new file mode 100644
index 0000000..a33ee68
--- /dev/null
+++ b/src/fltselect.h
@@ -0,0 +1,27 @@
+#ifndef IPTRAF_NG_FLTSELECT_H
+#define IPTRAF_NG_FLTSELECT_H
+
+/***
+
+othfilter.h - declarations for the non-TCP filter module
+
+ ***/
+
+#include "fltdefs.h"
+
+struct filterstate {
+ char filename[FLT_FILENAME_MAX];
+ int filtercode;
+ struct filterlist fl;
+
+ unsigned int arp:1, rarp:1, nonip:1, padding:13;
+};
+
+extern struct filterstate ofilter;
+
+void config_filters(void);
+void loadfilters(void);
+void savefilters(void);
+int nonipfilter(unsigned int protocol);
+
+#endif /* IPTRAF_NG_FLTSELECT_H */
diff --git a/src/getpath.c b/src/getpath.c
new file mode 100644
index 0000000..0a44b76
--- /dev/null
+++ b/src/getpath.c
@@ -0,0 +1,41 @@
+/* For terms of usage/redistribution/modification see the LICENSE file */
+/* For authors and contributors see the AUTHORS file */
+
+// TODO: full rewrite
+
+#include "iptraf-ng-compat.h"
+
+#include "dirs.h"
+
+char *get_path(int dirtype, char *file)
+{
+ static char path[PATH_MAX];
+ char *ptr = NULL;
+ char *dir, *env = NULL;
+
+ switch (dirtype) {
+ case T_WORKDIR:
+ dir = WORKDIR;
+ env = WORKDIR_ENV;
+ break;
+ case T_LOGDIR:
+ dir = LOGDIR;
+ env = LOGDIR_ENV;
+ break;
+ case T_LOCKDIR:
+ dir = LOCKDIR;
+ break;
+ default:
+ return file;
+ }
+
+ if ((dirtype != T_LOCKDIR) && (ptr = getenv(env)) != NULL)
+ dir = ptr;
+
+ if (dir == NULL || *dir == '\0')
+ return file;
+
+ snprintf(path, PATH_MAX - 1, "%s/%s", dir, file);
+
+ return path;
+}
diff --git a/src/getpath.h b/src/getpath.h
new file mode 100644
index 0000000..e9f7819
--- /dev/null
+++ b/src/getpath.h
@@ -0,0 +1,11 @@
+#ifndef IPTRAF_NG_GETPATH_H
+#define IPTRAF_NG_GETPATH_H
+
+#define T_WORKDIR 1
+#define T_LOGDIR 2
+#define T_EXECDIR 3
+#define T_LOCKDIR 4
+
+char *get_path(int dirtype, char *file);
+
+#endif /* IPTRAF_NG_GETPATH_H */
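Review bot: get_path() discards the snprintf() result, so a `dir`/`file` pair that does not fit in PATH_MAX-1 is silently truncated and the caller goes on to open or create a different path than the one it asked for; because `dir` can be taken from the WORKDIR_ENV/LOGDIR_ENV environment variables, the length is not under the program's control. Capture the return value and treat truncation as a failure, `int n = snprintf(path, sizeof(path), "%s/%s", dir, file); if (n < 0 || (size_t) n >= sizeof(path)) return NULL;` — that adds a NULL case for callers, so if it is too invasive at least report the truncation rather than continue (the `PATH_MAX - 1` size is also one short for no reason; snprintf takes the full buffer size). The function returns a pointer to a static buffer, which the header should state: `/* returns a static buffer, overwritten by the next call; not reentrant */`.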
diff --git a/src/hostmon.c b/src/hostmon.c
new file mode 100644
index 0000000..de72163
--- /dev/null
+++ b/src/hostmon.c
@@ -0,0 +1,1039 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +hostmon.c - Host traffic monitor +Discovers LAN hosts and displays packet statistics for them + +***/ + +#include "iptraf-ng-compat.h" + +#include "tui/labels.h" +#include "tui/winops.h" + +#include "dirs.h" +#include "deskman.h" +#include "fltdefs.h" +#include "packet.h" +#include "ifaces.h" +#include "hostmon.h" +#include "attrs.h" +#include "log.h" +#include "timer.h" +#include "landesc.h" +#include "options.h" +#include "logvars.h" +#include "promisc.h" +#include "error.h" +#include "rate.h" + +#define SCROLLUP 0 +#define SCROLLDOWN 1 + +struct ethtabent { + int type; + union { + struct { + unsigned long long inpcount; + unsigned long long inbcount; + unsigned long long inippcount; + unsigned long inspanbr; + unsigned long long outpcount; + unsigned long long outbcount; + unsigned long long outippcount; + unsigned long outspanbr; + struct rate inrate; + struct rate outrate; + } figs; + + struct { + char eth_addr[ETH_ALEN]; + char ascaddr[18]; + char desc[65]; + char ifname[IFNAMSIZ]; + int withdesc; + int printed; + unsigned int linktype; + } desc; + } un; + + unsigned int index; + struct ethtabent *prev_entry; + struct ethtabent *next_entry; +}; + +struct ethtab { + struct ethtabent *head; + struct ethtabent *tail; + struct ethtabent *firstvisible; + struct ethtabent *lastvisible; + unsigned long count; + unsigned long entcount; + int units; + WINDOW *borderwin; + PANEL *borderpanel; + WINDOW *tabwin; + PANEL *tabpanel; +}; + +/* + * SIGUSR1 logfile rotation handler + */ + +static void rotate_lanlog(int s __unused) +{ + rotate_flag = 1; + strcpy(target_logname, current_logfile); + signal(SIGUSR1, rotate_lanlog); +} + +static void writeethlog(struct ethtabent *list, unsigned long nsecs, FILE *fd) +{ + char atime[TIME_TARGET_MAX]; + struct ethtabent *ptmp = list; + + genatime(time(NULL), atime); + + 
fprintf(fd, "\n*** LAN traffic log, generated %s\n\n", atime); + + while (ptmp != NULL) { + if (ptmp->type == 0) { + if (ptmp->un.desc.linktype == ARPHRD_ETHER) + fprintf(fd, "\nEthernet address: %s", + ptmp->un.desc.ascaddr); + else if (ptmp->un.desc.linktype == ARPHRD_FDDI) + fprintf(fd, "\nFDDI address: %s", + ptmp->un.desc.ascaddr); + + if (ptmp->un.desc.withdesc) + fprintf(fd, " (%s)", ptmp->un.desc.desc); + + fprintf(fd, "\n"); + } else { + fprintf(fd, + "\tIncoming total %llu packets, %llu bytes; %llu IP packets\n", + ptmp->un.figs.inpcount, ptmp->un.figs.inbcount, + ptmp->un.figs.inippcount); + fprintf(fd, + "\tOutgoing total %llu packets, %llu bytes; %llu IP packets\n", + ptmp->un.figs.outpcount, + ptmp->un.figs.outbcount, + ptmp->un.figs.outippcount); + + fprintf(fd, "\tAverage rates: "); + char buf_in[32]; + char buf_out[32]; + rate_print(ptmp->un.figs.inbcount / nsecs, buf_in, sizeof(buf_in)); + rate_print(ptmp->un.figs.outbcount / nsecs, buf_out, sizeof(buf_out)); + fprintf(fd, "%s incoming, %s outgoing\n", + buf_in, buf_out); + + if (nsecs > 5) { + rate_print(rate_get_average(&ptmp->un.figs.inrate), + buf_in, sizeof(buf_in)); + rate_print(rate_get_average(&ptmp->un.figs.outrate), + buf_out, sizeof(buf_out)); + fprintf(fd, + "\tLast 5-second rates: %s incoming, %s outgoing\n", + buf_in, buf_out); + } + } + + ptmp = ptmp->next_entry; + } + + fprintf(fd, "\nRunning time: %lu seconds\n", nsecs); + fflush(fd); +} + +static void initethtab(struct ethtab *table) +{ + table->head = table->tail = NULL; + table->firstvisible = table->lastvisible = NULL; + table->count = table->entcount = 0; + + table->borderwin = newwin(LINES - 2, COLS, 1, 0); + table->borderpanel = new_panel(table->borderwin); + + table->tabwin = newwin(LINES - 4, COLS - 2, 2, 1); + table->tabpanel = new_panel(table->tabwin); + + wattrset(table->borderwin, BOXATTR); + tx_box(table->borderwin, ACS_VLINE, ACS_HLINE); + wmove(table->borderwin, 0, 5 * COLS / 80); + wprintw(table->borderwin, " 
PktsIn "); + wmove(table->borderwin, 0, 16 * COLS / 80); + wprintw(table->borderwin, " IP In "); + wmove(table->borderwin, 0, 24 * COLS / 80); + wprintw(table->borderwin, " BytesIn "); + wmove(table->borderwin, 0, 34 * COLS / 80); + wprintw(table->borderwin, " InRate "); + + wmove(table->borderwin, 0, 42 * COLS / 80); + wprintw(table->borderwin, " PktsOut "); + wmove(table->borderwin, 0, 53 * COLS / 80); + wprintw(table->borderwin, " IP Out "); + wmove(table->borderwin, 0, 61 * COLS / 80); + wprintw(table->borderwin, " BytesOut "); + wmove(table->borderwin, 0, 70 * COLS / 80); + wprintw(table->borderwin, " OutRate "); + + wmove(table->borderwin, LINES - 3, 40); + + wprintw(table->borderwin, " InRate and OutRate are in %s ", + dispmode(options.actmode)); + + wattrset(table->tabwin, STDATTR); + tx_colorwin(table->tabwin); + tx_stdwinset(table->tabwin); + wtimeout(table->tabwin, -1); + + update_panels(); + doupdate(); +} + +static struct ethtabent *addethnode(struct ethtab *table) +{ + struct ethtabent *ptemp; + + ptemp = xmalloc(sizeof(struct ethtabent)); + + if (table->head == NULL) { + ptemp->prev_entry = NULL; + table->head = ptemp; + table->firstvisible = ptemp; + } else { + ptemp->prev_entry = table->tail; + table->tail->next_entry = ptemp; + } + + table->tail = ptemp; + ptemp->next_entry = NULL; + + table->count++; + ptemp->index = table->count; + + if (table->count <= (unsigned) LINES - 4) + table->lastvisible = ptemp; + + return ptemp; +} + +void convmacaddr(char *addr, char *result) +{ + u_int8_t *ptmp = (u_int8_t *) addr; + + sprintf(result, "%02x:%02x:%02x:%02x:%02x:%02x", + *ptmp, + *(ptmp + 1), + *(ptmp + 2), + *(ptmp + 3), + *(ptmp + 4), + *(ptmp + 5)); +} + +static struct ethtabent *addethentry(struct ethtab *table, + unsigned int linktype, char *ifname, + char *addr, struct eth_desc *list) +{ + struct ethtabent *ptemp; + + ptemp = addethnode(table); + + if (ptemp == NULL) + return NULL; + + ptemp->type = 0; + memcpy(&(ptemp->un.desc.eth_addr), addr, 
ETH_ALEN); + strcpy(ptemp->un.desc.desc, ""); + + convmacaddr(addr, ptemp->un.desc.ascaddr); + + ptemp->un.desc.linktype = linktype; + struct eth_desc *desc = NULL; + + list_for_each_entry(desc, &list->hd_list, hd_list) + if (!strcasecmp(desc->hd_mac, ptemp->un.desc.ascaddr)) + strcpy(ptemp->un.desc.desc, desc->hd_desc); + + strcpy(ptemp->un.desc.ifname, ifname); + + if (strcmp(ptemp->un.desc.desc, "") == 0) + ptemp->un.desc.withdesc = 0; + else + ptemp->un.desc.withdesc = 1; + + ptemp->un.desc.printed = 0; + + ptemp = addethnode(table); + + if (ptemp == NULL) + return NULL; + + ptemp->type = 1; + ptemp->un.figs.inpcount = 0; + ptemp->un.figs.outpcount = 0; + ptemp->un.figs.inspanbr = ptemp->un.figs.outspanbr = 0; + ptemp->un.figs.inippcount = ptemp->un.figs.outippcount = 0; + ptemp->un.figs.inbcount = ptemp->un.figs.outbcount = 0; + rate_alloc(&ptemp->un.figs.inrate, 5); + rate_alloc(&ptemp->un.figs.outrate, 5); + + table->entcount++; + + wmove(table->borderwin, LINES - 3, 1); + wprintw(table->borderwin, " %u entries ", table->entcount); + + return ptemp; +} + +static struct ethtabent *in_ethtable(struct ethtab *table, + unsigned int linktype, char *addr) +{ + struct ethtabent *ptemp = table->head; + + while (ptemp != NULL) { + if ((ptemp->type == 0) + && (memcmp(addr, ptemp->un.desc.eth_addr, ETH_ALEN) == 0) + && (ptemp->un.desc.linktype == linktype)) + return ptemp->next_entry; + + ptemp = ptemp->next_entry; + } + + return NULL; +} + +static void updateethent(struct ethtabent *entry, int pktsize, int is_ip, + int inout) +{ + if (inout == 0) { + entry->un.figs.inpcount++; + entry->un.figs.inbcount += pktsize; + entry->un.figs.inspanbr += pktsize; + if (is_ip) + entry->un.figs.inippcount++; + } else { + entry->un.figs.outpcount++; + entry->un.figs.outbcount += pktsize; + entry->un.figs.outspanbr += pktsize; + if (is_ip) + entry->un.figs.outippcount++; + } +} + +static void printethent(struct ethtab *table, struct ethtabent *entry, + unsigned int idx) +{ + unsigned 
int target_row; + + if ((entry->index < idx) || (entry->index > idx + LINES - 5)) + return; + + target_row = entry->index - idx; + + if (entry->type == 0) { + wmove(table->tabwin, target_row, 1); + wattrset(table->tabwin, STDATTR); + + if (entry->un.desc.linktype == ARPHRD_ETHER) + wprintw(table->tabwin, "Ethernet"); + else if (entry->un.desc.linktype == ARPHRD_FDDI) + wprintw(table->tabwin, "FDDI"); + + wprintw(table->tabwin, " HW addr: %s", entry->un.desc.ascaddr); + + if (entry->un.desc.withdesc) + wprintw(table->tabwin, " (%s)", entry->un.desc.desc); + + wprintw(table->tabwin, " on %s ", entry->un.desc.ifname); + + entry->un.desc.printed = 1; + } else { + wattrset(table->tabwin, PTRATTR); + wmove(table->tabwin, target_row, 1); + waddch(table->tabwin, ACS_LLCORNER); + + wattrset(table->tabwin, HIGHATTR); + + /* Inbound traffic counts */ + + wmove(table->tabwin, target_row, 2 * COLS / 80); + printlargenum(entry->un.figs.inpcount, table->tabwin); + wmove(table->tabwin, target_row, 12 * COLS / 80); + printlargenum(entry->un.figs.inippcount, table->tabwin); + wmove(table->tabwin, target_row, 22 * COLS / 80); + printlargenum(entry->un.figs.inbcount, table->tabwin); + + /* Outbound traffic counts */ + + wmove(table->tabwin, target_row, 40 * COLS / 80); + printlargenum(entry->un.figs.outpcount, table->tabwin); + wmove(table->tabwin, target_row, 50 * COLS / 80); + printlargenum(entry->un.figs.outippcount, table->tabwin); + wmove(table->tabwin, target_row, 60 * COLS / 80); + printlargenum(entry->un.figs.outbcount, table->tabwin); + } +} + +static void destroyethtab(struct ethtab *table) +{ + struct ethtabent *ptemp = table->head; + struct ethtabent *cnext = NULL; + + if (table->head != NULL) + cnext = table->head->next_entry; + + while (ptemp != NULL) { + if (ptemp->type == 1) { + rate_destroy(&ptemp->un.figs.outrate); + rate_destroy(&ptemp->un.figs.inrate); + } + free(ptemp); + ptemp = cnext; + + if (cnext != NULL) + cnext = cnext->next_entry; + } +} + +static void 
hostmonhelp(void) +{ + move(LINES - 1, 1); + scrollkeyhelp(); + sortkeyhelp(); + stdexitkeyhelp(); +} + +static void printrates(struct ethtab *table, unsigned int target_row, + struct ethtabent *ptmp) +{ + char buf[32]; + + rate_print_no_units(rate_get_average(&ptmp->un.figs.inrate), + buf, sizeof(buf)); + wmove(table->tabwin, target_row, 32 * COLS / 80); + wprintw(table->tabwin, "%s", buf); + + rate_print_no_units(rate_get_average(&ptmp->un.figs.outrate), + buf, sizeof(buf)); + wmove(table->tabwin, target_row, 69 * COLS / 80); + wprintw(table->tabwin, "%s", buf); +} + +static void updateethrates(struct ethtab *table, unsigned long msecs, + unsigned int idx) +{ + struct ethtabent *ptmp = table->head; + unsigned int target_row = 0; + + if (table->lastvisible == NULL) + return; + + while (ptmp != NULL) { + if (ptmp->type == 1) { + rate_add_rate(&ptmp->un.figs.inrate, ptmp->un.figs.inspanbr, msecs); + ptmp->un.figs.inspanbr = 0; + + rate_add_rate(&ptmp->un.figs.outrate, ptmp->un.figs.outspanbr, msecs); + ptmp->un.figs.outspanbr = 0; + + if ((ptmp->index >= idx) + && (ptmp->index <= idx + LINES - 5)) { + wattrset(table->tabwin, HIGHATTR); + target_row = ptmp->index - idx; + printrates(table, target_row, ptmp); + } + } + ptmp = ptmp->next_entry; + } +} + +static void refresh_hostmon_screen(struct ethtab *table, unsigned int idx) +{ + struct ethtabent *ptmp = table->firstvisible; + + wattrset(table->tabwin, STDATTR); + tx_colorwin(table->tabwin); + + while ((ptmp != NULL) && (ptmp->prev_entry != table->lastvisible)) { + printethent(table, ptmp, idx); + ptmp = ptmp->next_entry; + } + + update_panels(); + doupdate(); +} + +static void scrollethwin(struct ethtab *table, int direction, unsigned int *idx) +{ + char sp_buf[10]; + + sprintf(sp_buf, "%%%dc", COLS - 2); + wattrset(table->tabwin, STDATTR); + if (direction == SCROLLUP) { + if (table->lastvisible != table->tail) { + wscrl(table->tabwin, 1); + table->lastvisible = table->lastvisible->next_entry; + table->firstvisible 
= table->firstvisible->next_entry; + (*idx)++; + wmove(table->tabwin, LINES - 5, 0); + scrollok(table->tabwin, 0); + wprintw(table->tabwin, sp_buf, ' '); + scrollok(table->tabwin, 1); + printethent(table, table->lastvisible, *idx); + if (table->lastvisible->type == 1) + printrates(table, LINES - 5, + table->lastvisible); + } + } else { + if (table->firstvisible != table->head) { + wscrl(table->tabwin, -1); + table->lastvisible = table->lastvisible->prev_entry; + table->firstvisible = table->firstvisible->prev_entry; + (*idx)--; + wmove(table->tabwin, 0, 0); + wprintw(table->tabwin, sp_buf, ' '); + printethent(table, table->firstvisible, *idx); + if (table->firstvisible->type == 1) + printrates(table, 0, table->firstvisible); + } + } +} + +static void pageethwin(struct ethtab *table, int direction, unsigned int *idx) +{ + int i = 1; + + if (direction == SCROLLUP) { + while ((i <= LINES - 7) && (table->lastvisible != table->tail)) { + i++; + table->firstvisible = table->firstvisible->next_entry; + table->lastvisible = table->lastvisible->next_entry; + (*idx)++; + } + } else { + while ((i <= LINES - 7) && (table->firstvisible != table->head)) { + i++; + table->firstvisible = table->firstvisible->prev_entry; + table->lastvisible = table->lastvisible->prev_entry; + (*idx)--; + } + } + refresh_hostmon_screen(table, *idx); +} + +static void show_hostsort_keywin(WINDOW ** win, PANEL ** panel) +{ + *win = newwin(13, 35, (LINES - 10) / 2, COLS - 40); + *panel = new_panel(*win); + + wattrset(*win, DLGBOXATTR); + tx_colorwin(*win); + tx_box(*win, ACS_VLINE, ACS_HLINE); + + wattrset(*win, DLGTEXTATTR); + mvwprintw(*win, 2, 2, "Select sort criterion"); + wmove(*win, 4, 2); + tx_printkeyhelp("P", " - total packets in", *win, DLGHIGHATTR, + DLGTEXTATTR); + wmove(*win, 5, 2); + tx_printkeyhelp("I", " - IP packets in", *win, DLGHIGHATTR, + DLGTEXTATTR); + wmove(*win, 6, 2); + tx_printkeyhelp("B", " - total bytes in", *win, DLGHIGHATTR, + DLGTEXTATTR); + wmove(*win, 7, 2); + 
tx_printkeyhelp("K", " - total packets out", *win, DLGHIGHATTR, + DLGTEXTATTR); + wmove(*win, 8, 2); + tx_printkeyhelp("O", " - IP packets out", *win, DLGHIGHATTR, + DLGTEXTATTR); + wmove(*win, 9, 2); + tx_printkeyhelp("Y", " - total bytes out", *win, DLGHIGHATTR, + DLGTEXTATTR); + wmove(*win, 10, 2); + tx_printkeyhelp("Any other key", " - cancel sort", *win, DLGHIGHATTR, + DLGTEXTATTR); + update_panels(); + doupdate(); +} + +/* + * Swap two host table entries. + */ + +static void swaphostents(struct ethtab *list, struct ethtabent *p1, + struct ethtabent *p2) +{ + register unsigned int tmp; + struct ethtabent *p1prevsaved; + struct ethtabent *p2nextsaved; + + if (p1 == p2) + return; + + tmp = p1->index; + p1->index = p2->index; + p2->index = tmp; + p1->next_entry->index = p1->index + 1; + p2->next_entry->index = p2->index + 1; + + if (p1->prev_entry != NULL) + p1->prev_entry->next_entry = p2; + else + list->head = p2; + + if (p2->next_entry->next_entry != NULL) + p2->next_entry->next_entry->prev_entry = p1->next_entry; + else + list->tail = p1->next_entry; + + p2nextsaved = p2->next_entry->next_entry; + p1prevsaved = p1->prev_entry; + + if (p1->next_entry->next_entry == p2) { + p2->next_entry->next_entry = p1; + p1->prev_entry = p2->next_entry; + } else { + p2->next_entry->next_entry = p1->next_entry->next_entry; + p1->prev_entry = p2->prev_entry; + p2->prev_entry->next_entry = p1; + p1->next_entry->next_entry->prev_entry = p2->next_entry; + } + + p2->prev_entry = p1prevsaved; + p1->next_entry->next_entry = p2nextsaved; +} + +static unsigned long long ql_getkey(struct ethtabent *entry, int ch) +{ + unsigned long long result = 0; + + switch (ch) { + case 'P': + result = entry->next_entry->un.figs.inpcount; + break; + case 'I': + result = entry->next_entry->un.figs.inippcount; + break; + case 'B': + result = entry->next_entry->un.figs.inbcount; + break; + case 'K': + result = entry->next_entry->un.figs.outpcount; + break; + case 'O': + result = 
entry->next_entry->un.figs.outippcount; + break; + case 'Y': + result = entry->next_entry->un.figs.outbcount; + break; + } + return result; +} + +static struct ethtabent *ql_partition(struct ethtab *table, + struct ethtabent **low, + struct ethtabent **high, int ch) +{ + struct ethtabent *pivot = *low; + + struct ethtabent *left = *low; + struct ethtabent *right = *high; + struct ethtabent *ptmp; + + unsigned long long pivot_value; + + pivot_value = ql_getkey(pivot, ch); + + while (left->index < right->index) { + while ((ql_getkey(left, ch) >= pivot_value) + && (left->next_entry->next_entry != NULL)) + left = left->next_entry->next_entry; + + while (ql_getkey(right, ch) < pivot_value) + right = right->prev_entry->prev_entry; + + if (left->index < right->index) { + swaphostents(table, left, right); + + if (*low == left) + *low = right; + + if (*high == right) + *high = left; + + ptmp = left; + left = right; + right = ptmp; + } + } + swaphostents(table, pivot, right); + + if (*low == pivot) + *low = right; + + if (*high == right) + *high = pivot; + + return pivot; +} + +/* + * Quicksort routine for the LAN station monitor + */ + +static void quicksort_lan_entries(struct ethtab *table, struct ethtabent *low, + struct ethtabent *high, int ch) +{ + struct ethtabent *pivot; + + if ((high == NULL) || (low == NULL)) + return; + + if (high->index > low->index) { + pivot = ql_partition(table, &low, &high, ch); + + if (pivot->prev_entry != NULL) + quicksort_lan_entries(table, low, + pivot->prev_entry->prev_entry, + ch); + + quicksort_lan_entries(table, pivot->next_entry->next_entry, + high, ch); + } +} + +static void sort_hosttab(struct ethtab *list, unsigned int *idx, int command) +{ + struct ethtabent *ptemp1; + int idxtmp; + + if (!list->head) + return; + + command = toupper(command); + + if ((command != 'P') && (command != 'I') && (command != 'B') + && (command != 'K') && (command != 'O') && (command != 'Y')) + return; + + quicksort_lan_entries(list, list->head, 
list->tail->prev_entry, + command); + + ptemp1 = list->firstvisible = list->head; + *idx = 1; + idxtmp = 0; + tx_colorwin(list->tabwin); + while ((ptemp1) && (idxtmp <= LINES - 4)) { + printethent(list, ptemp1, *idx); + idxtmp++; + if (idxtmp <= LINES - 4) + list->lastvisible = ptemp1; + ptemp1 = ptemp1->next_entry; + } + +} + +/* + * The LAN station monitor + */ + +void hostmon(time_t facilitytime, char *ifptr) +{ + int logging = options.logging; + struct ethtab table; + struct ethtabent *entry; + + char scratch_saddr[ETH_ALEN]; + char scratch_daddr[ETH_ALEN]; + unsigned int idx = 1; + int is_ip; + int ch; + + char *ifname = ifptr; + + struct timeval tv; + struct timeval tv_rate; + time_t now = 0; + time_t statbegin = 0; + time_t startlog = 0; + struct timeval updtime; + + struct eth_desc *list = NULL; + + FILE *logfile = NULL; + + int pkt_result; + + WINDOW *sortwin; + PANEL *sortpanel; + int keymode = 0; + + int fd; + + if (ifptr && !dev_up(ifptr)) { + err_iface_down(); + return; + } + + LIST_HEAD(promisc); + if (options.promisc) { + promisc_init(&promisc, ifptr); + promisc_set_list(&promisc); + } + + hostmonhelp(); + + initethtab(&table); + + /* Ethernet description list */ + struct eth_desc *elist = load_eth_desc(ARPHRD_ETHER); + + /* FDDI description list */ + struct eth_desc *flist = load_eth_desc(ARPHRD_FDDI); + + if (logging) { + if (strcmp(current_logfile, "") == 0) { + strncpy(current_logfile, + gen_instance_logname(LANLOG, getpid()), 80); + + if (!daemonized) + input_logfile(current_logfile, &logging); + } + } + + if (logging) { + opentlog(&logfile, current_logfile); + + if (logfile == NULL) + logging = 0; + } + if (logging) { + signal(SIGUSR1, rotate_lanlog); + + rotate_flag = 0; + writelog(logging, logfile, + "******** LAN traffic monitor started ********"); + } + + leaveok(table.tabwin, TRUE); + + fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); + if(fd == -1) { + write_error("Unable to obtain monitoring socket"); + goto err; + } + if(ifptr && 
dev_bind_ifname(fd, ifptr) == -1) { + write_error("Unable to bind interface on the socket"); + goto err_close; + } + + exitloop = 0; + gettimeofday(&tv, NULL); + tv_rate = tv; + updtime = tv; + statbegin = startlog = tv.tv_sec; + + PACKET_INIT(pkt); + + do { + gettimeofday(&tv, NULL); + now = tv.tv_sec; + + unsigned long msecs = timeval_diff_msec(&tv, &tv_rate); + if (msecs >= 1000) { + printelapsedtime(statbegin, now, LINES - 3, 15, + table.borderwin); + updateethrates(&table, msecs, idx); + tv_rate = tv; + } + if (logging) { + check_rotate_flag(&logfile); + if ((now - startlog) >= options.logspan) { + writeethlog(table.head, now - statbegin, + logfile); + startlog = now; + } + } + if (screen_update_needed(&tv, &updtime)) { + update_panels(); + doupdate(); + + updtime = tv; + } + + if ((facilitytime != 0) + && (((now - statbegin) / 60) >= facilitytime)) + exitloop = 1; + + if (packet_get(fd, &pkt, &ch, table.tabwin) == -1) { + write_error("Packet receive failed"); + exitloop = 1; + break; + } + + if (ch != ERR) { + if (keymode == 0) { + switch (ch) { + case KEY_UP: + scrollethwin(&table, SCROLLDOWN, &idx); + break; + case KEY_DOWN: + scrollethwin(&table, SCROLLUP, &idx); + break; + case KEY_PPAGE: + case '-': + pageethwin(&table, SCROLLDOWN, &idx); + break; + case KEY_NPAGE: + case ' ': + pageethwin(&table, SCROLLUP, &idx); + break; + case 12: + case 'l': + case 'L': + tx_refresh_screen(); + break; + case 's': + case 'S': + show_hostsort_keywin(&sortwin, + &sortpanel); + keymode = 1; + break; + case 'q': + case 'Q': + case 'x': + case 'X': + case 27: + case 24: + exitloop = 1; + } + } else if (keymode == 1) { + del_panel(sortpanel); + delwin(sortwin); + sort_hosttab(&table, &idx, ch); + keymode = 0; + } + } + + if (pkt.pkt_len <= 0) + continue; + + char ifnamebuf[IFNAMSIZ]; + + pkt_result = + packet_process(&pkt, NULL, NULL, NULL, + MATCH_OPPOSITE_USECONFIG, + 0); + + if (pkt_result != PACKET_OK) + continue; + + if (!ifptr) { + /* we're capturing on "All 
interfaces", */ + /* so get the name of the interface */ + /* of this packet */ + int r = dev_get_ifname(pkt.pkt_ifindex, ifnamebuf); + if (r != 0) { + write_error("Unable to get interface name"); + break; /* can't get interface name, get out! */ + } + ifname = ifnamebuf; + } + + /* get HW addresses */ + switch (pkt.pkt_hatype) { + case ARPHRD_ETHER: { + memcpy(scratch_saddr, pkt.ethhdr->h_source, ETH_ALEN); + memcpy(scratch_daddr, pkt.ethhdr->h_dest, ETH_ALEN); + list = elist; + break; } + case ARPHRD_FDDI: { + memcpy(scratch_saddr, pkt.fddihdr->saddr, FDDI_K_ALEN); + memcpy(scratch_daddr, pkt.fddihdr->daddr, FDDI_K_ALEN); + list = flist; + break; } + default: + /* unknown link protocol */ + continue; + } + + switch(pkt.pkt_protocol) { + case ETH_P_IP: + case ETH_P_IPV6: + is_ip = 1; + break; + default: + is_ip = 0; + break; + } + + /* Check source address entry */ + entry = in_ethtable(&table, pkt.pkt_hatype, + scratch_saddr); + + if (!entry) + entry = addethentry(&table, pkt.pkt_hatype, + ifname, scratch_saddr, list); + + if (entry != NULL) { + updateethent(entry, pkt.pkt_len, is_ip, 1); + if (!entry->prev_entry->un.desc.printed) + printethent(&table, entry->prev_entry, + idx); + + printethent(&table, entry, idx); + } + + /* Check destination address entry */ + entry = in_ethtable(&table, pkt.pkt_hatype, + scratch_daddr); + if (!entry) + entry = addethentry(&table, pkt.pkt_hatype, + ifname, scratch_daddr, list); + + if (entry != NULL) { + updateethent(entry, pkt.pkt_len, is_ip, 0); + if (!entry->prev_entry->un.desc.printed) + printethent(&table, entry->prev_entry, + idx); + + printethent(&table, entry, idx); + } + } while (!exitloop); + +err_close: + close(fd); + +err: + if (options.promisc) { + promisc_restore_list(&promisc); + promisc_destroy(&promisc); + } + + if (logging) { + signal(SIGUSR1, SIG_DFL); + writeethlog(table.head, time(NULL) - statbegin, logfile); + writelog(logging, logfile, + "******** LAN traffic monitor stopped ********"); + fclose(logfile); 
+ } + + + del_panel(table.tabpanel); + delwin(table.tabwin); + del_panel(table.borderpanel); + delwin(table.borderwin); + update_panels(); + doupdate(); + destroyethtab(&table); + + free_eth_desc(elist); + free_eth_desc(flist); + + strcpy(current_logfile, ""); +} diff --git a/src/hostmon.h b/src/hostmon.h new file mode 100644 index 0000000..6b23b54 --- /dev/null +++ b/src/hostmon.h @@ -0,0 +1,7 @@ +#ifndef IPTRAF_NG_HOSTMON_H +#define IPTRAF_NG_HOSTMON_H + +void convmacaddr(char *addr, char *result); +void hostmon(time_t facilitytime, char *ifptr); + +#endif /* IPTRAF_NG_HOSTMON_H */ diff --git a/src/ifaces.c b/src/ifaces.c new file mode 100644 index 0000000..a3a7b08 --- /dev/null +++ b/src/ifaces.c 
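Review bot: writeethlog() divides by `nsecs` (`ptmp->un.figs.inbcount / nsecs`, and again for outbcount) with no guard against zero, and the final call at the end of hostmon() passes `time(NULL) - statbegin`, which is 0 when the monitor is left within its first second; an integer divide by zero is undefined behaviour and traps with SIGFPE on common platforms, so a quick quit with logging enabled kills the program before the log is closed. The periodic call inside the loop can hit the same case if options.logspan can be 0, which cannot be confirmed from this hunk. Clamp at the top of writeethlog(), `if (nsecs == 0) nsecs = 1;`, or skip the average-rate lines when nsecs is 0; the existing `nsecs > 5` guard shows the author already expected a minimum elapsed time, it just is not enforced for the plain averages. The same function would benefit from a one-line header comment stating that `nsecs` is the elapsed monitoring time in whole seconds and must be non-zero.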
@@ -0,0 +1,290 @@
+/* For terms of usage/redistribution/modification see the LICENSE file */
+/* For authors and contributors see the AUTHORS file */
+
+/***
+
+ifaces.c - routine that determines whether a given interface is supported
+ by IPTraf
+
+***/
+
+#include "iptraf-ng-compat.h"
+
+#include "error.h"
+
+/*
+ * Open /proc/net/dev and move file pointer past the two table header lines
+ * at the top of the file.
+ */
+
+FILE *open_procnetdev(void)
+{
+ FILE *fd;
+ char buf[161];
+
+ fd = fopen("/proc/net/dev", "r");
+
+ /*
+ * Read and discard the table header lines in the file
+ */
+
+ if (fd != NULL) {
+ fgets(buf, 160, fd);
+ fgets(buf, 160, fd);
+ }
+
+ return fd;
+}
+
+/*
+ * Get the next interface from /proc/net/dev.
+ */
+int get_next_iface(FILE * fd, char *ifname, int n)
+{
+ char buf[161];
+
+ strcpy(ifname, "");
+
+ if (!feof(fd)) {
+ strcpy(buf, "");
+ fgets(buf, 160, fd);
+ if (strcmp(buf, "") != 0) {
+ memset(ifname, 0, n);
+ strncpy(ifname, skip_whitespace(strtok(buf, ":")), n);
+ if (ifname[n - 1] != '\0')
+ strcpy(ifname, "");
+ return 1;
+ }
+ }
+ return 0;
+}
+
+int dev_up(char *iface)
+{
+ int fd;
+ int ir;
+ struct ifreq ifr;
+
+ fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
+
+ strcpy(ifr.ifr_name, iface);
+ ir = ioctl(fd, SIOCGIFFLAGS, &ifr);
+
+ close(fd);
+
+ if ((ir != 0) || (!(ifr.ifr_flags & IFF_UP)))
+ return 0;
+
+ return 1;
+}
+
+void err_iface_down(void)
+{
+ write_error("Specified interface not active");
+}
+
+int dev_get_ifindex(const char *iface)
+{
+ int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ if (fd == -1)
+ return fd;
+
+ struct ifreq ifr;
+ strcpy(ifr.ifr_name, iface);
+ int ir = ioctl(fd, SIOCGIFINDEX, &ifr);
+
+ /* need to preserve errno across call to close() */
+ int saved_errno = errno;
+
+ close(fd);
+
+ /* bug out if ioctl() failed */
+ if (ir != 0) {
+ errno = saved_errno;
+ return ir;
+ }
+
+ return ifr.ifr_ifindex;
+}
+
+int dev_get_mtu(const char *iface)
+{
+ int fd = socket(PF_INET, SOCK_DGRAM, 
IPPROTO_UDP);
+ if (fd == -1)
+ return fd;
+
+ struct ifreq ifr;
+ strcpy(ifr.ifr_name, iface);
+ int ir = ioctl(fd, SIOCGIFMTU, &ifr);
+
+ /* need to preserve errno across call to close() */
+ int saved_errno = errno;
+
+ close(fd);
+
+ /* bug out if ioctl() failed */
+ if (ir != 0) {
+ errno = saved_errno;
+ return ir;
+ }
+
+ return ifr.ifr_mtu;
+}
+
+int dev_get_flags(const char *iface)
+{
+ int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ if (fd == -1)
+ return fd;
+
+ struct ifreq ifr;
+ strcpy(ifr.ifr_name, iface);
+ int ir = ioctl(fd, SIOCGIFFLAGS, &ifr);
+
+ /* need to preserve errno across call to close() */
+ int saved_errno = errno;
+
+ close(fd);
+
+ /* bug out if ioctl() failed */
+ if (ir != 0) {
+ errno = saved_errno;
+ return ir;
+ }
+
+ return ifr.ifr_flags;
+}
+
+int dev_set_flags(const char *iface, int flags)
+{
+ int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ if (fd == -1)
+ return fd;
+
+ struct ifreq ifr;
+ strcpy(ifr.ifr_name, iface);
+ int ir = ioctl(fd, SIOCGIFFLAGS, &ifr);
+ if (ir == -1)
+ goto err;
+
+ ifr.ifr_flags |= flags;
+ ir = ioctl(fd, SIOCSIFFLAGS, &ifr);
+
+ int saved_errno;
+err: /* need to preserve errno across call to close() */
+ saved_errno = errno;
+
+ close(fd);
+
+ /* bug out if ioctl() failed */
+ if (ir != 0)
+ errno = saved_errno;
+
+ return ir;
+}
+
+int dev_clear_flags(const char *iface, int flags)
+{
+ int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ if (fd == -1)
+ return fd;
+
+ struct ifreq ifr;
+ strcpy(ifr.ifr_name, iface);
+ int ir = ioctl(fd, SIOCGIFFLAGS, &ifr);
+ if (ir == -1)
+ goto err;
+
+ ifr.ifr_flags &= ~flags;
+ ir = ioctl(fd, SIOCSIFFLAGS, &ifr);
+
+ int saved_errno;
+err: /* need to preserve errno across call to close() */
+ saved_errno = errno;
+
+ close(fd);
+
+ /* bug out if ioctl() failed */
+ if (ir != 0)
+ errno = saved_errno;
+
+ return ir;
+}
+
+int dev_get_ifname(int ifindex, char *ifname)
+{
+ int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ if (fd == -1)
+ return fd; 
+
+ struct ifreq ifr = {
+ .ifr_ifindex = ifindex
+ };
+ int ir = ioctl(fd, SIOCGIFNAME, &ifr);
+
+ /* need to preserve errno across call to close() */
+ int saved_errno = errno;
+
+ close(fd);
+
+ /* bug out if ioctl() failed */
+ if (ir != 0) {
+ errno = saved_errno;
+ return ir;
+ }
+
+ strncpy(ifname, ifr.ifr_name, IFNAMSIZ);
+ return ir;
+}
+
+int dev_bind_ifindex(int fd, const int ifindex)
+{
+ struct sockaddr_ll fromaddr;
+ socklen_t addrlen = sizeof(fromaddr);
+
+ fromaddr.sll_family = AF_PACKET;
+ fromaddr.sll_protocol = htons(ETH_P_ALL);
+ fromaddr.sll_ifindex = ifindex;
+ return bind(fd, (struct sockaddr *) &fromaddr, addrlen);
+}
+
+int dev_bind_ifname(int fd, const char const *ifname)
+{
+ int ir;
+ struct ifreq ifr;
+
+ strcpy(ifr.ifr_name, ifname);
+ ir = ioctl(fd, SIOCGIFINDEX, &ifr);
+ if (ir)
+ return ir;
+
+ return dev_bind_ifindex(fd, ifr.ifr_ifindex);
+}
+
+char *gen_iface_msg(char *ifptr)
+{
+ static char if_msg[20];
+
+ if (ifptr == NULL)
+ strcpy(if_msg, "all interfaces");
+ else
+ strncpy(if_msg, ifptr, 20);
+
+ return if_msg;
+}
+
+
+int dev_promisc_flag(const char *dev_name)
+{
+ int flags = dev_get_flags(dev_name);
+ if (flags < 0) {
+ write_error("Unable to obtain interface parameters for %s",
+ dev_name);
+ return -1;
+ }
+
+ if (flags & IFF_PROMISC)
+ return -1;
+
+ return flags;
+}
diff --git a/src/ifaces.h b/src/ifaces.h
new file mode 100644
index 0000000..97d01ba
--- /dev/null
+++ b/src/ifaces.h
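Review bot: Every function that fills a `struct ifreq` copies the caller's interface name with `strcpy(ifr.ifr_name, iface)` (dev_up, dev_get_ifindex, dev_get_mtu, dev_get_flags, dev_set_flags, dev_clear_flags, dev_bind_ifname), but ifr_name is only IFNAMSIZ bytes, so a name of 16 or more characters overruns the struct on the stack before the kernel ever gets to reject it; unless every caller already bounds the name (the command-line path is not visible here), that is a stack overflow on user-controlled input. I would route the copy through one bounded helper that refuses over-long names with EINVAL, as sketched below, and use it in all seven places. The same bound is missing in gen_iface_msg, where `strncpy(if_msg, ifptr, 20)` leaves the static buffer unterminated for a name of 20 or more characters; `snprintf(if_msg, sizeof if_msg, "%s", ifptr);` fixes that one. dev_get_ifname's `strncpy(ifname, ifr.ifr_name, IFNAMSIZ)` likewise relies on the kernel having NUL-terminated ifr_name and on the caller passing an IFNAMSIZ-byte buffer, which is worth stating in a comment on the function.
```c
/* Copy an interface name into ifr->ifr_name.  ifr_name is IFNAMSIZ bytes,
 * so anything that long cannot be a valid kernel interface name and must
 * be rejected rather than strcpy()'d over the rest of the struct. */
static int ifr_set_name(struct ifreq *ifr, const char *iface)
{
	size_t len = iface ? strlen(iface) : 0;

	if (iface == NULL || len >= sizeof(ifr->ifr_name)) {
		errno = EINVAL;
		return -1;
	}
	memset(ifr, 0, sizeof(*ifr));
	memcpy(ifr->ifr_name, iface, len + 1);
	return 0;
}

int dev_get_ifindex(const char *iface)
{
	struct ifreq ifr;

	if (ifr_set_name(&ifr, iface) != 0)
		return -1;

	int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
	if (fd == -1)
		return fd;
	/* … unchanged: SIOCGIFINDEX ioctl, errno preservation, close() … */
}
/* … same ifr_set_name() replacement for the strcpy() in dev_up(), dev_get_mtu(),
   dev_get_flags(), dev_set_flags(), dev_clear_flags() and dev_bind_ifname() … */
```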
@@ -0,0 +1,22 @@
+#ifndef IPTRAF_NG_IFACES_H
+#define IPTRAF_NG_IFACES_H
+
+#define dev_set_promisc(dev) dev_set_flags((dev), IFF_PROMISC)
+#define dev_clr_promisc(dev) dev_clear_flags((dev), IFF_PROMISC)
+
+FILE *open_procnetdev(void);
+int get_next_iface(FILE * fd, char *ifname, int n);
+int dev_up(char *iface);
+void err_iface_down(void);
+int dev_get_ifindex(const char *iface);
+int dev_get_mtu(const char *iface);
+int dev_get_flags(const char *iface);
+int dev_set_flags(const char *iface, int flags);
+int dev_clear_flags(const char *iface, int flags);
+int dev_get_ifname(int ifindex, char *ifname);
+int dev_bind_ifindex(const int fd, const int ifindex);
+int dev_bind_ifname(const int fd, const char const *ifname);
+char *gen_iface_msg(char *ifptr);
+int dev_promisc_flag(const char *dev_name);
+
+#endif /* IPTRAF_NG_IFACES_H */
diff --git a/src/ifstats.c b/src/ifstats.c
new file mode 100644
index 0000000..f2ff72e
--- /dev/null
+++ b/src/ifstats.c
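Review bot: The prototype `int dev_bind_ifname(const int fd, const char const *ifname);` repeats `const` on `char`, which looks like a typo for `const char *ifname` (a qualifier on the pointer itself carries no meaning in a prototype) and draws a duplicate-qualifier warning from gcc; the definition in ifaces.c carries the same typo. I would change both to `int dev_bind_ifname(int fd, const char *ifname);`. The `const int fd` / `int fd` disagreement between this header and the definitions of dev_bind_ifindex and dev_bind_ifname is harmless but worth aligning in the same pass, and a short comment on dev_get_ifname stating that `ifname` must point to at least IFNAMSIZ bytes would document the only buffer contract in this header that callers can get wrong.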
@@ -0,0 +1,710 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +ifstats.c - the interface statistics module + + ***/ + +#include "iptraf-ng-compat.h" + +#include "tui/labels.h" +#include "tui/listbox.h" +#include "tui/msgboxes.h" +#include "tui/winops.h" + +#include "ifaces.h" +#include "fltdefs.h" +#include "packet.h" +#include "options.h" +#include "log.h" +#include "dirs.h" +#include "deskman.h" +#include "attrs.h" +#include "serv.h" +#include "timer.h" +#include "logvars.h" +#include "promisc.h" +#include "error.h" +#include "ifstats.h" +#include "rate.h" + +#define SCROLLUP 0 +#define SCROLLDOWN 1 + +struct iflist { + char ifname[IFNAMSIZ]; + int ifindex; + unsigned int encap; + unsigned long long iptotal; + unsigned long long ip6total; + unsigned long badtotal; + unsigned long long noniptotal; + unsigned long long total; + unsigned int spanbr; + unsigned long br; + struct rate rate; + unsigned long peakrate; + unsigned int index; + struct iflist *prev_entry; + struct iflist *next_entry; +}; + +struct iftab { + struct iflist *head; + struct iflist *tail; + struct iflist *firstvisible; + struct iflist *lastvisible; + WINDOW *borderwin; + PANEL *borderpanel; + WINDOW *statwin; + PANEL *statpanel; +}; + +/* + * USR1 log-rotation signal handlers + */ + +static void rotate_gstat_log(int s __unused) +{ + rotate_flag = 1; + strcpy(target_logname, GSTATLOG); + signal(SIGUSR1, rotate_gstat_log); +} + +static void writegstatlog(struct iftab *table, unsigned long nsecs, FILE *fd) +{ + struct iflist *ptmp = table->head; + char atime[TIME_TARGET_MAX]; + + genatime(time(NULL), atime); + fprintf(fd, "\n*** General interface statistics log generated %s\n\n", + atime); + + while (ptmp != NULL) { + + fprintf(fd, + "%s: %llu total, %llu IP, %llu non-IP, %lu IP checksum errors", + ptmp->ifname, ptmp->total, ptmp->iptotal, + ptmp->noniptotal, ptmp->badtotal); + + if (nsecs > 5) { + 
char buf[64]; + + rate_print(ptmp->br / nsecs, buf, sizeof(buf)); + fprintf(fd, ", average activity %s", buf); + rate_print(ptmp->peakrate, buf, sizeof(buf)); + fprintf(fd, ", peak activity %s", buf); + rate_print(rate_get_average(&ptmp->rate), buf, sizeof(buf)); + fprintf(fd, ", last 5-second average activity %s", buf); + } + fprintf(fd, "\n"); + + ptmp = ptmp->next_entry; + } + + fprintf(fd, "\n%lu seconds running time\n", nsecs); + fflush(fd); +} + +/* + * Function to check if an interface is already in the interface list. + * This eliminates duplicate interface entries due to aliases + */ + +static int ifinlist(struct iflist *list, char *ifname) +{ + struct iflist *ptmp = list; + int result = 0; + + while ((ptmp != NULL) && (result == 0)) { + result = (strcmp(ifname, ptmp->ifname) == 0); + ptmp = ptmp->next_entry; + } + + return result; +} + +/* + * Initialize the list of interfaces. This linked list is used in the + * selection boxes as well as in the general interface statistics screen. + * + * This function parses the /proc/net/dev file and grabs the interface names + * from there. The SIOGIFFLAGS ioctl() call is used to determine whether the + * interfaces are active. Inactive interfaces are omitted from selection + * lists. + */ + +static void initiflist(struct iflist **list) +{ + char ifname[IFNAMSIZ]; + + *list = NULL; + + FILE *fd = open_procnetdev(); + if (fd == NULL) { + tui_error(ANYKEY_MSG, "Unable to obtain interface list"); + return; + } + + while (get_next_iface(fd, ifname, sizeof(ifname))) { + if (!*ifname) + continue; + + if (ifinlist(*list, ifname)) /* ignore entry if already in */ + continue; /* interface list */ + + /* + * Check if the interface is actually up running. This prevents + * inactive devices in /proc/net/dev from actually appearing in + * interface lists used by IPTraf. 
+ */ + + if (!dev_up(ifname)) + continue; + + int ifindex = dev_get_ifindex(ifname); + if (ifindex < 0) + continue; + /* + * At this point, the interface is now sure to be up and running. + */ + + struct iflist *itmp = xmallocz(sizeof(struct iflist)); + strcpy(itmp->ifname, ifname); + itmp->ifindex = ifindex; + rate_alloc(&itmp->rate, 5); + + /* make the linked list sorted by ifindex */ + struct iflist *cur = *list, *last = NULL; + while (cur != NULL && cur->ifindex < ifindex) { + last = cur; + cur = cur->next_entry; + } + itmp->prev_entry = last; + itmp->next_entry = cur; + if (cur) + cur->prev_entry = itmp; + if (last) + last->next_entry = itmp; + else + *list = itmp; + } + fclose(fd); + + /* let the index follow the sorted linked list */ + unsigned int index = 1; + struct iflist *cur; + for (cur = *list; cur != NULL; cur = cur->next_entry) + cur->index = index++; +} + +static struct iflist *positionptr(struct iflist *iflist, const int ifindex) +{ + struct iflist *ptmp = iflist; + struct iflist *last = ptmp; + + while ((ptmp != NULL) && (ptmp->ifindex != ifindex)) { + last = ptmp; + ptmp = ptmp->next_entry; + } + /* no interface was found, try to create new one */ + if (ptmp == NULL) { + struct iflist *itmp = xmallocz(sizeof(struct iflist)); + itmp->ifindex = ifindex; + itmp->index = last->index + 1; + int r = dev_get_ifname(ifindex, itmp->ifname); + if (r != 0) { + write_error("Error getting interface name"); + return(NULL); + } + + /* last can't be NULL otherwise we will have empty iflist */ + last->next_entry = itmp; + itmp->prev_entry = last; + itmp->next_entry = NULL; + ptmp = itmp; + } + return(ptmp); +} + +static void destroyiflist(struct iflist *list) +{ + struct iflist *ctmp; + struct iflist *ptmp; + + if (list != NULL) { + ptmp = list; + ctmp = ptmp->next_entry; + + do { + rate_destroy(&ptmp->rate); + free(ptmp); + ptmp = ctmp; + if (ctmp != NULL) + ctmp = ctmp->next_entry; + } while (ptmp != NULL); + } +} + +static void no_ifaces_error(void) +{ + 
write_error("No active interfaces. Check their status or the /proc filesystem"); +} + +static void updaterates(struct iftab *table, unsigned long msecs) +{ + struct iflist *ptmp = table->head; + unsigned long rate; + + while (ptmp != NULL) { + rate_add_rate(&ptmp->rate, ptmp->spanbr, msecs); + rate = rate_get_average(&ptmp->rate); + + if (rate > ptmp->peakrate) + ptmp->peakrate = rate; + + ptmp->spanbr = 0; + ptmp = ptmp->next_entry; + } +} + +static void showrates(struct iftab *table) +{ + struct iflist *ptmp = table->firstvisible; + unsigned int idx = table->firstvisible->index; + unsigned long rate; + char buf[64]; + + wattrset(table->statwin, HIGHATTR); + do { + rate = rate_get_average(&ptmp->rate); + rate_print(rate, buf, sizeof(buf)); + wmove(table->statwin, ptmp->index - idx, 63 * COLS / 80); + wprintw(table->statwin, "%s", buf); + + ptmp = ptmp->next_entry; + } while (ptmp != table->lastvisible->next_entry); +} + +static void printifentry(struct iflist *ptmp, WINDOW * win, unsigned int idx) +{ + unsigned int target_row; + + if ((ptmp->index < idx) || (ptmp->index > idx + (LINES - 5))) + return; + + target_row = ptmp->index - idx; + + wattrset(win, STDATTR); + wmove(win, target_row, 1); + wprintw(win, "%s", ptmp->ifname); + wattrset(win, HIGHATTR); + wmove(win, target_row, 14 * COLS / 80); + printlargenum(ptmp->total, win); + wmove(win, target_row, 24 * COLS / 80); + printlargenum(ptmp->iptotal, win); + wmove(win, target_row, 34 * COLS / 80); + printlargenum(ptmp->ip6total, win); + wmove(win, target_row, 44 * COLS / 80); + printlargenum(ptmp->noniptotal, win); + wmove(win, target_row, 53 * COLS / 80); + wprintw(win, "%7lu", ptmp->badtotal); +} + +static void print_if_entries(struct iftab *table) +{ + struct iflist *ptmp = table->firstvisible; + unsigned int i = 1; + + unsigned int winht = LINES - 4; + + do { + printifentry(ptmp, table->statwin, table->firstvisible->index); + + if (i <= winht) + table->lastvisible = ptmp; + + ptmp = ptmp->next_entry; + i++; + 
} while ((ptmp != NULL) && (i <= winht)); +} + +static void labelstats(WINDOW *win) +{ + wmove(win, 0, 1); + wprintw(win, " Iface "); + /* 14, 24, 34, ... from printifentry() */ + /* 10 = strlen(printed number); from printlargenum() */ + /* 7 = strlen(" Total ") */ + /* 1 = align the string on 'l' from " Total " */ + wmove(win, 0, (14 * COLS / 80) + 10 - 7 + 1); + wprintw(win, " Total "); + wmove(win, 0, (24 * COLS / 80) + 10 - 6 + 1); + wprintw(win, " IPv4 "); + wmove(win, 0, (34 * COLS / 80) + 10 - 6 + 1); + wprintw(win, " IPv6 "); + wmove(win, 0, (44 * COLS / 80) + 10 - 7 + 1); + wprintw(win, " NonIP "); + wmove(win, 0, (53 * COLS / 80) + 8 - 7 + 1); + wprintw(win, " BadIP "); + wmove(win, 0, (63 * COLS / 80) + 14 - 10); + wprintw(win, " Activity "); +} + +static void initiftab(struct iftab *table) +{ + table->borderwin = newwin(LINES - 2, COLS, 1, 0); + table->borderpanel = new_panel(table->borderwin); + + move(LINES - 1, 1); + scrollkeyhelp(); + stdexitkeyhelp(); + wattrset(table->borderwin, BOXATTR); + tx_box(table->borderwin, ACS_VLINE, ACS_HLINE); + labelstats(table->borderwin); + table->statwin = newwin(LINES - 4, COLS - 2, 2, 1); + table->statpanel = new_panel(table->statwin); + tx_stdwinset(table->statwin); + wtimeout(table->statwin, -1); + wattrset(table->statwin, STDATTR); + tx_colorwin(table->statwin); + wattrset(table->statwin, BOXATTR); + wmove(table->borderwin, LINES - 3, 32 * COLS / 80); + wprintw(table->borderwin, + " Total, IP, NonIP, and BadIP are packet counts "); +} + +/* + * Scrolling routines for the general interface statistics window + */ + +static void scrollgstatwin(struct iftab *table, int direction) +{ + char buf[255]; + + sprintf(buf, "%%%dc", COLS - 2); + wattrset(table->statwin, STDATTR); + if (direction == SCROLLUP) { + if (table->lastvisible->next_entry != NULL) { + wscrl(table->statwin, 1); + table->lastvisible = table->lastvisible->next_entry; + table->firstvisible = table->firstvisible->next_entry; + wmove(table->statwin, 
LINES - 5, 0); + scrollok(table->statwin, 0); + wprintw(table->statwin, buf, ' '); + scrollok(table->statwin, 1); + printifentry(table->lastvisible, table->statwin, + table->firstvisible->index); + } + } else { + if (table->firstvisible != table->head) { + wscrl(table->statwin, -1); + table->firstvisible = table->firstvisible->prev_entry; + table->lastvisible = table->lastvisible->prev_entry; + wmove(table->statwin, 0, 0); + wprintw(table->statwin, buf, ' '); + printifentry(table->firstvisible, table->statwin, + table->firstvisible->index); + } + } +} + +static void pagegstatwin(struct iftab *table, int direction) +{ + int i = 1; + + if (direction == SCROLLUP) { + while ((i <= LINES - 5) + && (table->lastvisible->next_entry != NULL)) { + i++; + scrollgstatwin(table, direction); + } + } else { + while ((i <= LINES - 5) && (table->firstvisible != table->head)) { + i++; + scrollgstatwin(table, direction); + } + } +} + + +/* + * The general interface statistics function + */ + +void ifstats(time_t facilitytime) +{ + int logging = options.logging; + struct iftab table; + + int pkt_result = 0; + + struct iflist *ptmp = NULL; + + FILE *logfile = NULL; + + int ch; + + int fd; + + struct timeval tv; + time_t starttime = 0; + time_t statbegin = 0; + time_t now = 0; + struct timeval start_tv; + time_t startlog = 0; + struct timeval updtime; + + initiflist(&(table.head)); + if (!table.head) { + no_ifaces_error(); + return; + } + + initiftab(&table); + + LIST_HEAD(promisc); + if (options.promisc) { + promisc_init(&promisc, NULL); + promisc_set_list(&promisc); + } + + if (logging) { + if (strcmp(current_logfile, "") == 0) { + strcpy(current_logfile, GSTATLOG); + + if (!daemonized) + input_logfile(current_logfile, &logging); + } + } + + if (logging) { + opentlog(&logfile, GSTATLOG); + + if (logfile == NULL) + logging = 0; + } + if (logging) { + signal(SIGUSR1, rotate_gstat_log); + + rotate_flag = 0; + writelog(logging, logfile, + "******** General interface statistics started 
********"); + } + + table.firstvisible = table.head; + print_if_entries(&table); + + update_panels(); + doupdate(); + + fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); + if(fd == -1) { + write_error("Unable to obtain monitoring socket"); + goto err; + } + + exitloop = 0; + gettimeofday(&tv, NULL); + start_tv = tv; + updtime = tv; + starttime = startlog = statbegin = tv.tv_sec; + + PACKET_INIT(pkt); + + while (!exitloop) { + gettimeofday(&tv, NULL); + now = tv.tv_sec; + + if ((now - starttime) >= 1) { + unsigned long msecs; + + msecs = timeval_diff_msec(&tv, &start_tv); + updaterates(&table, msecs); + showrates(&table); + printelapsedtime(statbegin, now, LINES - 3, 1, + table.borderwin); + starttime = now; + start_tv = tv; + } + if (logging) { + check_rotate_flag(&logfile); + if ((now - startlog) >= options.logspan) { + writegstatlog(&table, + time(NULL) - statbegin, + logfile); + startlog = now; + } + } + if (screen_update_needed(&tv, &updtime)) { + print_if_entries(&table); + update_panels(); + doupdate(); + + updtime = tv; + } + + if ((facilitytime != 0) + && (((now - statbegin) / 60) >= facilitytime)) + exitloop = 1; + + if (packet_get(fd, &pkt, &ch, table.statwin) == -1) { + write_error("Packet receive failed"); + exitloop = 1; + break; + } + + switch (ch) { + case ERR: + /* no key ready, do nothing */ + break; + case KEY_UP: + scrollgstatwin(&table, SCROLLDOWN); + break; + case KEY_DOWN: + scrollgstatwin(&table, SCROLLUP); + break; + case KEY_PPAGE: + case '-': + pagegstatwin(&table, SCROLLDOWN); + break; + case KEY_NPAGE: + case ' ': + pagegstatwin(&table, SCROLLUP); + break; + case 12: + case 'l': + case 'L': + tx_refresh_screen(); + break; + case 'Q': + case 'q': + case 'X': + case 'x': + case 27: + case 24: + exitloop = 1; + break; + } + if (pkt.pkt_len <= 0) + continue; + + pkt_result = packet_process(&pkt, NULL, NULL, NULL, + MATCH_OPPOSITE_USECONFIG, + options.v6inv4asv6); + + if (pkt_result != PACKET_OK + && pkt_result != MORE_FRAGMENTS) + 
continue; + + ptmp = positionptr(table.head, pkt.pkt_ifindex); + if (!ptmp) + continue; + + ptmp->total++; + + ptmp->spanbr += pkt.pkt_len; + ptmp->br += pkt.pkt_len; + + if (pkt.pkt_protocol == ETH_P_IP) { + ptmp->iptotal++; + + if (pkt_result == CHECKSUM_ERROR) { + (ptmp->badtotal)++; + continue; + } + } else if (pkt.pkt_protocol == ETH_P_IPV6) { + ptmp->ip6total++; + } else { + (ptmp->noniptotal)++; + } + } + close(fd); + +err: + if (options.promisc) { + promisc_restore_list(&promisc); + promisc_destroy(&promisc); + } + + del_panel(table.statpanel); + delwin(table.statwin); + del_panel(table.borderpanel); + delwin(table.borderwin); + update_panels(); + doupdate(); + + if (logging) { + signal(SIGUSR1, SIG_DFL); + writegstatlog(&table, time(NULL) - statbegin, logfile); + writelog(logging, logfile, + "******** General interface statistics stopped ********"); + fclose(logfile); + } + destroyiflist(table.head); + pkt_cleanup(); + strcpy(current_logfile, ""); +} + +void selectiface(char *ifname, int withall, int *aborted) +{ + int ch; + + struct iflist *list; + struct iflist *ptmp; + + struct scroll_list scrolllist; + + initiflist(&list); + + if (list == NULL) { + no_ifaces_error(); + *aborted = 1; + return; + } + + if ((withall) && (list != NULL)) { + ptmp = xmalloc(sizeof(struct iflist)); + strncpy(ptmp->ifname, "All interfaces", sizeof(ptmp->ifname)); + ptmp->ifindex = 0; + rate_alloc(&ptmp->rate, 5); /* FIXME: need iflist_entry_init() */ + + ptmp->prev_entry = NULL; + list->prev_entry = ptmp; + ptmp->next_entry = list; + list = ptmp; + } + tx_listkeyhelp(STDATTR, HIGHATTR); + + ptmp = list; + + tx_init_listbox(&scrolllist, 24, 14, (COLS - 24) / 2 - 9, + (LINES - 14) / 2, STDATTR, BOXATTR, BARSTDATTR, + HIGHATTR); + + tx_set_listbox_title(&scrolllist, "Select Interface", 1); + + while (ptmp != NULL) { + tx_add_list_entry(&scrolllist, (char *) ptmp, ptmp->ifname); + ptmp = ptmp->next_entry; + } + + tx_show_listbox(&scrolllist); + tx_operate_listbox(&scrolllist, &ch, 
aborted);
+ tx_close_listbox(&scrolllist);
+
+ if (!(*aborted) && (list != NULL)) {
+ ptmp = (struct iflist *) scrolllist.textptr->nodeptr;
+ if ((withall) && (ptmp->prev_entry == NULL)) /* All Interfaces */
+ strcpy(ifname, "");
+ else
+ strcpy(ifname, ptmp->ifname);
+ }
+
+ tx_destroy_list(&scrolllist);
+ destroyiflist(list);
+ update_panels();
+ doupdate();
+}
diff --git a/src/ifstats.h b/src/ifstats.h
new file mode 100644
index 0000000..5cf8b15
--- /dev/null
+++ b/src/ifstats.h
@@ -0,0 +1,7 @@
+#ifndef IPTRAF_NG_IFSTATS_H
+#define IPTRAF_NG_IFSTATS_H
+
+void selectiface(char *ifname, int withall, int *aborted);
+void ifstats(time_t facilitytime);
+
+#endif /* IPTRAF_NG_IFSTATS_H */
diff --git a/src/ipfilter.c b/src/ipfilter.c
new file mode 100644
index 0000000..eb17ec7
--- /dev/null
+++ b/src/ipfilter.c
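Review bot: positionptr() creates a new iflist entry for an ifindex that was not present when initiflist() ran, but unlike initiflist() it never calls `rate_alloc(&itmp->rate, 5)`, so the entry's `struct rate` stays as xmallocz() left it (all zeroes) while the next updaterates()/showrates() pass calls rate_add_rate() and rate_get_average() on it, and destroyiflist() later calls rate_destroy() on it; unless those helpers tolerate a never-allocated rate (rate.c is not in view), the first packet from a hot-plugged interface breaks the statistics loop. The same function also leaks `itmp` when dev_get_ifname() fails, returning NULL with the freshly allocated entry unreachable. I would resolve the name before touching the list, `if (dev_get_ifname(ifindex, itmp->ifname) != 0) { write_error("Error getting interface name"); free(itmp); return NULL; }`, and add `rate_alloc(&itmp->rate, 5);` right after `itmp->ifindex = ifindex;` so every entry reaches destroyiflist() in the same state. The comment "last can't be NULL otherwise we will have empty iflist" is only true because ifstats() checks `table.head` before the loop; that precondition belongs in a comment on positionptr() itself.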
@@ -0,0 +1,433 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +ipfilter.c - user interface and filter function for all IP packets + +***/ + +#include "iptraf-ng-compat.h" + +#include "tui/input.h" +#include "tui/menurt.h" +#include "tui/msgboxes.h" + +#include "addproto.h" +#include "dirs.h" +#include "deskman.h" +#include "attrs.h" +#include "fltdefs.h" +#include "fltmgr.h" +#include "fltselect.h" +#include "ipfilter.h" +#include "fltedit.h" +#include "getpath.h" +#include "parseproto.h" +#include "cidr.h" + +static in_port_t parse_port(char *buf) +{ + unsigned int value; + + if ((strtoul_ui(buf, 10, &value) == 0) && (value <= 65535)) + return value; + else + return 0; +} +void gethostparams(struct hostparams *data, char *init_saddr, char *init_smask, + char *init_sport1, char *init_sport2, char *init_daddr, + char *init_dmask, char *init_dport1, char *init_dport2, + char *initinex, char *initmatchop, int *aborted) +{ + WINDOW *dlgwin; + PANEL *dlgpanel; + + struct FIELDLIST fields; + struct FIELD *fieldptr; + + unsigned int rangeproto1, rangeproto2; + int parse_result; + char *bptr, *cptr; + int doagain; + unsigned int i; + char msgstr[60]; + char actual_address[30]; + unsigned int maskbits; + + const char *WILDCARD = "0.0.0.0"; + + dlgwin = newwin(22, 80, (LINES - 22) / 2, (COLS - 80) / 2); + dlgpanel = new_panel(dlgwin); + + wattrset(dlgwin, DLGBOXATTR); + tx_colorwin(dlgwin); + tx_box(dlgwin, ACS_VLINE, ACS_HLINE); + + mvwprintw(dlgwin, 0, 22, " Source "); + mvwprintw(dlgwin, 0, 52, " Destination "); + + wmove(dlgwin, 20, 2); + tabkeyhelp(dlgwin); + stdkeyhelp(dlgwin); + wattrset(dlgwin, DLGTEXTATTR); + mvwprintw(dlgwin, 2, 2, "IP address"); + mvwprintw(dlgwin, 4, 2, "Wildcard mask"); + mvwprintw(dlgwin, 6, 2, "Port"); + mvwprintw(dlgwin, 9, 2, "Protocols to match"); + mvwprintw(dlgwin, 10, 2, "(Enter Y beside each"); + mvwprintw(dlgwin, 11, 2, "protocol to 
match.)"); + mvwprintw(dlgwin, 18, 2, "Include/Exclude (I/E)"); + + tx_initfields(&fields, 19, 55, (LINES - 22) / 2 + 1, + (COLS - 80) / 2 + 23, DLGTEXTATTR, FIELDATTR); + + mvwprintw(fields.fieldwin, 5, 6, "to"); + mvwprintw(fields.fieldwin, 5, 36, "to"); + mvwprintw(fields.fieldwin, 6, 0, + "Port fields apply only to TCP and UDP packets"); + mvwprintw(fields.fieldwin, 8, 3, "All IP"); + mvwprintw(fields.fieldwin, 8, 16, "TCP"); + mvwprintw(fields.fieldwin, 8, 26, "UDP"); + mvwprintw(fields.fieldwin, 8, 35, "ICMP"); + mvwprintw(fields.fieldwin, 8, 45, "IGMP"); + mvwprintw(fields.fieldwin, 10, 5, "OSPF"); + mvwprintw(fields.fieldwin, 10, 16, "IGP"); + mvwprintw(fields.fieldwin, 10, 25, "IGRP"); + mvwprintw(fields.fieldwin, 10, 36, "GRE"); + mvwprintw(fields.fieldwin, 10, 45, "L2TP"); + mvwprintw(fields.fieldwin, 12, 1, "IPSec AH"); + mvwprintw(fields.fieldwin, 12, 13, "IPSec ESP"); + mvwprintw(fields.fieldwin, 14, 1, + "Additional protocols or ranges (e.g. 8, 18-20, 69, 90)"); + mvwprintw(fields.fieldwin, 17, 11, "Match opposite (Y/N)"); + + tx_addfield(&fields, 25, 1, 0, init_saddr); + tx_addfield(&fields, 25, 3, 0, init_smask); + tx_addfield(&fields, 5, 5, 0, init_sport1); + tx_addfield(&fields, 5, 5, 9, init_sport2); + tx_addfield(&fields, 25, 1, 30, init_daddr); + tx_addfield(&fields, 25, 3, 30, init_dmask); + tx_addfield(&fields, 5, 5, 30, init_dport1); + tx_addfield(&fields, 5, 5, 39, init_dport2); + + tx_addfield(&fields, 1, 8, 10, (data->filters[F_ALL_IP]) ? "Y" : ""); + tx_addfield(&fields, 1, 8, 20, (data->filters[F_TCP]) ? "Y" : ""); + tx_addfield(&fields, 1, 8, 30, (data->filters[F_UDP]) ? "Y" : ""); + tx_addfield(&fields, 1, 8, 40, (data->filters[F_ICMP]) ? "Y" : ""); + tx_addfield(&fields, 1, 8, 50, (data->filters[F_IGMP]) ? "Y" : ""); + tx_addfield(&fields, 1, 10, 10, (data->filters[F_OSPF]) ? "Y" : ""); + tx_addfield(&fields, 1, 10, 20, (data->filters[F_IGP]) ? "Y" : ""); + tx_addfield(&fields, 1, 10, 30, (data->filters[F_IGRP]) ? 
"Y" : ""); + tx_addfield(&fields, 1, 10, 40, (data->filters[F_GRE]) ? "Y" : ""); + tx_addfield(&fields, 1, 10, 50, (data->filters[F_L2TP]) ? "Y" : ""); + tx_addfield(&fields, 1, 12, 10, (data->filters[F_IPSEC_AH]) ? "Y" : ""); + tx_addfield(&fields, 1, 12, 23, (data->filters[F_IPSEC_ESP]) ? "Y" : ""); + + cptr = skip_whitespace(data->protolist); + tx_addfield(&fields, 54, 15, 1, cptr); + tx_addfield(&fields, 1, 17, 1, initinex); + tx_addfield(&fields, 1, 17, 32, initmatchop); + + do { + tx_fillfields(&fields, aborted); /*get input */ + if (!(*aborted)) { + fieldptr = fields.list; + + /* + * Adjust upper loop bound depending on the number of fields + * before the "Additional IP protocols" field. + */ + for (i = 2; i <= 21; i++) + fieldptr = fieldptr->nextfield; + + if (!validate_ranges + (fieldptr->buf, &parse_result, &bptr)) { + snprintf(msgstr, 60, + "Invalid protocol input at or near token \"%s\"", + bptr); + tui_error(ANYKEY_MSG, msgstr); + doagain = 1; + } else + doagain = 0; + } else { + doagain = 0; + } + } while (doagain); + + /* + * Store entered filter data into data structures + */ + if (!(*aborted)) { + fieldptr = fields.list; + maskbits = 0; + + /* + * Process Source Address field + */ + if (fieldptr->buf[0] == '\0') + strcpy(data->s_fqdn, WILDCARD); + else + strcpy(data->s_fqdn, fieldptr->buf); + + if (strchr(data->s_fqdn, '/') != NULL) { + cidr_split_address(data->s_fqdn, actual_address, + &maskbits); + strcpy(data->s_fqdn, actual_address); + } + + /* + * Process Source Mask field + */ + fieldptr = fieldptr->nextfield; + if (fieldptr->buf[0] == '\0') { + if (maskbits > 32) { + strcpy(data->s_mask, WILDCARD); + } else { + strncpy(data->s_mask, + cidr_get_quad_mask(maskbits), 20); + } + } else + strcpy(data->s_mask, fieldptr->buf); + + /* + * Process Source Port fields + */ + fieldptr = fieldptr->nextfield; + data->sport1 = parse_port(fieldptr->buf); + + fieldptr = fieldptr->nextfield; + data->sport2 = parse_port(fieldptr->buf); + + /* + * Process 
Destination Address field + */ + fieldptr = fieldptr->nextfield; + if (fieldptr->buf[0] == '\0') + strcpy(data->d_fqdn, WILDCARD); + else + strcpy(data->d_fqdn, fieldptr->buf); + + maskbits = 0; + if (strchr(data->d_fqdn, '/') != NULL) { + cidr_split_address(data->d_fqdn, actual_address, + &maskbits); + strcpy(data->d_fqdn, actual_address); + } + + /* + * Process Destination mask field + */ + fieldptr = fieldptr->nextfield; + if (fieldptr->buf[0] == '\0') { + if (maskbits > 32) { + strcpy(data->d_mask, WILDCARD); + } else { + strncpy(data->d_mask, + cidr_get_quad_mask(maskbits), 20); + } + } else + strcpy(data->d_mask, fieldptr->buf); + + /* + * Process Dedination Port fields + */ + fieldptr = fieldptr->nextfield; + data->dport1 = parse_port(fieldptr->buf); + + fieldptr = fieldptr->nextfield; + data->dport2 = parse_port(fieldptr->buf); + + /* + * Process IP protocol filter fields + */ + fieldptr = fieldptr->nextfield; + memset(&(data->filters), 0, sizeof(data->filters)); + + if (toupper(fieldptr->buf[0]) == 'Y') + data->filters[F_ALL_IP] = 1; + fieldptr = fieldptr->nextfield; + if (toupper(fieldptr->buf[0]) == 'Y') + data->filters[F_TCP] = 1; + fieldptr = fieldptr->nextfield; + if (toupper(fieldptr->buf[0]) == 'Y') + data->filters[F_UDP] = 1; + fieldptr = fieldptr->nextfield; + if (toupper(fieldptr->buf[0]) == 'Y') + data->filters[F_ICMP] = 1; + fieldptr = fieldptr->nextfield; + if (toupper(fieldptr->buf[0]) == 'Y') + data->filters[F_IGMP] = 1; + fieldptr = fieldptr->nextfield; + if (toupper(fieldptr->buf[0]) == 'Y') + data->filters[F_OSPF] = 1; + fieldptr = fieldptr->nextfield; + if (toupper(fieldptr->buf[0]) == 'Y') + data->filters[F_IGP] = 1; + fieldptr = fieldptr->nextfield; + if (toupper(fieldptr->buf[0]) == 'Y') + data->filters[F_IGRP] = 1; + fieldptr = fieldptr->nextfield; + if (toupper(fieldptr->buf[0]) == 'Y') + data->filters[F_GRE] = 1; + fieldptr = fieldptr->nextfield; + if (toupper(fieldptr->buf[0]) == 'Y') + data->filters[F_L2TP] = 1; + fieldptr = 
fieldptr->nextfield; + if (toupper(fieldptr->buf[0]) == 'Y') + data->filters[F_IPSEC_AH] = 1; + fieldptr = fieldptr->nextfield; + if (toupper(fieldptr->buf[0]) == 'Y') + data->filters[F_IPSEC_ESP] = 1; + fieldptr = fieldptr->nextfield; + + /* + * Parse protocol string + */ + cptr = fieldptr->buf; + strncpy(data->protolist, cptr, 60); + + do { + get_next_protorange(&cptr, &rangeproto1, + &rangeproto2, &parse_result, &bptr); + if (parse_result == RANGE_OK) { + if (rangeproto2 != 0) { + for (i = rangeproto1; i <= rangeproto2; + i++) { + data->filters[i] = 1; + } + } else { + data->filters[rangeproto1] = 1; + } + } + } while (parse_result == RANGE_OK); + + data->reverse = toupper(fieldptr->nextfield->buf[0]); + if (data->reverse != 'E') + data->reverse = 'I'; + + data->match_opposite = + toupper(fieldptr->nextfield->nextfield->buf[0]); + if (data->match_opposite != 'Y') + data->match_opposite = 'N'; + } + + tx_destroyfields(&fields); + del_panel(dlgpanel); + delwin(dlgwin); + update_panels(); + doupdate(); +} + +void ipfilterselect(int *aborted) +{ + struct MENU menu; + int row = 1; + struct filterfileent fflist; + + makestdfiltermenu(&menu); + do { + tx_showmenu(&menu); + tx_operatemenu(&menu, &row, aborted); + switch (row) { + case 1: + definefilter(aborted); + break; + case 2: + selectfilter(&fflist, aborted); + if (!(*aborted)) { + memset(ofilter.filename, 0, FLT_FILENAME_MAX); + strncpy(ofilter.filename, + get_path(T_WORKDIR, fflist.filename), + FLT_FILENAME_MAX - 1); + if (!loadfilter(ofilter.filename, &ofilter.fl, FLT_RESOLVE)) + ofilter.filtercode = 1; + else + ofilter.filtercode = 0; + } + break; + case 3: + destroyfilter(&ofilter.fl); + ofilter.filtercode = 0; + tx_infobox("IP filter deactivated", ANYKEY_MSG); + break; + case 4: + editfilter(aborted); + break; + case 5: + delfilter(aborted); + if (!(*aborted)) + tx_infobox("IP filter deleted", ANYKEY_MSG); + } + } while (row != 7); + tx_destroymenu(&menu); + update_panels(); + doupdate(); +} + +static int 
addr_in_net(unsigned long addr, unsigned long net, + unsigned long mask) +{ + return (addr & mask) == (net & mask); +} + +static int port_in_range(in_port_t port, in_port_t port1, in_port_t port2) +{ + if (port2 == 0) + return port == port1 || port1 == 0; + else + return port >= port1 && port <= port2; +} + +/* Display/logging filter for other (non-TCP, non-UDP) IP protocols. */ +int ipfilter(unsigned long saddr, unsigned long daddr, in_port_t sport, + in_port_t dport, unsigned int protocol, int match_opp_mode) +{ + struct filterent *fe; + int result = 0; + int fltexpr1; + int fltexpr2; + + for (fe = ofilter.fl.head; fe != NULL; fe = fe->next_entry) { + if (protocol == IPPROTO_TCP || protocol == IPPROTO_UDP) { + fltexpr1 = addr_in_net(saddr, fe->saddr, fe->smask) + && addr_in_net(daddr, fe->daddr, fe->dmask) + && port_in_range(sport, fe->hp.sport1, fe->hp.sport2) + && port_in_range(dport, fe->hp.dport1, fe->hp.dport2); + + if ((protocol == IPPROTO_TCP + && match_opp_mode == MATCH_OPPOSITE_ALWAYS) + || (fe->hp.match_opposite == 'Y')) + fltexpr2 = addr_in_net(saddr, fe->daddr, fe->dmask) + && addr_in_net(daddr, fe->saddr, fe->smask) + && port_in_range(sport, fe->hp.dport1, fe->hp.dport2) + && port_in_range(dport, fe->hp.sport1, fe->hp.sport2); + else + fltexpr2 = 0; + } else { + fltexpr1 = addr_in_net(saddr, fe->saddr, fe->smask) + && addr_in_net(daddr, fe->daddr, fe->dmask); + + if (fe->hp.match_opposite == 'Y') { + fltexpr2 = addr_in_net(saddr, fe->daddr, fe->dmask) + && addr_in_net(daddr, fe->saddr, fe->smask); + } else + fltexpr2 = 0; + } + + if (fltexpr1 || fltexpr2) { + result = fe->hp.filters[protocol] + || fe->hp.filters[F_ALL_IP]; + + if (result) { + if (toupper(fe->hp.reverse) == 'E') { + return 0; + } + + return 1; + } + } + } + + return 0; +} diff --git a/src/ipfilter.h b/src/ipfilter.h new file mode 100644 index 0000000..ac82b93 --- /dev/null +++ b/src/ipfilter.h 
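Review bot: parse_port() returns 0 both for an empty field and for input it cannot parse (non-numeric text, or a value above 65535), and 0 is exactly the value port_in_range() treats as "any port" (`port1 == 0` matches everything), so a typo in a port field silently widens the filter to every port instead of being rejected, the opposite of what the validate_ranges() re-prompt loop does for the protocol field. I would make the parser report failure separately from the wildcard and check the four port fields (fields 3, 4, 7 and 8 of `fields.list`) inside the `do { tx_fillfields(...) } while (doagain)` loop so the user gets an "Invalid port number" error and a chance to fix it, as sketched below; the four store-back calls then become `if (parse_port(fieldptr->buf, &data->sport1) != 0) data->sport1 = 0;` and so on, which can no longer fail after the loop has validated them. The visible code does not show the size of `data->filters`, so I will only flag that the `for (i = rangeproto1; i <= rangeproto2; i++) data->filters[i] = 1;` loop and the `fe->hp.filters[protocol]` index in ipfilter() rely entirely on validate_ranges() and the 8-bit protocol field staying within that array.
```c
/* Parse a port field.  An empty field means "any port" (0); anything that
 * is not a number in 0..65535 is an error, never a silent wildcard. */
static int parse_port(const char *buf, in_port_t *port)
{
	unsigned int value;

	if (buf[0] == '\0') {
		*port = 0;
		return 0;
	}
	if (strtoul_ui(buf, 10, &value) != 0 || value > 65535)
		return -1;
	*port = value;
	return 0;
}

/* … unchanged: dialog and field construction … */
	do {
		tx_fillfields(&fields, aborted);	/*get input */
		if (!(*aborted)) {
			/* … unchanged: validate_ranges() on the protocol field, sets doagain … */

			/* reject malformed ports instead of treating them as "any" */
			fieldptr = fields.list;
			for (i = 1; i <= 8 && !doagain; i++) {
				in_port_t unused;

				if ((i == 3 || i == 4 || i == 7 || i == 8)
				    && parse_port(fieldptr->buf, &unused) != 0) {
					tui_error(ANYKEY_MSG, "Invalid port number");
					doagain = 1;
				}
				fieldptr = fieldptr->nextfield;
			}
		} else {
			doagain = 0;
		}
	} while (doagain);
```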
@@ -0,0 +1,12 @@ +#ifndef IPTRAF_NG_IPFILTER_H +#define IPTRAF_NG_IPFILTER_H + +void gethostparams(struct hostparams *data, char *init_saddr, char *init_smask, + char *init_sport1, char *init_sport2, char *init_daddr, + char *init_dmask, char *init_dport1, char *init_dport2, + char *initinex, char *initmatchop, int *aborted); +void ipfilterselect(int *faborted); +int ipfilter(unsigned long saddr, unsigned long daddr, in_port_t sport, + in_port_t dport, unsigned int protocol, int match_opp_mode); + +#endif /* IPTRAF_NG_IPFILTER_H */ diff --git a/src/ipfrag.c b/src/ipfrag.c new file mode 100644 index 0000000..76196e6 --- /dev/null +++ b/src/ipfrag.c 
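Review bot: The prototypes use `struct hostparams` and `in_port_t` without the header providing either, so `ipfilter.h` only compiles when the including file has already pulled in the right definitions; a forward declaration `struct hostparams;` ahead of the prototypes and `#include <netinet/in.h>` for `in_port_t` would make it self-contained (the same applies to `src/ipfrag.h`, which relies on `struct iphdr`, `in_port_t` and `time_t` from elsewhere). The parameter name `faborted` on `ipfilterselect()` also differs from the `aborted` used in the definition in ipfilter.c; keeping them identical avoids a misleading declaration.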
@@ -0,0 +1,268 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +ipfrag.c - module that handles fragmented IP packets. + +This module is necessary to maintain accurate counts in case +fragmented IP packets are received. TCP and UDP headers are not copied +in fragments. + +This module is based on RFC 815, but does not really reassemble packets. +The routines here merely accumulate packet sizes and pass them off to +the IP traffic monitor routine. + +***/ + +#include "iptraf-ng-compat.h" + +#include "ipfrag.h" + +static struct fragent *fraglist = NULL; +static struct fragent *fragtail = NULL; + +static struct fragent *addnewdgram(struct iphdr *packet) +{ + struct fragent *ptmp; + + ptmp = xmallocz(sizeof(struct fragent)); + if (fraglist == NULL) { + fraglist = ptmp; + ptmp->prev_entry = NULL; + } + if (fragtail != NULL) { + fragtail->next_entry = ptmp; + ptmp->prev_entry = fragtail; + } + ptmp->fragdesclist = xmalloc(sizeof(struct fragdescent)); + ptmp->fragdesclist->min = 0; + ptmp->fragdesclist->max = 65535; + ptmp->fragdesclist->next_entry = NULL; + ptmp->fragdesclist->prev_entry = NULL; + ptmp->fragdesctail = ptmp->fragdesclist; + + fragtail = ptmp; + ptmp->next_entry = NULL; + + ptmp->s_addr = packet->saddr; + ptmp->d_addr = packet->daddr; + ptmp->protocol = packet->protocol; + ptmp->id = packet->id; + + return ptmp; +} + +static struct fragdescent *addnewhole(struct fragent *frag) +{ + struct fragdescent *ptmp; + + ptmp = xmalloc(sizeof(struct fragdescent)); + + if (frag->fragdesclist == NULL) { + frag->fragdesclist = ptmp; + ptmp->prev_entry = NULL; + } + if (frag->fragdesctail != NULL) { + frag->fragdesctail->next_entry = ptmp; + ptmp->prev_entry = frag->fragdesctail; + } + ptmp->next_entry = NULL; + frag->fragdesctail = ptmp; + + return ptmp; +} + +static struct fragent *searchfrags(unsigned long saddr, unsigned long daddr, + unsigned int protocol, unsigned int 
id) +{ + struct fragent *ftmp = fraglist; + + while (ftmp != NULL) { + if ((saddr == ftmp->s_addr) && (daddr == ftmp->d_addr) + && (protocol == ftmp->protocol) && (id == ftmp->id)) + return ftmp; + + ftmp = ftmp->next_entry; + } + + return NULL; +} + +static void deldgram(struct fragent *ftmp) +{ + if (ftmp->prev_entry != NULL) + ftmp->prev_entry->next_entry = ftmp->next_entry; + else + fraglist = ftmp->next_entry; + + if (ftmp->next_entry != NULL) + ftmp->next_entry->prev_entry = ftmp->prev_entry; + else + fragtail = ftmp->prev_entry; + + free(ftmp); +} + + +/* + * Destroy hole descriptor list + */ + +static void destroyholes(struct fragent *ftmp) +{ + struct fragdescent *dtmp = ftmp->fragdesclist; + struct fragdescent *ntmp = NULL; + + if (ftmp->fragdesclist != NULL) { + ntmp = dtmp->next_entry; + + while (dtmp != NULL) { + free(dtmp); + dtmp = ntmp; + + if (ntmp != NULL) + ntmp = ntmp->next_entry; + } + } +} + +void destroyfraglist(void) +{ + struct fragent *ptmp = fraglist; + struct fragent *ctmp = NULL; + + if (fraglist != NULL) { + ctmp = ptmp->next_entry; + + while (ptmp != NULL) { + destroyholes(ptmp); + free(ptmp); + ptmp = ctmp; + + if (ctmp != NULL) + ctmp = ctmp->next_entry; + } + } + fraglist = NULL; + fragtail = NULL; +} + +/* + * Process IP fragment. Returns number of bytes to report to the traffic + * monitor or 0 for an error condition. 
+ */ + +unsigned int processfragment(struct iphdr *packet, in_port_t *sport, + in_port_t *dport, int *firstin) +{ + struct fragent *ftmp; + struct fragdescent *dtmp; + struct fragdescent *ntmp; + char *tpacket; + + unsigned int offset; + unsigned int lastbyte; + unsigned int retval; + + /* Determine appropriate hole descriptor list */ + + ftmp = + searchfrags(packet->saddr, packet->daddr, packet->protocol, + packet->id); + + if (ftmp == NULL) /* No such datagram for this frag yet */ + ftmp = addnewdgram(packet); + + if (ftmp == NULL) + return 0; + + /* + * At this point, ftmp should contain the address of the appropriate + * descriptor list. + */ + + dtmp = ftmp->fragdesclist; /* Point to hole descriptors */ + offset = (ntohs(packet->frag_off) & 0x1fff) * 8; + lastbyte = (offset + (ntohs(packet->tot_len) - (packet->ihl) * 4)) - 1; + + if ((ntohs(packet->frag_off) & 0x1fff) == 0) { /* first fragment? */ + ftmp->firstin = 1; + tpacket = ((char *) (packet)) + (packet->ihl * 4); + if (packet->protocol == IPPROTO_TCP) { + ftmp->s_port = ntohs(((struct tcphdr *) tpacket)->source); + ftmp->d_port = ntohs(((struct tcphdr *) tpacket)->dest); + } else if (packet->protocol == IPPROTO_UDP) { + ftmp->s_port = ntohs(((struct udphdr *) tpacket)->source); + ftmp->d_port = ntohs(((struct udphdr *) tpacket)->dest); + } + } + while (dtmp != NULL) { + if ((offset <= dtmp->max) && (lastbyte >= dtmp->min)) + break; + + dtmp = dtmp->next_entry; + } + + if (dtmp != NULL) { /* Duplicate/overlap or something out of the + loopback interface */ + /* + * Delete current entry from hole descriptor list + */ + + if (dtmp->prev_entry != NULL) + dtmp->prev_entry->next_entry = dtmp->next_entry; + else + ftmp->fragdesclist = dtmp->next_entry; + + if (dtmp->next_entry != NULL) + dtmp->next_entry->prev_entry = dtmp->prev_entry; + else + ftmp->fragdesctail = dtmp->prev_entry; + + /* + * Memory for the hole descriptor will not be released yet. 
+ */ + + if (offset > dtmp->min) { + /* + * If offset in fragment is greater than offset in the descriptor, + * create a new hole descriptor. + */ + + ntmp = addnewhole(ftmp); + ntmp->min = dtmp->min; + ntmp->max = offset - 1; + } + if ((lastbyte < dtmp->max) + && (ntohs(packet->frag_off) & 0x2000)) { + /* + * If last byte in fragment is less than the last byte of the + * hole descriptor, and more fragments, create a new hole + * descriptor. + */ + + ntmp = addnewhole(ftmp); + ntmp->min = lastbyte + 1; + ntmp->max = dtmp->max; + } + free(dtmp); + + } + *firstin = ftmp->firstin; + + ftmp->bcount += ntohs(packet->tot_len); + + if (ftmp->firstin) { + *sport = ftmp->s_port; + *dport = ftmp->d_port; + retval = ftmp->bcount; + ftmp->bcount = 0; + + if (ftmp->fragdesclist == NULL) + deldgram(ftmp); + + return retval; + } else + return 0; +} diff --git a/src/ipfrag.h b/src/ipfrag.h new file mode 100644 index 0000000..f20e6dd --- /dev/null +++ b/src/ipfrag.h @@ -0,0 +1,42 @@ +#ifndef IPTRAF_NG_IPFRAG_H +#define IPTRAF_NG_IPFRAG_H + +/*** + +ipfrag.h - IP fragmentation hander definitions + +***/ + +struct fragdescent { + unsigned int min; + unsigned int max; + struct fragdescent *prev_entry; + struct fragdescent *next_entry; +}; + +struct fragent { + unsigned long s_addr; + in_port_t s_port; + unsigned long d_addr; + in_port_t d_port; + unsigned int id; + unsigned int protocol; + int firstin; + time_t starttime; + struct fragdescent *fragdesclist; + struct fragdescent *fragdesctail; + unsigned int bcount; + struct fragent *prev_entry; + struct fragent *next_entry; +}; + +struct fragfreelistent { + struct fragent *top; + struct fragfreelist *next_entry; +}; + +void destroyfraglist(void); +unsigned int processfragment(struct iphdr *packet, in_port_t *sport, + in_port_t *dport, int *firstin); + +#endif /* IPTRAF_NG_IPFRAG_H */ diff --git a/src/iptraf-ng-compat.h b/src/iptraf-ng-compat.h new file mode 100644 index 0000000..f17a686 --- /dev/null +++ b/src/iptraf-ng-compat.h 
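Review bot: `processfragment()` reads a TCP/UDP header out of the first fragment via `tpacket = ((char *) (packet)) + (packet->ihl * 4)` without checking that the fragment actually carries `sizeof(struct tcphdr)` / `sizeof(struct udphdr)` bytes after the IP header, so a short or truncated first fragment produces an out-of-bounds read of `source`/`dest`; the `lastbyte` expression likewise wraps when `tot_len < ihl * 4` because everything is unsigned. Whether the caller already validates header lengths is not visible in this hunk, and the checks below assume the buffer holds at least `tot_len` bytes — if the captured length can be shorter than `tot_len`, that length should be passed in and used instead. Separately, an entry created by `addnewdgram()` is only freed once a first fragment arrives and the hole list empties, and `starttime` in `struct fragent` is never assigned, so datagrams whose first fragment never shows up stay in `fraglist` for the life of the process — a memory-growth concern for a long-running monitor that would be worth a `/* TODO: age out stale entries via starttime */` comment at minimum. The `if (ftmp == NULL) return 0;` after `addnewdgram()` looks dead, since `xmallocz()` appears to be a die-on-failure allocator (hedged: its definition is not in this diff).
```c
unsigned int processfragment(struct iphdr *packet, in_port_t *sport,
			     in_port_t *dport, int *firstin)
{
	/* … unchanged: local declarations … */
	unsigned int iplen = ntohs(packet->tot_len);
	unsigned int hdrlen = packet->ihl * 4;

	/* tot_len must cover the IP header, or offset/lastbyte wrap below */
	if (iplen < hdrlen)
		return 0;

	/* … unchanged: searchfrags()/addnewdgram() lookup … */

	offset = (ntohs(packet->frag_off) & 0x1fff) * 8;
	lastbyte = (offset + (iplen - hdrlen)) - 1;

	if ((ntohs(packet->frag_off) & 0x1fff) == 0) {	/* first fragment? */
		ftmp->firstin = 1;
		tpacket = ((char *) (packet)) + hdrlen;
		/* only touch the transport header if this fragment carries it */
		if (packet->protocol == IPPROTO_TCP
		    && iplen - hdrlen >= sizeof(struct tcphdr)) {
			ftmp->s_port = ntohs(((struct tcphdr *) tpacket)->source);
			ftmp->d_port = ntohs(((struct tcphdr *) tpacket)->dest);
		} else if (packet->protocol == IPPROTO_UDP
			   && iplen - hdrlen >= sizeof(struct udphdr)) {
			ftmp->s_port = ntohs(((struct udphdr *) tpacket)->source);
			ftmp->d_port = ntohs(((struct udphdr *) tpacket)->dest);
		}
	}
	/* … unchanged: hole-descriptor bookkeeping and byte accounting … */
```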
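Review bot: `struct fragfreelistent` in ipfrag.h declares its link as `struct fragfreelist *next_entry`, a tag that is never defined (the struct itself is tagged `fragfreelistent`), and nothing in the ipfrag.c hunk uses the type; either the member should read `struct fragfreelistent *next_entry;` or the unused struct should be dropped so the mismatch does not survive into later code.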
@@ -0,0 +1,147 @@ +#ifndef IPTRAF_NG_COMPAT_H +#define IPTRAF_NG_COMPAT_H + +#include <stdlib.h> +#include <unistd.h> +#include <getopt.h> +#include <signal.h> +#include <string.h> +#include <time.h> +#include <fcntl.h> +#include <dirent.h> +#include <errno.h> +#include <ctype.h> +#include <netdb.h> +#include <curses.h> +#include <panel.h> +#include <assert.h> +#include <stddef.h> +#include <poll.h> + +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/socket.h> +#include <sys/time.h> +#include <sys/ioctl.h> +#include <sys/wait.h> +#include <sys/un.h> + +#include <netinet/in.h> +#include <netinet/udp.h> +#include <netinet/ip.h> +#include <netinet/tcp.h> +#include <netinet/ip6.h> +#include <netinet/icmp6.h> +#include <netinet/ip_icmp.h> + +#include <arpa/inet.h> + +#include <linux/if_ether.h> +#include <linux/if_packet.h> +#include <linux/if_fddi.h> +#include <linux/types.h> + +#include <linux/if.h> +#include <linux/if_arp.h> + +#ifndef ETH_P_8021AD +#define ETH_P_8021AD 0x88A8 /* 802.1ad Service VLAN */ +#endif + +#ifndef ETH_P_QINQ1 +#define ETH_P_QINQ1 0x9100 /* deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ] */ +#endif + +#ifndef ETH_P_QINQ2 +#define ETH_P_QINQ2 0x9200 /* deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ] */ +#endif + +#ifndef ETH_P_QINQ3 +#define ETH_P_QINQ3 0x9300 /* deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ] */ +#endif + +#define debug(...) \ + do { \ + fprintf(stderr, "%s:%s():%d:", \ + __FILE__, __func__, __LINE__); \ + fprintf(stderr, __VA_ARGS__); \ + fprintf(stderr, "\n"); \ + } while(0) + +#define KBITS 0 + +#define dispmode(mode) \ + (((mode) == KBITS) ? 
"kbps": "kBps") + +#define __noreturn __attribute__((noreturn)) +#define __unused __attribute__((unused)) +#define __printf(x, y) __attribute__((format(printf, (x), (y)))) + +/* screen delay (in msecs) if update rate == 0 */ +#define DEFAULT_UPDATE_DELAY 50 + +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + +#define alloc_nr(x) (((x)+16)*3/2) + +/* + * Realloc the buffer pointed at by variable 'x' so that it can hold + * at least 'nr' entries; the number of entries currently allocated + * is 'alloc', using the standard growing factor alloc_nr() macro. + * + * DO NOT USE any expression with side-effect for 'x', 'nr', or 'alloc'. + */ +#define ALLOC_GROW(x, nr, alloc) \ + do { \ + if ((nr) > alloc) { \ + if (alloc_nr(alloc) < (nr)) \ + alloc = (nr); \ + else \ + alloc = alloc_nr(alloc); \ + x = xrealloc((x), alloc * sizeof(*(x))); \ + } \ + } while (0) + +extern int daemonized; +extern int exitloop; + +extern void *xmalloc(size_t size); +extern void *xcalloc(size_t nmemb, size_t size); +extern void *xrealloc(void *ptr, size_t size); +extern void *xmallocz(size_t size); +extern char *xstrdup(const char *s); +extern int strtoul_ui(char const *s, int base, unsigned int *result); +extern int strtol_i(char const *s, int base, int *result); + +extern void die(const char *err, ...) __noreturn __printf(1,2); +extern void die_errno(const char *fmt, ...) __noreturn __printf(1,2); +extern void error(const char *err, ...) __printf(1,2); + +static inline char *skip_whitespace(char *str) +{ + while (isspace(*str)) + ++str; + + return str; +} + +static inline unsigned long timeval_diff_msec(const struct timeval *end, + const struct timeval *start) +{ + if (!start || !end) + return 0UL; + + signed long secs = end->tv_sec - start->tv_sec; + signed long usecs = end->tv_usec - start->tv_usec; + + if(usecs < 0) { + usecs = 1000000 - usecs; + secs -= 1; + } + if(secs >= 0) + return secs * 1000UL + usecs / 1000UL; + else + return 0UL; +} + +#endif /* IPTRAF_NG_COMPAT_H */ 
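Review bot: `timeval_diff_msec()` mis-normalises a negative microsecond difference: with `usecs < 0`, the line `usecs = 1000000 - usecs;` adds the magnitude instead of borrowing, so end = 1.0 s, start = 0.5 s gives secs = 0, usecs = 1500000 and a result of 1500 ms rather than 500 ms; it should be `usecs = 1000000 + usecs;` (or `usecs += 1000000;`). `skip_whitespace()` passes a plain `char` to `isspace()`, which is undefined for negative values where `char` is signed — `isspace((unsigned char)*str)` is the safe form. Also, `ALLOC_GROW` uses `alloc` unparenthesised in `(nr) > alloc`, and the `__noreturn`/`__unused`/`__printf` names sit in the implementation-reserved identifier space; they work under GCC, but a short comment such as `/* GCC/Clang attribute shorthands; names are in the reserved namespace */` would record that dependency.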
diff --git a/src/iptraf-ng.8 b/src/iptraf-ng.8 new file mode 100644 index 0000000..33f9728 --- /dev/null +++ b/src/iptraf-ng.8 
@@ -0,0 +1,105 @@ +.TH IPTRAF 8 "IPTraf Help Page" +.SH NAME +iptraf \- Interactive Colorful IP LAN Monitor +.SH SYNOPSIS +.BR iptraf " { [ " \-f " ] [ " \-q " ] [ " \-u " ] [ { " \-i +.IR iface " | " +.BR \-g " | " \-d +.IR iface " | " +.BR \-s +.IR iface " | " +.BR \-z +.IR iface " | " +.BR \-l +.IR iface " } [ " +.BR \-t +.IR timeout " ] [ " +.BR \-B " [ " +.BR \-L +.IR logfile " ] ] ] | [ " +.BR \-h " ] }" +.br +.SH DESCRIPTION +.B iptraf +is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others. +.PP +If the +.B iptraf +command is issued without any command-line options, the program comes up in interactive mode, with the various facilities accessed through the main menu. + +.SH OPTIONS +These options can also be supplied to the command: +.TP +.BI "\-i " iface +immediately start the IP traffic monitor on the specified interface, or +all interfaces if "\-i all" is specified +.TP +.B "\-g" +immediately start the general interface statistics +.TP +.BI "\-d " iface +allows you to immediately start the detailed on the indicated interface (iface) +.TP +.BI "\-s " iface +allows you to immediately monitor TCP and UDP traffic on the specified interface (iface) +.TP +.BI "\-z " iface +shows packet counts by size on the specified interface +.TP +.BI "\-l " iface +start the LAN station monitor on the specified interface, or all LAN +interfaces if "\-l all" is specified +.TP +.BI "\-t " timeout +tells IPTraf to run the specified facility for only +.I timeout +minutes. This option is used only with one of the above parameters. +.TP +.B "\-B" +redirect standard output to /dev/null, closes standard input, and forks +the program into the background. Can be used only with one of the +facility invocation parameters above. Send the backgrounded process a +USR2 signal to terminate. 
+.TP +.B "\-L logfile" +allows you to specify an alternate log file name. The default log file +name is based on either the interface selected (detailed interface +statistics, TCP/UDP service statistics, packet size breakdown), or the +instance of the facility (IP traffic monitor, LAN station monitor). If a +path is not specified, the log file is placed in +.B /var/log/iptraf +.TP +.B "\-f" +clears all locks and counters, causing this instance of IPTraf to think +it's the first one running. This should only be used to recover from +an abnormal termination or system crash. +.TP +.B "\-u" +allow use of unsupported interfaces as ethernet devices. This is needed if +you changed the name of an interface (ex: ip link set eth0 name foo0) +.TP +.BI "\-q" +no longer needed, maintained only for compatibility. +.TP +.B "\-h" +shows a command summary +.SH SIGNALS + + SIGUSR1 - rotates log files while program is running + SIGUSR2 - terminates an IPTraf process running in the background. + +.SH FILES + /var/log/iptraf/*.log - log file + /var/lib/iptraf/* - important IPTraf data files + +.SH SEE ALSO + Documentation/* - complete documentation written by the author +.br + +.SH AUTHOR +Gerard Paul Java (riker@mozcom.com) + +.SH MANUAL AUTHOR +Frederic Peters (fpeters@debian.org), using iptraf \-h +General manual page modifications by Gerard Paul Java (riker@mozcom.com) + diff --git a/src/iptraf.c b/src/iptraf.c new file mode 100644 index 0000000..2dc1759 --- /dev/null +++ b/src/iptraf.c 
@@ -0,0 +1,544 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/* +IPTraf +An IP Network Statistics Utility +*/ + +#include "iptraf-ng-compat.h" +#include "built-in.h" + +#include "tui/menurt.h" +#include "tui/winops.h" + +#include "dirs.h" +#include "deskman.h" +#include "fltdefs.h" +#include "fltselect.h" +#include "fltmgr.h" +#include "fltedit.h" +#include "serv.h" +#include "options.h" +#include "attrs.h" +#include "rvnamed.h" +#include "logvars.h" +#include "detstats.h" +#include "ifstats.h" +#include "itrafmon.h" +#include "pktsize.h" +#include "hostmon.h" + +#include "parse-options.h" + +#define WITHALL 1 +#define WITHOUTALL 0 + +#ifndef IPTRAF_PIDFILE +#define IPTRAF_PIDFILE "/var/run/iptraf-ng.pid" +#endif + +const char *ALLSPEC = "all"; + +#define CMD(name, h) { .cmd = #name, .fn = cmd_##name, .help = h } +#define CMD_END() { NULL, NULL, NULL } + +struct cmd_struct { + const char *cmd; + int (*fn)(int, char **); + const char *help; +}; + +/* + * Important globals used throughout the + * program. 
+ */ +int exitloop = 0; +int daemonized = 0; +int facility_running = 0; + +static void press_enter_to_continue(void) +{ + fprintf(stderr, "Press Enter to continue.\n"); + getchar(); +} + +static void clearfiles(char *prefix, char *directory) +{ + DIR *dir; + struct dirent *dir_entry; + char target_name[80]; + + dir = opendir(directory); + + if (dir == NULL) { + fprintf(stderr, "\nUnable to read directory %s\n%s\n", + directory, strerror(errno)); + press_enter_to_continue(); + return; + } + + do { + dir_entry = readdir(dir); + if (dir_entry != NULL) { + if (strncmp(dir_entry->d_name, prefix, strlen(prefix)) + == 0) { + snprintf(target_name, 80, "%s/%s", directory, + dir_entry->d_name); + unlink(target_name); + } + } + } while (dir_entry != NULL); + + closedir(dir); +} + +static void removetags(void) +{ + clearfiles("iptraf", LOCKDIR); +} + +static void remove_sockets(void) +{ + clearfiles(SOCKET_PREFIX, WORKDIR); +} + +/* + * USR2 handler. Used to normally exit a daemonized facility. + */ + +static void term_usr2_handler(int s __unused) +{ + exitloop = 1; +} + +static void init_break_menu(struct MENU *break_menu) +{ + tx_initmenu(break_menu, 6, 20, (LINES - 6) / 2, COLS / 2, BOXATTR, + STDATTR, HIGHATTR, BARSTDATTR, BARHIGHATTR, DESCATTR); + tx_additem(break_menu, " By packet ^s^ize", + "Displays packet counts by packet size range"); + tx_additem(break_menu, " By TCP/UDP ^p^ort", + "Displays packet and byte counts by service port"); + tx_additem(break_menu, NULL, NULL); + tx_additem(break_menu, " E^x^it menu", "Return to main menu"); +} + +/* + * Get the ball rolling: The program interface routine. 
+ */ + +static void program_interface(void) +{ + struct MENU menu; + struct MENU break_menu; + + int endloop = 0; + int row = 1; + int break_row = 1; + int aborted; + int break_aborted; + + char ifname[IFNAMSIZ]; + char *ifptr = NULL; + + /* + * Load saved filter + */ + loadfilters(); + indicate(""); + + tx_initmenu(&menu, 15, 35, (LINES - 16) / 2, (COLS - 35) / 2, BOXATTR, + STDATTR, HIGHATTR, BARSTDATTR, BARHIGHATTR, DESCATTR); + + tx_additem(&menu, " IP traffic ^m^onitor", + "Displays current IP traffic information"); + tx_additem(&menu, " General interface ^s^tatistics", + "Displays some statistics for attached interfaces"); + tx_additem(&menu, " ^D^etailed interface statistics", + "Displays more statistics for a selected interface"); + tx_additem(&menu, " Statistical ^b^reakdowns...", + "Facilities for traffic counts by packet size or TCP/UDP port"); + tx_additem(&menu, " ^L^AN station monitor", + "Displays statistics on detected LAN stations"); + tx_additem(&menu, NULL, NULL); + tx_additem(&menu, " ^F^ilters...", + "Allows you to select traffic display and logging criteria"); + tx_additem(&menu, NULL, NULL); + tx_additem(&menu, " C^o^nfigure...", "Set various program options"); + tx_additem(&menu, NULL, NULL); + tx_additem(&menu, " ^A^bout...", "Displays program info"); + tx_additem(&menu, NULL, NULL); + tx_additem(&menu, " E^x^it", "Exits program"); + + endloop = 0; + + do { + tx_showmenu(&menu); + tx_operatemenu(&menu, &row, &aborted); + + switch (row) { + case 1: + selectiface(ifname, WITHALL, &aborted); + if (!aborted) { + if (strcmp(ifname, "") != 0) + ifptr = ifname; + else + ifptr = NULL; + + ipmon(0, ifptr); + } + break; + case 2: + ifstats(0); + break; + case 3: + selectiface(ifname, WITHOUTALL, &aborted); + if (!aborted) + detstats(ifname, 0); + break; + case 4: + break_row = 1; + init_break_menu(&break_menu); + tx_showmenu(&break_menu); + tx_operatemenu(&break_menu, &break_row, &break_aborted); + + switch (break_row) { + case 1: + 
selectiface(ifname, WITHOUTALL, &aborted); + if (!aborted) + packet_size_breakdown(ifname, 0); + break; + case 2: + selectiface(ifname, WITHOUTALL, &aborted); + if (!aborted) + servmon(ifname, 0); + break; + case 4: + break; + } + tx_destroymenu(&break_menu); + break; + case 5: + selectiface(ifname, WITHALL, &aborted); + if (!aborted) { + if (strcmp(ifname, "") != 0) + ifptr = ifname; + else + ifptr = NULL; + hostmon(0, ifptr); + } + break; + case 7: + config_filters(); + savefilters(); + break; + case 9: + setoptions(); + saveoptions(); + break; + case 11: + about(); + break; + case 13: + endloop = 1; + break; + } + } while (!endloop); + + tx_destroymenu(&menu); +} + +static const char *const iptraf_ng_usage[] = { + IPTRAF_NAME " [options]", + IPTRAF_NAME " [options] -B [-i <iface> | -d <iface> | -s <iface> | -z <iface> | -l <iface> | -g]", + NULL +}; + +static int help_opt, f_opt, g_opt, facilitytime, B_opt; +static char *i_opt, *d_opt, *s_opt, *z_opt, *l_opt, *L_opt; + +static struct options iptraf_ng_options[] = { + OPT__HELP(&help_opt), + OPT_GROUP(""), + OPT_STRING('i', NULL, &i_opt, "iface", + "start the IP traffic monitor (use '-i all' for all interfaces)"), + OPT_STRING('d', NULL, &d_opt, "iface", + "start the detailed statistics facility on an interface"), + OPT_STRING('s', NULL, &s_opt, "iface", + "start the TCP and UDP monitor on an interface"), + OPT_STRING('z', NULL, &z_opt, "iface", + "shows the packet size counts on an interface"), + OPT_STRING('l', NULL, &l_opt, "iface", + "start the LAN station monitor (use '-l all' for all LAN interfaces)"), + OPT_BOOL('g', NULL, &g_opt, "start the general interface statistics"), + OPT_GROUP(""), + OPT_BOOL('B', NULL, &B_opt, + "run in background (use only with one of the above parameters"), + OPT_BOOL('f', NULL, &f_opt, + "clear all locks and counters" + /*. Use with great caution. 
Normally used to recover from an abnormal termination */ + ), + OPT_INTEGER('t', NULL, &facilitytime, + "run only for the specified <n> number of minutes"), + OPT_STRING('L', NULL, &L_opt, "logfile", + "specifies an alternate log file"), + // OPT_INTEGER('I', NULL, &I_opt, "the log interval for all facilities except the IP traffic monitor. Value is in minutes"), + OPT_END() +}; + +static int create_pidfile(void) +{ + int fd = open(IPTRAF_PIDFILE, O_WRONLY|O_CREAT, 0644); + if (fd < 0) { + perror("can not open "IPTRAF_PIDFILE); + return -1; + } + + if (lockf(fd, F_TLOCK, 0) < 0) { + error("The PID file is locked "IPTRAF_PIDFILE". " + "Maybe other iptraf-ng instance is running?can not acquire "); + return -1; + } + + fcntl(fd, F_SETFD, FD_CLOEXEC); + + char buf[sizeof(long) * 3 + 2]; + int len = sprintf(buf, "%lu\n", (long) getpid()); + write(fd, buf, len); + ftruncate(fd, len); + /* we leak opened+locked fd intentionally */ + return 0; +} + +static void sanitize_dir(const char *dir) +{ + /* Check whether LOCKDIR exists (/var/run is on a tmpfs in Ubuntu) */ + if (access(dir, F_OK) != 0) { + if (mkdir(dir, 0700) == -1) + die("Cannot create %s: %s", dir, strerror(errno)); + + if (chown(dir, 0, 0) == -1) + die("Cannot change owner of %s: %s", dir, + strerror(errno)); + } +} + +static void handle_internal_command(int argc, char **argv, + const struct cmd_struct *commands) +{ + const char *cmd = argv[0]; + + for (const struct cmd_struct *p = commands; p->cmd; ++p) + { + if (!strcmp(p->cmd, cmd)) + exit(p->fn(argc, argv)); + } +} + +int main(int argc, char **argv) +{ + int current_log_interval = 0; + + if (geteuid() != 0) + die("This program can be run only by the system administrator"); + + const struct cmd_struct commands[] = { + CMD(capture, "capture packet"), + CMD_END(), + }; + + /* stupid, but for now needed machinery with argc, args + * + */ + char **internal_argv = argv; + argc--; + internal_argv++; + + if (argc > 0) + handle_internal_command(argc, internal_argv, 
commands); + + argc++; + + /* + * Parse command line + */ + + parse_opts(argc, argv, iptraf_ng_options, iptraf_ng_usage); + + if (help_opt) + parse_usage_and_die(iptraf_ng_usage, iptraf_ng_options); + + int command = 0; + + command |= (i_opt) ? (1 << 0) : 0; + command |= (d_opt) ? (1 << 1) : 0; + command |= (s_opt) ? (1 << 2) : 0; + command |= (z_opt) ? (1 << 3) : 0; + command |= (l_opt) ? (1 << 4) : 0; + command |= (g_opt) ? (1 << 5) : 0; + + if (__builtin_popcount(command) > 1) + die("only one of -i|-d|-s|-z|-l|-g options must be used"); + + strcpy(current_logfile, ""); + + if (f_opt) { + removetags(); + remove_sockets(); + } + + if (B_opt) { + if (!command) + die("one of -i|-d|-s|-z|-l|-g option is missing\n"); + daemonized = 1; + setenv("TERM", "linux", 1); + } + + if (L_opt) { + if (strchr(L_opt, '/') != NULL) + strncpy(current_logfile, L_opt, 80); + else + strncpy(current_logfile, get_path(T_LOGDIR, L_opt), 80); + } +#if 0 /* this could never work */ + /* origin + } else if (opt == 'I') { + //this could never work + current_log_interval = atoi(optarg); + if (current_log_interval == 0) + fprintf(stderr, "Invalid log interval value\n"); + + exit(1); + } else if (opt == 'G') { + */ + if (I_opt == 0) { + fprintf(stderr, "fatal: Invalid log interval value\n"); + exit(1); + } else + current_log_interval = I_opt; +#endif + + if ((getenv("TERM") == NULL) && (!daemonized)) + die("Your TERM variable is not set.\n" + "Please set it to an appropriate value"); + + loadoptions(); + + + if (create_pidfile() < 0) + goto cleanup; + + int pidfile_created = 1; + + /* + * If a facility is directly invoked from the command line, check for + * a daemonization request + */ + + if (daemonized && command) { + switch (fork()) { + case 0: /* child */ + setsid(); + freopen("/dev/null", "w", stdout); /* redirect std output */ + freopen("/dev/null", "r", stdin); /* redirect std input */ + freopen("/dev/null", "w", stderr); /* redirect std error */ + signal(SIGUSR2, term_usr2_handler); + + 
options.logging = 1; + break; + case -1: /* error */ + error("Fork error, %s cannot run in background", IPTRAF_NAME); + goto cleanup; + default: /* parent */ + goto cleanup; + } + } + + sanitize_dir(LOCKDIR); + sanitize_dir(WORKDIR); + + initscr(); + + if ((LINES < 24) || (COLS < 80)) { + endwin(); + die("This program requires a screen size of at least 80 columns by 24 lines\n" "Please resize your window"); + } + + signal(SIGTSTP, SIG_IGN); + signal(SIGINT, SIG_IGN); + signal(SIGUSR1, SIG_IGN); + + start_color(); + standardcolors(options.color); + noecho(); + nonl(); + cbreak(); + curs_set(0); + + /* + * Set logfilename variable to NULL if -L was specified without an + * appropriate facility on the command line. + */ + + if (command == 0) + strcpy(current_logfile, ""); + + /* + * If by this time the logfile is still acceptable, obtain the + * logspan from the command line if so specified. + */ + + if (current_logfile[0] != '\0') { + options.logging = 1; + if (current_log_interval != 0) { + options.logspan = current_log_interval; + } + } + + /* + * Load saved filter + */ + loadfilters(); + indicate(""); + + /* bad, bad, bad name draw_desktop() + * hide all into tui_top_panel(char *msg) + * */ + draw_desktop(); + attrset(STATUSBARATTR); + mvprintw(0, 1, "%s %s", IPTRAF_NAME, IPTRAF_VERSION); + + /* simplify */ + if (g_opt) + ifstats(facilitytime); + else if (i_opt) + if (strcmp(i_opt, "all") == 0) + ipmon(facilitytime, NULL); + else + ipmon(facilitytime, i_opt); + else if (l_opt) + if (strcmp(l_opt, "all") == 0) + hostmon(facilitytime, NULL); + else + hostmon(facilitytime, l_opt); + else if (d_opt) + detstats(d_opt, facilitytime); + else if (s_opt) + servmon(s_opt, facilitytime); + else if (z_opt) + packet_size_breakdown(z_opt, facilitytime); + else + program_interface(); + + erase(); + update_panels(); + doupdate(); + endwin(); + +cleanup: + if (pidfile_created) + unlink(IPTRAF_PIDFILE); + + return 0; +} 
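Review bot: In `main()`, the `goto cleanup` taken when `create_pidfile()` fails jumps over the declaration `int pidfile_created = 1;`, so the flag is read uninitialised at the `cleanup:` label; if the stack happens to hold a non-zero value, a second instance that lost the `lockf()` race unlinks the PID file of the instance that is actually running. The same label is reached from the `default:` (parent) branch after `fork()` with the flag set, so in `-B` mode the parent removes the pidfile the daemonised child still holds locked, which defeats the single-instance check that the pidfile exists to provide. Move the flag to the top of `main()` as `int pidfile_created = 0;`, set `pidfile_created = 1;` only after `create_pidfile()` returns 0, and in the parent branch set `pidfile_created = 0;` before its `goto cleanup`. While there, `create_pidfile()` opens `IPTRAF_PIDFILE` as root with `O_WRONLY|O_CREAT` and no `O_NOFOLLOW`, ignores the `write()` return value, and its `error()` message is garbled (`... running?can not acquire `).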
diff --git a/src/itrafmon.c b/src/itrafmon.c new file mode 100644 index 0000000..670ab6d --- /dev/null +++ b/src/itrafmon.c 
@@ -0,0 +1,1196 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +itrafmon.c - the IP traffic monitor module + +***/ + +#include "iptraf-ng-compat.h" + +#include "tui/labels.h" +#include "tui/winops.h" + +#include "options.h" +#include "tcptable.h" +#include "othptab.h" +#include "fltdefs.h" +#include "packet.h" +#include "ifaces.h" +#include "promisc.h" +#include "deskman.h" +#include "error.h" +#include "attrs.h" +#include "log.h" +#include "revname.h" +#include "rvnamed.h" +#include "dirs.h" +#include "timer.h" +#include "ipfrag.h" +#include "logvars.h" +#include "itrafmon.h" +#include "sockaddr.h" + +#define SCROLLUP 0 +#define SCROLLDOWN 1 + +static void rotate_ipmon_log(int s __unused) +{ + rotate_flag = 1; + strcpy(target_logname, current_logfile); + signal(SIGUSR1, rotate_ipmon_log); +} + +/* Hot key indicators for the bottom line */ + +static void ipmonhelp(void) +{ + move(LINES - 1, 1); + tx_printkeyhelp("Up/Dn/PgUp/PgDn", "-scroll ", stdscr, HIGHATTR, + STATUSBARATTR); + move(LINES - 1, 43); + tx_printkeyhelp("W", "-chg actv win ", stdscr, HIGHATTR, + STATUSBARATTR); + tx_printkeyhelp("S", "-sort TCP ", stdscr, HIGHATTR, STATUSBARATTR); + stdexitkeyhelp(); +} + +static void uniq_help(int what) +{ + move(LINES - 1, 25); + if (!what) + tx_printkeyhelp("M", "-more TCP info ", stdscr, HIGHATTR, + STATUSBARATTR); + else + tx_printkeyhelp("Lft/Rt", "-vtcl scrl ", stdscr, HIGHATTR, + STATUSBARATTR); +} + +/* Mark general packet count indicators */ + +static void prepare_statwin(WINDOW * win) +{ + wattrset(win, IPSTATLABELATTR); + wmove(win, 0, 1); + wprintw(win, "Packets captured:"); + mvwaddch(win, 0, 45 * COLS / 80, ACS_VLINE); +} + +static void markactive(int curwin, WINDOW * tw, WINDOW * ow) +{ + WINDOW *win1; + WINDOW *win2; + int x1 __unused, y1, x2 __unused, y2; + + if (!curwin) { + win1 = tw; + win2 = ow; + } else { + win1 = ow; + win2 = tw; + } + + 
getmaxyx(win1, y1, x1); + getmaxyx(win2, y2, x2); + + wmove(win1, --y1, COLS - 10); + wattrset(win1, ACTIVEATTR); + wprintw(win1, " Active "); + wattrset(win1, BOXATTR); + wmove(win2, --y2, COLS - 10); + whline(win2, ACS_HLINE, 8); +} + +static void show_stats(WINDOW * win, unsigned long long total) +{ + wattrset(win, IPSTATATTR); + wmove(win, 0, 35 * COLS / 80); + printlargenum(total, win); +} + + +/* + * Scrolling and paging routines for the upper (TCP) window + */ + +static void scrollupperwin(struct tcptable *table, int direction, + unsigned long *idx, int mode) +{ + char sp_buf[10]; + + sprintf(sp_buf, "%%%dc", COLS - 2); + wattrset(table->tcpscreen, STDATTR); + if (direction == SCROLLUP) { + if (table->lastvisible != table->tail) { + wscrl(table->tcpscreen, 1); + table->lastvisible = table->lastvisible->next_entry; + table->firstvisible = table->firstvisible->next_entry; + (*idx)++; + wmove(table->tcpscreen, table->imaxy - 1, 0); + scrollok(table->tcpscreen, 0); + wprintw(table->tcpscreen, sp_buf, ' '); + scrollok(table->tcpscreen, 1); + printentry(table, table->lastvisible, *idx, mode); + } + } else { + if (table->firstvisible != table->head) { + wscrl(table->tcpscreen, -1); + table->firstvisible = table->firstvisible->prev_entry; + table->lastvisible = table->lastvisible->prev_entry; + (*idx)--; + wmove(table->tcpscreen, 0, 0); + wprintw(table->tcpscreen, sp_buf, ' '); + printentry(table, table->firstvisible, *idx, mode); + } + } +} + +static void pageupperwin(struct tcptable *table, int direction, + unsigned long *idx) +{ + unsigned int i = 1; + + wattrset(table->tcpscreen, STDATTR); + if (direction == SCROLLUP) { + while ((i <= table->imaxy - 3) + && (table->lastvisible != table->tail)) { + i++; + table->firstvisible = table->firstvisible->next_entry; + table->lastvisible = table->lastvisible->next_entry; + (*idx)++; + } + } else { + while ((i <= table->imaxy - 3) + && (table->firstvisible != table->head)) { + i++; + table->firstvisible = 
table->firstvisible->prev_entry; + table->lastvisible = table->lastvisible->prev_entry; + (*idx)--; + } + } +} + +/* + * Scrolling and paging routines for the lower (non-TCP) window. + */ + +static void scrolllowerwin(struct othptable *table, int direction) +{ + if (direction == SCROLLUP) { + if (table->lastvisible != table->tail) { + wscrl(table->othpwin, 1); + table->lastvisible = table->lastvisible->next_entry; + table->firstvisible = table->firstvisible->next_entry; + + if (table->htstat == HIND) { /* Head indicator on? */ + wmove(table->borderwin, table->obmaxy - 1, 1); + whline(table->borderwin, ACS_HLINE, 8); + table->htstat = NOHTIND; + } + printothpentry(table, table->lastvisible, + table->oimaxy - 1, 0, NULL); + } + } else { + if (table->firstvisible != table->head) { + wscrl(table->othpwin, -1); + table->firstvisible = table->firstvisible->prev_entry; + table->lastvisible = table->lastvisible->prev_entry; + + if (table->htstat == TIND) { /* Tail indicator on? */ + wmove(table->borderwin, table->obmaxy - 1, 1); + whline(table->borderwin, ACS_HLINE, 8); + table->htstat = NOHTIND; + } + printothpentry(table, table->firstvisible, 0, 0, NULL); + } + } +} + +static void pagelowerwin(struct othptable *table, int direction) +{ + unsigned int i = 1; + + if (direction == SCROLLUP) { + while ((i <= table->oimaxy - 2) + && (table->lastvisible != table->tail)) { + i++; + table->firstvisible = table->firstvisible->next_entry; + table->lastvisible = table->lastvisible->next_entry; + + if (table->htstat == HIND) { /* Head indicator on? */ + wmove(table->borderwin, table->obmaxy - 1, 1); + whline(table->borderwin, ACS_HLINE, 8); + table->htstat = NOHTIND; + } + } + } else { + while ((i <= table->oimaxy - 2) + && (table->firstvisible != table->head)) { + i++; + table->firstvisible = table->firstvisible->prev_entry; + table->lastvisible = table->lastvisible->prev_entry; + + if (table->htstat == TIND) { /* Tail indicator on? 
*/ + wmove(table->borderwin, table->obmaxy - 1, 1); + whline(table->borderwin, ACS_HLINE, 8); + table->htstat = NOHTIND; + } + } + } +} + +/* + * Pop up sorting key window + */ + +static void show_tcpsort_win(WINDOW ** win, PANEL ** panel) +{ + *win = newwin(9, 35, (LINES - 8) / 2, COLS - 40); + *panel = new_panel(*win); + + wattrset(*win, DLGBOXATTR); + tx_colorwin(*win); + tx_box(*win, ACS_VLINE, ACS_HLINE); + wattrset(*win, DLGTEXTATTR); + mvwprintw(*win, 2, 2, "Select sort criterion"); + wmove(*win, 4, 2); + tx_printkeyhelp("P", " - sort by packet count", *win, DLGHIGHATTR, + DLGTEXTATTR); + wmove(*win, 5, 2); + tx_printkeyhelp("B", " - sort by byte count", *win, DLGHIGHATTR, + DLGTEXTATTR); + wmove(*win, 6, 2); + tx_printkeyhelp("Any other key", " - cancel sort", *win, DLGHIGHATTR, + DLGTEXTATTR); + update_panels(); + doupdate(); +} + +/* + * Routine to swap two TCP entries. p1 and p2 are pointers to TCP entries, + * but p1 must be ahead of p2. It's a linked list thing. + */ +static void swap_tcp_entries(struct tcptable *table, struct tcptableent *p1, + struct tcptableent *p2) +{ + struct tcptableent *p2nextsaved; + struct tcptableent *p1prevsaved; + unsigned int tmp; + + if (p1 == p2) + return; + + tmp = p1->index; + p1->index = p2->index; + p2->index = tmp; + + p1->next_entry->index = p1->index + 1; + p2->next_entry->index = p2->index + 1; + + if (p1->prev_entry != NULL) + p1->prev_entry->next_entry = p2; + else + table->head = p2; + + if (p2->next_entry->next_entry != NULL) + p2->next_entry->next_entry->prev_entry = p1->next_entry; + else + table->tail = p1->next_entry; + + p2nextsaved = p2->next_entry->next_entry; + p1prevsaved = p1->prev_entry; + + if (p1->next_entry->next_entry == p2) { /* swapping adjacent entries */ + p2->next_entry->next_entry = p1; + p1->prev_entry = p2->next_entry; + } else { + p2->next_entry->next_entry = p1->next_entry->next_entry; + p1->prev_entry = p2->prev_entry; + p2->prev_entry->next_entry = p1; + 
p1->next_entry->next_entry->prev_entry = p2->next_entry; + } + + p2->prev_entry = p1prevsaved; + p1->next_entry->next_entry = p2nextsaved; +} + +static unsigned long long qt_getkey(struct tcptableent *entry, int ch) +{ + if (ch == 'B') + return (max(entry->bcount, entry->oth_connection->bcount)); + + return (max(entry->pcount, entry->oth_connection->pcount)); +} + +static struct tcptableent *qt_partition(struct tcptable *table, + struct tcptableent **low, + struct tcptableent **high, int ch, + int logging, FILE *logfile) +{ + struct tcptableent *pivot = *low; + + struct tcptableent *left = *low; + struct tcptableent *right = *high; + struct tcptableent *ptmp; + + unsigned long long pivot_value; + + time_t now; + + pivot_value = qt_getkey(pivot, ch); + + now = time(NULL); + + while (left->index < right->index) { + while ((qt_getkey(left, ch) >= pivot_value) + && (left->next_entry->next_entry != NULL)) { + + /* + * Might as well check out timed out entries here too. + */ + if ((options.timeout > 0) + && ((now - left->lastupdate) / 60 > options.timeout) + && (!(left->inclosed))) { + left->timedout = + left->oth_connection->timedout = 1; + addtoclosedlist(table, left); + + if (logging) + write_timeout_log(logging, logfile, + left); + } + + left = left->next_entry->next_entry; + } + + while (qt_getkey(right, ch) < pivot_value) { + /* + * Might as well check out timed out entries here too. 
+ */ + if ((options.timeout > 0) + && ((now - right->lastupdate) / 60 > options.timeout) + && (!(right->inclosed))) { + right->timedout = + right->oth_connection->timedout = 1; + addtoclosedlist(table, right); + + if (logging) + write_timeout_log(logging, logfile, + right); + } + right = right->prev_entry->prev_entry; + } + + if (left->index < right->index) { + swap_tcp_entries(table, left, right); + + if (*low == left) + *low = right; + + if (*high == right) + *high = left; + + ptmp = left; + left = right; + right = ptmp; + } + } + swap_tcp_entries(table, pivot, right); + + if (*low == pivot) + *low = right; + + if (*high == right) + *high = pivot; + + return pivot; +} + +/* + * Quicksort the TCP entries. + */ +static void quicksort_tcp_entries(struct tcptable *table, + struct tcptableent *low, + struct tcptableent *high, int ch, + int logging, FILE *logfile) +{ + struct tcptableent *pivot; + + if ((high == NULL) || (low == NULL)) + return; + + if (high->index > low->index) { + pivot = + qt_partition(table, &low, &high, ch, logging, logfile); + + if (pivot->prev_entry != NULL) + quicksort_tcp_entries(table, low, + pivot->prev_entry->prev_entry, ch, + logging, logfile); + + quicksort_tcp_entries(table, pivot->next_entry->next_entry, + high, ch, logging, logfile); + } +} + +/* + * This function sorts the TCP window. The old exchange sort has been + * replaced with a Quicksort algorithm. 
+ */ + +static void sortipents(struct tcptable *table, unsigned long *idx, int ch, + int logging, FILE *logfile) +{ + struct tcptableent *tcptmp1; + unsigned int idxtmp; + + if ((table->head == NULL) + || (table->head->next_entry->next_entry == NULL)) + return; + + ch = toupper(ch); + + if ((ch != 'P') && (ch != 'B')) + return; + + quicksort_tcp_entries(table, table->head, table->tail->prev_entry, ch, + logging, logfile); + + update_panels(); + doupdate(); + tx_colorwin(table->tcpscreen); + + tcptmp1 = table->firstvisible = table->head; + *idx = 1; + idxtmp = 0; + + while ((tcptmp1 != NULL) && (idxtmp <= table->imaxy - 1)) { + if (idxtmp++ <= table->imaxy - 1) + table->lastvisible = tcptmp1; + tcptmp1 = tcptmp1->next_entry; + } + +} + +/* + * Attempt to communicate with rvnamed, and if it doesn't respond, try + * to start it. + */ + +static int checkrvnamed(void) +{ + pid_t cpid = 0; + int cstat; + + indicate("Trying to communicate with reverse lookup server"); + if (!rvnamedactive()) { + indicate("Starting reverse lookup server"); + + if ((cpid = fork()) == 0) { + char *args[] = { + "rvnamed-ng", + NULL + }; + execvp("rvnamed-ng", args); + /* + * execvp() never returns, so if we reach this point, we have + * a problem. 
+ */ + + die("unable execvp() rvnamed-ng"); + } else if (cpid == -1) { + write_error("Can't spawn new process; lookups will block"); + return 0; + } else { + while (waitpid(cpid, &cstat, 0) < 0) + if (errno != EINTR) + break; + + if (WEXITSTATUS(cstat) == 1) { + write_error("Can't start rvnamed; lookups will block"); + return 0; + } else { + sleep(1); + return 1; + } + } + } + return 1; +} + +static void update_flowrate(struct tcptable *table, unsigned long msecs) +{ + struct tcptableent *entry; + for (entry = table->head; entry != NULL; entry = entry->next_entry) { + rate_add_rate(&entry->rate, entry->spanbr, msecs); + entry->spanbr = 0; + } +} + +static void print_flowrate(struct tcptableent *entry, WINDOW *win) +{ + wattrset(win, IPSTATLABELATTR); + mvwprintw(win, 0, COLS * 47 / 80, "TCP flow rate: "); + wattrset(win, IPSTATATTR); + + char buf[32]; + rate_print(rate_get_average(&entry->rate), buf, sizeof(buf)); + mvwprintw(win, 0, COLS * 52 / 80 + 13, "%s", buf); +} + +/* + * The IP Traffic Monitor + */ + +void ipmon(time_t facilitytime, char *ifptr) +{ + int logging = options.logging; + + unsigned int frag_off; + struct tcphdr *transpacket; /* IP-encapsulated packet */ + in_port_t sport = 0, dport = 0; /* TCP/UDP port values */ + char sp_buf[10]; + + unsigned long screen_idx = 1; + + struct timeval tv; + struct timeval tv_rate; + time_t starttime = 0; + time_t now = 0; + time_t timeint = 0; + struct timeval updtime; + time_t closedint = 0; + + WINDOW *statwin; + PANEL *statpanel; + + WINDOW *sortwin; + PANEL *sortpanel; + + FILE *logfile = NULL; + + int curwin = 0; + + char *ifname = ifptr; + + unsigned long long total_pkts = 0; + + unsigned int br; /* bytes read. 
Differs from readlen */ + + struct tcptable table; + struct tcptableent *tcpentry; + struct tcptableent *tmptcp; + int mode = 0; + + struct othptable othptbl; + + int p_sstat = 0, p_dstat = 0; /* Reverse lookup statuses prior to */ + + /* reattempt in updateentry() */ + int pkt_result = 0; /* Non-IP filter ok */ + + int fragment = 0; /* Set to 1 if not first fragment */ + + int fd; + + int ch; + int keymode = 0; + char msgstring[80]; + + int rvnfd = 0; + + int revlook = options.revlook; + int wasempty = 1; + + const int statx = COLS * 47 / 80; + + /* + * Mark this instance of the traffic monitor + */ + + if (ifptr && !dev_up(ifptr)) { + err_iface_down(); + return; + } + + LIST_HEAD(promisc); + if (options.promisc) { + promisc_init(&promisc, ifptr); + promisc_set_list(&promisc); + } + + init_tcp_table(&table); + init_othp_table(&othptbl); + + statwin = newwin(1, COLS, LINES - 2, 0); + statpanel = new_panel(statwin); + wattrset(statwin, IPSTATLABELATTR); + wmove(statwin, 0, 0); + sprintf(sp_buf, "%%%dc", COLS); + wprintw(statwin, sp_buf, ' '); + prepare_statwin(statwin); + show_stats(statwin, 0); + markactive(curwin, table.borderwin, othptbl.borderwin); + update_panels(); + doupdate(); + + if (revlook) { + if (checkrvnamed()) + open_rvn_socket(&rvnfd); + } else + rvnfd = 0; + + ipmonhelp(); + uniq_help(0); + + update_panels(); + doupdate(); + + if (options.servnames) + setservent(1); + + /* + * Try to open log file if logging activated. Turn off logging + * (for this session only) if an error was discovered in opening + * the log file. Configuration setting is kept. Who knows, the + * situation may be corrected later. 
+ */ + + if (logging) { + if (strcmp(current_logfile, "") == 0) { + strncpy(current_logfile, + gen_instance_logname(IPMONLOG, getpid()), + 80); + + if (!daemonized) + input_logfile(current_logfile, &logging); + } + } + + if (logging) { + opentlog(&logfile, current_logfile); + + if (logfile == NULL) + logging = 0; + } + if (logging) { + signal(SIGUSR1, rotate_ipmon_log); + + rotate_flag = 0; + writelog(logging, logfile, + "******** IP traffic monitor started ********"); + } + + setprotoent(1); + + fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); + if(fd == -1) { + write_error("Unable to obtain monitoring socket"); + goto err; + } + if(ifptr && dev_bind_ifname(fd, ifptr) == -1) { + write_error("Unable to bind interface on the socket"); + goto err_close; + } + + exitloop = 0; + gettimeofday(&tv, NULL); + tv_rate = tv; + updtime = tv; + starttime = timeint = closedint = tv.tv_sec; + + PACKET_INIT(pkt); + + while (!exitloop) { + char ifnamebuf[IFNAMSIZ]; + + gettimeofday(&tv, NULL); + now = tv.tv_sec; + + /* + * Print timer at bottom of screen + */ + + if (now - timeint >= 5) { + printelapsedtime(starttime, now, othptbl.obmaxy - 1, 15, + othptbl.borderwin); + timeint = now; + } + + /* + * Automatically clear closed/timed out entries + */ + + if ((options.closedint != 0) + && ((now - closedint) / 60 >= options.closedint)) { + flushclosedentries(&table, &screen_idx, logging, + logfile); + refreshtcpwin(&table, screen_idx, mode); + closedint = now; + } + + /* + * Update screen at configured intervals. + */ + + if (screen_update_needed(&tv, &updtime)) { + update_panels(); + doupdate(); + + updtime = tv; + } + + /* + * If highlight bar is on some entry, update the flow rate + * indicator after five seconds. 
+ */ + unsigned long rate_msecs = timeval_diff_msec(&tv, &tv_rate); + if (rate_msecs > 1000) { + update_flowrate(&table, rate_msecs); + if (table.barptr != NULL) { + print_flowrate(table.barptr, statwin); + } else { + wattrset(statwin, IPSTATATTR); + mvwprintw(statwin, 0, statx, + "No TCP entries "); + } + tv_rate = tv; + } + + /* + * Terminate facility should a lifetime be specified at the + * command line + */ + if ((facilitytime != 0) + && (((now - starttime) / 60) >= facilitytime)) + exitloop = 1; + + /* + * Close and rotate log file if signal was received + */ + if (logging && (rotate_flag == 1)) { + announce_rotate_prepare(logfile); + write_tcp_unclosed(logging, logfile, &table); + rotate_logfile(&logfile, target_logname); + announce_rotate_complete(logfile); + rotate_flag = 0; + } + + if (packet_get(fd, &pkt, &ch, table.tcpscreen) == -1) { + write_error("Packet receive failed"); + exitloop = 1; + break; + } + + if (ch == ERR) + goto no_key_ready; + + if (keymode == 0) { + switch (ch) { + case KEY_UP: + if (curwin) { + scrolllowerwin(&othptbl, SCROLLDOWN); + break; + } + if (!table.barptr + || !table.barptr->prev_entry) + break; + + tmptcp = table.barptr; + table.barptr = table.barptr->prev_entry; + + printentry(&table, tmptcp, screen_idx, mode); + + if (table.baridx == 1) + scrollupperwin(&table, SCROLLDOWN, + &screen_idx, mode); + else + (table.baridx)--; + + printentry(&table, table.barptr, screen_idx, + mode); + break; + case KEY_DOWN: + if (curwin) { + scrolllowerwin(&othptbl, SCROLLUP); + break; + } + if (!table.barptr + || !table.barptr->next_entry) + break; + + tmptcp = table.barptr; + table.barptr = table.barptr->next_entry; + printentry(&table, tmptcp, screen_idx,mode); + + if (table.baridx == table.imaxy) + scrollupperwin(&table, SCROLLUP, + &screen_idx, mode); + else + (table.baridx)++; + + printentry(&table,table.barptr, screen_idx, + mode); + break; + case KEY_RIGHT: + if (!curwin) + break; + + if (othptbl.strindex != VSCRL_OFFSET) + 
othptbl.strindex = VSCRL_OFFSET; + + refresh_othwindow(&othptbl); + break; + case KEY_LEFT: + if (!curwin) + break; + + if (othptbl.strindex != 0) + othptbl.strindex = 0; + + refresh_othwindow(&othptbl); + break; + case KEY_PPAGE: + case '-': + if (curwin) { + pagelowerwin(&othptbl, SCROLLDOWN); + refresh_othwindow(&othptbl); + break; + } + + if (!table.barptr) + break; + + pageupperwin(&table, SCROLLDOWN, &screen_idx); + table.barptr = table.lastvisible; + table.baridx = table.lastvisible->index + - screen_idx + 1; + refreshtcpwin(&table, screen_idx, mode); + break; + case KEY_NPAGE: + case ' ': + if (curwin) { + pagelowerwin(&othptbl, SCROLLUP); + refresh_othwindow(&othptbl); + break; + } + + if (!table.barptr) + break; + + pageupperwin(&table, SCROLLUP, &screen_idx); + table.barptr = table.firstvisible; + table.baridx = 1; + refreshtcpwin(&table, screen_idx, mode); + break; + case KEY_F(6): + case 'w': + case 'W': + case 9: + curwin = !curwin; + markactive(curwin, table.borderwin, + othptbl.borderwin); + uniq_help(curwin); + break; + case 'm': + case 'M': + if (curwin) + break; + mode = (mode + 1) % 3; + if ((mode == 1) && !options.mac) + mode = 2; + refreshtcpwin(&table, screen_idx, mode); + break; + case 12: + case 'l': + case 'L': + tx_refresh_screen(); + break; + + case 'F': + case 'f': + case 'c': + case 'C': + flushclosedentries(&table, &screen_idx, logging, + logfile); + refreshtcpwin(&table, screen_idx, mode); + break; + case 's': + case 'S': + keymode = 1; + show_tcpsort_win(&sortwin, &sortpanel); + break; + case 'Q': + case 'q': + case 'X': + case 'x': + case 24: + case 27: + exitloop = 1; + break; + } + } else if (keymode == 1) { + keymode = 0; + del_panel(sortpanel); + delwin(sortwin); + show_sort_statwin(&sortwin, &sortpanel); + update_panels(); + doupdate(); + sortipents(&table, &screen_idx, ch, logging, + logfile); + + if (table.barptr != NULL) { + table.barptr = table.firstvisible; + table.baridx = 1; + } + refreshtcpwin(&table, screen_idx, 
mode); + del_panel(sortpanel); + delwin(sortwin); + update_panels(); + doupdate(); + } + no_key_ready: + + if (pkt.pkt_len <= 0) + continue; + + total_pkts++; + show_stats(statwin, total_pkts); + + pkt_result = + packet_process(&pkt, &br, &sport, &dport, + MATCH_OPPOSITE_ALWAYS, + options.v6inv4asv6); + + if (pkt_result != PACKET_OK) + continue; + + if (!ifptr) { + /* we're capturing on "All interfaces", */ + /* so get the name of the interface */ + /* of this packet */ + int r = dev_get_ifname(pkt.pkt_ifindex, ifnamebuf); + if (r != 0) { + write_error("Unable to get interface name"); + break; /* error getting interface name, get out! */ + } + ifname = ifnamebuf; + } + + struct sockaddr_storage saddr, daddr; + switch(pkt.pkt_protocol) { + case ETH_P_IP: + frag_off = pkt.iphdr->frag_off; + sockaddr_make_ipv4(&saddr, pkt.iphdr->saddr); + sockaddr_make_ipv4(&daddr, pkt.iphdr->daddr); + break; + case ETH_P_IPV6: + frag_off = 0; + sockaddr_make_ipv6(&saddr, &pkt.ip6_hdr->ip6_src); + sockaddr_make_ipv6(&daddr, &pkt.ip6_hdr->ip6_dst); + break; + default: + add_othp_entry(&othptbl, &pkt, NULL, NULL, + NOT_IP, + pkt.pkt_protocol, + pkt.pkt_payload, ifname, 0, + 0, logging, logfile, 0); + continue; + } + + /* only when packets fragmented */ + __u8 iphlen = pkt_iph_len(&pkt); + transpacket = (struct tcphdr *) (pkt.pkt_payload + iphlen); + + __u8 ip_protocol = pkt_ip_protocol(&pkt); + if (ip_protocol == IPPROTO_TCP) { + sockaddr_set_port(&saddr, sport); + sockaddr_set_port(&daddr, dport); + tcpentry = in_table(&table, &saddr, &daddr, ifname, + logging, logfile, options.timeout); + + /* + * Add a new entry if it doesn't exist, and, + * to reduce the chances of stales, not a FIN. + */ + + if (((ntohs(frag_off) & 0x3fff) == 0) /* first frag only */ + && (tcpentry == NULL) + && (!(transpacket->fin))) { + + /* + * Ok, so we have a packet. Add it if this connection + * is not yet closed, or if it is a SYN packet. 
+ */ + wasempty = (table.head == NULL); + tcpentry = addentry(&table, &saddr, &daddr, + pkt_ip_protocol(&pkt), + ifname, &revlook, rvnfd); + if (tcpentry != NULL) { + printentry(&table, tcpentry->oth_connection, screen_idx, + mode); + + if (wasempty) { + table.barptr = table.firstvisible; + table.baridx = 1; + } + } + } + /* + * If we had an addentry() success, we should have no + * problem here. Same thing if we had a table lookup + * success. + */ + + if ((tcpentry != NULL) + && !(tcpentry->stat & FLAG_RST)) { + /* + * Don't bother updating the entry if the connection + * has been previously reset. (Does this really + * happen in practice?) + */ + + if (revlook) { + p_sstat = tcpentry->s_fstat; + p_dstat = tcpentry->d_fstat; + } + + if (pkt.iphdr) + updateentry(&table, tcpentry, transpacket, + pkt.pkt_buf, pkt.pkt_hatype, + pkt.pkt_len, br, pkt.iphdr->frag_off, + logging, &revlook, rvnfd, + logfile); + else + updateentry(&table, tcpentry, transpacket, + pkt.pkt_buf, pkt.pkt_hatype, + pkt.pkt_len, pkt.pkt_len, 0, logging, + &revlook, rvnfd, + logfile); + /* + * Log first packet of a TCP connection except if + * it's a RST, which was already logged earlier in + * updateentry() + */ + + if (logging + && (tcpentry->pcount == 1) + && (!(tcpentry->stat & FLAG_RST))) { + strcpy(msgstring, "first packet"); + if (transpacket->syn) + strcat(msgstring, " (SYN)"); + + writetcplog(logging, logfile, tcpentry, + pkt.pkt_len, msgstring); + } + + if ((revlook) + && (((p_sstat != RESOLVED) + && (tcpentry->s_fstat == RESOLVED)) + || ((p_dstat != RESOLVED) + && (tcpentry->d_fstat == RESOLVED)))) { + clearaddr(&table, tcpentry, screen_idx); + clearaddr(&table, tcpentry->oth_connection, + screen_idx); + } + printentry(&table, tcpentry, screen_idx, mode); + + /* + * Special cases: Update other direction if it's + * an ACK in response to a FIN. + * + * -- or -- + * + * Addresses were just resolved for the other + * direction, so we should also do so here. 
+ */ + + if (((tcpentry->oth_connection->finsent == 2) + && /* FINed and ACKed */ + (ntohl(transpacket->seq) == tcpentry->oth_connection->finack)) + || ((revlook) + && (((p_sstat != RESOLVED) + && (tcpentry->s_fstat == RESOLVED)) + || ((p_dstat != RESOLVED) + && (tcpentry->d_fstat == RESOLVED))))) + printentry(&table, tcpentry->oth_connection, + screen_idx, mode); + } + } else if (pkt.iphdr) { + fragment = ((ntohs(pkt.iphdr->frag_off) & 0x1fff) != 0); + + if (pkt_ip_protocol(&pkt) == IPPROTO_ICMP) { + + /* + * Cancel the corresponding TCP entry if an ICMP + * Destination Unreachable or TTL Exceeded message + * is received. + */ + + if (((struct icmphdr *) transpacket)->type == ICMP_DEST_UNREACH) + process_dest_unreach(&table, (char *) transpacket, + ifname); + } + add_othp_entry(&othptbl, &pkt, &saddr, &daddr, + IS_IP, pkt_ip_protocol(&pkt), + (char *) transpacket, ifname, + &revlook, rvnfd, logging, logfile, + fragment); + + } else { + if (pkt_ip_protocol(&pkt) == IPPROTO_ICMPV6 + && (((struct icmp6_hdr *) transpacket)->icmp6_type == ICMP6_DST_UNREACH)) + process_dest_unreach(&table, (char *) transpacket, + ifname); + + add_othp_entry(&othptbl, &pkt, &saddr, &daddr, + IS_IP, pkt_ip_protocol(&pkt), + (char *) transpacket, ifname, + &revlook, rvnfd, logging, logfile, + fragment); + } + } + +err_close: + close(fd); +err: + killrvnamed(); + + if (options.servnames) + endservent(); + + endprotoent(); + close_rvn_socket(rvnfd); + + if (options.promisc) { + promisc_restore_list(&promisc); + promisc_destroy(&promisc); + } + + attrset(STDATTR); + mvprintw(0, COLS - 20, " "); + del_panel(table.tcppanel); + del_panel(table.borderpanel); + del_panel(othptbl.othppanel); + del_panel(othptbl.borderpanel); + del_panel(statpanel); + update_panels(); + doupdate(); + delwin(table.tcpscreen); + delwin(table.borderwin); + delwin(othptbl.othpwin); + delwin(othptbl.borderwin); + delwin(statwin); + destroytcptable(&table); + destroyothptable(&othptbl); + pkt_cleanup(); + + if (logging) { 
+ signal(SIGUSR1, SIG_DFL); + writelog(logging, logfile, + "******** IP traffic monitor stopped ********\n"); + fclose(logfile); + strcpy(current_logfile, ""); + } +} diff --git a/src/itrafmon.h b/src/itrafmon.h new file mode 100644 index 0000000..2a62431 --- /dev/null +++ b/src/itrafmon.h @@ -0,0 +1,6 @@ +#ifndef IPTRAF_NG_ITRAFMON_H +#define IPTRAF_NG_ITRAFMON_H + +void ipmon(time_t facilitytime, char *ifptr); + +#endif /* IPTRAF_NG_ITRAFMON_H */ diff --git a/src/landesc.c b/src/landesc.c new file mode 100644 index 0000000..4d67ed8 --- /dev/null +++ b/src/landesc.c 
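Review bot: checkrvnamed() starts the lookup helper with `execvp("rvnamed-ng", args)`, so the binary is resolved through whatever PATH the process inherited; because ipmon() needs a raw PF_PACKET socket this code normally runs with elevated privileges, and a PATH entry writable by the invoking user would then be executed with them — exec the helper by its installed absolute path (presumably known at build time) and note in a comment why no PATH search is done. In the same function `cstat` is read by `WEXITSTATUS(cstat)` even when the `waitpid()` loop exits through the `errno != EINTR` break, i.e. while still uninitialized, and the exit status is inspected without `WIFEXITED`; `int rc; while ((rc = waitpid(cpid, &cstat, 0)) < 0 && errno == EINTR) ;` followed by `if (rc < 0 || !WIFEXITED(cstat) || WEXITSTATUS(cstat) == 1)` closes both gaps. Further down, ipmon() copies the generated log name with `strncpy(current_logfile, gen_instance_logname(...), 80)`: if current_logfile is exactly 80 bytes (its definition is not in this hunk) an 80-character name is left unterminated and is later read by strcmp()/strcpy(), so `snprintf(current_logfile, sizeof current_logfile, "%s", gen_instance_logname(IPMONLOG, getpid()));` is the safer form. Finally `transpacket->fin`, `->syn`, `->seq` and the `struct icmphdr`/`struct icmp6_hdr` casts are dereferenced with no visible check that the captured length extends past the IP header; unless packet_process() (outside this file) guarantees a minimal transport header, a truncated frame is read beyond the buffer here, and a comment stating that precondition would help the next reader.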
@@ -0,0 +1,368 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +landesc.c - LAN host description management module + Currently includes support for Ethernet, PLIP, + and FDDI + +***/ + +#include "iptraf-ng-compat.h" + +#include "tui/input.h" +#include "tui/listbox.h" +#include "tui/msgboxes.h" +#include "tui/menurt.h" + +#include "landesc.h" +#include "deskman.h" +#include "attrs.h" +#include "dirs.h" + +static int check_mac_addr(const char *mac) +{ + if (strlen(mac) != 17) + return 0; + + char a[3], b[3], c[3], d[3], e[3], f[3]; + + int success = sscanf(mac, "%02s:%02s:%02s:%02s:%02s:%02s", + a, b, c, d, e, f); + + if (success != 6) + return 0; + + char mac_hex[13]; + + sprintf(mac_hex, "%s%s%s%s%s%s", a, b, c, d, e, f); + + for (int ii = 0; ii < 12; ++ii) + if (!isxdigit(mac_hex[ii])) + return 0; + + return 1; +} + +/* parse and insert unique eth description. + * caller is responsible for freeing whole list + */ +static void parse_eth_desc(FILE * fp, struct eth_desc *hd) +{ + char *l = NULL; + size_t len = 0; + ssize_t read; + + while ((read = getline(&l, &len, fp)) != -1) { + if (l[0] == '\n' || l[0] == '#') + continue; + + char *line = l; + + if (strchr(line, '\n')) + strchr(line, '\n')[0] = '\0'; + char mac[18] = { 0 }; + strncpy(mac, line, 17); + + if (!check_mac_addr(mac)) { + tui_error(ANYKEY_MSG, "Not a mac '%s' address, skipped", + mac); + continue; + } + + /* skip mac address */ + line += 17; + + /* mandatory space between mac and ip */ + if (!isspace(*line)) { + tui_error(ANYKEY_MSG, + "Missing mandatory space between" + "mac and host/ip address, skipped"); + continue; + } + + line = skip_whitespace(line); + + if (!*line) { + tui_error(ANYKEY_MSG, "Missing description, skipped"); + continue; + } + + struct eth_desc *new = xmalloc(sizeof(struct eth_desc)); + + memcpy(new->hd_mac, mac, sizeof(mac)); + new->hd_desc = xstrdup(line); + + struct eth_desc *desc = 
NULL; + + list_for_each_entry(desc, &hd->hd_list, hd_list) + if ((strcmp(desc->hd_mac, mac) == 0) + || (strcmp(desc->hd_desc, line) == 0)) + goto dupe; + + list_add_tail(&new->hd_list, &hd->hd_list); + dupe:; + } + + free(l); +} + +struct eth_desc *load_eth_desc(unsigned link_type) +{ +/* why is usefull to have it two files with same content? + * There is two options how to merge it. + * 1) separate by comments + * $ cat ETHFILE + * # ethernet host description + * MAC ip/hostname + * + * # fddi host description + * MAC ip/hostname + * 2) put it into groups + * [ethernet] + * MAC ip/hostname + * + * [fddi] + * MAC ip/hostname + */ + char *filename = NULL; + FILE *fp = NULL; + + if (link_type == ARPHRD_ETHER) + filename = ETHFILE; + else if (link_type == ARPHRD_FDDI) + filename = FDDIFILE; + + struct eth_desc *hd = xmallocz(sizeof(struct eth_desc)); + + INIT_LIST_HEAD(&hd->hd_list); + + fp = fopen(filename, "r"); + if (fp) { + parse_eth_desc(fp, hd); + fclose(fp); + } + + /* merge with /etc/ethers */ + fp = fopen("/etc/ethers", "r"); + if (fp) { + parse_eth_desc(fp, hd); + fclose(fp); + } + + return hd; +} + +static void save_eth_desc(struct eth_desc *hd, unsigned linktype) +{ + FILE *fd = NULL; + + if (linktype == ARPHRD_ETHER) + fd = fopen(ETHFILE, "w"); + else if (linktype == ARPHRD_FDDI) + fd = fopen(FDDIFILE, "w"); + + if (!fd) { + tui_error(ANYKEY_MSG, "Unable to save host description file"); + return; + } + + fprintf(fd, "# see man ethers for syntax\n\n"); + struct eth_desc *desc = NULL; + + list_for_each_entry(desc, &hd->hd_list, hd_list) + fprintf(fd, "%s %s\n", desc->hd_mac, desc->hd_desc); + + fclose(fd); +} + + +void free_eth_desc(struct eth_desc *hd) +{ + struct eth_desc *entry = NULL; + struct list_head *l, *n; + + list_for_each_safe(l, n, &hd->hd_list) { + entry = list_entry(l, struct eth_desc, hd_list); + + free(entry->hd_desc); + list_del(l); + free(entry); + } +} + +static struct eth_desc *select_eth_desc(const struct eth_desc *hd) +{ + + int resp; 
+ struct scroll_list slist; + char descline[80]; + + if (list_empty(&hd->hd_list)) { + tui_error(ANYKEY_MSG, "No descriptions"); + return NULL; + } + + tx_init_listbox(&slist, COLS, 20, 0, (LINES - 20) / 2, STDATTR, BOXATTR, + BARSTDATTR, HIGHATTR); + + tx_set_listbox_title(&slist, "Address", 1); + tx_set_listbox_title(&slist, "Description", 19); + + struct eth_desc *entry = NULL; + + list_for_each_entry(entry, &hd->hd_list, hd_list) { + snprintf(descline, 80, "%-18s%s", entry->hd_mac, + entry->hd_desc); + tx_add_list_entry(&slist, (char *) entry, descline); + } + + tx_show_listbox(&slist); + + int aborted = 0; + + tx_operate_listbox(&slist, &resp, &aborted); + + if (!aborted) + entry = (struct eth_desc *) slist.textptr->nodeptr; + else + entry = NULL; + + tx_close_listbox(&slist); + tx_destroy_list(&slist); + + update_panels(); + doupdate(); + + return entry; +} + +static int dialog_eth_desc(struct FIELDLIST *fields, const char *initaddr, + const char *initdesc) +{ + /* TODO: move to tui */ + WINDOW *win = newwin(8, 70, 8, (COLS - 70) / 2); + PANEL *panel = new_panel(win); + + wattrset(win, DLGBOXATTR); + tx_colorwin(win); + tx_box(win, ACS_VLINE, ACS_HLINE); + wmove(win, 6, 2 * COLS / 80); + tabkeyhelp(win); + wmove(win, 6, 20 * COLS / 80); + stdkeyhelp(win); + + wattrset(win, DLGTEXTATTR); + wmove(win, 2, 2 * COLS / 80); + wprintw(win, "MAC Address:"); + wmove(win, 4, 2 * COLS / 80); + wprintw(win, "Description:"); + + tx_initfields(fields, 3, 52, 10, (COLS - 52) / 2 + 6 * COLS / 80, + DLGTEXTATTR, FIELDATTR); + tx_addfield(fields, 17, 0, 0, initaddr); + tx_addfield(fields, 50, 2, 0, initdesc); + + int aborted = 0; + + tx_fillfields(fields, &aborted); + + del_panel(panel); + delwin(win); + + return aborted; +} + +static void add_eth_desc(struct eth_desc *list) +{ + struct FIELDLIST fields; + + int aborted = dialog_eth_desc(&fields, "", ""); + + if (!aborted) { + struct eth_desc *new = xmalloc(sizeof(struct eth_desc)); + + memcpy(new->hd_mac, fields.list->buf, 
sizeof(new->hd_mac)); + new->hd_desc = xstrdup(fields.list->nextfield->buf); + + list_add_tail(&new->hd_list, &list->hd_list); + } + + tx_destroyfields(&fields); + update_panels(); + doupdate(); +} + +static void edit_eth_desc(struct eth_desc *list) +{ + struct eth_desc *hd = select_eth_desc(list); + + if (!hd) + return; + + struct FIELDLIST fields; + int aborted = dialog_eth_desc(&fields, hd->hd_mac, hd->hd_desc); + + if (!aborted) { + free(hd->hd_desc); + memcpy(hd->hd_mac, fields.list->buf, sizeof(hd->hd_mac)); + hd->hd_desc = xstrdup(fields.list->nextfield->buf); + } + + tx_destroyfields(&fields); +} + +static void del_eth_desc(struct eth_desc *list) +{ + struct eth_desc *hd = select_eth_desc(list); + + if (hd) { + free(hd->hd_desc); + list_del(&hd->hd_list); + free(hd); + } +} + +void manage_eth_desc(unsigned linktype) +{ + struct MENU menu; + int row = 1; + int aborted = 0; + + tx_initmenu(&menu, 7, 31, (LINES - 6) / 2, (COLS - 31) / 2, BOXATTR, + STDATTR, HIGHATTR, BARSTDATTR, BARHIGHATTR, DESCATTR); + tx_additem(&menu, " ^A^dd description...", + "Adds a description for a MAC address"); + tx_additem(&menu, " ^E^dit description...", + "Modifies an existing MAC address description"); + tx_additem(&menu, " ^D^elete description...", + "Deletes an existing MAC address description"); + tx_additem(&menu, NULL, NULL); + tx_additem(&menu, " E^x^it menu", "Returns to the main menu"); + + struct eth_desc *list = + load_eth_desc(linktype /*, WITHOUTETCETHERS */ ); + + do { + tx_showmenu(&menu); + tx_operatemenu(&menu, &row, &aborted); + + switch (row) { + case 1: + add_eth_desc(list); + break; + case 2: + edit_eth_desc(list); + break; + case 3: + del_eth_desc(list); + break; + } + } while (row != 5); + + tx_destroymenu(&menu); + update_panels(); + doupdate(); + save_eth_desc(list, linktype); +} diff --git a/src/landesc.h b/src/landesc.h new file mode 100644 index 0000000..078c428 --- /dev/null +++ b/src/landesc.h 
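Review bot: parse_eth_desc() leaks `new` and its xstrdup()'d `hd_desc` on every `goto dupe`, because the allocation happens before the duplicate scan; run the `list_for_each_entry` comparison against `mac` and `line` first and allocate only when nothing matched (or free both at the label before the `;`). load_eth_desc() passes a NULL `filename` to fopen() when link_type is neither ARPHRD_ETHER nor ARPHRD_FDDI — `if (!filename) return hd;` before the fopen avoids that — and since manage_eth_desc() never calls free_eth_desc(), and free_eth_desc() releases the entries but not the `hd` head from xmallocz(), each visit to the menu leaks the whole list. check_mac_addr() passes a plain `char` to `isxdigit`, which is undefined for negative values where char is signed; use `isxdigit((unsigned char) mac_hex[ii])`. The adjacent string literals in the "mandatory space" tui_error() call concatenate to "...betweenmac and host/ip address...", so the message needs a trailing space after "between". Because the `WITHOUTETCETHERS` argument is commented out, /etc/ethers is merged on every load and then written back into ETHFILE/FDDIFILE by save_eth_desc(), and entries in the looser ethers(5) syntax (hostnames, unpadded hex) raise one modal tui_error() per line; if that is intended it deserves a comment, otherwise honour the flag.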
@@ -0,0 +1,27 @@
+#ifndef IPTRAF_NG_LANDESC_H
+#define IPTRAF_NG_LANDESC_H
+
+/***
+
+ethdesc.c - Ethernet host description management module
+
+***/
+
+#include "list.h"
+
+#define WITHETCETHERS 1
+#define WITHOUTETCETHERS 0
+
+struct eth_desc {
+ struct list_head hd_list;
+ char hd_mac[18];
+ char *hd_desc;
+};
+
+struct eth_desc *load_eth_desc(unsigned link_type);
+
+void free_eth_desc(struct eth_desc *hd);
+
+void manage_eth_desc(unsigned int linktype);
+
+#endif /* IPTRAF_NG_LANDESC_H */
diff --git a/src/list.h b/src/list.h
new file mode 100644
index 0000000..a7b495e
--- /dev/null
+++ b/src/list.h
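Review bot: The header comment still names the file `ethdesc.c`, and nothing says that `hd_mac[18]` holds the textual `xx:xx:xx:xx:xx:xx` form rather than six raw octets, which is exactly what the 18 (17 characters plus NUL) and the `memcpy(new->hd_mac, fields.list->buf, sizeof(new->hd_mac))` in landesc.c rely on. Field comments would fix both: `char hd_mac[18]; /* textual "xx:xx:xx:xx:xx:xx" + NUL */` and `char *hd_desc; /* heap string owned by the entry (xstrdup), freed by del_eth_desc */`. `WITHETCETHERS`/`WITHOUTETCETHERS` are defined here but `load_eth_desc` takes only `link_type`, and the single call in landesc.c has that argument commented out, so either wire the flag into the prototype or drop the two macros so they do not read as a live API.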
@@ -0,0 +1,89 @@ +#ifndef IPTRAF_NG_LIST_H +#define IPTRAF_NG_LIST_H + +struct list_head { + struct list_head *next, *prev; +}; + +#define LIST_HEAD_INIT(name) { &(name), &(name) } + +#define LIST_HEAD(name) \ + struct list_head name = LIST_HEAD_INIT(name) + +static inline void INIT_LIST_HEAD(struct list_head *list) +{ + list->next = list; + list->prev = list; +} + +static inline void __list_add(struct list_head *new, struct list_head *prev, + struct list_head *next) +{ + next->prev = new; + new->next = next; + new->prev = prev; + prev->next = new; +} + +static inline void list_add(struct list_head *new, struct list_head *head) +{ + __list_add(new, head, head->next); +} + +static inline void list_add_tail(struct list_head *new, struct list_head *head) +{ + __list_add(new, head->prev, head); +} + +static inline void list_add_tail_unique(struct list_head *new, + struct list_head *head) +{ + __list_add(new, head->prev, head); +} + +static inline void __list_del(struct list_head *prev, struct list_head *next) +{ + next->prev = prev; + prev->next = next; +} + +static inline void list_del(struct list_head *entry) +{ + __list_del(entry->prev, entry->next); + entry->next = NULL; + entry->prev = NULL; +} + +static inline int list_is_last(const struct list_head *list, + const struct list_head *head) +{ + return list->next == head; +} + +static inline int list_empty(const struct list_head *head) +{ + return head->next == head; +} + +#define list_entry(ptr, type, member) \ + ((type *)( (char *)(ptr) - offsetof(type, member) )) + +#define list_for_each(pos, head) \ + for (pos = (head)->next; pos != (head); pos = pos->next) + +#define list_for_each_safe(pos, n, head) \ + for (pos = (head)->next, n = pos->next; pos != (head); \ + pos = n, n = pos->next) + +#define list_for_each_entry(pos, head, member) \ + for (pos = list_entry((head)->next, typeof(*pos), member); \ + &pos->member != (head); \ + pos = list_entry(pos->member.next, typeof(*pos), member)) + +#define 
list_for_each_entry_safe(pos, n, head, member) \ + for (pos = list_entry((head)->next, typeof(*pos), member), \ + n = list_entry(pos->member.next, typeof(*pos), member); \ + &pos->member != (head); \ + pos = n, n = list_entry(n->member.next, typeof(*n), member)) + +#endif /* IPTRAF_NG_LIST_H */ diff --git a/src/log.c b/src/log.c new file mode 100644 index 0000000..e956853 --- /dev/null +++ b/src/log.c 
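Review bot: `list_add_tail_unique` in the middle of the hunk is byte-for-byte `list_add_tail` — it performs no membership check at all, so a caller picking it for its name still gets duplicate nodes. Whatever "unique" is meant to mean here (the node pointer itself, or its payload), the check has to live in this function, e.g. a walk `struct list_head *p; list_for_each(p, head) if (p == new) return;` before the `__list_add`; otherwise drop the function so the name cannot mislead. Separately, `list_entry` expands to `offsetof` but the header includes nothing, so it only compiles when the includer has already pulled in `<stddef.h>`; an `#include <stddef.h>` at the top makes the header self-contained.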
@@ -0,0 +1,156 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +log.c - the iptraf logging facility + +***/ + +#include "iptraf-ng-compat.h" + +#include "attrs.h" +#include "deskman.h" +#include "dirs.h" +#include "log.h" + +#include "tui/input.h" +#include "tui/msgboxes.h" +#include "tui/winops.h" + +#define TARGET_LOGNAME_MAX 160 + +int rotate_flag; +char target_logname[TARGET_LOGNAME_MAX]; +char current_logfile[TARGET_LOGNAME_MAX]; + +/* + * Generates a log file based on a template for a particular instance of + * a facility. Used by the IP Traffic Monitor and LAN Station Monitor. + */ + +char *gen_instance_logname(char *template, int instance_num) +{ + static char filename[80]; + + snprintf(filename, 80, "%s-%d.log", template, instance_num); + return filename; +} + +void input_logfile(char *target, int *logging) +{ + WINDOW *dlgwin; + PANEL *dlgpanel; + struct FIELDLIST fieldlist; + int aborted; + + dlgwin = newwin(11, 60, (LINES - 11) / 2, (COLS - 60) / 2); + dlgpanel = new_panel(dlgwin); + + wattrset(dlgwin, DLGBOXATTR); + tx_colorwin(dlgwin); + tx_box(dlgwin, ACS_VLINE, ACS_HLINE); + mvwprintw(dlgwin, 0, 1, " Logging Enabled "); + wattrset(dlgwin, DLGTEXTATTR); + mvwprintw(dlgwin, 2, 2, + "Enter the name of the file to which to write the log."); + mvwprintw(dlgwin, 4, 2, + "If you don't specify a path, the log file will"); + mvwprintw(dlgwin, 5, 2, "be placed in %s.", LOGDIR); + wmove(dlgwin, 9, 2); + stdkeyhelp(dlgwin); + wprintw(dlgwin, " (turns logging off)"); + + tx_initfields(&fieldlist, 1, 50, (LINES - 1) / 2 + 2, + (COLS - 50) / 2 - 3, DLGTEXTATTR, FIELDATTR); + tx_addfield(&fieldlist, 48, 0, 0, target); + tx_fillfields(&fieldlist, &aborted); + + if (!aborted) { + if (strchr(fieldlist.list->buf, '/') == NULL) + snprintf(target, 48, "%s/%s", LOGDIR, + fieldlist.list->buf); + else + strncpy(target, fieldlist.list->buf, 48); + } + + *logging = !aborted; + + 
tx_destroyfields(&fieldlist); + del_panel(dlgpanel); + delwin(dlgwin); + update_panels(); + doupdate(); +} + +void opentlog(FILE ** fd, char *logfilename) +{ + *fd = fopen(logfilename, "a"); + + if (*fd == NULL) + tui_error(ANYKEY_MSG, "Unable to open log file"); + + rotate_flag = 0; + strcpy(target_logname, ""); +} + +void genatime(time_t now, char *atime) +{ + memset(atime, 0, TIME_TARGET_MAX); + strncpy(atime, ctime(&now), 26); + atime[strlen(atime) - 1] = '\0'; +} + +void writelog(int logging, FILE * fd, char *msg) +{ + char atime[TIME_TARGET_MAX]; + + if (logging) { + genatime(time(NULL), atime); + fprintf(fd, "%s; %s\n", atime, msg); + } + + fflush(fd); +} + +void write_daemon_err(char *msg, va_list vararg) +{ + char atime[TIME_TARGET_MAX]; + FILE *fd; + + genatime(time(NULL), atime); + fd = fopen(DAEMONLOG, "a"); + fprintf(fd, "%s iptraf[%u]: ", atime, getpid()); + vfprintf(fd, msg, vararg); + fprintf(fd, "\n"); + fclose(fd); +} + +void rotate_logfile(FILE ** fd, char *name) +{ + fclose(*fd); + *fd = fopen(name, "a"); + rotate_flag = 0; +} + + +void announce_rotate_prepare(FILE * fd) +{ + writelog(1, fd, + "***** USR1 signal received, preparing to reopen log file *****"); +} + +void announce_rotate_complete(FILE * fd) +{ + writelog(1, fd, "***** Logfile reopened *****"); +} + +void check_rotate_flag(FILE ** logfile) +{ + if (rotate_flag == 1) { + announce_rotate_prepare(*logfile); + rotate_logfile(logfile, target_logname); + announce_rotate_complete(*logfile); + rotate_flag = 0; + } +} diff --git a/src/log.h b/src/log.h new file mode 100644 index 0000000..aa786f7 --- /dev/null +++ b/src/log.h 
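Review bot: `write_daemon_err` passes the result of `fopen(DAEMONLOG, "a")` straight to `fprintf` with no NULL check, so an unwritable daemon log turns an error report into a NULL dereference; `rotate_logfile` has the same gap — a failed reopen leaves `*fd` NULL and `check_rotate_flag` immediately calls `announce_rotate_complete` → `writelog` → `fprintf` on it. A guard `if (fd == NULL) return;` after the fopen in `write_daemon_err`, and announcing completion in `check_rotate_flag` only when `*logfile != NULL`, closes both. Also, `input_logfile` copies the user-typed path with `strncpy(target, fieldlist.list->buf, 48)`, which does not NUL-terminate a 48-byte input; `snprintf(target, 48, "%s", fieldlist.list->buf)` matches the sibling branch and always terminates. `opentlog` reports a failed open but still returns with `*fd == NULL`, so callers that keep `logging` on will hit the same `fprintf(NULL, ...)` in `writelog`.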
@@ -0,0 +1,23 @@
+#ifndef IPTRAF_NG_LOG_H
+#define IPTRAF_NG_LOG_H
+
+/***
+
+log.h - the iptraf logging facility header file
+
+***/
+
+#define TIME_TARGET_MAX 30
+
+char *gen_instance_logname(char *template, int instance_id);
+void input_logfile(char *target, int *aborted);
+void opentlog(FILE ** fd, char *logfilename);
+void writelog(int logging, FILE * fd, char *msg);
+void genatime(time_t now, char *atime);
+void write_daemon_err(char *msg, va_list vararg);
+void rotate_logfile(FILE ** fd, char *name);
+void check_rotate_flag(FILE ** fd);
+void announce_rotate_prepare(FILE * fd);
+void announce_rotate_complete(FILE * fd);
+
+#endif /* IPTRAF_NG_LOG_H */
diff --git a/src/logvars.h b/src/logvars.h
new file mode 100644
index 0000000..83e86df
--- /dev/null
+++ b/src/logvars.h
@@ -0,0 +1,8 @@
+#ifndef IPTRAF_NG_LOGVARS_H
+#define IPTRAF_NG_LOGVARS_H
+
+extern int rotate_flag;
+extern char target_logname[160];
+extern char current_logfile[160];
+
+#endif /* IPTRAF_NG_LOGVARS_H */
diff --git a/src/options.c b/src/options.c
new file mode 100644
index 0000000..a1cd4f8
--- /dev/null
+++ b/src/options.c
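Review bot: The prototype `void input_logfile(char *target, int *aborted);` names its second parameter the opposite of what the definition in log.c does — there it is `logging` and receives `!aborted` — so a caller reading only the header will test the wrong sense. Rename it to `int *logging` to match the definition, and state the buffer contract the definition imposes, e.g. `/* target: caller-owned buffer of at least 48 bytes; *logging is set non-zero when a file name was entered */`. `gen_instance_logname` returns a `static` buffer that the next call overwrites; that is worth a one-line note on the prototype too.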
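Review bot: `extern char target_logname[160];` and `current_logfile[160]` restate the array size as a bare `160` while log.c defines the same arrays as `[TARGET_LOGNAME_MAX]`; the two translation units never see each other's declaration, so a future change to either side becomes a silent mismatch the compiler cannot catch. Moving `#define TARGET_LOGNAME_MAX 160` into log.h and declaring `extern char target_logname[TARGET_LOGNAME_MAX];` keeps one source of truth. If `rotate_flag` is set from the USR1 handler the announce text in log.c refers to — not visible here — it should be declared `volatile sig_atomic_t` rather than plain `int`, on both the extern and the definition.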
@@ -0,0 +1,389 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +options.c - implements the configuration section of the utility + +***/ + +#include "iptraf-ng-compat.h" + +#include "tui/input.h" +#include "tui/menurt.h" +#include "tui/msgboxes.h" +#include "tui/winops.h" + +#include "serv.h" +#include "options.h" +#include "deskman.h" +#include "attrs.h" +#include "landesc.h" +#include "promisc.h" +#include "dirs.h" + +#define ALLOW_ZERO 1 +#define DONT_ALLOW_ZERO 0 + +struct OPTIONS options; + +static void makeoptionmenu(struct MENU *menu) +{ + tx_initmenu(menu, 20, 40, (LINES - 19) / 2 - 1, (COLS - 40) / 16, + BOXATTR, STDATTR, HIGHATTR, BARSTDATTR, BARHIGHATTR, + DESCATTR); + tx_additem(menu, " ^R^everse DNS lookups", + "Toggles resolution of IP addresses into host names"); + tx_additem(menu, " TCP/UDP ^s^ervice names", + "Displays TCP/UDP service names instead of numeric ports"); + tx_additem(menu, " Force ^p^romiscuous mode", + "Toggles capture of all packets by LAN interfaces"); + tx_additem(menu, " ^C^olor", + "Turns color on or off (restart IPTraf to effect change)"); + tx_additem(menu, " ^L^ogging", + "Toggles logging of traffic to a data file"); + tx_additem(menu, " Acti^v^ity mode", + "Toggles activity indicators between kbits/s and kbytes/s"); + tx_additem(menu, " Source ^M^AC addrs in traffic monitor", + "Toggles display of source MAC addresses in the IP Traffic Monitor"); + tx_additem(menu, " ^S^how v6-in-v4 traffic as IPv6", + "Toggled display of IPv6 tunnel in IPv4 as IPv6 traffic"); + tx_additem(menu, NULL, NULL); + tx_additem(menu, " ^T^imers...", "Configures timeouts and intervals"); + tx_additem(menu, NULL, NULL); + tx_additem(menu, " ^A^dditional ports...", + "Allows you to add port numbers higher than 1023 for the service stats"); + tx_additem(menu, " ^D^elete port/range...", + "Deletes a port or range of ports earlier added"); + tx_additem(menu, 
NULL, NULL); + tx_additem(menu, " ^E^thernet/PLIP host descriptions...", + "Manages descriptions for Ethernet and PLIP addresses"); + tx_additem(menu, " ^F^DDI/Token Ring host descriptions...", + "Manages descriptions for FDDI and FDDI addresses"); + tx_additem(menu, NULL, NULL); + tx_additem(menu, " E^x^it configuration", "Returns to main menu"); +} + +static void maketimermenu(struct MENU *menu) +{ + tx_initmenu(menu, 8, 35, (LINES - 19) / 2 + 7, (COLS - 35) / 2, BOXATTR, + STDATTR, HIGHATTR, BARSTDATTR, BARHIGHATTR, DESCATTR); + + tx_additem(menu, " TCP ^t^imeout...", + "Sets the length of time before inactive TCP entries are considered idle"); + tx_additem(menu, " ^L^ogging interval...", + "Sets the time between loggings for interface, host, and service stats"); + tx_additem(menu, " ^S^creen update interval...", + "Sets the screen update interval in seconds (set to 0 for fastest updates)"); + tx_additem(menu, " TCP closed/idle ^p^ersistence...", + "Determines how long closed/idle/reset entries stay onscreen"); + tx_additem(menu, NULL, NULL); + tx_additem(menu, " E^x^it menu", "Returns to the configuration menu"); +} + +static void printoptonoff(unsigned int option, WINDOW * win) +{ + if (option) + wprintw(win, " On"); + else + wprintw(win, "Off"); +} + +static void indicatesetting(int row, WINDOW *win) +{ + wmove(win, row, 30); + wattrset(win, HIGHATTR); + + switch (row) { + case 1: + printoptonoff(options.revlook, win); + break; + case 2: + printoptonoff(options.servnames, win); + break; + case 3: + printoptonoff(options.promisc, win); + break; + case 4: + printoptonoff(options.color, win); + break; + case 5: + printoptonoff(options.logging, win); + break; + case 6: + wmove(win, row, 25); + if (options.actmode == KBITS) + wprintw(win, " kbits/s"); + else + wprintw(win, "kbytes/s"); + break; + case 7: + printoptonoff(options.mac, win); + break; + case 8: + printoptonoff(options.v6inv4asv6, win); + } + +} + +void saveoptions(void) +{ + int fd; + int bw; + + fd = 
open(CONFIGFILE, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR); + + if (fd < 0) { + tui_error(ANYKEY_MSG, "Cannot create config file: %s %s", + CONFIGFILE, strerror(errno)); + return; + } + bw = write(fd, &options, sizeof(struct OPTIONS)); + + if (bw < 0) + tui_error(ANYKEY_MSG, "Unable to write config file"); + + close(fd); +} + +static void setdefaultopts(void) +{ + options.revlook = 0; + options.promisc = 0; + options.servnames = 0; + options.color = 1; + options.logging = 0; + options.actmode = KBITS; + options.mac = 0; + options.timeout = 15; + options.logspan = 3600; + options.updrate = 0; + options.closedint = 0; + options.v6inv4asv6 = 1; +} + +void loadoptions(void) +{ + int fd; + + setdefaultopts(); + fd = open(CONFIGFILE, O_RDONLY); + + if (fd < 0) + return; + + read(fd, &options, sizeof(struct OPTIONS)); + + close(fd); +} + +static void updatetimes(WINDOW *win) +{ + wattrset(win, HIGHATTR); + mvwprintw(win, 10, 25, "%3u mins", options.timeout); + mvwprintw(win, 11, 25, "%3u mins", options.logspan / 60); + mvwprintw(win, 12, 25, "%3u secs", options.updrate); + mvwprintw(win, 13, 25, "%3u mins", options.closedint); +} + +static void showoptions(WINDOW *win) +{ + int i; + + for (i = 1; i <= 8; i++) + indicatesetting(i, win); + + updatetimes(win); +} + +static void settimeout(time_t *value, const char *units, int allow_zero, + int *aborted) +{ + WINDOW *dlgwin; + PANEL *dlgpanel; + struct FIELDLIST field; + time_t tmval = 0; + + dlgwin = newwin(7, 40, (LINES - 7) / 2, (COLS - 40) / 4); + dlgpanel = new_panel(dlgwin); + + wattrset(dlgwin, DLGBOXATTR); + tx_colorwin(dlgwin); + tx_box(dlgwin, ACS_VLINE, ACS_HLINE); + + wattrset(dlgwin, DLGTEXTATTR); + wmove(dlgwin, 2, 2); + wprintw(dlgwin, "Enter value in %s", units); + wmove(dlgwin, 5, 2); + stdkeyhelp(dlgwin); + + tx_initfields(&field, 1, 10, (LINES - 7) / 2 + 3, (COLS - 40) / 4 + 2, + DLGTEXTATTR, FIELDATTR); + tx_addfield(&field, 3, 0, 0, ""); + + do { + tx_fillfields(&field, aborted); + + if 
(!(*aborted)) { + unsigned int tm; + + tmval = 0; + int ret = strtoul_ui(field.list->buf, 10, &tm); + if ((ret == -1) || (!allow_zero && (tm == 0))) + tui_error(ANYKEY_MSG, "Invalid timeout value"); + else + tmval = tm; + } + } while (((!allow_zero) && (tmval == 0)) && (!(*aborted))); + + if (!(*aborted)) + *value = tmval; + + del_panel(dlgpanel); + delwin(dlgwin); + + tx_destroyfields(&field); + update_panels(); + doupdate(); +} + +void setoptions(void) +{ + int row = 1; + int trow = 1; /* row for timer submenu */ + int aborted; + + struct MENU menu; + struct MENU timermenu; + + WINDOW *statwin; + PANEL *statpanel; + + struct porttab *ports; + + loadaddports(&ports); + + makeoptionmenu(&menu); + + statwin = newwin(15, 35, (LINES - 19) / 2 - 1, (COLS - 40) / 16 + 40); + statpanel = new_panel(statwin); + + wattrset(statwin, BOXATTR); + tx_colorwin(statwin); + tx_box(statwin, ACS_VLINE, ACS_HLINE); + wmove(statwin, 9, 1); + whline(statwin, ACS_HLINE, 33); + mvwprintw(statwin, 0, 1, " Current Settings "); + wattrset(statwin, STDATTR); + mvwprintw(statwin, 1, 2, "Reverse DNS lookups:"); + mvwprintw(statwin, 2, 2, "Service names:"); + mvwprintw(statwin, 3, 2, "Promiscuous:"); + mvwprintw(statwin, 4, 2, "Color:"); + mvwprintw(statwin, 5, 2, "Logging:"); + mvwprintw(statwin, 6, 2, "Activity mode:"); + mvwprintw(statwin, 7, 2, "MAC addresses:"); + mvwprintw(statwin, 8, 2, "v6-in-v4 as IPv6:"); + mvwprintw(statwin, 10, 2, "TCP timeout:"); + mvwprintw(statwin, 11, 2, "Log interval:"); + mvwprintw(statwin, 12, 2, "Update interval:"); + mvwprintw(statwin, 13, 2, "Closed/idle persist:"); + showoptions(statwin); + + do { + tx_showmenu(&menu); + tx_operatemenu(&menu, &row, &aborted); + + switch (row) { + case 1: + options.revlook = ~options.revlook; + break; + case 2: + options.servnames = ~options.servnames; + break; + case 3: + options.promisc = ~options.promisc; + break; + case 4: + options.color = ~options.color; + break; + case 5: + options.logging = ~options.logging; + 
break; + case 6: + options.actmode = ~options.actmode; + break; + case 7: + options.mac = ~options.mac; + break; + case 8: + options.v6inv4asv6 = ~options.v6inv4asv6; + break; + case 10: + maketimermenu(&timermenu); + trow = 1; + do { + tx_showmenu(&timermenu); + tx_operatemenu(&timermenu, &trow, &aborted); + + switch (trow) { + case 1: + settimeout(&options.timeout, + "minutes", DONT_ALLOW_ZERO, + &aborted); + if (!aborted) + updatetimes(statwin); + break; + case 2: + settimeout(&options.logspan, + "minutes", DONT_ALLOW_ZERO, + &aborted); + if (!aborted) { + options.logspan = + options.logspan * 60; + updatetimes(statwin); + } + break; + case 3: + settimeout(&options.updrate, "seconds", + ALLOW_ZERO, &aborted); + if (!aborted) + updatetimes(statwin); + break; + case 4: + settimeout(&options.closedint, + "minutes", ALLOW_ZERO, + &aborted); + if (!aborted) + updatetimes(statwin); + break; + } + } while (trow != 6); + + tx_destroymenu(&timermenu); + update_panels(); + doupdate(); + break; + case 12: + addmoreports(&ports); + break; + case 13: + removeaport(&ports); + break; + case 15: + manage_eth_desc(ARPHRD_ETHER); + break; + case 16: + manage_eth_desc(ARPHRD_FDDI); + break; + } + + indicatesetting(row, statwin); + } while (row != 18); + + destroyporttab(ports); + tx_destroymenu(&menu); + del_panel(statpanel); + delwin(statwin); + update_panels(); + doupdate(); +} diff --git a/src/options.h b/src/options.h new file mode 100644 index 0000000..2304600 --- /dev/null +++ b/src/options.h @@ -0,0 +1,19 @@ +#ifndef IPTRAF_NG_OPTIONS_H +#define IPTRAF_NG_OPTIONS_H + +struct OPTIONS { + unsigned int color:1, logging:1, revlook:1, servnames:1, promisc:1, + actmode:1, mac:1, v6inv4asv6:1, dummy:8; + time_t timeout; + time_t logspan; + time_t updrate; + time_t closedint; +}; + +extern struct OPTIONS options; + +void setoptions(void); +void loadoptions(void); +void saveoptions(void); + +#endif /* IPTRAF_NG_OPTIONS_H */ 
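Review bot: `loadoptions` discards the return value of `read(fd, &options, sizeof(struct OPTIONS))` and validates nothing it read, so a truncated config file, or one written by a build with a different `struct OPTIONS` layout, leaves `options` half default and half garbage, and values the dialog refuses at input time (`timeout == 0` under DONT_ALLOW_ZERO, an arbitrary `updrate`) are accepted from disk unchecked. Checking the byte count and falling back to the defaults on mismatch is a one-line change: `if (read(fd, &options, sizeof options) != (ssize_t) sizeof options) setdefaultopts();`. `saveoptions` has the mirror problem — it only tests `bw < 0`, so a short write is reported as success; compare `bw` against `sizeof options` there as well.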
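Review bot: Nothing on `struct OPTIONS` says that options.c writes and reads it verbatim to CONFIGFILE (`write(fd, &options, sizeof(struct OPTIONS))` in saveoptions), which makes the bitfield packing and the `time_t` width the on-disk format. A comment above the struct, `/* Persisted byte-for-byte to CONFIGFILE by saveoptions()/loadoptions(): reordering fields, changing a type or touching the bitfield layout invalidates existing config files. */`, would stop the next field addition from silently breaking every installed config. The `dummy:8` bits are presumably reserved for exactly that reason and deserve the same note.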
diff --git a/src/othptab.c b/src/othptab.c
new file mode 100644
index 0000000..142c9c2
--- /dev/null
+++ b/src/othptab.c
@@ -0,0 +1,777 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +othptab.c - non-TCP protocol display module + +***/ + +#include "iptraf-ng-compat.h" + +#include "tui/winops.h" + +#include "arphdr.h" +#include "options.h" +#include "tcptable.h" +#include "othptab.h" +#include "deskman.h" +#include "attrs.h" +#include "log.h" +#include "revname.h" +#include "rvnamed.h" +#include "servname.h" +#include "addproto.h" +#include "packet.h" +#include "hostmon.h" +#include "sockaddr.h" + +#define MSGSTRING_MAX 240 +#define SHORTSTRING_MAX 40 + +/* +* A trick to suppress uninitialized variable warning without generating any +* code +*/ +#define uninitialized_var(x) x = x + +static void writeothplog(int logging, FILE *fd, char *protname, + char *description, char *additional, int is_ip, + int withmac, struct othptabent *entry) +{ + char msgbuffer[MSGSTRING_MAX]; + char scratchpad[MSGSTRING_MAX]; + + if (logging) { + memset(msgbuffer, 0, MSGSTRING_MAX); + + strcpy(msgbuffer, protname); + strcat(msgbuffer, "; "); + strcat(msgbuffer, entry->iface); + sprintf(scratchpad, "; %u bytes;", entry->pkt_length); + strcat(msgbuffer, scratchpad); + + if ((entry->smacaddr[0] != '\0') && (withmac)) { + sprintf(scratchpad, " source MAC address %s;", + entry->smacaddr); + strcat(msgbuffer, scratchpad); + } + + if (is_ip) { + if (((entry->protocol == IPPROTO_UDP) + && (!(entry->fragment))) + || (entry->protocol == IPPROTO_TCP)) + sprintf(scratchpad, " from %s:%s to %s:%s", + entry->s_fqdn, entry->un.udp.s_sname, + entry->d_fqdn, entry->un.udp.d_sname); + else + sprintf(scratchpad, " from %s to %s", + entry->s_fqdn, entry->d_fqdn); + } else + sprintf(scratchpad, " from %s to %s ", entry->smacaddr, + entry->dmacaddr); + + strcat(msgbuffer, scratchpad); + strcpy(scratchpad, ""); + if (strcmp(description, "") != 0) { + sprintf(scratchpad, "; %s", description); + strcat(msgbuffer, scratchpad); + } + 
strcpy(scratchpad, ""); + if (strcmp(additional, "") != 0) { + sprintf(scratchpad, " (%s)", additional); + strcat(msgbuffer, scratchpad); + } + writelog(logging, fd, msgbuffer); + } +} + +void init_othp_table(struct othptable *table) +{ + unsigned int winht; + unsigned int wintop; + unsigned int obmaxx __unused; + + winht = LINES - (LINES * 0.6) - 2; + wintop = (LINES * 0.6) + 1; + + table->count = 0; + table->lastpos = 0; + table->strindex = 0; + table->htstat = NOHTIND; + table->head = table->tail = NULL; + table->firstvisible = table->lastvisible = NULL; + table->borderwin = newwin(winht, COLS, wintop, 0); + table->borderpanel = new_panel(table->borderwin); + wattrset(table->borderwin, BOXATTR); + tx_box(table->borderwin, ACS_VLINE, ACS_HLINE); + + table->head = table->tail = NULL; + table->othpwin = newwin(winht - 2, COLS - 2, wintop + 1, 1); + table->othppanel = new_panel(table->othpwin); + wattrset(table->othpwin, STDATTR); + tx_colorwin(table->othpwin); + update_panels(); + doupdate(); + + tx_stdwinset(table->othpwin); + getmaxyx(table->borderwin, table->obmaxy, obmaxx); + table->oimaxy = table->obmaxy - 2; +} + +void process_dest_unreach(struct tcptable *table, char *packet, char *ifname) +{ + struct iphdr *ip; + struct ip6_hdr *ip6; + struct tcphdr *tcp; + struct tcptableent *tcpentry; + + ip = (struct iphdr *) (packet + 8); + + /* + * Timeout checking won't be performed either, so we just pass 0 + * as timeout variable. 
+ */ + + if (ip->version == 6) { + ip6 = (struct ip6_hdr *) (packet + 8); + if (ip6->ip6_nxt != IPPROTO_TCP) + return; + tcp = (struct tcphdr *) (packet + 48); + struct sockaddr_storage saddr, daddr; + sockaddr_make_ipv6(&saddr, &ip6->ip6_src); + sockaddr_set_port(&saddr, ntohs(tcp->source)); + sockaddr_make_ipv6(&daddr, &ip6->ip6_dst); + sockaddr_set_port(&daddr, ntohs(tcp->dest)); + tcpentry = + in_table(table, &saddr, &daddr, ifname, 0, NULL, 0); + } else { + if (ip->protocol != IPPROTO_TCP) + return; + tcp = (struct tcphdr *) (packet + 8 + (ip->ihl * 4)); + struct sockaddr_storage saddr, daddr; + sockaddr_make_ipv4(&saddr, ip->saddr); + sockaddr_set_port(&saddr, ntohs(tcp->source)); + sockaddr_make_ipv4(&daddr, ip->daddr); + sockaddr_set_port(&daddr, ntohs(tcp->dest)); + tcpentry = + in_table(table, &saddr, &daddr, ifname, 0, NULL, 0); + } + + if (tcpentry != NULL) { + tcpentry->stat = tcpentry->oth_connection->stat = FLAG_RST; + addtoclosedlist(table, tcpentry); + } +} + +struct othptabent *add_othp_entry(struct othptable *table, struct pkt_hdr *pkt, + struct sockaddr_storage *saddr, + struct sockaddr_storage *daddr, + int is_ip, + int protocol, + char *packet2, + char *ifname, int *rev_lookup, int rvnfd, + int logging, FILE *logfile, int fragment) +{ + struct othptabent *new_entry; + struct othptabent *temp; + + new_entry = xmallocz(sizeof(struct othptabent)); + + new_entry->is_ip = is_ip; + new_entry->fragment = fragment; + + if (options.mac || !is_ip) { + if (pkt->pkt_hatype == ARPHRD_ETHER) { + convmacaddr((char *) pkt->ethhdr->h_source, new_entry->smacaddr); + convmacaddr((char *) pkt->ethhdr->h_dest, new_entry->dmacaddr); + } else if (pkt->pkt_hatype == ARPHRD_FDDI) { + convmacaddr((char *) pkt->fddihdr->saddr, new_entry->smacaddr); + convmacaddr((char *) pkt->fddihdr->daddr, new_entry->dmacaddr); + } + } + + if (is_ip) { + sockaddr_copy(&new_entry->saddr, saddr); + sockaddr_copy(&new_entry->daddr, daddr); + + revname(rev_lookup, saddr, 
new_entry->s_fqdn, + sizeof(new_entry->s_fqdn), rvnfd); + revname(rev_lookup, daddr, new_entry->d_fqdn, + sizeof(new_entry->d_fqdn), rvnfd); + + if (!fragment) { + if (protocol == IPPROTO_ICMP) { + new_entry->un.icmp.type = + ((struct icmphdr *) packet2)->type; + new_entry->un.icmp.code = + ((struct icmphdr *) packet2)->code; + } else if (protocol == IPPROTO_ICMPV6) { + new_entry->un.icmp6.type = + ((struct icmp6_hdr *) packet2)->icmp6_type; + new_entry->un.icmp6.code = + ((struct icmp6_hdr *) packet2)->icmp6_code; + } else if (protocol == IPPROTO_UDP) { + servlook(ntohs(((struct udphdr *) packet2)->source), + IPPROTO_UDP, new_entry->un.udp.s_sname, + 10); + servlook(ntohs(((struct udphdr *) packet2)->dest), + IPPROTO_UDP, new_entry->un.udp.d_sname, + 10); + } else if (protocol == IPPROTO_OSPFIGP) { + new_entry->un.ospf.type = + ((struct ospfhdr *) packet2)->ospf_type; + new_entry->un.ospf.area = + ntohl(((struct ospfhdr *) packet2)-> + ospf_areaid.s_addr); + inet_ntop(AF_INET, + &((struct ospfhdr *)packet2)->ospf_routerid, + new_entry->un.ospf.routerid, + sizeof(new_entry->un.ospf.routerid)); + } + } + } else { + new_entry->linkproto = pkt->pkt_hatype; + + if (protocol == ETH_P_ARP) { + new_entry->un.arp.opcode = + ((struct arp_hdr *) packet2)->ar_op; + memcpy(&(new_entry->un.arp.src_ip_address), + &(((struct arp_hdr *) packet2)->ar_sip), 4); + memcpy(&(new_entry->un.arp.dest_ip_address), + &(((struct arp_hdr *) packet2)->ar_tip), 4); + } else if (protocol == ETH_P_RARP) { + new_entry->un.rarp.opcode = + ((struct arphdr *) packet2)->ar_op; + memcpy(&(new_entry->un.rarp.src_mac_address), + &(((struct arp_hdr *) packet2)->ar_sha), 6); + memcpy(&(new_entry->un.rarp.dest_mac_address), + &(((struct arp_hdr *) packet2)->ar_tha), 6); + } + } + + new_entry->protocol = protocol; + strcpy(new_entry->iface, ifname); + + new_entry->pkt_length = pkt->pkt_len; + + if (table->head == NULL) { + new_entry->prev_entry = NULL; + table->head = new_entry; + table->firstvisible = 
new_entry; + } + /* + * Max number of entries in the lower window is 512. Upon reaching + * this figure, oldest entries are thrown out. + */ + + if (table->count == 512) { + if (table->firstvisible == table->head) { + wscrl(table->othpwin, 1); + printothpentry(table, table->lastvisible->next_entry, + table->oimaxy - 1, logging, logfile); + table->firstvisible = table->firstvisible->next_entry; + table->lastvisible = table->lastvisible->next_entry; + } + temp = table->head; + table->head = table->head->next_entry; + table->head->prev_entry = NULL; + free(temp); + } else + table->count++; + + if (table->tail != NULL) { + new_entry->prev_entry = table->tail; + table->tail->next_entry = new_entry; + } + table->tail = new_entry; + new_entry->next_entry = NULL; + + table->lastpos++; + new_entry->index = table->lastpos; + + if (table->count <= table->oimaxy) { + table->lastvisible = new_entry; + printothpentry(table, new_entry, table->count - 1, logging, + logfile); + } else if (table->lastvisible == table->tail->prev_entry) { + wscrl(table->othpwin, 1); + table->firstvisible = table->firstvisible->next_entry; + table->lastvisible = table->tail; + printothpentry(table, new_entry, table->oimaxy - 1, logging, + logfile); + } + return new_entry; +} + +/* + * Function to retrieve non-IP packet tags. No further details are + * provided beyond the type. 
+ */ + +static char *packetlookup(unsigned int protocol) +{ + unsigned int i = 0; + static struct packetstruct packettypes[] = { + {"DEC MOP dump/load", 0x6001}, + {"DEC MOP remote console", 0x6002}, + {"DEC DECnet Phase IV", 0x6003}, + {"DEC LAT", 0x6004}, + {"DEC DECnet Diagnostics", 0x6005}, + {"DEC DECnet Customer Use", 0x6006}, + {"DEC DECnet SCA", 0x6007}, + {"IPX", 0x8137}, + {NULL, 0x0} + }; + + + while ((packettypes[i].packet_name != NULL) + && (packettypes[i].protocol != protocol)) + i++; + + return packettypes[i].packet_name; + +} + +void printothpentry(struct othptable *table, struct othptabent *entry, + unsigned int target_row, int logging, FILE * logfile) +{ + char protname[SHORTSTRING_MAX]; + char description[SHORTSTRING_MAX]; + char additional[MSGSTRING_MAX]; + char msgstring[MSGSTRING_MAX]; + char scratchpad[MSGSTRING_MAX]; + char sp_buf[SHORTSTRING_MAX]; + char *startstr; + + char *packet_type; + + struct in_addr uninitialized_var(saddr); + + char rarp_mac_addr[18]; + + unsigned int unknown = 0; + + struct protoent *protptr; + + sprintf(sp_buf, "%%%dc", COLS - 2); + + wmove(table->borderwin, table->obmaxy - 1, 1); + if ((table->lastvisible == table->tail) && (table->htstat != TIND) + && (table->count >= table->oimaxy)) { + wprintw(table->borderwin, " Bottom "); + table->htstat = TIND; + } else if ((table->firstvisible == table->head) + && (table->htstat != HIND)) { + wprintw(table->borderwin, " Top "); + table->htstat = HIND; + } + if (!(entry->is_ip)) { + wmove(table->othpwin, target_row, 0); + scrollok(table->othpwin, 0); + wattrset(table->othpwin, UNKNATTR); + wprintw(table->othpwin, sp_buf, ' '); + scrollok(table->othpwin, 1); + wmove(table->othpwin, target_row, 1); + + switch (entry->protocol) { + case ETH_P_ARP: + sprintf(msgstring, "ARP "); + switch (ntohs(entry->un.arp.opcode)) { + case ARPOP_REQUEST: + strcat(msgstring, "request for "); + memcpy(&(saddr.s_addr), + entry->un.arp.dest_ip_address, 4); + break; + case ARPOP_REPLY: + 
strcat(msgstring, "reply from "); + memcpy(&(saddr.s_addr), + entry->un.arp.src_ip_address, 4); + break; + } + + inet_ntop(AF_INET, &saddr, scratchpad, sizeof(scratchpad)); + strcat(msgstring, scratchpad); + wattrset(table->othpwin, ARPATTR); + break; + case ETH_P_RARP: + sprintf(msgstring, "RARP "); + memset(rarp_mac_addr, 0, sizeof(rarp_mac_addr)); + switch (ntohs(entry->un.rarp.opcode)) { + case ARPOP_RREQUEST: + strcat(msgstring, "request for "); + convmacaddr(entry->un.rarp.dest_mac_address, + rarp_mac_addr); + break; + case ARPOP_RREPLY: + strcat(msgstring, "reply from "); + convmacaddr(entry->un.rarp.src_mac_address, + rarp_mac_addr); + break; + } + + sprintf(scratchpad, rarp_mac_addr); + strcat(msgstring, scratchpad); + wattrset(table->othpwin, ARPATTR); + break; + default: + packet_type = packetlookup(entry->protocol); + if (packet_type == NULL) + sprintf(msgstring, "Non-IP (0x%x)", + entry->protocol); + else + sprintf(msgstring, "Non-IP (%s)", packet_type); + + wattrset(table->othpwin, UNKNATTR); + } + + strcpy(protname, msgstring); + sprintf(scratchpad, " (%u bytes)", entry->pkt_length); + strcat(msgstring, scratchpad); + + if ((entry->linkproto == ARPHRD_ETHER) + || (entry->linkproto == ARPHRD_FDDI)) { + sprintf(scratchpad, " from %s to %s on %s", + entry->smacaddr, entry->dmacaddr, entry->iface); + + strcat(msgstring, scratchpad); + } + startstr = msgstring + table->strindex; + waddnstr(table->othpwin, startstr, COLS - 4); + writeothplog(logging, logfile, protname, "", "", 0, 0, entry); + return; + } + strcpy(additional, ""); + strcpy(description, ""); + + switch (entry->protocol) { + case IPPROTO_UDP: + wattrset(table->othpwin, UDPATTR); + strcpy(protname, "UDP"); + break; + case IPPROTO_ICMP: + wattrset(table->othpwin, STDATTR); + strcpy(protname, "ICMP"); + break; + case IPPROTO_OSPFIGP: + wattrset(table->othpwin, OSPFATTR); + strcpy(protname, "OSPF"); + break; + case IPPROTO_IGP: + wattrset(table->othpwin, IGPATTR); + strcpy(protname, "IGP"); + 
break; + case IPPROTO_IGMP: + wattrset(table->othpwin, IGMPATTR); + strcpy(protname, "IGMP"); + break; + case IPPROTO_IGRP: + wattrset(table->othpwin, IGRPATTR); + strcpy(protname, "IGRP"); + break; + case IPPROTO_GRE: + wattrset(table->othpwin, GREATTR); + strcpy(protname, "GRE"); + break; + case IPPROTO_ICMPV6: + wattrset(table->othpwin, ICMPV6ATTR); + strcpy(protname, "ICMPv6"); + break; + case IPPROTO_IPV6: + wattrset(table->othpwin, IPV6ATTR); + strcpy(protname, "IPv6 tun"); + break; + default: + wattrset(table->othpwin, UNKNIPATTR); + protptr = getprotobynumber(entry->protocol); + if (protptr != NULL) { + sprintf(protname, protptr->p_aliases[0]); + } else { + sprintf(protname, "IP protocol"); + unknown = 1; + } + } + + if (!(entry->fragment)) { + if (entry->protocol == IPPROTO_ICMP) { + switch (entry->un.icmp.type) { + case ICMP_ECHOREPLY: + strcpy(description, "echo rply"); + break; + case ICMP_ECHO: + strcpy(description, "echo req"); + break; + case ICMP_DEST_UNREACH: + strcpy(description, "dest unrch"); + switch (entry->un.icmp.code) { + case ICMP_NET_UNREACH: + strcpy(additional, "ntwk"); + break; + case ICMP_HOST_UNREACH: + strcpy(additional, "host"); + break; + case ICMP_PROT_UNREACH: + strcpy(additional, "proto"); + break; + case ICMP_PORT_UNREACH: + strcpy(additional, "port"); + break; + case ICMP_FRAG_NEEDED: + strcpy(additional, "DF set"); + break; + case ICMP_SR_FAILED: + strcpy(additional, "src rte fail"); + break; + case ICMP_NET_UNKNOWN: + strcpy(additional, "net unkn"); + break; + case ICMP_HOST_UNKNOWN: + strcpy(additional, "host unkn"); + break; + case ICMP_HOST_ISOLATED: + strcpy(additional, "src isltd"); + break; + case ICMP_NET_ANO: + strcpy(additional, "net comm denied"); + break; + case ICMP_HOST_ANO: + strcpy(additional, "host comm denied"); + break; + case ICMP_NET_UNR_TOS: + strcpy(additional, "net unrch for TOS"); + break; + case ICMP_HOST_UNR_TOS: + strcpy(additional, + "host unrch for TOS"); + break; + case ICMP_PKT_FILTERED: + 
strcpy(additional, "pkt fltrd"); + break; + case ICMP_PREC_VIOLATION: + strcpy(additional, "prec violtn"); + break; + case ICMP_PREC_CUTOFF: + strcpy(additional, "prec cutoff"); + break; + } + + break; + case ICMP_SOURCE_QUENCH: + strcpy(description, "src qnch"); + break; + case ICMP_REDIRECT: + strcpy(description, "redirct"); + break; + case ICMP_TIME_EXCEEDED: + strcpy(description, "time excd"); + break; + case ICMP_PARAMETERPROB: + strcpy(description, "param prob"); + break; + case ICMP_TIMESTAMP: + strcpy(description, "timestmp req"); + break; + case ICMP_INFO_REQUEST: + strcpy(description, "info req"); + break; + case ICMP_INFO_REPLY: + strcpy(description, "info rep"); + break; + case ICMP_ADDRESS: + strcpy(description, "addr mask req"); + break; + case ICMP_ADDRESSREPLY: + strcpy(description, "addr mask rep"); + break; + default: + strcpy(description, "bad/unkn"); + break; + } + } else if (entry->protocol == IPPROTO_ICMPV6) { + switch (entry->un.icmp6.type) { + case ICMP6_DST_UNREACH: + strcpy(description, "dest unrch"); + switch (entry->un.icmp6.code) { + case ICMP6_DST_UNREACH_NOROUTE: + strcpy(additional, "no route"); + break; + case ICMP6_DST_UNREACH_ADMIN: + strcpy(additional, "admin"); + break; +#ifdef ICMP6_DST_UNREACH_NOTNEIGHBOR + case ICMP6_DST_UNREACH_NOTNEIGHBOR: + strcpy(additional, "not neigh"); +#else + case ICMP6_DST_UNREACH_BEYONDSCOPE: + strcpy(additional, "not beyondsp"); +#endif + break; + case ICMP6_DST_UNREACH_ADDR: + strcpy(additional, "unreach addr"); + break; + case ICMP6_DST_UNREACH_NOPORT: + strcpy(additional, "no port"); + break; + } + break; + case ICMP6_PACKET_TOO_BIG: + strcpy(description, "pkt too big"); + break; + case ICMP6_TIME_EXCEEDED: + strcpy(description, "time exceeded"); + break; + case ICMP6_PARAM_PROB: + strcpy(description, "param prob"); + break; + case ICMP6_ECHO_REQUEST: + strcpy(description, "echo req"); + break; + case ICMP6_ECHO_REPLY: + strcpy(description, "echo rply"); + break; + case ND_ROUTER_SOLICIT: + 
strcpy(description, "router sol"); + break; + case ND_ROUTER_ADVERT: + strcpy(description, "router adv"); + break; +#ifdef ICMP6_MEMBERSHIP_QUERY + case ICMP6_MEMBERSHIP_QUERY: + strcpy(description, "mbrship query"); + break; +#endif +#ifdef ICMP6_MEMBERSHIP_REPORT + case ICMP6_MEMBERSHIP_REPORT: + strcpy(description, "mbrship report"); + break; +#endif +#ifdef ICMP6_MEMBERSHIP_REDUCTION + case ICMP6_MEMBERSHIP_REDUCTION: + strcpy(description, "mbrship reduc"); + break; +#endif + case ND_NEIGHBOR_SOLICIT: + strcpy(description, "neigh sol"); + break; + case ND_NEIGHBOR_ADVERT: + strcpy(description, "neigh adv"); + break; + case ND_REDIRECT: + strcpy(description, "redirect"); + break; + default: + strcpy(description, "bad/unkn"); + break; + } + } else if (entry->protocol == IPPROTO_OSPFIGP) { + switch (entry->un.ospf.type) { + case OSPF_TYPE_HELLO: + strcpy(description, "hlo"); + break; + case OSPF_TYPE_DB: + strcpy(description, "DB desc"); + break; + case OSPF_TYPE_LSR: + strcpy(description, "LSR"); + break; + case OSPF_TYPE_LSU: + strcpy(description, "LSU"); + break; + case OSPF_TYPE_LSA: + strcpy(description, "LSA"); + break; + } + sprintf(additional, "a=%lu r=%s", entry->un.ospf.area, + entry->un.ospf.routerid); + } + } else + strcpy(description, "fragment"); + + strcpy(msgstring, protname); + strcat(msgstring, " "); + + if (strcmp(description, "") != 0) { + strcat(msgstring, description); + strcat(msgstring, " "); + } + if (strcmp(additional, "") != 0) { + sprintf(scratchpad, "(%s) ", additional); + strcat(msgstring, scratchpad); + } + if (unknown) { + sprintf(scratchpad, "%u ", entry->protocol); + strcat(msgstring, scratchpad); + } + sprintf(scratchpad, "(%u bytes) ", entry->pkt_length); + strcat(msgstring, scratchpad); + + if ((entry->protocol == IPPROTO_UDP) && (!(entry->fragment))) { + sprintf(scratchpad, "from %.40s:%s to %.40s:%s", entry->s_fqdn, + entry->un.udp.s_sname, entry->d_fqdn, + entry->un.udp.d_sname); + } else { + sprintf(scratchpad, "from %.40s 
to %.40s", entry->s_fqdn, + entry->d_fqdn); + } + + strcat(msgstring, scratchpad); + + if (((entry->smacaddr)[0] != '\0') && options.mac) { + snprintf(scratchpad, MSGSTRING_MAX, " (src HWaddr %s)", + entry->smacaddr); + strcat(msgstring, scratchpad); + } + strcat(msgstring, " on "); + strcat(msgstring, entry->iface); + + wmove(table->othpwin, target_row, 0); + scrollok(table->othpwin, 0); + wprintw(table->othpwin, sp_buf, ' '); + scrollok(table->othpwin, 1); + wmove(table->othpwin, target_row, 1); + startstr = msgstring + table->strindex; + waddnstr(table->othpwin, startstr, COLS - 4); + + if (logging) + writeothplog(logging, logfile, protname, description, + additional, 1, options.mac, entry); +} + +void refresh_othwindow(struct othptable *table) +{ + int target_row = 0; + struct othptabent *entry; + + wattrset(table->othpwin, STDATTR); + tx_colorwin(table->othpwin); + + entry = table->firstvisible; + + while ((entry != NULL) && (entry != table->lastvisible->next_entry)) { + printothpentry(table, entry, target_row, 0, NULL); + target_row++; + entry = entry->next_entry; + } + + update_panels(); + doupdate(); +} + +void destroyothptable(struct othptable *table) +{ + struct othptabent *ctemp; + struct othptabent *ctemp_next; + + if (table->head != NULL) { + ctemp = table->head; + ctemp_next = table->head->next_entry; + + while (ctemp != NULL) { + free(ctemp); + ctemp = ctemp_next; + + if (ctemp_next != NULL) + ctemp_next = ctemp_next->next_entry; + } + } +} diff --git a/src/othptab.h b/src/othptab.h new file mode 100644 index 0000000..1987ea7 --- /dev/null +++ b/src/othptab.h 
@@ -0,0 +1,139 @@ +#ifndef IPTRAF_NG_OTHPTAB_H +#define IPTRAF_NG_OTHPTAB_H + +/*** + +othptab.h - header file for the non-TCP routines + +***/ + +#include "packet.h" + +#define NONIP -1 +#define IS_IP 1 +#define NOT_IP 0 + +#define NOHTIND 0 /* Bottom or Top (head or tail) indicator printed */ +#define TIND 1 /* Tail indicator printed */ +#define HIND 2 /* Head indicator printed */ + +#define VSCRL_OFFSET 60 /* Characters to vertically scroll */ + +struct othptabent { + struct sockaddr_storage saddr; + struct sockaddr_storage daddr; + char smacaddr[18]; /* FIXME: use dynamicly allocated space */ + char dmacaddr[18]; + unsigned short linkproto; + char s_fqdn[100]; + char d_fqdn[100]; + int s_fstat; + int d_fstat; + unsigned int protocol; + char iface[IFNAMSIZ]; + unsigned int pkt_length; + + union { + struct { + char s_sname[15]; + char d_sname[15]; + } udp; + struct { + unsigned int type; + unsigned int code; + } icmp; + struct { + unsigned char type; + unsigned long area; + char routerid[16]; + } ospf; + struct { + unsigned short opcode; + char src_ip_address[4]; + char dest_ip_address[4]; + } arp; + struct { + unsigned short opcode; + char src_mac_address[6]; + char dest_mac_address[6]; + } rarp; + struct { + uint8_t type; + uint8_t code; + } icmp6; + } un; + unsigned int type; + unsigned int code; + unsigned int index; + int is_ip; + int fragment; + struct othptabent *prev_entry; + struct othptabent *next_entry; +}; + +struct othptable { + struct othptabent *head; + struct othptabent *tail; + struct othptabent *firstvisible; + struct othptabent *lastvisible; + unsigned int count; + unsigned int lastpos; + unsigned int strindex; /* starting index of the string to display */ + int htstat; + unsigned int obmaxy; /* number of lines in the border window */ + unsigned int oimaxy; /* number of lines inside the border */ + WINDOW *othpwin; + PANEL *othppanel; + WINDOW *borderwin; + PANEL *borderpanel; +}; + +/* Added by David Harbaugh for Non-IP protocol identification 
*/ + +struct packetstruct { + char *packet_name; /* Name of packet type */ + unsigned int protocol; /* Number of packet type */ +}; + + +/* partially stolen from ospf.h from tcpdump */ + +#define OSPF_TYPE_UMD 0 +#define OSPF_TYPE_HELLO 1 +#define OSPF_TYPE_DB 2 +#define OSPF_TYPE_LSR 3 +#define OSPF_TYPE_LSU 4 +#define OSPF_TYPE_LSA 5 +#define OSPF_TYPE_MAX 6 + +struct ospfhdr { + u_char ospf_version; + u_char ospf_type; + u_short ospf_len; + struct in_addr ospf_routerid; + struct in_addr ospf_areaid; + u_short ospf_chksum; + u_short ospf_authtype; +}; + +void init_othp_table(struct othptable *table); + +void process_dest_unreach(struct tcptable *table, char *packet, char *ifname); + +struct othptabent *add_othp_entry(struct othptable *table, struct pkt_hdr *pkt, + struct sockaddr_storage *saddr, + struct sockaddr_storage *daddr, + int is_ip, + int protocol, + char *packet2, + char *ifname, int *rev_lookup, int rvnamedon, + int logging, FILE *logfile, int fragment); + +void printothpentry(struct othptable *table, struct othptabent *entry, + unsigned int screen_idx, int logging, FILE * logfile); + +void refresh_othwindow(struct othptable *table); + +void destroyothptable(struct othptable *table); + +#endif /* IPTRAF_NG_OTHPTAB_H */ diff --git a/src/packet.c b/src/packet.c new file mode 100644 index 0000000..bc8ed21 --- /dev/null +++ b/src/packet.c 
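Review bot: The prototype of printothpentry names its third parameter `screen_idx` while the definition and its caller in othptab.c use `target_row` (refresh_othwindow calls `printothpentry(table, entry, target_row, 0, NULL)`), and nothing here records that `logfile` may be NULL only when `logging` is 0. A comment on the declaration such as `/* screen_idx: row inside othpwin; logfile may be NULL when logging == 0 */` and renaming the parameter to `target_row` would make the header match the code. The add_othp_entry prototype likewise leaves ownership of the returned entry unstated; since destroyothptable frees every entry on the list, a one-line `/* returned entry is owned by the table and freed by destroyothptable() */` would settle it.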
@@ -0,0 +1,344 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +packet.c - routines to open the raw socket, read socket data and + adjust the initial packet pointer + +***/ + +#include "iptraf-ng-compat.h" + +#include "deskman.h" +#include "error.h" +#include "options.h" +#include "fltdefs.h" +#include "fltselect.h" +#include "ipfilter.h" +#include "ifaces.h" +#include "packet.h" +#include "ipfrag.h" + +#define pkt_cast_hdrp_l2off_t(hdr, pkt, off) \ + do { \ + pkt->hdr = (struct hdr *) (pkt->pkt_buf + off); \ + } while (0) + +#define pkt_cast_hdrp_l2(hdr, pkt) \ + pkt_cast_hdrp_l2off_t(hdr, pkt, 0) + + +#define pkt_cast_hdrp_l3off_t(hdr, pkt, off) \ + do { \ + pkt->hdr = (struct hdr *) (pkt->pkt_payload + off); \ + } while (0) + +#define pkt_cast_hdrp_l3(hdr, pkt) \ + pkt_cast_hdrp_l3off_t(hdr, pkt, 0) + +/* code taken from http://www.faqs.org/rfcs/rfc1071.html. See section 4.1 "C" */ +static int in_cksum(u_short * addr, int len) +{ + register int sum = 0; + + while (len > 1) { + sum += *(u_short *) addr++; + len -= 2; + } + + if (len > 0) + sum += *(unsigned char *) addr; + + while (sum >> 16) + sum = (sum & 0xffff) + (sum >> 16); + + return (u_short) (~sum); +} + +static int packet_adjust(struct pkt_hdr *pkt) +{ + int retval = 0; + + switch (pkt->pkt_hatype) { + case ARPHRD_ETHER: + case ARPHRD_LOOPBACK: + pkt_cast_hdrp_l2(ethhdr, pkt); + pkt->pkt_payload = pkt->pkt_buf; + pkt->pkt_payload += ETH_HLEN; + pkt->pkt_len -= ETH_HLEN; + break; + case ARPHRD_SLIP: + case ARPHRD_CSLIP: + case ARPHRD_SLIP6: + case ARPHRD_CSLIP6: + case ARPHRD_PPP: + case ARPHRD_TUNNEL: + case ARPHRD_SIT: + case ARPHRD_NONE: + case ARPHRD_IPGRE: + pkt->pkt_payload = pkt->pkt_buf; + break; + case ARPHRD_FRAD: + case ARPHRD_DLCI: + pkt->pkt_payload = pkt->pkt_buf; + pkt->pkt_payload += 4; + pkt->pkt_len -= 4; + break; + case ARPHRD_FDDI: + pkt_cast_hdrp_l2(fddihdr, pkt); + pkt->pkt_payload = 
pkt->pkt_buf; + pkt->pkt_payload += sizeof(struct fddihdr); + pkt->pkt_len -= sizeof(struct fddihdr); + break; + default: + /* return a NULL packet to signal an unrecognized link */ + /* protocol to the caller. Hopefully, this switch statement */ + /* will grow. */ + pkt->pkt_payload = NULL; + retval = -1; + break; + } + return retval; +} + +/* initialize all layer3 protocol pointers (we need to initialize all + * of them, because of case we change pkt->pkt_protocol) */ +static void packet_set_l3_hdrp(struct pkt_hdr *pkt) +{ + switch (pkt->pkt_protocol) { + case ETH_P_IP: + pkt_cast_hdrp_l3(iphdr, pkt); + pkt->ip6_hdr = NULL; + break; + case ETH_P_IPV6: + pkt->iphdr = NULL; + pkt_cast_hdrp_l3(ip6_hdr, pkt); + break; + default: + pkt->iphdr = NULL; + pkt->ip6_hdr = NULL; + break; + } +} + +/* IPTraf input function; reads both keystrokes and network packets. */ +int packet_get(int fd, struct pkt_hdr *pkt, int *ch, WINDOW *win) +{ + struct pollfd pfds[2]; + nfds_t nfds = 0; + int ss; + + /* Monitor raw socket */ + pfds[0].fd = fd; + pfds[0].events = POLLIN; + nfds++; + + /* Monitor stdin only if in interactive, not daemon mode. 
*/ + if (ch && !daemonized) { + pfds[1].fd = 0; + pfds[1].events = POLLIN; + nfds++; + } + do { + ss = poll(pfds, nfds, DEFAULT_UPDATE_DELAY); + } while ((ss == -1) && (errno == EINTR)); + + PACKET_INIT_STRUCT(pkt); + if ((ss > 0) && (pfds[0].revents & POLLIN) != 0) { + struct sockaddr_ll from; + struct iovec iov; + struct msghdr msg; + + iov.iov_len = pkt->pkt_bufsize; + iov.iov_base = pkt->pkt_buf; + + msg.msg_name = &from; + msg.msg_namelen = sizeof(from); + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_control = NULL; + msg.msg_controllen = 0; + msg.msg_flags = 0; + + ssize_t len = recvmsg(fd, &msg, MSG_TRUNC | MSG_DONTWAIT); + if (len > 0) { + pkt->pkt_len = len; + pkt->pkt_caplen = len; + if (pkt->pkt_caplen > pkt->pkt_bufsize) + pkt->pkt_caplen = pkt->pkt_bufsize; + pkt->pkt_payload = NULL; + pkt->pkt_protocol = ntohs(from.sll_protocol); + pkt->pkt_ifindex = from.sll_ifindex; + pkt->pkt_hatype = from.sll_hatype; + pkt->pkt_pkttype = from.sll_pkttype; + } else + ss = len; + } + + if (ch) { + *ch = ERR; /* signalize we have no key ready */ + if (!daemonized && (ss > 0) && ((pfds[1].revents & POLLIN) != 0)) + *ch = wgetch(win); + } + + return ss; +} + +int packet_process(struct pkt_hdr *pkt, unsigned int *total_br, + in_port_t *sport, in_port_t *dport, + int match_opposite, int v6inv4asv6) +{ + /* move packet pointer (pkt->pkt_payload) past data link header */ + if (packet_adjust(pkt) != 0) + return INVALID_PACKET; + +again: + packet_set_l3_hdrp(pkt); + switch (pkt->pkt_protocol) { + case ETH_P_IP: { + struct iphdr *ip = pkt->iphdr; + int hdr_check; + register int ip_checksum; + in_port_t f_sport = 0, f_dport = 0; + + /* + * Compute and verify IP header checksum. 
+ */ + + ip_checksum = ip->check; + ip->check = 0; + hdr_check = in_cksum((u_short *) pkt->iphdr, pkt_iph_len(pkt)); + + if ((hdr_check != ip_checksum)) + return CHECKSUM_ERROR; + + if ((ip->protocol == IPPROTO_TCP || ip->protocol == IPPROTO_UDP) + && (sport != NULL && dport != NULL)) { + in_port_t sport_tmp, dport_tmp; + + /* + * Process TCP/UDP fragments + */ + if ((ntohs(ip->frag_off) & 0x3fff) != 0) { + int firstin; + + /* + * total_br contains total byte count of all fragments + * not yet retrieved. Will differ only if fragments + * arrived before the first fragment, in which case + * the total accumulated fragment sizes will be returned + * once the first fragment arrives. + */ + + if (total_br != NULL) + *total_br = + processfragment(ip, &sport_tmp, + &dport_tmp, + &firstin); + + if (!firstin) + return MORE_FRAGMENTS; + } else { + struct tcphdr *tcp; + struct udphdr *udp; + char *ip_payload = (char *) ip + pkt_iph_len(pkt); + + switch (ip->protocol) { + case IPPROTO_TCP: + tcp = (struct tcphdr *) ip_payload; + sport_tmp = ntohs(tcp->source); + dport_tmp = ntohs(tcp->dest); + break; + case IPPROTO_UDP: + udp = (struct udphdr *) ip_payload; + sport_tmp = ntohs(udp->source); + dport_tmp = ntohs(udp->dest); + break; + default: + sport_tmp = 0; + dport_tmp = 0; + break; + } + + if (total_br != NULL) + *total_br = pkt->pkt_len; + } + + if (sport != NULL) + *sport = sport_tmp; + + if (dport != NULL) + *dport = dport_tmp; + + f_sport = sport_tmp; + f_dport = dport_tmp; + } + /* Process IP filter */ + if ((ofilter.filtercode != 0) + && + (!ipfilter + (ip->saddr, ip->daddr, f_sport, f_dport, ip->protocol, + match_opposite))) + return PACKET_FILTERED; + if (v6inv4asv6 && (ip->protocol == IPPROTO_IPV6)) { + pkt->pkt_protocol = ETH_P_IPV6; + pkt->pkt_payload += pkt_iph_len(pkt); + pkt->pkt_len -= pkt_iph_len(pkt); + goto again; + } + break; } + case ETH_P_IPV6: { + struct tcphdr *tcp; + struct udphdr *udp; + struct ip6_hdr *ip6 = pkt->ip6_hdr; + char *ip_payload = (char 
*) ip6 + pkt_iph_len(pkt); + + //TODO: Filter packets + switch (pkt_ip_protocol(pkt)) { + case IPPROTO_TCP: + tcp = (struct tcphdr *) ip_payload; + if (sport) + *sport = ntohs(tcp->source); + if (dport) + *dport = ntohs(tcp->dest); + break; + case IPPROTO_UDP: + udp = (struct udphdr *) ip_payload; + if (sport) + *sport = ntohs(udp->source); + if (dport) + *dport = ntohs(udp->dest); + break; + default: + if (sport) + *sport = 0; + if (dport) + *dport = 0; + break; + } + break; } + case ETH_P_8021Q: + case ETH_P_QINQ1: /* ETH_P_QINQx are not officially */ + case ETH_P_QINQ2: /* registered IDs */ + case ETH_P_QINQ3: + case ETH_P_8021AD: + /* strip 802.1Q/QinQ/802.1ad VLAN header */ + pkt->pkt_payload += 4; + pkt->pkt_len -= 4; + /* update network protocol */ + pkt->pkt_protocol = ntohs(*((unsigned short *) pkt->pkt_payload)); + goto again; + default: + /* not IPv4 and not IPv6: apply non-IP packet filter */ + if (!nonipfilter(pkt->pkt_protocol)) { + return PACKET_FILTERED; + } + } + return PACKET_OK; +} + +void pkt_cleanup(void) +{ + destroyfraglist(); +} diff --git a/src/packet.h b/src/packet.h new file mode 100644 index 0000000..895d63b --- /dev/null +++ b/src/packet.h 
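Review bot: packet_process casts and reads the IPv4/IPv6 header, the TCP/UDP ports and the inner ethertype of VLAN tags out of pkt_buf without checking that the captured bytes (pkt->pkt_caplen, capped to the buffer size in packet_get) actually cover them: in_cksum runs over pkt_iph_len(pkt) bytes, ip->ihl is never checked to be at least 5, and each `goto again` (VLAN strip, v6inv4asv6) moves pkt_payload further without a bound, so a short or malformed frame makes the parser read past the captured data and, after enough strips, past pkt_buf itself. A small bounds helper checked before each header read turns those cases into INVALID_PACKET; the sketch below shows the helper and the check sites, the rest of the function is unchanged. Separately, in the fragment branch `firstin` (and sport_tmp/dport_tmp) are only assigned when total_br is non-NULL, yet `if (!firstin) return MORE_FRAGMENTS;` reads it unconditionally — initialise it (`int firstin = 0;`) or call processfragment regardless. packet_adjust also subtracts ETH_HLEN, 4 or sizeof(struct fddihdr) from the size_t pkt_len without first checking pkt_len is at least that large, which wraps on runt frames.
```c
/* true when the captured bytes cover [pkt_payload + off, pkt_payload + off + need) */
static int pkt_payload_has(const struct pkt_hdr *pkt, size_t off, size_t need)
{
	size_t start = (size_t) (pkt->pkt_payload - pkt->pkt_buf);

	return start <= pkt->pkt_caplen && off <= pkt->pkt_caplen - start
	       && need <= pkt->pkt_caplen - start - off;
}

/* … unchanged: packet_adjust, packet_set_l3_hdrp, packet_get … */

	case ETH_P_IP: {
		struct iphdr *ip = pkt->iphdr;
		/* … unchanged: local declarations … */

		/* the header must be captured in full before ihl or check are read */
		if (!pkt_payload_has(pkt, 0, sizeof(*ip)) || ip->ihl < 5
		    || !pkt_payload_has(pkt, 0, pkt_iph_len(pkt)))
			return INVALID_PACKET;
		/* … unchanged: checksum verification, fragment handling … */
				/* source and destination port are the first 4 bytes of TCP and UDP */
				if (!pkt_payload_has(pkt, pkt_iph_len(pkt), 4))
					return INVALID_PACKET;
		/* … unchanged: port extraction, IP filter, v6inv4asv6 … */
	case ETH_P_IPV6: {
		/* … unchanged: local declarations … */
		if (!pkt_payload_has(pkt, 0, pkt_iph_len(pkt)))
			return INVALID_PACKET;
		switch (pkt_ip_protocol(pkt)) {
		case IPPROTO_TCP:
			if (!pkt_payload_has(pkt, pkt_iph_len(pkt), 4))
				return INVALID_PACKET;
			/* … unchanged: port extraction; same check in IPPROTO_UDP … */
	case ETH_P_8021AD:
		/* need the 4-byte tag plus the 2-byte inner ethertype */
		if (!pkt_payload_has(pkt, 0, 6))
			return INVALID_PACKET;
		/* … unchanged: strip tag, goto again … */
```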
@@ -0,0 +1,85 @@ +#ifndef IPTRAF_NG_PACKET_H +#define IPTRAF_NG_PACKET_H + +/*** + +packet.h - external declarations for packet.c + +***/ + +/* + * Number of bytes from captured packet to move into a buffer. + * 96 bytes should be enough for the IP header, TCP/UDP/ICMP/whatever header + * with reasonable numbers of options. + */ +#define MAX_PACKET_SIZE 96 + +#define INVALID_PACKET 0 +#define PACKET_OK 1 +#define CHECKSUM_ERROR 2 +#define PACKET_FILTERED 3 +#define MORE_FRAGMENTS 4 + +struct pkt_hdr { + size_t pkt_bufsize; + char *pkt_payload; + size_t pkt_caplen; /* bytes captured */ + size_t pkt_len; /* bytes on-the-wire */ + int pkt_ifindex; /* Interface number */ + unsigned short pkt_protocol; /* Physical layer protocol: ETH_P_* */ + unsigned short pkt_hatype; /* Header type: ARPHRD_* */ + unsigned char pkt_pkttype; /* Packet type: PACKET_OUTGOING, PACKET_BROADCAST, ... */ + unsigned char pkt_halen; /* Length of address */ + unsigned char pkt_addr[8]; /* Physical layer address */ + struct ethhdr *ethhdr; + struct fddihdr *fddihdr; + struct iphdr *iphdr; + struct ip6_hdr *ip6_hdr; + char pkt_buf[MAX_PACKET_SIZE]; +}; + +static inline void PACKET_INIT_STRUCT(struct pkt_hdr *p) +{ + p->pkt_bufsize = MAX_PACKET_SIZE; + p->pkt_payload = NULL; + p->ethhdr = NULL; + p->fddihdr = NULL; + p->iphdr = NULL; + p->ip6_hdr = NULL; + p->pkt_len = 0; /* signalize we have no packet prepared */ +} + +#define PACKET_INIT(packet) \ + struct pkt_hdr packet; \ + PACKET_INIT_STRUCT(&packet) + +static inline __u8 pkt_iph_len(const struct pkt_hdr *pkt) +{ + switch (pkt->pkt_protocol) { + case ETH_P_IP: + return pkt->iphdr->ihl * 4; + case ETH_P_IPV6: + return 40; + default: + return 0; + } +} + +static inline __u8 pkt_ip_protocol(const struct pkt_hdr *p) +{ + switch (p->pkt_protocol) { + case ETH_P_IP: + return p->iphdr->protocol; + case ETH_P_IPV6: + return p->ip6_hdr->ip6_nxt; /* FIXME: extension headers ??? 
*/ + }; + return 0; +} + +int packet_get(int fd, struct pkt_hdr *pkt, int *ch, WINDOW *win); +int packet_process(struct pkt_hdr *pkt, unsigned int *total_br, + in_port_t *sport, in_port_t *dport, + int match_opposite, int v6inv4asv6); +void pkt_cleanup(void); + +#endif /* IPTRAF_NG_PACKET_H */ diff --git a/src/parse-options.c b/src/parse-options.c new file mode 100644 index 0000000..e54ebb5 --- /dev/null +++ b/src/parse-options.c 
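Review bot: pkt_iph_len and pkt_ip_protocol dereference pkt->iphdr / pkt->ip6_hdr without checking them, and pkt_iph_len returns `ihl * 4` with ihl taken straight from the wire; they are only safe after packet_set_l3_hdrp in packet.c has set the pointer for the current pkt_protocol, which this header does not say. A comment above both helpers would record that: `/* Only valid after packet_set_l3_hdrp(); the pointer matching pkt_protocol is non-NULL then, but ihl is not validated here. */`. The struct comment should also note that pkt_caplen is the only bound on how much of pkt_buf holds real data — packet_adjust reduces pkt_len when it moves pkt_payload but never touches pkt_caplen — e.g. `size_t pkt_caplen; /* bytes captured into pkt_buf; unchanged when pkt_payload moves */`.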
@@ -0,0 +1,160 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +#include "iptraf-ng-compat.h" +#include "parse-options.h" + +static int parse_opt_size(const struct options *opt) +{ + unsigned size = 1; + + for (; opt->type != OPTION_END; opt++) + size++; + + return size; +} + +#define USAGE_OPTS_WIDTH 24 +#define USAGE_GAP 2 + +void __noreturn parse_usage_and_die(const char *const *usage, + const struct options *opt) +{ + fprintf(stderr, "usage: %s\n", *usage++); + + while (*usage && **usage) + fprintf(stderr, " or: %s\n", *usage++); + + if (opt->type != OPTION_GROUP) + fputc('\n', stderr); + + for (; opt->type != OPTION_END; opt++) { + size_t pos; + int pad; + + if (opt->type == OPTION_GROUP) { + fputc('\n', stderr); + if (*opt->help) + fprintf(stderr, "%s\n", opt->help); + continue; + } + + pos = fprintf(stderr, " "); + if (opt->short_name) + pos += fprintf(stderr, "-%c", opt->short_name); + + if (opt->short_name && opt->long_name) + pos += fprintf(stderr, ", "); + + if (opt->long_name) + pos += fprintf(stderr, "--%s", opt->long_name); + + if (opt->argh) + pos += fprintf(stderr, " <%s>", opt->argh); + + if (pos <= USAGE_OPTS_WIDTH) + pad = USAGE_OPTS_WIDTH - pos; + else { + fputc('\n', stderr); + pad = USAGE_OPTS_WIDTH; + } + fprintf(stderr, "%*s%s\n", pad + USAGE_GAP, "", opt->help); + } + fputc('\n', stderr); + exit(1); +} + +static int get_value(const struct options *opt) +{ + char *s = NULL; + + switch (opt->type) { + case OPTION_BOOL: + *(int *) opt->value += 1; + break; + case OPTION_INTEGER: + *(int *) opt->value = strtol(optarg, (char **) &s, 10); + if (*s) { + error("invalid number -- %s", s); + return -1; + } + break; + case OPTION_STRING: + if (optarg) + *(char **) opt->value = (char *) optarg; + break; + case OPTION_GROUP: + case OPTION_END: + break; + } + + return 0; +} + +void parse_opts(int argc, char **argv, const struct options *opt, + const char *const 
usage[]) +{ + int size = parse_opt_size(opt); + + int nr = 0, alloc = 0; + + char *shortopts = NULL; + struct option *longopts = xmallocz(sizeof(longopts[0]) * (size + 2)); + const struct options *curopt = opt; + struct option *curlongopts = longopts; + + for (; curopt->type != OPTION_END; curopt++, curlongopts++) { + curlongopts->name = curopt->long_name; + + switch (curopt->type) { + case OPTION_BOOL: + curlongopts->has_arg = no_argument; + if (curopt->short_name) { + ALLOC_GROW(shortopts, nr + 1, alloc); + shortopts[nr++] = curopt->short_name; + } + break; + case OPTION_INTEGER: + case OPTION_STRING: + curlongopts->has_arg = required_argument; + if (curopt->short_name) { + ALLOC_GROW(shortopts, nr + 2, alloc); + shortopts[nr++] = curopt->short_name; + shortopts[nr++] = ':'; + } + break; + case OPTION_GROUP: + case OPTION_END: + break; + } + + curlongopts->flag = 0; + curlongopts->val = curopt->short_name; + } + + while (1) { + curopt = opt; + int c = getopt_long(argc, argv, shortopts, longopts, NULL); + + if (c == -1) + break; + + if (c == '?') { + free(longopts); + free(shortopts); + parse_usage_and_die(usage, opt); + } + + for (; curopt->type != OPTION_END; curopt++) { + if (curopt->short_name != c) + continue; + + /* for now it fails only when string is badly converted */ + if (get_value(curopt) < 0) + parse_usage_and_die(usage, opt); + } + } + + free(longopts); + free(shortopts); +} diff --git a/src/parse-options.h b/src/parse-options.h new file mode 100644 index 0000000..d72041f --- /dev/null +++ b/src/parse-options.h 
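Review bot: get_value's OPTION_INTEGER branch accepts an empty or out-of-range argument: strtol on `""` leaves s pointing at the terminator so the `*s` check passes with value 0, and neither ERANGE nor a result outside int is checked before the long is stored into `*(int *) opt->value`. Suggest `errno = 0; long v = strtol(optarg, &s, 10);` followed by `if (s == optarg || *s || errno == ERANGE || v < INT_MIN || v > INT_MAX) { error("invalid number -- %s", optarg); return -1; }` and then `*(int *) opt->value = (int) v;`. In parse_opts, shortopts is grown with ALLOC_GROW and filled character by character but no terminating '\0' is stored after the loop, and when no option has a short_name it stays NULL before being handed to getopt_long; whether that is safe depends on ALLOC_GROW zero-filling, which is not visible here, so an explicit `ALLOC_GROW(shortopts, nr + 1, alloc); shortopts[nr] = '\0';` after the loop removes the doubt.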
@@ -0,0 +1,42 @@ +#ifndef IPTRAF_NG_PARSE_OPTIONS_H +#define IPTRAF_NG_PARSE_OPTIONS_H + +enum parse_opt_type { + OPTION_BOOL, + OPTION_GROUP, + OPTION_STRING, + OPTION_INTEGER, + OPTION_END, +}; + +struct options { + enum parse_opt_type type; + int short_name; + const char *long_name; + void *value; + const char *argh; + const char *help; +}; + +/* + * s - short_name + * l - long_name + * v - value + * a - argh argument help + * h - help + */ +#define OPT_END() { OPTION_END, 0, NULL, NULL, NULL, NULL } +#define OPT_BOOL(s, l, v, h) { OPTION_BOOL, (s), (l), (v), NULL, (h) } +#define OPT_GROUP(h) { OPTION_GROUP, 0, NULL, NULL, NULL, (h) } +#define OPT_INTEGER(s, l, v, h) { OPTION_INTEGER, (s), (l), (v), "n", (h) } +#define OPT_STRING(s, l, v, a, h) { OPTION_STRING, (s), (l), (v), (a), (h) } + +#define OPT__VERBOSE(v) OPT_BOOL('v', "verbose", (v), "be verbose") +#define OPT__HELP(v) OPT_BOOL('h', "help", (v), "show this help message") + +void parse_opts(int argc, char **argv, const struct options *opt, + const char *const usage[]); + +void parse_usage_and_die(const char *const *usage, const struct options *opt); + +#endif /* IPTRAF_NG_PARSE_OPTIONS_H */ diff --git a/src/parseproto.c b/src/parseproto.c new file mode 100644 index 0000000..d42c87f --- /dev/null +++ b/src/parseproto.c 
@@ -0,0 +1,160 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/* + * parseports.c - code to extract the protocol codes or ranges thereof from + * the user-defined string. + * + */ + +#include "iptraf-ng-compat.h" +#include "parseproto.h" + + +/* + * Extracts next token from the buffer. + */ +static char *get_next_token(char **cptr) +{ + static char rtoken[32]; + int i; + + i = 0; + + skip_whitespace(*cptr); + + if (**cptr == ',' || **cptr == '-') { + rtoken[0] = **cptr; + rtoken[1] = '\0'; + (*cptr)++; + } else { + while (!isspace(**cptr) && **cptr != '-' && **cptr != ',' + && **cptr != '\0') { + rtoken[i] = **cptr; + (*cptr)++; + i++; + } + rtoken[i] = '\0'; + } + + return rtoken; +} + +void get_next_protorange(char **cptr, unsigned int *proto1, + unsigned int *proto2, int *parse_result, + char **badtokenptr) +{ + char toktmp[5]; + char prototmp1[5]; + char prototmp2[5]; + char *cerr_ptr; + static char bad_token[5]; + unsigned int tmp; + + memset(toktmp, 0, 5); + memset(prototmp1, 0, 5); + memset(prototmp2, 0, 5); + memset(bad_token, 0, 5); + + strncpy(prototmp1, get_next_token(cptr), 5); + if (prototmp1[0] == '\0') { + *parse_result = NO_MORE_TOKENS; + return; + } + + strncpy(toktmp, get_next_token(cptr), 5); + + *parse_result = RANGE_OK; + + switch (toktmp[0]) { + case '-': + strncpy(prototmp2, get_next_token(cptr), 5); + + /* + * Check for missing right-hand token for - + */ + if (prototmp2[0] == '\0') { + *parse_result = INVALID_RANGE; + strcpy(bad_token, "-"); + *badtokenptr = bad_token; + break; + } + *proto2 = (unsigned int) strtoul(prototmp2, &cerr_ptr, 10); + /* + * First check for an invalid character + */ + if (*cerr_ptr != '\0') { + *parse_result = INVALID_RANGE; + strncpy(bad_token, prototmp2, 5); + *badtokenptr = bad_token; + } else { + /* + * Then check for the validity of the token + */ + + if (*proto2 > 255) { + strncpy(bad_token, prototmp2, 5); + 
*badtokenptr = bad_token; + *parse_result = OUT_OF_RANGE; + } + + /* + * Then check if the next token is a comma + */ + strncpy(toktmp, get_next_token(cptr), 5); + if (toktmp[0] != '\0' && toktmp[0] != ',') { + *parse_result = COMMA_EXPECTED; + strncpy(bad_token, toktmp, 5); + *badtokenptr = bad_token; + } + } + + break; + case ',': + case '\0': + *proto2 = 0; + break; + default: + *parse_result = COMMA_EXPECTED; + strncpy(bad_token, toktmp, 5); + *badtokenptr = bad_token; + break; + } + + if (*parse_result != RANGE_OK) + return; + + *proto1 = (unsigned int) strtoul(prototmp1, &cerr_ptr, 10); + if (*cerr_ptr != '\0') { + *parse_result = INVALID_RANGE; + strncpy(bad_token, prototmp1, 5); + *badtokenptr = bad_token; + } else if (*proto1 > 255) { + *parse_result = OUT_OF_RANGE; + strncpy(bad_token, prototmp1, 5); + *badtokenptr = bad_token; + } else + *badtokenptr = NULL; + + if (*proto2 != 0 && *proto1 > *proto2) { + tmp = *proto1; + *proto1 = *proto2; + *proto2 = tmp; + } +} + +int validate_ranges(char *samplestring, int *parse_result, char **badtokenptr) +{ + unsigned int proto1, proto2; + char *cptr = samplestring; + + do { + get_next_protorange(&cptr, &proto1, &proto2, + parse_result, badtokenptr); + } while (*parse_result == RANGE_OK); + + if (*parse_result != NO_MORE_TOKENS) + return 0; + + return 1; +} diff --git a/src/parseproto.h b/src/parseproto.h new file mode 100644 index 0000000..b8d5efc --- /dev/null +++ b/src/parseproto.h @@ -0,0 +1,15 @@ +#ifndef IPTRAF_NG_PARSEPROTO_H +#define IPTRAF_NG_PARSEPROTO_H + +#define RANGE_OK 0 +#define COMMA_EXPECTED 1 +#define INVALID_RANGE 2 +#define OUT_OF_RANGE 4 +#define NO_MORE_TOKENS 5 + +void get_next_protorange(char **cptr, unsigned int *proto1, + unsigned int *proto2, int *parse_result, + char **badtokenptr); +int validate_ranges(char *src, int *parse_result, char **bptr); + +#endif /* IPTRAF_NG_PARSEPROTO_H */ diff --git a/src/pktsize.c b/src/pktsize.c new file mode 100644 index 0000000..f30210f --- /dev/null 
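Review bot: get_next_token copies a token into the static 32-byte rtoken with no bound on i, so a token longer than 31 characters in the user-supplied protocol string overruns the buffer; bound the loop, e.g. `while (i < (int) sizeof(rtoken) - 1 && !isspace((unsigned char) **cptr) && **cptr != '-' && **cptr != ',' && **cptr != '\0')`. The other `isspace(**cptr)` call should take the `(unsigned char)` cast too, since a negative char is undefined for the <ctype.h> functions. In get_next_protorange the `strncpy(prototmp1, get_next_token(cptr), 5)` calls (and those for toktmp, prototmp2 and bad_token) leave the 5-byte destination unterminated for a 5-character token, after which strtoul runs into the neighbouring array; `snprintf(prototmp1, sizeof prototmp1, "%s", get_next_token(cptr))` always terminates, and truncation is harmless because any token longer than "255" is rejected anyway.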
+++ b/src/pktsize.c 
@@ -0,0 +1,344 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +pktsize.c - the packet size breakdown facility + +***/ + +#include "iptraf-ng-compat.h" + +#include "tui/winops.h" + +#include "attrs.h" +#include "dirs.h" +#include "fltdefs.h" +#include "ifaces.h" +#include "packet.h" +#include "deskman.h" +#include "error.h" +#include "pktsize.h" +#include "options.h" +#include "timer.h" +#include "log.h" +#include "logvars.h" +#include "promisc.h" + +struct ifstat_brackets { + unsigned int floor; + unsigned int ceil; + unsigned long count; +}; + +static void rotate_size_log(int s __unused) +{ + rotate_flag = 1; + strcpy(target_logname, current_logfile); + signal(SIGUSR1, rotate_size_log); +} + +static void write_size_log(struct ifstat_brackets *brackets, + unsigned long nsecs, char *ifname, unsigned int mtu, + FILE *logfile) +{ + char atime[TIME_TARGET_MAX]; + int i; + + genatime(time(NULL), atime); + fprintf(logfile, "*** Packet Size Distribution, generated %s\n\n", + atime); + fprintf(logfile, "Interface: %s MTU: %u\n\n", ifname, mtu); + fprintf(logfile, "Packet Size (bytes)\tCount\n"); + + for (i = 0; i <= 19; i++) { + fprintf(logfile, "%u to %u:\t\t%lu\n", brackets[i].floor, + brackets[i].ceil, brackets[i].count); + } + fprintf(logfile, "\nRunning time: %lu seconds\n", nsecs); + fflush(logfile); +} + +static int initialize_brackets(struct ifstat_brackets *brackets, + unsigned int *interval, int mtu, + WINDOW *win) +{ + int i; + + *interval = mtu / 20; /* There are 20 packet size brackets */ + + for (i = 0; i <= 19; i++) { + brackets[i].floor = *interval * i + 1; + brackets[i].ceil = *interval * (i + 1); + brackets[i].count = 0; + } + + brackets[19].ceil = mtu; + + for (i = 0; i <= 9; i++) { + wattrset(win, STDATTR); + wmove(win, i + 5, 2); + wprintw(win, "%4u to %4u:", brackets[i].floor, + brackets[i].ceil); + wmove(win, i + 5, 23); + wattrset(win, HIGHATTR); + 
wprintw(win, "%8lu", 0); + } + + for (i = 10; i <= 19; i++) { + wattrset(win, STDATTR); + wmove(win, (i - 10) + 5, 36); + + if (i != 19) + wprintw(win, "%4u to %4u:", brackets[i].floor, + brackets[i].ceil); + else + wprintw(win, "%4u to %4u+:", brackets[i].floor, + brackets[i].ceil); + + wmove(win, (i - 10) + 5, 57); + wattrset(win, HIGHATTR); + wprintw(win, "%8lu", 0); + } + + wattrset(win, STDATTR); + mvwprintw(win, 17, 1, + "Interface MTU is %d bytes, not counting the data-link header", + mtu); + mvwprintw(win, 18, 1, + "Maximum packet size is the MTU plus the data-link header length"); + mvwprintw(win, 19, 1, + "Packet size computations include data-link headers, if any"); + + return 0; +} + +static void update_size_distrib(unsigned int length, + struct ifstat_brackets *brackets, + unsigned int interval) +{ + unsigned int i; + + i = (length - 1) / interval; /* minus 1 to keep interval + boundary lengths within the + proper brackets */ + + if (i > 19) /* This is for extras for MTU's not */ + i = 19; /* divisible by 20 */ + + brackets[i].count++; +} + +static void print_size_distrib(struct ifstat_brackets *brackets, WINDOW *win) +{ + for (unsigned int i = 0; i <= 19; i++) { + if (i < 10) + wmove(win, i + 5, 23); + else + wmove(win, (i - 10) + 5, 57); + + wprintw(win, "%8lu", brackets[i].count); + } +} + +void packet_size_breakdown(char *ifname, time_t facilitytime) +{ + WINDOW *win; + PANEL *panel; + WINDOW *borderwin; + PANEL *borderpanel; + + struct ifstat_brackets brackets[20]; + unsigned int interval; + + int ch; + + int mtu; + + int pkt_result; + + struct timeval tv; + time_t starttime, startlog, timeint; + time_t now; + struct timeval updtime; + + int logging = options.logging; + FILE *logfile = NULL; + + int fd; + + if (!dev_up(ifname)) { + err_iface_down(); + goto err_unmark; + } + + mtu = dev_get_mtu(ifname); + if (mtu < 0) { + write_error("Unable to obtain interface MTU"); + goto err_unmark; + } + + borderwin = newwin(LINES - 2, COLS, 1, 0); + 
borderpanel = new_panel(borderwin); + + wattrset(borderwin, BOXATTR); + tx_box(borderwin, ACS_VLINE, ACS_HLINE); + mvwprintw(borderwin, 0, 1, " Packet Distribution by Size "); + + win = newwin(LINES - 4, COLS - 2, 2, 1); + panel = new_panel(win); + + tx_stdwinset(win); + wtimeout(win, -1); + wattrset(win, STDATTR); + tx_colorwin(win); + + move(LINES - 1, 1); + stdexitkeyhelp(); + + initialize_brackets(brackets, &interval, mtu, win); + + mvwprintw(win, 1, 1, "Packet size brackets for interface %s", ifname); + wattrset(win, BOXATTR); + + mvwprintw(win, 4, 1, "Packet Size (bytes)"); + mvwprintw(win, 4, 26, "Count"); + mvwprintw(win, 4, 36, "Packet Size (bytes)"); + mvwprintw(win, 4, 60, "Count"); + wattrset(win, HIGHATTR); + + if (logging) { + if (strcmp(current_logfile, "") == 0) { + snprintf(current_logfile, 80, "%s-%s.log", PKTSIZELOG, + ifname); + + if (!daemonized) + input_logfile(current_logfile, &logging); + } + } + + if (logging) { + opentlog(&logfile, current_logfile); + + if (logfile == NULL) + logging = 0; + } + if (logging) { + signal(SIGUSR1, rotate_size_log); + + rotate_flag = 0; + writelog(logging, logfile, + "******** Packet size distribution facility started ********"); + } + + exitloop = 0; + gettimeofday(&tv, NULL); + updtime = tv; + now = starttime = startlog = timeint = tv.tv_sec; + + LIST_HEAD(promisc); + if (options.promisc) { + promisc_init(&promisc, ifname); + promisc_set_list(&promisc); + } + + fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); + if(fd == -1) { + write_error("Unable to obtain monitoring socket"); + goto err; + } + if(dev_bind_ifname(fd, ifname) == -1) { + write_error("Unable to bind interface on the socket"); + goto err_close; + } + + PACKET_INIT(pkt); + + do { + gettimeofday(&tv, NULL); + now = tv.tv_sec; + + if (screen_update_needed(&tv, &updtime)) { + print_size_distrib(brackets, win); + + update_panels(); + doupdate(); + + updtime = tv; + } + if (now - timeint >= 5) { + printelapsedtime(starttime, now, LINES - 3, 1, + 
borderwin); + timeint = now; + } + if (logging) { + check_rotate_flag(&logfile); + if ((now - startlog) >= options.logspan) { + write_size_log(brackets, now - starttime, + ifname, mtu, logfile); + startlog = now; + } + } + + if ((facilitytime != 0) + && (((now - starttime) / 60) >= facilitytime)) + exitloop = 1; + + if (packet_get(fd, &pkt, &ch, win) == -1) { + write_error("Packet receive failed"); + exitloop = 1; + break; + } + + if (ch != ERR) { + switch (ch) { + case 12: + case 'l': + case 'L': + tx_refresh_screen(); + break; + case 'x': + case 'X': + case 'q': + case 'Q': + case 27: + case 24: + exitloop = 1; + } + } + + if (pkt.pkt_len <= 0) + continue; + + pkt_result = packet_process(&pkt, NULL, NULL, NULL, + MATCH_OPPOSITE_USECONFIG, 0); + + if (pkt_result != PACKET_OK) + continue; + + update_size_distrib(pkt.pkt_len, brackets, interval); + } while (!exitloop); + +err_close: + close(fd); +err: + if (logging) { + signal(SIGUSR1, SIG_DFL); + write_size_log(brackets, now - starttime, ifname, mtu, logfile); + writelog(logging, logfile, + "******** Packet size distribution facility stopped ********"); + fclose(logfile); + } + + if (options.promisc) { + promisc_restore_list(&promisc); + promisc_destroy(&promisc); + } + + del_panel(panel); + delwin(win); + del_panel(borderpanel); + delwin(borderwin); +err_unmark: + strcpy(current_logfile, ""); +} diff --git a/src/pktsize.h b/src/pktsize.h new file mode 100644 index 0000000..ad0fc9d --- /dev/null +++ b/src/pktsize.h @@ -0,0 +1,6 @@ +#ifndef IPTRAF_NG_PKTSIZE_H +#define IPTRAF_NG_PKTSIZE_H + +void packet_size_breakdown(char *iface, time_t facilitytime); + +#endif /* IPTRAF_NG_PKTSIZE_H */ diff --git a/src/promisc.c b/src/promisc.c new file mode 100644 index 0000000..ffab126 --- /dev/null +++ b/src/promisc.c 
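Review bot: `update_size_distrib` divides by `interval`, which `initialize_brackets` derives as `mtu / 20` with no lower bound, so an interface whose MTU is below 20 yields `interval == 0` and the first counted packet divides by zero; `packet_size_breakdown` only rejects a negative result from `dev_get_mtu`. Clamping in `initialize_brackets` keeps the bracket table well-defined: `*interval = mtu / 20; if (*interval == 0) *interval = 1;`. The return value of `initialize_brackets` is always 0 and is ignored by its only caller, so it could be `void` or carry the MTU check instead.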
@@ -0,0 +1,84 @@
+/* For terms of usage/redistribution/modification see the LICENSE file */
+/* For authors and contributors see the AUTHORS file */
+
+/***
+
+promisc.c - handles the promiscuous mode flag for the Ethernet/FDDI/
+ Token Ring interfaces
+
+***/
+
+#include "iptraf-ng-compat.h"
+
+#include "ifaces.h"
+#include "error.h"
+#include "promisc.h"
+
+static void promisc_add_dev(struct list_head *promisc, const char *dev_name)
+{
+ struct promisc_list *p = xmallocz(sizeof(*p));
+ strcpy(p->ifname, dev_name);
+ INIT_LIST_HEAD(&p->list);
+
+ list_add_tail(&p->list, promisc);
+}
+
+void promisc_init(struct list_head *promisc, const char *device_name)
+{
+ if (device_name) {
+ int flags = dev_promisc_flag(device_name);
+ if (flags < 0)
+ return;
+
+ promisc_add_dev(promisc, device_name);
+
+ return;
+ }
+
+ FILE *fp = open_procnetdev();
+ if (!fp)
+ die_errno("%s: open_procnetdev", __func__);
+
+ char dev_name[IFNAMSIZ];
+ while (get_next_iface(fp, dev_name, sizeof(dev_name))) {
+ if (!strcmp(dev_name, ""))
+ continue;
+
+ int flags = dev_promisc_flag(dev_name);
+ if (flags < 0)
+ continue;
+
+ promisc_add_dev(promisc, dev_name);
+ }
+
+ fclose(fp);
+}
+
+void promisc_set_list(struct list_head *promisc)
+{
+ struct promisc_list *entry = NULL;
+ list_for_each_entry(entry, promisc, list) {
+ int r = dev_set_promisc(entry->ifname);
+ if (r < 0)
+ write_error("Failed to set promiscuous mode on %s", entry->ifname);
+ }
+}
+
+void promisc_restore_list(struct list_head *promisc)
+{
+ struct promisc_list *entry = NULL;
+ list_for_each_entry(entry, promisc, list) {
+ int r = dev_clr_promisc(entry->ifname);
+ if (r < 0)
+ write_error("Failed to clear promiscuous mode on %s", entry->ifname);
+ }
+}
+
+void promisc_destroy(struct list_head *promisc)
+{
+ struct promisc_list *entry, *tmp;
+ list_for_each_entry_safe(entry, tmp, promisc, list) {
+ list_del(&entry->list);
+ free(entry);
+ }
+}
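Review bot: `promisc_add_dev` copies `dev_name` into the fixed `ifname[IFNAMSIZ]` member with an unbounded `strcpy`; the `/proc/net/dev` path passes a bounded `dev_name[IFNAMSIZ]`, but the `device_name` argument of `promisc_init` comes from the caller and its length is not checked here (whether `dev_promisc_flag` rejects over-long names is not visible in this hunk). A bounded copy, `snprintf(p->ifname, sizeof(p->ifname), "%s", dev_name);`, removes the overflow regardless of what the caller validated. Also worth a comment on `promisc_init`: when `dev_promisc_flag` fails for the named device the function returns without adding an entry or reporting anything, so the later `promisc_set_list` silently does nothing for that interface.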
diff --git a/src/promisc.h b/src/promisc.h
new file mode 100644
index 0000000..79587dc
--- /dev/null
+++ b/src/promisc.h
@@ -0,0 +1,17 @@
+#ifndef IPTRAF_NG_PROMISC_H
+#define IPTRAF_NG_PROMISC_H
+
+#include "list.h"
+
+struct promisc_list {
+ struct list_head list;
+ char ifname[IFNAMSIZ];
+};
+
+void promisc_init(struct list_head *promisc, const char *device_name);
+void promisc_destroy(struct list_head *promisc);
+
+void promisc_set_list(struct list_head *promisc);
+void promisc_restore_list(struct list_head *promisc);
+
+#endif /* IPTRAF_NG_PROMISC_H */
diff --git a/src/rate.c b/src/rate.c
new file mode 100644
index 0000000..7b08852
--- /dev/null
+++ b/src/rate.c
@@ -0,0 +1,131 @@
+/* For terms of usage/redistribution/modification see the LICENSE file */
+/* For authors and contributors see the AUTHORS file */
+
+#include "iptraf-ng-compat.h"
+#include "options.h"
+#include "rate.h"
+
+void rate_init(struct rate *rate)
+{
+ if (!rate)
+ return;
+
+ rate->index = 0;
+ rate->sma = 0;
+ memset(rate->rates, 0, rate->n * sizeof(rate->rates[0]));
+}
+
+void rate_alloc(struct rate *rate, unsigned int n)
+{
+ if (!rate)
+ return;
+
+ rate->n = n;
+ rate->rates = xmalloc(n * sizeof(rate->rates[0]));
+
+ rate_init(rate);
+}
+
+void rate_destroy(struct rate *rate)
+{
+ if (!rate)
+ return;
+
+ rate->n = 0;
+ if (!rate->rates)
+ return;
+
+ free(rate->rates);
+ rate->rates = NULL;
+}
+
+void rate_add_rate(struct rate *rate, unsigned long bytes,
+ unsigned long msecs)
+{
+ if (!rate)
+ return;
+
+ rate->rates[rate->index] = bytes * 1000ULL / msecs;
+
+ if ((rate->index + 1) >= rate->n)
+ rate->index = 0;
+ else
+ rate->index++;
+
+ /* compute the moving average */
+ unsigned long long sum = 0;
+ for(unsigned int i = 0; i < rate->n; i++)
+ sum += rate->rates[i];
+ rate->sma = sum / rate->n;
+}
+
+unsigned long rate_get_average(struct rate *rate)
+{
+ if (rate)
+ return rate->sma;
+ else
+ return 0UL;
+}
+
+int rate_print(unsigned long rate, char *buf, unsigned n)
+{
+ char *suffix[] = { "k", "M", "G", "T", "P", "E", "Z", "Y" };
+ unsigned n_suffix = ARRAY_SIZE(suffix);
+
+ int chars;
+
+ if (options.actmode == KBITS) {
+ unsigned long tmp = rate;
+ unsigned int i = 0;
+ unsigned long divider = 1000;
+
+ rate *= 8;
+ while(tmp >= 100000000) {
+ tmp /= 1000;
+ i++;
+ divider *= 1000;
+ }
+ if (i >= n_suffix)
+ chars = snprintf(buf, n, "error");
+ else
+ chars = snprintf(buf, n, "%9.2f %sbps", (double)rate / divider, suffix[i]);
+ } else {
+ unsigned int i = 0;
+
+ while(rate > 99 * (1UL << 20)) {
+ rate >>= 10;
+ i++;
+ }
+ if (i >= n_suffix)
+ chars = snprintf(buf, n, "error");
+ else
+ chars = snprintf(buf, n, "%9.2f %sBps", (double)rate 
/ 1024, suffix[i]); + } + buf[n - 1] = '\0'; + + return chars; +} + +int rate_print_no_units(unsigned long rate, char *buf, unsigned n) +{ + int chars; + + if (options.actmode == KBITS) { + chars = snprintf(buf, n, "%8.1f", (double)rate * 8 / 1000); + } else { + chars = snprintf(buf, n, "%8.1f", (double)rate / 1024); + } + buf[n - 1] = '\0'; + + return chars; +} + +int rate_print_pps(unsigned long rate, char *buf, unsigned n) +{ + int chars; + + chars = snprintf(buf, n, "%9lu pps", rate); + buf[n - 1] = '\0'; + + return chars; +} diff --git a/src/rate.h b/src/rate.h new file mode 100644 index 0000000..871d8e5 --- /dev/null +++ b/src/rate.h @@ -0,0 +1,36 @@ +#ifndef IPTRAF_NG_RATE_H +#define IPTRAF_NG_RATE_H + +#include <sys/time.h> + +/* SMA = Simple Moving Average */ + +/* + * SMA = (p(M) + p(M-1) + ... + p(M-n-1)) / n + * + * or + * + * SMA = last_SMA - (p(M-n) / n) + (p(M) / n) + * + * I choose the first one because there is smaller rounding + * error when using integer divide. + */ + +struct rate { + unsigned int n; /* number of elements */ + unsigned int index; /* index into the values array */ + unsigned long long *rates; /* units are: bytes per second */ + unsigned long sma; /* simple moving average */ +}; + +void rate_init(struct rate *rate); +void rate_alloc(struct rate *rate, unsigned int n); +void rate_destroy(struct rate *rate); +void rate_add_rate(struct rate *rate, unsigned long bytes, + unsigned long msecs); +unsigned long rate_get_average(struct rate *rate); +int rate_print(unsigned long rate, char *buf, unsigned n); +int rate_print_no_units(unsigned long rate, char *buf, unsigned n); +int rate_print_pps(unsigned long rate, char *buf, unsigned n); + +#endif /* IPTRAF_NG_RATE_H */ diff --git a/src/revname.c b/src/revname.c new file mode 100644 index 0000000..8188789 --- /dev/null +++ b/src/revname.c 
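Review bot: `rate_add_rate` divides by `msecs` and indexes `rate->rates` without checking `rate->n`, so a zero elapsed interval from the caller, or a `struct rate` that was `rate_alloc`'d with `n == 0`, divides by zero or writes outside the array; whether callers can ever pass `msecs == 0` is not visible in this hunk. A guard at the top, `if (!rate || rate->n == 0 || !rate->rates || msecs == 0) return;`, drops the sample instead of crashing. In `rate_print`, `buf[n - 1] = '\0'` is executed even when `n` is 0, and for `n > 0` `snprintf` has already terminated the string, so the line is either an out-of-bounds write or redundant; the same line appears in `rate_print_no_units` and `rate_print_pps`. `suffix` would also be better declared `static const char *const suffix[]` since it is never modified.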
@@ -0,0 +1,207 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +revname.c - reverse DNS resolution module for IPTraf. As of IPTraf 1.1, +this module now communicates with the rvnamed process to resolve in the +background while allowing the foreground process to continue with the +interim IP addresses in the meantime. + +***/ + +#include "iptraf-ng-compat.h" + +#include "deskman.h" +#include "getpath.h" +#include "revname.h" +#include "rvnamed.h" +#include "sockaddr.h" + +char revname_socket[80]; + +static char *gen_unix_sockname(void) +{ + static char scratch[80]; + + srandom(time(NULL)); + snprintf(scratch, 80, "%s-%lu%d%ld", SOCKET_PREFIX, time(NULL), + getpid(), random()); + + return scratch; +} + +int rvnamedactive(void) +{ + int fd; + fd_set sockset; + struct rvn rpkt; + struct sockaddr_un su; + int sstat; + struct timeval tv; + socklen_t fr; + int br; + char unix_socket[80]; + + strncpy(unix_socket, get_path(T_WORKDIR, gen_unix_sockname()), 80); + unlink(unix_socket); + + fd = socket(PF_UNIX, SOCK_DGRAM, 0); + su.sun_family = AF_UNIX; + strcpy(su.sun_path, unix_socket); + bind(fd, (struct sockaddr *) &su, + sizeof(su.sun_family) + strlen(su.sun_path)); + + su.sun_family = AF_UNIX; + strcpy(su.sun_path, IPTSOCKNAME); + + rpkt.type = RVN_HELLO; + + sendto(fd, &rpkt, sizeof(struct rvn), 0, (struct sockaddr *) &su, + sizeof(su.sun_family) + strlen(su.sun_path)); + + tv.tv_sec = 1; + tv.tv_usec = 0; + + FD_ZERO(&sockset); + FD_SET(fd, &sockset); + + do { + sstat = select(fd + 1, &sockset, NULL, NULL, &tv); + } while ((sstat < 0) && (errno != ENOMEM) && (errno == EINTR)); + + if (sstat == 1) { + fr = sizeof(su.sun_family) + strlen(su.sun_path); + do { + br = recvfrom(fd, &rpkt, sizeof(struct rvn), 0, + (struct sockaddr *) &su, &fr); + } while ((br < 0) && (errno == EINTR)); + + if (br < 0) + printipcerr(); + } + + close(fd); + unlink(unix_socket); + + if (sstat == 0) + 
return 0; + else + return 1; +} + +/* + * Terminate rvnamed process + */ + +void killrvnamed(void) +{ + int fd; + struct sockaddr_un su; + struct rvn rvnpkt; + + fd = socket(PF_UNIX, SOCK_DGRAM, 0); + su.sun_family = AF_UNIX; + strcpy(su.sun_path, IPTSOCKNAME); + + rvnpkt.type = RVN_QUIT; + + sendto(fd, &rvnpkt, sizeof(struct rvn), 0, (struct sockaddr *) &su, + sizeof(su.sun_family) + strlen(su.sun_path)); + + close(fd); +} + +void open_rvn_socket(int *fd) +{ + struct sockaddr_un su; + + strncpy(revname_socket, get_path(T_WORKDIR, gen_unix_sockname()), 80); + unlink(revname_socket); + + *fd = socket(PF_UNIX, SOCK_DGRAM, 0); + su.sun_family = AF_UNIX; + strcpy(su.sun_path, revname_socket); + bind(*fd, (struct sockaddr *) &su, + sizeof(su.sun_family) + strlen(su.sun_path)); +} + +void close_rvn_socket(int fd) +{ + if (fd > 0) { + close(fd); + unlink(revname_socket); + } +} + +int revname(int *lookup, struct sockaddr_storage *addr, + char *target, size_t target_size, int rvnfd) +{ + struct rvn rpkt; + int br; + struct sockaddr_un su; + socklen_t fl; + fd_set sockset; + struct timeval tv; + int sstat = 0; + + memset(target, 0, target_size); + if (*lookup) { + if (rvnfd > 0) { + su.sun_family = AF_UNIX; + strcpy(su.sun_path, IPTSOCKNAME); + + rpkt.type = RVN_REQUEST; + sockaddr_copy(&rpkt.addr, addr); + + sendto(rvnfd, &rpkt, sizeof(struct rvn), 0, + (struct sockaddr *) &su, + sizeof(su.sun_family) + strlen(su.sun_path)); + + fl = sizeof(su.sun_family) + strlen(su.sun_path); + do { + tv.tv_sec = 10; + tv.tv_usec = 0; + + FD_ZERO(&sockset); + FD_SET(rvnfd, &sockset); + + do { + sstat = + select(rvnfd + 1, &sockset, NULL, + NULL, &tv); + } while ((sstat < 0) && (errno == EINTR)); + + if (FD_ISSET(rvnfd, &sockset)) + br = recvfrom(rvnfd, &rpkt, + sizeof(struct rvn), 0, + (struct sockaddr *) &su, + &fl); + else + br = -1; + } while ((br < 0) && (errno == EINTR)); + + if (br < 0) { + sockaddr_ntop(addr, target, target_size); + printipcerr(); + *lookup = 0; + return RESOLVED; 
+ } + strncpy(target, rpkt.fqdn, target_size - 1); + return (rpkt.ready); + } else { + struct hostent *he = sockaddr_gethostbyaddr(addr); + if (he == NULL) { + sockaddr_ntop(addr, target, target_size); + } else { + strncpy(target, he->h_name, target_size - 1); + } + + return RESOLVED; + } + } else { + sockaddr_ntop(addr, target, target_size); + return RESOLVED; + } + return NOTRESOLVED; +} diff --git a/src/revname.h b/src/revname.h new file mode 100644 index 0000000..847d832 --- /dev/null +++ b/src/revname.h @@ -0,0 +1,18 @@ +#ifndef IPTRAF_NG_REVNAME_H +#define IPTRAF_NG_REVNAME_H + +/*** + +revname.h - public declarations related to reverse name resolution + +***/ + +int rvnamedactive(void); +void killrvnamed(void); +void open_rvn_socket(int *fd); +void close_rvn_socket(int fd); + +int revname(int *lookup, struct sockaddr_storage *addr, + char *target, size_t target_size, int rvnfd); + +#endif /* IPTRAF_NG_REVNAME_H */ diff --git a/src/rvnamed-ng.8 b/src/rvnamed-ng.8 new file mode 100644 index 0000000..1208b65 --- /dev/null +++ b/src/rvnamed-ng.8 @@ -0,0 +1,26 @@ +.TH RVNAMED 8 "rvnamed Help Page" +.SH NAME +rvnamed \- reverse name resolution daemon for +.BR iptraf (8) + +.SH DESCRIPTION +.B rvnamed +is a supplementary program distributed with iptraf. This is a reverse name resolution daemon used by iptraf to resolve IP addresses to host names in the background, keeping iptraf from waiting until the lookup is completed. +.PP + +This program is only used by iptraf and, therefore, is useless alone. + +.SH FILES + /var/log/iptraf/rvnamed.log - log file + +.SH SEE ALSO +README.rvnamed - documentation from the author +.br + +.SH AUTHOR +Gerard Paul Java (riker@mozcom.com) + +.SH MANUAL AUTHOR +Frederic Peters (fpeters@debian.org), using README.rvnamed +General manual page modifications bu Gerard Paul Java (riker@mozcom.com) + diff --git a/src/rvnamed.c b/src/rvnamed.c new file mode 100644 index 0000000..2ad1fd4 --- /dev/null +++ b/src/rvnamed.c 
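Review bot: `open_rvn_socket` ignores the results of `socket` and `bind`: a failed `bind` leaves `*fd` as a valid but unbound datagram socket, `revname` then treats `rvnfd > 0` as usable, sends each request and waits out the full 10-second `select` timeout for a reply that cannot be delivered, so one stale or unwritable socket path turns every lookup into a 10-second stall. Closing the descriptor and handing back `-1` on failure makes `revname` take its synchronous `sockaddr_gethostbyaddr` branch instead, and `rvnamedactive` has the same unchecked `socket`/`bind` pair earlier in this hunk. Separately, `strncpy(revname_socket, ..., 80)` does not guarantee termination when the generated path fills the buffer; `snprintf(revname_socket, sizeof(revname_socket), "%s", get_path(T_WORKDIR, gen_unix_sockname()));` does.
```c
void open_rvn_socket(int *fd)
{
	struct sockaddr_un su;

	/* … unchanged: socket name generation and unlink … */

	*fd = socket(PF_UNIX, SOCK_DGRAM, 0);
	if (*fd < 0)
		return;
	su.sun_family = AF_UNIX;
	strcpy(su.sun_path, revname_socket);
	if (bind(*fd, (struct sockaddr *) &su,
		 sizeof(su.sun_family) + strlen(su.sun_path)) < 0) {
		close(*fd);
		*fd = -1;
	}
}
```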
@@ -0,0 +1,478 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +rvnamed - reverse DNS lookup daemon for the IPTraf network + statistics utility. + +Version 2.6.1 Parallel with IPTraf 2.6 + +Written by Gerard Paul Java +Copyright (c) Gerard Paul Java 1998-2001 + +rvnamed is a daemon designed to do reverse DNS lookups, but return the +IP address immediately while the lookup goes on in the background. +A process requesting the lookup issues a request, and will immediately +get a reply with the IP address. Meanwhile, rvnamed will fork and do +the lookup. The requesting process simply needs to reissue the request +until a full domain name is returned. + +This program is designed to be used by the IPTraf program to minimize +blocking and allow smoother keyboard control and packet counting when +reverse DNS lookups are enabled. + +rvnamed and IPTraf communicate with each other using the BSD UNIX domain +socket protocol. 
+ +***/ + +#include <stdio.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <errno.h> +#include <unistd.h> +#include <stdlib.h> +#include <sys/un.h> +#include <time.h> +#include <netdb.h> +#include <string.h> +#include <signal.h> +#include <sys/wait.h> +#include "rvnamed.h" +#include "dirs.h" +#include "sockaddr.h" + +#define NUM_CACHE_ENTRIES 2048 +#define TIME_TARGET_MAX 30 + +#define __unused __attribute__((unused)) + +struct hosts { + struct sockaddr_storage addr; + char fqdn[45]; + int ready; +}; + +static int fork_count = 0; +static int max_fork_count = 0; + +/* + * This is the classic zombie-preventer + */ + +static void childreap(int s __unused) +{ + signal(SIGCHLD, childreap); + + while (waitpid(-1, NULL, WNOHANG) > 0) + fork_count--; +} + +static void auto_terminate(int s __unused) +{ + exit(2); +} + +/* + * Process reverse DNS request from the client + */ + +static void process_rvn_packet(struct rvn *rvnpacket) +{ + int ccfd; + struct sockaddr_un ccsa; + + struct hostent *he; + + ccfd = socket(PF_UNIX, SOCK_DGRAM, 0); + + he = sockaddr_gethostbyaddr(&rvnpacket->addr); + if (he == NULL) { + sockaddr_ntop(&rvnpacket->addr, rvnpacket->fqdn, + sizeof(rvnpacket->fqdn)); + } else { + memset(rvnpacket->fqdn, 0, sizeof(rvnpacket->fqdn)); + strncpy(rvnpacket->fqdn, he->h_name, + sizeof(rvnpacket->fqdn) - 1); + } + + ccsa.sun_family = AF_UNIX; + strcpy(ccsa.sun_path, CHILDSOCKNAME); + + sendto(ccfd, rvnpacket, sizeof(struct rvn), 0, + (struct sockaddr *) &ccsa, + sizeof(ccsa.sun_family) + strlen(ccsa.sun_path)); + close(ccfd); +} + +/* + * Check if name is already resolved and in the cache. 
+ */ + +static int name_resolved(struct rvn *rvnpacket, struct hosts *hostlist, + unsigned int lastfree) +{ + for (unsigned int i = 0; i != lastfree; i++) + if ((hostlist[i].ready == RESOLVED) + && sockaddr_is_equal(&rvnpacket->addr, &hostlist[i].addr)) + return i; + + return -1; +} + +/* + * Return the resolution status (NOTRESOLVED, RESOLVING, RESOLVED) of + * the given IP address + */ + +static int addrstat(struct rvn *rvnpacket, struct hosts *hostlist, + unsigned int lastfree) +{ + for (unsigned int i = 0; i != lastfree; i++) + if (sockaddr_is_equal(&rvnpacket->addr, &hostlist[i].addr)) + return hostlist[i].ready; + + return NOTRESOLVED; +} + +static void writervnlog(FILE * fd, char *msg) +{ + time_t now; + char atime[TIME_TARGET_MAX] = ""; + + now = time(NULL); + + strcpy(atime, ctime(&now)); + atime[strlen(atime) - 1] = '\0'; + + fprintf(fd, "%s: %s\n", atime, msg); +} + +int main(void) +{ + int cfd; + int ifd; + + struct hosts hostlist[NUM_CACHE_ENTRIES]; + char logmsg[160]; + + unsigned int hostindex = 0; + unsigned int lastfree = 0; + unsigned int hi = 0; + int readyidx = 0; + int fr = 0; + int maxlogged = 0; + + struct rvn rvnpacket; + + int br; + + int ss = 0; + + fd_set sockset; + + struct sockaddr_un csa, isa; /* child and iptraf comm sockets */ + struct sockaddr_un fromaddr; + socklen_t fromlen; + + FILE *logfile; + + /* Daemonization Sequence */ + + switch (fork()) { + case -1: + exit(1); + case 0: + break; + default: + exit(0); + } + + setsid(); + int i = chdir("/"); + + (void) i; + + signal(SIGCHLD, childreap); + + logfile = fopen(RVNDLOGFILE, "a"); + + if (logfile == NULL) + logfile = fopen("/dev/null", "a"); + + writervnlog(logfile, "******** rvnamed started ********"); + writervnlog(logfile, "Clearing socket names"); + + /* + * Get rid of any residue socket names in case of a previous + * abormal termination of rvnamed. 
+ */ + + unlink(CHILDSOCKNAME); + unlink(IPTSOCKNAME); + + writervnlog(logfile, "Opening sockets"); + csa.sun_family = AF_UNIX; + strcpy(csa.sun_path, CHILDSOCKNAME); + + isa.sun_family = AF_UNIX; + strcpy(isa.sun_path, IPTSOCKNAME); + + cfd = socket(PF_UNIX, SOCK_DGRAM, 0); + + if (cfd < 0) { + writervnlog(logfile, + "Unable to open child communication socket, aborting"); + exit(1); + } + if (bind + (cfd, (struct sockaddr *) &csa, + sizeof(csa.sun_family) + strlen(csa.sun_path)) < 0) { + writervnlog(logfile, + "Error binding child communication socket, aborting"); + exit(1); + } + ifd = socket(PF_UNIX, SOCK_DGRAM, 0); + + if (ifd < 0) { + writervnlog(logfile, + "Unable to open client communication socket, aborting"); + exit(1); + } + if (bind + (ifd, (struct sockaddr *) &isa, + sizeof(isa.sun_family) + strlen(isa.sun_path)) < 0) { + writervnlog(logfile, + "Error binding client communication socket, aborting"); + exit(1); + } + while (1) { + FD_ZERO(&sockset); + FD_SET(cfd, &sockset); + FD_SET(ifd, &sockset); + + do { + ss = select(ifd + 1, &sockset, NULL, NULL, NULL); + } while ((ss < 0) && (errno != ENOMEM)); + + if (errno == ENOMEM) { + writervnlog(logfile, + "Fatal error: no memory for descriptor monitoring"); + close(ifd); + close(cfd); + fclose(logfile); + exit(1); + } + /* + * Code to process packets coming from the forked child. 
+ */ + + if (FD_ISSET(cfd, &sockset)) { + fromlen = + sizeof(fromaddr.sun_family) + + strlen(fromaddr.sun_path); + br = recvfrom(cfd, &rvnpacket, sizeof(struct rvn), 0, + (struct sockaddr *) &fromaddr, &fromlen); + + if (br > 0) { + hi = 0; + + while (hi <= lastfree) { + if (sockaddr_is_equal(&hostlist[hi].addr, &rvnpacket.addr)) + break; + hi++; + } + + if (hi == lastfree) { /* Address not in cache */ + memset(&(hostlist[hi]), 0, + sizeof(struct hosts)); + hi = hostindex; + hostindex++; + if (hostindex == NUM_CACHE_ENTRIES) + hostindex = 0; + + sockaddr_copy(&hostlist[hi].addr, &rvnpacket.addr); + } + strncpy(hostlist[hi].fqdn, rvnpacket.fqdn, sizeof(hostlist[hi].fqdn) - 1); + + hostlist[hi].ready = RESOLVED; + } + } + /* + * This code section processes packets received from the IPTraf + * program. + */ + + if (FD_ISSET(ifd, &sockset)) { + fromlen = sizeof(struct sockaddr_un); + br = recvfrom(ifd, &rvnpacket, sizeof(struct rvn), 0, + (struct sockaddr *) &fromaddr, &fromlen); + if (br > 0) { + switch (rvnpacket.type) { + case RVN_HELLO: + sendto(ifd, &rvnpacket, + sizeof(struct rvn), 0, + (struct sockaddr *) + &fromaddr, + sizeof(fromaddr.sun_family) + + strlen(fromaddr.sun_path)); + break; + case RVN_QUIT: + writervnlog(logfile, + "Received quit instruction"); + writervnlog(logfile, "Closing sockets"); + close(ifd); + close(cfd); + writervnlog(logfile, + "Clearing socket names"); + unlink(IPTSOCKNAME); + unlink(CHILDSOCKNAME); + sprintf(logmsg, + "rvnamed terminating: max processes spawned: %d", + max_fork_count); + writervnlog(logfile, logmsg); + writervnlog(logfile, + "******** rvnamed terminated ********"); + fclose(logfile); + exit(0); + case RVN_REQUEST: + readyidx = + name_resolved(&rvnpacket, hostlist, + lastfree); + if (readyidx >= 0) { + rvnpacket.type = RVN_REPLY; + memset(rvnpacket.fqdn, 0, sizeof(rvnpacket.fqdn)); + strncpy(rvnpacket.fqdn, + hostlist[readyidx].fqdn, + sizeof(rvnpacket.fqdn)-1); + rvnpacket.ready = RESOLVED; + + br = sendto(ifd, 
&rvnpacket, + sizeof(struct rvn), + 0, + (struct sockaddr *) + &fromaddr, + sizeof(fromaddr. + sun_family) + + + strlen(fromaddr. + sun_path)); + } else { + + /* + * Add this IP address to the cache if this is a + * new one. + */ + + if (addrstat + (&rvnpacket, hostlist, + lastfree) == NOTRESOLVED) { + fflush(logfile); /* flush all data prior */ + /* to fork() */ + + if (fork_count <= + MAX_RVNAMED_CHILDREN) + { + /* + * If we can still fork(), we add the data + * to the cache array, but we don't update + * the indexes until after the fork() + * succeeds. If the fork() fails, we'll + * just reuse this slot for the next query. + * + * This is so that if the fork() fails due + * to a temporary condition, rvnamed won't + * think it's RESOLVING while there isn't + * any actual child doing the resolution + * before the entry expires. + * + * However, we'll still tell IPTraf that the + * address is RESOLVING. + * + */ + sockaddr_copy(&hostlist[hostindex].addr, &rvnpacket.addr); + hostlist[hostindex].ready = RESOLVING; + + maxlogged = 0; + fr = fork(); + } else { + fr = -1; + if (!maxlogged) + writervnlog + (logfile, + "Maximum child process limit reached"); + maxlogged = 1; + } + + switch (fr) { + case 0: /* spawned child */ + fclose(logfile); /* no logging in child */ + close(ifd); /* no comm with client */ + + /* + * Set auto-terminate timeout + */ + signal(SIGALRM, + auto_terminate); + alarm(300); + process_rvn_packet + (&rvnpacket); + exit(0); + case -1: + if (!maxlogged) + writervnlog + (logfile, + "Error on fork, returning IP address"); + break; + default: /* parent */ + if (fork_count > + max_fork_count) + max_fork_count + = + fork_count; + + /* + * Increase cache indexes only if fork() + * succeeded, otherwise the previously + * allocated slots will be used for the + * next query. 
+ */ + + hostindex++; + + if (hostindex == + NUM_CACHE_ENTRIES) + hostindex + = 0; + + if (lastfree < + NUM_CACHE_ENTRIES) + lastfree++; + + fork_count++; + break; + } + } + rvnpacket.type = RVN_REPLY; + sockaddr_ntop(&rvnpacket.addr, rvnpacket.fqdn, sizeof(rvnpacket.fqdn)); + rvnpacket.ready = RESOLVING; + + br = sendto(ifd, &rvnpacket, + sizeof(struct rvn), + 0, + (struct sockaddr *) + &fromaddr, + sizeof(fromaddr. + sun_family) + + + strlen(fromaddr. + sun_path)); + + } + } + } + } /* end block for packets from IPTraf */ + } +} diff --git a/src/rvnamed.h b/src/rvnamed.h new file mode 100644 index 0000000..6155493 --- /dev/null +++ b/src/rvnamed.h @@ -0,0 +1,31 @@ +#ifndef IPTRAF_NG_RVNAMED_H +#define IPTRAF_NG_RVNAMED_H + +#include <netinet/in.h> +#include <arpa/inet.h> + +#define CHILDSOCKNAME "/dev/rvndcldcomsk" +#define PARENTSOCKNAME "/dev/rvndpntcomsk" +#define IPTSOCKNAME "/dev/rvndiptcomsk" + +#define SOCKET_PREFIX "isock" + +#define NOTRESOLVED 0 +#define RESOLVING 1 +#define RESOLVED 2 + +#define RVN_HELLO 0 +#define RVN_REQUEST 1 +#define RVN_REPLY 2 +#define RVN_QUIT 3 + +#define MAX_RVNAMED_CHILDREN 200 + +struct rvn { + int type; + int ready; + struct sockaddr_storage addr; + char fqdn[45]; +}; + +#endif /* IPTRAF_NG_RVNAMED_H */ diff --git a/src/serv.c b/src/serv.c new file mode 100644 index 0000000..a41d627 --- /dev/null +++ b/src/serv.c 
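Review bot: The reply handler for `cfd` in `main` scans `hostlist` with `while (hi <= lastfree)`, and `lastfree` is allowed to reach `NUM_CACHE_ENTRIES`, so when the address is not found the loop compares against the never-initialised entry at index `lastfree` (one past the array once `lastfree == NUM_CACHE_ENTRIES`) and exits with `hi == lastfree + 1`; the `hi == lastfree` test then fails and the `strncpy` into `hostlist[hi].fqdn` writes past the live entries, past the end of the stack array in the full-cache case. Changing the loop to `while (hi < lastfree) {` makes the not-found case land on `hi == lastfree`, which is the branch that inserts the new entry. `hostlist` itself is also never zeroed, so `memset`ing it once at the top of `main` would make the comparisons deterministic. Separately, nothing ties a datagram on `cfd` to a child this daemon forked, so the cache is populated from whatever reaches `CHILDSOCKNAME`; a comment above the `FD_ISSET(cfd, ...)` block stating that the socket files must be created with restrictive permissions (a `umask` before `bind`) would document that trust boundary.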
@@ -0,0 +1,1377 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +serv.c - TCP/UDP port statistics module + +***/ + +#include "iptraf-ng-compat.h" + +#include "tui/input.h" +#include "tui/labels.h" +#include "tui/listbox.h" +#include "tui/msgboxes.h" + +#include "dirs.h" +#include "deskman.h" +#include "fltdefs.h" +#include "packet.h" +#include "ipfrag.h" +#include "ifaces.h" +#include "attrs.h" +#include "serv.h" +#include "servname.h" +#include "log.h" +#include "timer.h" +#include "promisc.h" +#include "options.h" +#include "packet.h" +#include "logvars.h" +#include "error.h" +#include "counters.h" +#include "rate.h" + +#define SCROLLUP 0 +#define SCROLLDOWN 1 + +#define LEFT 0 +#define RIGHT 1 + +struct serv_spans { + int spanbr_in; + int spanbr_out; + int spanbr; +}; + +struct portlistent { + in_port_t port; + unsigned int protocol; + char servname[11]; + unsigned int idx; + struct proto_counter serv_count; + struct proto_counter span; + + struct timeval starttime; + struct timeval proto_starttime; + + struct rate rate; + struct rate rate_in; + struct rate rate_out; + + struct portlistent *prev_entry; + struct portlistent *next_entry; +}; + +struct portlist { + struct portlistent *head; + struct portlistent *tail; + struct portlistent *firstvisible; + struct portlistent *lastvisible; + struct portlistent *barptr; + unsigned imaxy; + unsigned int baridx; + unsigned int count; + unsigned long bcount; + WINDOW *win; + PANEL *panel; + WINDOW *borderwin; + PANEL *borderpanel; +}; + +/* + * SIGUSR1 logfile rotation signal handler + */ + +static void rotate_serv_log(int s __unused) +{ + rotate_flag = 1; + strcpy(target_logname, current_logfile); + signal(SIGUSR1, rotate_serv_log); +} + +static void writeutslog(struct portlistent *list, unsigned long nsecs, FILE *fd) +{ + char atime[TIME_TARGET_MAX]; + struct portlistent *ptmp = list; + struct timeval now; + + 
gettimeofday(&now, NULL); + + genatime(time(NULL), atime); + + fprintf(fd, "\n*** TCP/UDP traffic log, generated %s\n\n", atime); + + while (ptmp != NULL) { + unsigned long secs = timeval_diff_msec(&now, &ptmp->proto_starttime) / 1000UL; + char bps_string[64]; + + if (ptmp->protocol == IPPROTO_TCP) + fprintf(fd, "TCP/%s: ", ptmp->servname); + else + fprintf(fd, "UDP/%s: ", ptmp->servname); + + fprintf(fd, "%llu packets, %llu bytes total", + ptmp->serv_count.proto_total.pc_packets, + ptmp->serv_count.proto_total.pc_bytes); + + rate_print(ptmp->serv_count.proto_total.pc_bytes / secs, + bps_string, sizeof(bps_string)); + fprintf(fd, ", %s", bps_string); + + fprintf(fd, "; %llu packets, %llu bytes incoming", + ptmp->serv_count.proto_in.pc_packets, + ptmp->serv_count.proto_in.pc_bytes); + + rate_print(ptmp->serv_count.proto_in.pc_bytes / secs, + bps_string, sizeof(bps_string)); + fprintf(fd, ", %s", bps_string); + + fprintf(fd, "; %llu packets, %llu bytes outgoing", + ptmp->serv_count.proto_out.pc_packets, + ptmp->serv_count.proto_out.pc_bytes); + + rate_print(ptmp->serv_count.proto_out.pc_bytes / secs, + bps_string, sizeof(bps_string)); + fprintf(fd, ", %s", bps_string); + + fprintf(fd, "\n\n"); + ptmp = ptmp->next_entry; + } + + fprintf(fd, "\nRunning time: %lu seconds\n", nsecs); + fflush(fd); +} + +static void initportlist(struct portlist *list) +{ + float screen_scale = ((float) COLS / 80 + 1) / 2; + int scratchx __unused; + + list->head = list->tail = list->barptr = NULL; + list->firstvisible = list->lastvisible = NULL; + list->count = 0; + list->baridx = 0; + + list->borderwin = newwin(LINES - 3, COLS, 1, 0); + list->borderpanel = new_panel(list->borderwin); + wattrset(list->borderwin, BOXATTR); + tx_box(list->borderwin, ACS_VLINE, ACS_HLINE); + + wmove(list->borderwin, 0, 1 * screen_scale); + wprintw(list->borderwin, " Proto/Port "); + wmove(list->borderwin, 0, 22 * screen_scale); + wprintw(list->borderwin, " Pkts "); + wmove(list->borderwin, 0, 31 * 
screen_scale); + wprintw(list->borderwin, " Bytes "); + wmove(list->borderwin, 0, 40 * screen_scale); + wprintw(list->borderwin, " PktsTo "); + wmove(list->borderwin, 0, 49 * screen_scale); + wprintw(list->borderwin, " BytesTo "); + wmove(list->borderwin, 0, 58 * screen_scale); + wprintw(list->borderwin, " PktsFrom "); + wmove(list->borderwin, 0, 67 * screen_scale); + wprintw(list->borderwin, " BytesFrom "); + + list->win = newwin(LINES - 5, COLS - 2, 2, 1); + list->panel = new_panel(list->win); + getmaxyx(list->win, list->imaxy, scratchx); + + tx_stdwinset(list->win); + wtimeout(list->win, -1); + wattrset(list->win, STDATTR); + tx_colorwin(list->win); + update_panels(); + doupdate(); +} + +static struct portlistent *addtoportlist(struct portlist *list, + unsigned int protocol, + in_port_t port) +{ + struct portlistent *ptemp; + + ptemp = xmalloc(sizeof(struct portlistent)); + if (list->head == NULL) { + ptemp->prev_entry = NULL; + list->head = ptemp; + list->firstvisible = ptemp; + } + + if (list->tail != NULL) { + list->tail->next_entry = ptemp; + ptemp->prev_entry = list->tail; + } + list->tail = ptemp; + ptemp->next_entry = NULL; + + ptemp->protocol = protocol; + ptemp->port = port; /* This is used in checks later. 
*/ + rate_alloc(&ptemp->rate, 5); + rate_alloc(&ptemp->rate_in, 5); + rate_alloc(&ptemp->rate_out, 5); + + /* + * Obtain appropriate service name + */ + + servlook(port, protocol, ptemp->servname, 10); + + memset(&ptemp->serv_count, 0, sizeof(ptemp->serv_count)); + + list->count++; + ptemp->idx = list->count; + + gettimeofday(&ptemp->proto_starttime, NULL); + + if (list->count <= (unsigned) LINES - 5) + list->lastvisible = ptemp; + + wmove(list->borderwin, LINES - 4, 1); + wprintw(list->borderwin, " %u entries ", list->count); + + return ptemp; +} + +static int portinlist(struct porttab *table, in_port_t port) +{ + struct porttab *ptmp = table; + + while (ptmp != NULL) { + if (((ptmp->port_max == 0) && (ptmp->port_min == port)) + || ((port >= ptmp->port_min) && (port <= ptmp->port_max))) + return 1; + + ptmp = ptmp->next_entry; + } + + return 0; +} + +static int goodport(in_port_t port, struct porttab *table) +{ + return ((port < 1024) || (portinlist(table, port))); +} + +static struct portlistent *inportlist(struct portlist *list, + unsigned int protocol, in_port_t port) +{ + struct portlistent *ptmp = list->head; + + while (ptmp != NULL) { + if ((ptmp->port == port) && (ptmp->protocol == protocol)) + return ptmp; + + ptmp = ptmp->next_entry; + } + + return NULL; +} + +static void printportent(struct portlist *list, struct portlistent *entry, + unsigned int idx) +{ + unsigned int target_row; + float screen_scale = ((float) COLS / 80 + 1) / 2; + int tcplabelattr; + int udplabelattr; + int highattr; + char sp_buf[10]; + + if ((entry->idx < idx) || (entry->idx > idx + (LINES - 6))) + return; + + target_row = entry->idx - idx; + + if (entry == list->barptr) { + tcplabelattr = BARSTDATTR; + udplabelattr = BARPTRATTR; + highattr = BARHIGHATTR; + } else { + tcplabelattr = STDATTR; + udplabelattr = PTRATTR; + highattr = HIGHATTR; + } + + wattrset(list->win, tcplabelattr); + sprintf(sp_buf, "%%%dc", COLS - 2); + scrollok(list->win, 0); + mvwprintw(list->win, target_row, 0, 
sp_buf, ' '); + scrollok(list->win, 1); + + wmove(list->win, target_row, 1); + if (entry->protocol == IPPROTO_TCP) { + wattrset(list->win, tcplabelattr); + wprintw(list->win, "TCP"); + } else if (entry->protocol == IPPROTO_UDP) { + wattrset(list->win, udplabelattr); + wprintw(list->win, "UDP"); + } + + wprintw(list->win, "/%s ", entry->servname); + wattrset(list->win, highattr); + wmove(list->win, target_row, 17 * screen_scale); + printlargenum(entry->serv_count.proto_total.pc_packets, list->win); + wmove(list->win, target_row, 27 * screen_scale); + printlargenum(entry->serv_count.proto_total.pc_bytes, list->win); + wmove(list->win, target_row, 37 * screen_scale); + printlargenum(entry->serv_count.proto_in.pc_packets, list->win); + wmove(list->win, target_row, 47 * screen_scale); + printlargenum(entry->serv_count.proto_in.pc_bytes, list->win); + wmove(list->win, target_row, 57 * screen_scale); + printlargenum(entry->serv_count.proto_out.pc_packets, list->win); + wmove(list->win, target_row, 67 * screen_scale); + printlargenum(entry->serv_count.proto_out.pc_bytes, list->win); +} + +static void destroyportlist(struct portlist *list) +{ + struct portlistent *ptmp = list->head; + struct portlistent *ctmp = NULL; + + if (list->head != NULL) + ctmp = list->head->next_entry; + + while (ptmp != NULL) { + rate_destroy(&ptmp->rate_out); + rate_destroy(&ptmp->rate_in); + rate_destroy(&ptmp->rate); + free(ptmp); + ptmp = ctmp; + + if (ctmp != NULL) + ctmp = ctmp->next_entry; + } +} + +static void updateportent(struct portlist *list, unsigned int protocol, + in_port_t sport, in_port_t dport, int br, + struct porttab *ports) +{ + struct portlistent *sport_listent = NULL; + struct portlistent *dport_listent = NULL; + enum { + PORT_INCOMING = 0, + PORT_OUTGOING + }; + + if (goodport(sport, ports)) { + sport_listent = inportlist(list, protocol, sport); + + if (!sport_listent) + sport_listent = + addtoportlist(list, protocol, sport); + + if (sport_listent == NULL) + return; + + 
update_proto_counter(&sport_listent->serv_count, PORT_OUTGOING, br); + update_proto_counter(&sport_listent->span, PORT_OUTGOING, br); + } + + if (goodport(dport, ports)) { + dport_listent = inportlist(list, protocol, dport); + + if (!dport_listent) + dport_listent = + addtoportlist(list, protocol, dport); + + if (dport_listent == NULL) + return; + + update_proto_counter(&dport_listent->serv_count, PORT_INCOMING, br); + update_proto_counter(&dport_listent->span, PORT_INCOMING, br); + } +} + +/* + * Swap two port list entries. p1 must be previous to p2. + */ + +static void swapportents(struct portlist *list, struct portlistent *p1, + struct portlistent *p2) +{ + register unsigned int tmp; + struct portlistent *p1prevsaved; + struct portlistent *p2nextsaved; + + if (p1 == p2) + return; + + tmp = p1->idx; + p1->idx = p2->idx; + p2->idx = tmp; + + if (p1->prev_entry != NULL) + p1->prev_entry->next_entry = p2; + else + list->head = p2; + + if (p2->next_entry != NULL) + p2->next_entry->prev_entry = p1; + else + list->tail = p1; + + p2nextsaved = p2->next_entry; + p1prevsaved = p1->prev_entry; + + if (p1->next_entry == p2) { + p2->next_entry = p1; + p1->prev_entry = p2; + } else { + p2->next_entry = p1->next_entry; + p1->prev_entry = p2->prev_entry; + p2->prev_entry->next_entry = p1; + p1->next_entry->prev_entry = p2; + } + + p2->prev_entry = p1prevsaved; + p1->next_entry = p2nextsaved; +} + +/* + * Retrieve the appropriate sort criterion based on keystroke. 
+ */ +static unsigned long long qp_getkey(struct portlistent *entry, int ch) +{ + unsigned long long result = 0; + + switch (ch) { + case 'R': + result = entry->port; + break; + case 'B': + result = entry->serv_count.proto_total.pc_bytes; + break; + case 'O': + result = entry->serv_count.proto_in.pc_bytes; + break; + case 'M': + result = entry->serv_count.proto_out.pc_bytes; + break; + case 'P': + result = entry->serv_count.proto_total.pc_packets; + break; + case 'T': + result = entry->serv_count.proto_in.pc_packets; + break; + case 'F': + result = entry->serv_count.proto_out.pc_packets; + break; + } + + return result; +} + +/* + * Refresh TCP/UDP service screen. + */ + +static void refresh_serv_screen(struct portlist *table, int idx) +{ + struct portlistent *ptmp = table->firstvisible; + + wattrset(table->win, STDATTR); + tx_colorwin(table->win); + + while ((ptmp != NULL) && (ptmp->prev_entry != table->lastvisible)) { + printportent(table, ptmp, idx); + ptmp = ptmp->next_entry; + } + update_panels(); + doupdate(); +} + + +/* + * Compare the sort criterion with the pivot value. Receives a parameter + * specifying whether the criterion is left or right of the pivot value. + * + * If criterion is the port number: return true if criterion is less than or + * equal to the pivot when the SIDE is left. If SIDE is right, return + * true if the value is greater than the pivot. This results in an + * ascending sort. + * + * If the criterion is a count: return true when the criterion is greater than + * or equal to the pivot when the SIDE is left, otherwise, when SIDE is + * right, return true if the value is less than the pivot. This results + * in a descending sort. 
+ */ + +static int qp_compare(struct portlistent *entry, unsigned long long pv, int ch, + int side) +{ + int result = 0; + unsigned long long value; + + value = qp_getkey(entry, ch); + + if (ch == 'R') { + if (side == LEFT) + result = (value <= pv); + else + result = (value > pv); + } else { + if (side == LEFT) + result = (value >= pv); + else + result = (value < pv); + } + + return result; +} + +/* + * Partition port list such that a pivot is selected, and that all values + * left of the pivot are less (or greater) than or equal to the pivot, + * and that all values right of the pivot are greater (or less) than + * the pivot. + */ +static struct portlistent *qp_partition(struct portlist *table, + struct portlistent **low, + struct portlistent **high, int ch) +{ + struct portlistent *pivot = *low; + + struct portlistent *left = *low; + struct portlistent *right = *high; + struct portlistent *ptmp; + + unsigned long long pivot_value; + + pivot_value = qp_getkey(pivot, ch); + + while (left->idx < right->idx) { + while ((qp_compare(left, pivot_value, ch, LEFT)) + && (left->next_entry != NULL)) + left = left->next_entry; + + while (qp_compare(right, pivot_value, ch, RIGHT)) + right = right->prev_entry; + + if (left->idx < right->idx) { + swapportents(table, left, right); + if (*low == left) + *low = right; + + if (*high == right) + *high = left; + + ptmp = left; + left = right; + right = ptmp; + } + } + swapportents(table, pivot, right); + + if (*low == pivot) + *low = right; + + if (*high == right) + *high = pivot; + + return pivot; +} + +/* + * Quicksort for the port list. 
+ */ +static void quicksort_port_entries(struct portlist *table, + struct portlistent *low, + struct portlistent *high, int ch) +{ + struct portlistent *pivot; + + if ((high == NULL) || (low == NULL)) + return; + + if (high->idx > low->idx) { + pivot = qp_partition(table, &low, &high, ch); + + quicksort_port_entries(table, low, pivot->prev_entry, ch); + quicksort_port_entries(table, pivot->next_entry, high, ch); + } +} + +static void sortportents(struct portlist *list, unsigned int *idx, int command) +{ + struct portlistent *ptemp1; + int idxtmp; + + if (!(list->head)) + return; + + command = toupper(command); + + if ((command != 'R') && (command != 'B') && (command != 'O') + && (command != 'M') && (command != 'P') && (command != 'T') + && (command != 'F')) + return; + + quicksort_port_entries(list, list->head, list->tail, command); + + ptemp1 = list->firstvisible = list->head; + *idx = 1; + idxtmp = 1; + + while ((ptemp1) && (idxtmp <= LINES - 5)) { /* printout */ + printportent(list, ptemp1, *idx); + if (idxtmp <= LINES - 5) + list->lastvisible = ptemp1; + ptemp1 = ptemp1->next_entry; + idxtmp++; + } +} + +static void scrollservwin(struct portlist *table, int direction, + unsigned int *idx) +{ + char sp_buf[10]; + + sprintf(sp_buf, "%%%dc", COLS - 2); + wattrset(table->win, STDATTR); + if (direction == SCROLLUP) { + if (table->lastvisible != table->tail) { + wscrl(table->win, 1); + table->lastvisible = table->lastvisible->next_entry; + table->firstvisible = table->firstvisible->next_entry; + (*idx)++; + wmove(table->win, LINES - 6, 0); + scrollok(table->win, 0); + wprintw(table->win, sp_buf, ' '); + scrollok(table->win, 1); + printportent(table, table->lastvisible, *idx); + } + } else { + if (table->firstvisible != table->head) { + wscrl(table->win, -1); + table->lastvisible = table->lastvisible->prev_entry; + table->firstvisible = table->firstvisible->prev_entry; + (*idx)--; + wmove(table->win, 0, 0); + wprintw(table->win, sp_buf, ' '); + printportent(table, 
table->firstvisible, *idx); + } + } +} + +static void pageservwin(struct portlist *table, int direction, + unsigned int *idx) +{ + int i = 1; + + if (direction == SCROLLUP) { + while ((i <= LINES - 9) && (table->lastvisible != table->tail)) { + i++; + table->firstvisible = table->firstvisible->next_entry; + table->lastvisible = table->lastvisible->next_entry; + (*idx)++; + } + } else { + while ((i <= LINES - 9) && (table->firstvisible != table->head)) { + i++; + table->firstvisible = table->firstvisible->prev_entry; + table->lastvisible = table->lastvisible->prev_entry; + (*idx)--; + } + } + refresh_serv_screen(table, *idx); +} + +static void show_portsort_keywin(WINDOW ** win, PANEL ** panel) +{ + *win = newwin(14, 35, (LINES - 10) / 2, COLS - 40); + *panel = new_panel(*win); + + wattrset(*win, DLGBOXATTR); + tx_colorwin(*win); + tx_box(*win, ACS_VLINE, ACS_HLINE); + + wattrset(*win, DLGTEXTATTR); + mvwprintw(*win, 2, 2, "Select sort criterion"); + wmove(*win, 4, 2); + tx_printkeyhelp("R", " - port number", *win, DLGHIGHATTR, DLGTEXTATTR); + wmove(*win, 5, 2); + tx_printkeyhelp("P", " - total packets", *win, DLGHIGHATTR, + DLGTEXTATTR); + wmove(*win, 6, 2); + tx_printkeyhelp("B", " - total bytes", *win, DLGHIGHATTR, DLGTEXTATTR); + wmove(*win, 7, 2); + tx_printkeyhelp("T", " - packets to", *win, DLGHIGHATTR, DLGTEXTATTR); + wmove(*win, 8, 2); + tx_printkeyhelp("O", " - bytes to", *win, DLGHIGHATTR, DLGTEXTATTR); + wmove(*win, 9, 2); + tx_printkeyhelp("F", " - packets from", *win, DLGHIGHATTR, DLGTEXTATTR); + wmove(*win, 10, 2); + tx_printkeyhelp("M", " - bytes from", *win, DLGHIGHATTR, DLGTEXTATTR); + wmove(*win, 11, 2); + tx_printkeyhelp("Any other key", " - cancel sort", *win, DLGHIGHATTR, + DLGTEXTATTR); + update_panels(); + doupdate(); +} + +static void print_serv_rates(struct portlistent *ple, WINDOW *win) +{ + char buf[64]; + + wattrset(win, IPSTATLABELATTR); + mvwprintw(win, 0, 1, "Protocol data rates:"); + mvwprintw(win, 0, 36, "total"); + mvwprintw(win, 
0, 57, "in"); + mvwprintw(win, 0, 76, "out"); + + wattrset(win, IPSTATATTR); + rate_print(rate_get_average(&ple->rate), buf, sizeof(buf)); + mvwprintw(win, 0, 21, "%s", buf); + rate_print(rate_get_average(&ple->rate_in), buf, sizeof(buf)); + mvwprintw(win, 0, 42, "%s", buf); + rate_print(rate_get_average(&ple->rate_out), buf, sizeof(buf)); + mvwprintw(win, 0, 61, "%s", buf); +} + +static void update_serv_rates(struct portlist *list, unsigned long msecs) +{ + /* update rates of all portlistents */ + for (struct portlistent *ple = list->head; ple != NULL; ple = ple->next_entry) { + rate_add_rate(&ple->rate, ple->span.proto_total.pc_bytes, msecs); + rate_add_rate(&ple->rate_in, ple->span.proto_in.pc_bytes, msecs); + rate_add_rate(&ple->rate_out, ple->span.proto_out.pc_bytes, msecs); + + memset(&ple->span, 0, sizeof(ple->span)); + } +} + +/* + * The TCP/UDP service monitor + */ + +void servmon(char *ifname, time_t facilitytime) +{ + int logging = options.logging; + int pkt_result; + + int keymode = 0; + + unsigned int idx = 1; + + in_port_t sport = 0; + in_port_t dport = 0; + + struct timeval tv; + struct timeval tv_rate; + time_t starttime, startlog, timeint; + time_t now; + struct timeval updtime; + + unsigned int tot_br; + + int ch; + + struct portlist list; + struct portlistent *serv_tmp; + + FILE *logfile = NULL; + + WINDOW *sortwin; + PANEL *sortpanel; + + WINDOW *statwin; + PANEL *statpanel; + + char sp_buf[10]; + + int fd; + + struct porttab *ports; + + if (!dev_up(ifname)) { + err_iface_down(); + return; + } + + loadaddports(&ports); + + LIST_HEAD(promisc); + if (options.promisc) { + promisc_init(&promisc, ifname); + promisc_set_list(&promisc); + } + + initportlist(&list); + statwin = newwin(1, COLS, LINES - 2, 0); + statpanel = new_panel(statwin); + scrollok(statwin, 0); + wattrset(statwin, IPSTATLABELATTR); + sprintf(sp_buf, "%%%dc", COLS); + mvwprintw(statwin, 0, 0, sp_buf, ' '); + + move(LINES - 1, 1); + scrollkeyhelp(); + sortkeyhelp(); + 
stdexitkeyhelp(); + + if (options.servnames) + setservent(1); + + if (logging) { + if (strcmp(current_logfile, "") == 0) { + snprintf(current_logfile, 80, "%s-%s.log", TCPUDPLOG, + ifname); + + if (!daemonized) + input_logfile(current_logfile, &logging); + } + } + + if (logging) { + opentlog(&logfile, current_logfile); + + if (logfile == NULL) + logging = 0; + } + if (logging) { + signal(SIGUSR1, rotate_serv_log); + + rotate_flag = 0; + writelog(logging, logfile, + "******** TCP/UDP service monitor started ********"); + } + + exitloop = 0; + gettimeofday(&tv, NULL); + tv_rate = tv; + updtime = tv; + starttime = startlog = timeint = tv.tv_sec; + + wattrset(statwin, IPSTATATTR); + mvwprintw(statwin, 0, 1, "No entries"); + update_panels(); + doupdate(); + + fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); + if(fd == -1) { + write_error("Unable to obtain monitoring socket"); + goto err; + } + if(dev_bind_ifname(fd, ifname) == -1) { + write_error("Unable to bind interface on the socket"); + goto err_close; + } + + PACKET_INIT(pkt); + + while (!exitloop) { + gettimeofday(&tv, NULL); + now = tv.tv_sec; + + if (now - timeint >= 5) { + printelapsedtime(starttime, now, LINES - 4, 20, + list.borderwin); + timeint = now; + } + if (logging) { + check_rotate_flag(&logfile); + if ((now - startlog) >= options.logspan) { + writeutslog(list.head, now - starttime, + logfile); + startlog = now; + } + } + + unsigned long rate_msecs = timeval_diff_msec(&tv, &tv_rate); + if (rate_msecs >= 1000) { + /* update all portlistent rates ... */ + update_serv_rates(&list, rate_msecs); + + /* ... 
and print the current one */ + if (list.barptr != NULL) + print_serv_rates(list.barptr, statwin); + + tv_rate = tv; + } + + if (screen_update_needed(&tv, &updtime)) { + refresh_serv_screen(&list, idx); + + update_panels(); + doupdate(); + + updtime = tv; + } + + if ((facilitytime != 0) + && (((now - starttime) / 60) >= facilitytime)) + exitloop = 1; + + if (packet_get(fd, &pkt, &ch, list.win) == -1) { + write_error("Packet receive failed"); + exitloop = 1; + break; + } + + if (ch == ERR) + goto no_key_ready; + + if (keymode == 0) { + switch (ch) { + case KEY_UP: + if (!list.barptr + || !list.barptr->prev_entry) + break; + + serv_tmp = list.barptr; + list.barptr = list.barptr->prev_entry; + printportent(&list, serv_tmp, idx); + + if (list.baridx == 1) + scrollservwin(&list, SCROLLDOWN, &idx); + else + list.baridx--; + + printportent(&list, list.barptr, idx); + + print_serv_rates(list.barptr, statwin); + break; + case KEY_DOWN: + if (!list.barptr + || !list.barptr->next_entry) + break; + + serv_tmp = list.barptr; + list.barptr = list.barptr->next_entry; + printportent(&list,serv_tmp, idx); + + if (list.baridx == list.imaxy) + scrollservwin(&list, SCROLLUP, &idx); + else + list.baridx++; + + printportent(&list, list.barptr, idx); + + print_serv_rates(list.barptr, statwin); + break; + case KEY_PPAGE: + case '-': + if (!list.barptr) + break; + + pageservwin(&list, SCROLLDOWN, &idx); + + list.barptr = list.lastvisible; + list.baridx = list.lastvisible->idx - idx + 1; + + refresh_serv_screen(&list, idx); + + print_serv_rates(list.barptr, statwin); + break; + case KEY_NPAGE: + case ' ': + if (!list.barptr) + break; + + pageservwin(&list, SCROLLUP, &idx); + + list.barptr = list.firstvisible; + list.baridx = 1; + + refresh_serv_screen(&list, idx); + + print_serv_rates(list.barptr, statwin); + break; + case 12: + case 'l': + case 'L': + tx_refresh_screen(); + break; + case 's': + case 'S': + show_portsort_keywin(&sortwin, + &sortpanel); + keymode = 1; + break; + case 'q': + 
case 'Q': + case 'x': + case 'X': + case 27: + case 24: + exitloop = 1; + } + } else if (keymode == 1) { + del_panel(sortpanel); + delwin(sortwin); + sortportents(&list, &idx, ch); + keymode = 0; + if (list.barptr != NULL) { + list.barptr = list.firstvisible; + list.baridx = 1; + print_serv_rates(list.barptr, statwin); + } + refresh_serv_screen(&list, idx); + update_panels(); + doupdate(); + } + no_key_ready: + + if (pkt.pkt_len <= 0) + continue; + + pkt_result = + packet_process(&pkt, &tot_br, &sport, &dport, + MATCH_OPPOSITE_USECONFIG, + options.v6inv4asv6); + + if (pkt_result != PACKET_OK) + continue; + + unsigned short iplen; + switch (pkt.pkt_protocol) { + case ETH_P_IP: + iplen = ntohs(pkt.iphdr->tot_len); + break; + case ETH_P_IPV6: + iplen = ntohs(pkt.ip6_hdr->ip6_plen) + 40; + break; + default: + /* unknown link protocol */ + continue; + } + __u8 ip_protocol = pkt_ip_protocol(&pkt); + + switch (ip_protocol) { + case IPPROTO_TCP: + case IPPROTO_UDP: + updateportent(&list, ip_protocol, sport, + dport, iplen, ports); + break; + default: + /* unknown L4 protocol */ + continue; + } + if ((list.barptr == NULL) && (list.head != NULL)) { + list.barptr = list.head; + list.baridx = 1; + print_serv_rates(list.barptr, statwin); + } + } + +err_close: + close(fd); +err: + if (logging) { + signal(SIGUSR1, SIG_DFL); + writeutslog(list.head, time(NULL) - starttime, logfile); + writelog(logging, logfile, + "******** TCP/UDP service monitor stopped ********"); + fclose(logfile); + } + if (options.servnames) + endservent(); + + if (options.promisc) { + promisc_restore_list(&promisc); + promisc_destroy(&promisc); + } + + del_panel(list.panel); + delwin(list.win); + del_panel(list.borderpanel); + delwin(list.borderwin); + del_panel(statpanel); + delwin(statwin); + update_panels(); + doupdate(); + destroyportlist(&list); + destroyporttab(ports); + pkt_cleanup(); + strcpy(current_logfile, ""); +} + +static void portdlg(in_port_t *port_min, in_port_t *port_max, + int *aborted) +{ 
+ WINDOW *bw; + PANEL *bp; + WINDOW *win; + PANEL *panel; + + struct FIELDLIST list; + + bw = newwin(14, 50, (LINES - 14) / 2, (COLS - 50) / 2 - 10); + bp = new_panel(bw); + + win = newwin(12, 48, (LINES - 14) / 2 + 1, (COLS - 50) / 2 - 9); + panel = new_panel(win); + + wattrset(bw, DLGBOXATTR); + tx_box(bw, ACS_VLINE, ACS_HLINE); + + wattrset(win, DLGTEXTATTR); + tx_colorwin(win); + tx_stdwinset(win); + wtimeout(win, -1); + + mvwprintw(win, 1, 1, "Port numbers below 1024 are reserved for"); + mvwprintw(win, 2, 1, "TCP/IP services, and are normally the only"); + mvwprintw(win, 3, 1, "ones monitored by the TCP/UDP statistics"); + mvwprintw(win, 4, 1, "module. If you wish to monitor a higher-"); + mvwprintw(win, 5, 1, "numbered port or range of ports, enter it"); + mvwprintw(win, 6, 1, "here. Fill just the first field for a"); + mvwprintw(win, 7, 1, "single port, or both fields for a range."); + + wmove(win, 11, 1); + tabkeyhelp(win); + stdkeyhelp(win); + + tx_initfields(&list, 1, 20, (LINES - 14) / 2 + 10, (COLS - 50) / 2 - 8, + DLGTEXTATTR, FIELDATTR); + mvwprintw(list.fieldwin, 0, 6, "to"); + + tx_addfield(&list, 5, 0, 0, ""); + tx_addfield(&list, 5, 0, 9, ""); + + int ok; + do { + unsigned int val; + int ret; + + ok = 1; + tx_fillfields(&list, aborted); + + if (*aborted) + break; + + ret = strtoul_ui(list.list->buf, 10, &val); + if (ret == -1 || val > 65535) { + tui_error(ANYKEY_MSG, "Invalid port"); + ok = 0; + continue; + } + *port_min = val; + + if (list.list->nextfield->buf[0] != '\0') { + ret = strtoul_ui(list.list->nextfield->buf, 10, &val); + if (ret == -1 || val > 65535 || *port_min > val) { + tui_error(ANYKEY_MSG, "Invalid port"); + ok = 0; + continue; + } + *port_max = val; + } else + *port_max = 0; + } while (!ok); + del_panel(bp); + delwin(bw); + del_panel(panel); + delwin(win); + tx_destroyfields(&list); +} + +static void saveportlist(struct porttab *table) +{ + struct porttab *ptmp = table; + int fd; + int bw; + + fd = open(PORTFILE, O_WRONLY | 
O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); + + if (fd < 0) { + tui_error(ANYKEY_MSG, "Unable to open port list file"); + return; + } + while (ptmp != NULL) { + bw = write(fd, &(ptmp->port_min), sizeof(unsigned int)); + bw = write(fd, &(ptmp->port_max), sizeof(unsigned int)); + + if (bw < 0) { + tui_error(ANYKEY_MSG, + "Unable to write port/range entry"); + destroyporttab(table); + close(fd); + return; + } + ptmp = ptmp->next_entry; + } + + close(fd); +} + +static int dup_portentry(struct porttab *table, unsigned int min, + unsigned int max) +{ + struct porttab *ptmp = table; + + while (ptmp != NULL) { + if ((ptmp->port_min == min) && (ptmp->port_max == max)) + return 1; + + ptmp = ptmp->next_entry; + } + + return 0; +} + +void addmoreports(struct porttab **table) +{ + in_port_t port_min = 0, port_max = 0; + int aborted; + struct porttab *ptmp; + + portdlg(&port_min, &port_max, &aborted); + + if (!aborted) { + if (dup_portentry(*table, port_min, port_max)) + tui_error(ANYKEY_MSG, "Duplicate port/range entry"); + else { + ptmp = xmalloc(sizeof(struct porttab)); + + ptmp->port_min = port_min; + ptmp->port_max = port_max; + ptmp->prev_entry = NULL; + ptmp->next_entry = *table; + + if (*table != NULL) + (*table)->prev_entry = ptmp; + + *table = ptmp; + saveportlist(*table); + } + } + update_panels(); + doupdate(); +} + +void loadaddports(struct porttab **table) +{ + int fd; + struct porttab *ptemp; + struct porttab *tail = NULL; + int br; + + *table = NULL; + + fd = open(PORTFILE, O_RDONLY); + if (fd < 0) + return; + + do { + ptemp = xmalloc(sizeof(struct porttab)); + + br = read(fd, &(ptemp->port_min), sizeof(unsigned int)); + br = read(fd, &(ptemp->port_max), sizeof(unsigned int)); + + if (br < 0) { + tui_error(ANYKEY_MSG, "Error reading port list"); + close(fd); + destroyporttab(*table); + return; + } + if (br > 0) { + if (*table == NULL) { + *table = ptemp; + ptemp->prev_entry = NULL; + } + if (tail != NULL) { + tail->next_entry = ptemp; + ptemp->prev_entry = tail; + } 
+ tail = ptemp; + ptemp->next_entry = NULL; + } else + free(ptemp); + + } while (br > 0); + + close(fd); +} + +static void operate_portselect(struct porttab **table, struct porttab **node, + int *aborted) +{ + int ch = 0; + struct scroll_list list; + char listtext[20]; + + tx_init_listbox(&list, 25, 22, (COLS - 25) / 2, (LINES - 22) / 2, + STDATTR, BOXATTR, BARSTDATTR, HIGHATTR); + + tx_set_listbox_title(&list, "Select Port/Range", 1); + + *node = *table; + while (*node != NULL) { + snprintf(listtext, 20, "%d to %d", (*node)->port_min, + (*node)->port_max); + tx_add_list_entry(&list, (char *) *node, listtext); + *node = (*node)->next_entry; + } + + tx_show_listbox(&list); + tx_operate_listbox(&list, &ch, aborted); + + if (!(*aborted)) + *node = (struct porttab *) list.textptr->nodeptr; + + tx_close_listbox(&list); + tx_destroy_list(&list); +} + +static void selectport(struct porttab **table, struct porttab **node, + int *aborted) +{ + if (*table == NULL) { + tui_error(ANYKEY_MSG, "No custom ports"); + return; + } + + operate_portselect(table, node, aborted); +} + +static void delport(struct porttab **table, struct porttab *ptmp) +{ + if (ptmp != NULL) { + if (ptmp == *table) { + *table = (*table)->next_entry; + if (*table != NULL) + (*table)->prev_entry = NULL; + } else { + ptmp->prev_entry->next_entry = ptmp->next_entry; + + if (ptmp->next_entry != NULL) + ptmp->next_entry->prev_entry = ptmp->prev_entry; + } + + free(ptmp); + } +} + +void removeaport(struct porttab **table) +{ + int aborted; + struct porttab *ptmp = NULL; + + selectport(table, &ptmp, &aborted); + + if (!aborted && ptmp) { + delport(table, ptmp); + saveportlist(*table); + } +} + +void destroyporttab(struct porttab *table) +{ + struct porttab *ptemp = table; + struct porttab *ctemp = NULL; + + if (ptemp != NULL) + ctemp = ptemp->next_entry; + + while (ptemp != NULL) { + free(ptemp); + ptemp = ctemp; + + if (ctemp != NULL) + ctemp = ctemp->next_entry; + } +} 
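Review bot: saveportlist() and loadaddports() move `sizeof(unsigned int)` bytes through `&ptmp->port_min` and `&ptmp->port_max`, but serv.h declares both fields as `in_port_t` (16-bit), so each write() reads past the field into its neighbour and padding (leaking uninitialised heap bytes into PORTFILE) and each read() writes past it; use `sizeof ptmp->port_min` / `sizeof ptemp->port_max` on both sides, noting that this changes the on-disk record layout. In both loops the return of the first write()/read() is overwritten by the second before it is checked, so a short first transfer is never detected. Separately, writeutslog() divides by `secs`, which is 0 for an entry younger than one second, so the first periodic log after a new port appears can divide by zero; guard with `if (secs == 0) secs = 1;`. Also, when saveportlist() fails it calls `destroyporttab(table)` while its callers (addmoreports(), removeaport()) keep the now-freed `*table`, so the next operation on the list is a use-after-free; either drop that destroy or have the callers clear the pointer.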
diff --git a/src/serv.h b/src/serv.h
new file mode 100644
index 0000000..dde7c3e
--- /dev/null
+++ b/src/serv.h
@@ -0,0 +1,23 @@
+#ifndef IPTRAF_NG_SERV_H
+#define IPTRAF_NG_SERV_H
+
+/***
+
+serv.h - TCP/UDP port statistics header file
+
+***/
+
+struct porttab {
+ in_port_t port_min;
+ in_port_t port_max;
+ struct porttab *prev_entry;
+ struct porttab *next_entry;
+};
+
+void addmoreports(struct porttab **table);
+void loadaddports(struct porttab **table);
+void destroyporttab(struct porttab *table);
+void removeaport(struct porttab **table);
+void servmon(char *iface, time_t facilitytime);
+
+#endif /* IPTRAF_NG_SERV_H */
diff --git a/src/servname.c b/src/servname.c
new file mode 100644
index 0000000..989c395
--- /dev/null
+++ b/src/servname.c
@@ -0,0 +1,34 @@
+/* For terms of usage/redistribution/modification see the LICENSE file */
+/* For authors and contributors see the AUTHORS file */
+
+/***
+
+servname.c - lookup module for TCP and UDP service names based on
+ port numbers
+
+***/
+
+#include "iptraf-ng-compat.h"
+#include "options.h"
+
+void servlook(in_port_t port, unsigned int protocol, char *target, int maxlen)
+{
+ static struct servent *sve;
+
+ memset(target, 0, maxlen + 1);
+
+ if (options.servnames) {
+ if (protocol == IPPROTO_TCP)
+ sve = getservbyport(htons(port), "tcp");
+ else
+ sve = getservbyport(htons(port), "udp");
+
+ if (sve != NULL) {
+ strncpy(target, sve->s_name, maxlen);
+ } else {
+ sprintf(target, "%u", port);
+ }
+ } else {
+ sprintf(target, "%u", port);
+ }
+}
diff --git a/src/servname.h b/src/servname.h
new file mode 100644
index 0000000..eae53bb
--- /dev/null
+++ b/src/servname.h
@@ -0,0 +1,12 @@
+#ifndef IPTRAF_NG_SERVNAME_H
+#define IPTRAF_NG_SERVNAME_H
+
+/***
+
+servname.h - function prototype for service lookup
+
+***/
+
+void servlook(in_port_t port, unsigned int protocol, char *target, int maxlen);
+
+#endif /* IPTRAF_NG_SERVNAME_H */
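Review bot: servlook() writes `maxlen + 1` bytes with `memset(target, 0, maxlen + 1)`, so the function silently requires `target` to hold one byte more than the `maxlen` it is given; the one caller visible in serv.c passes `servname[11]` with `maxlen` 10, so it works, but nothing in servname.h says so and a future caller passing `sizeof buf` will overrun by one. Document the contract on the prototype, e.g. `/* target must have room for maxlen + 1 bytes; the result is always NUL-terminated */`, or make the size explicit by replacing the strncpy() with `snprintf(target, maxlen + 1, "%s", sve->s_name);` and dropping the reliance on the preceding memset for termination. The `static` on `sve` buys nothing (the pointer is reassigned on every call and getservbyport() already returns static storage) and can be a plain local.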
diff --git a/src/sockaddr.c b/src/sockaddr.c
new file mode 100644
index 0000000..f5de68c
--- /dev/null
+++ b/src/sockaddr.c
@@ -0,0 +1,161 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +#include "iptraf-ng-compat.h" + +void sockaddr_make_ipv4(struct sockaddr_storage *sockaddr, + u_int32_t addr) +{ + if (!sockaddr) + die("%s(): sockaddr == NULL", __FUNCTION__); + + memset(sockaddr, 0, sizeof(*sockaddr)); + struct sockaddr_in *sockaddr_in = (struct sockaddr_in *)sockaddr; + sockaddr_in->sin_family = AF_INET; + sockaddr_in->sin_port = 0; + sockaddr_in->sin_addr.s_addr = addr; +} + +void sockaddr_make_ipv6(struct sockaddr_storage *sockaddr, + struct in6_addr *addr) +{ + if (!sockaddr) + die("%s(): sockaddr == NULL", __FUNCTION__); + if (!addr) + die("%s(): addr == NULL", __FUNCTION__); + + memset(sockaddr, 0, sizeof(*sockaddr)); + struct sockaddr_in6 *sockaddr_in6 = (struct sockaddr_in6 *)sockaddr; + sockaddr_in6->sin6_family = AF_INET6; + sockaddr_in6->sin6_port = 0; + sockaddr_in6->sin6_addr = *addr; + sockaddr_in6->sin6_flowinfo = 0; + sockaddr_in6->sin6_scope_id = 0; +} + +in_port_t sockaddr_get_port(struct sockaddr_storage *sockaddr) +{ + if (!sockaddr) + die("%s(): sockaddr == NULL", __FUNCTION__); + + switch (sockaddr->ss_family) { + case AF_INET: + return ((struct sockaddr_in *)sockaddr)->sin_port; + case AF_INET6: + return ((struct sockaddr_in6 *)sockaddr)->sin6_port; + default: + die("%s(): Unknown address family", __FUNCTION__); + } +} + +void sockaddr_set_port(struct sockaddr_storage *sockaddr, in_port_t port) +{ + if (!sockaddr) + die("%s(): sockaddr == NULL", __FUNCTION__); + + switch (sockaddr->ss_family) { + case AF_INET: + ((struct sockaddr_in *)sockaddr)->sin_port = port; + break; + case AF_INET6: + ((struct sockaddr_in6 *)sockaddr)->sin6_port = port; + break; + default: + die("%s(): Unknown address family", __FUNCTION__); + } +} + +int sockaddr_is_equal(struct sockaddr_storage *addr1, + struct sockaddr_storage *addr2) +{ + if (!addr1) + die("%s(): addr1 == NULL", __FUNCTION__); + if 
(!addr2) + die("%s(): addr2 == NULL", __FUNCTION__); + + if (addr1->ss_family != addr2->ss_family) + return 0; + + switch (addr1->ss_family) { + case AF_INET: { + struct sockaddr_in *sa1 = (struct sockaddr_in *)addr1; + struct sockaddr_in *sa2 = (struct sockaddr_in *)addr2; + + if ((sa1->sin_addr.s_addr == sa2->sin_addr.s_addr) + && (sa1->sin_port == sa2->sin_port)) + return 1; + else + return 0; + } + case AF_INET6: { + struct sockaddr_in6 *sa1 = (struct sockaddr_in6 *)addr1; + struct sockaddr_in6 *sa2 = (struct sockaddr_in6 *)addr2; + + if ((sa1->sin6_port == sa2->sin6_port) + && (sa1->sin6_flowinfo == sa2->sin6_flowinfo) + && (sa1->sin6_scope_id == sa2->sin6_scope_id) + && (memcmp(&sa1->sin6_addr, &sa2->sin6_addr, sizeof(sa1->sin6_addr)) == 0)) + return 1; + else + return 0; + } + default: + die("%s(): Unknown address family", __FUNCTION__); + } +} + +void sockaddr_ntop(struct sockaddr_storage *addr, char *buf, size_t buflen) +{ + if(!addr) + die("%s(): addr == NULL", __FUNCTION__); + + const char *ret; + size_t minlen; + + memset(buf, 0, buflen); + switch (addr->ss_family) { + case AF_INET: + minlen = INET_ADDRSTRLEN; + ret = inet_ntop(AF_INET, &((struct sockaddr_in *)addr)->sin_addr, buf, buflen - 1); + break; + case AF_INET6: + minlen = INET6_ADDRSTRLEN; + ret = inet_ntop(AF_INET6, &((struct sockaddr_in6 *)addr)->sin6_addr, buf, buflen - 1); + break; + default: + die("%s(): Unknown address family", __FUNCTION__); + } + if (ret == NULL) { + switch (errno) { + case ENOSPC: + die("%s(): buffer too small (must be at least %zu bytes)", __FUNCTION__, minlen); + case EAFNOSUPPORT: + die("%s(): Unknown address family", __FUNCTION__); + } + } +} + +struct hostent *sockaddr_gethostbyaddr(struct sockaddr_storage *addr) +{ + if(!addr) + die("%s(): addr == NULL", __FUNCTION__); + + switch (addr->ss_family) { + case AF_INET: + return gethostbyaddr(&((struct sockaddr_in *)addr)->sin_addr, sizeof(struct in_addr), AF_INET); + case AF_INET6: + return gethostbyaddr(&((struct 
sockaddr_in6 *)addr)->sin6_addr, sizeof(struct in6_addr), AF_INET6); + default: + die("%s(): Unknown address family", __FUNCTION__); + } +} + +void sockaddr_copy(struct sockaddr_storage *dest, struct sockaddr_storage *src) +{ + if (!src) + die("%s(): src == NULL", __FUNCTION__); + if (!dest) + die("%s(): dest == NULL", __FUNCTION__); + + memcpy(dest, src, sizeof(struct sockaddr_storage)); +} diff --git a/src/sockaddr.h b/src/sockaddr.h new file mode 100644 index 0000000..b9727e8 --- /dev/null +++ b/src/sockaddr.h @@ -0,0 +1,16 @@ +#ifndef IPTRAF_NG_SOCKADDR_H +#define IPTRAF_NG_SOCKADDR_H + +void sockaddr_make_ipv4(struct sockaddr_storage *sockaddr, + u_int32_t addr); +void sockaddr_make_ipv6(struct sockaddr_storage *sockaddr, + struct in6_addr *addr); +in_port_t sockaddr_get_port(struct sockaddr_storage *sockaddr); +void sockaddr_set_port(struct sockaddr_storage *sockaddr, in_port_t port); +int sockaddr_is_equal(struct sockaddr_storage *addr1, + struct sockaddr_storage *addr2); +void sockaddr_ntop(struct sockaddr_storage *addr, char *buf, size_t buflen); +struct hostent *sockaddr_gethostbyaddr(struct sockaddr_storage *addr); +void sockaddr_copy(struct sockaddr_storage *dest, struct sockaddr_storage *src); + +#endif /* IPTRAF_NG_SOCKADDR_H */ diff --git a/src/tcptable.c b/src/tcptable.c new file mode 100644 index 0000000..956866c --- /dev/null +++ b/src/tcptable.c 
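Review bot: `sockaddr_ntop()` silently hands back an all-zero (empty) buffer when `inet_ntop()` fails with an errno other than `ENOSPC` or `EAFNOSUPPORT` — the inner `switch (errno)` has no `default:`, so the `ret == NULL` path falls through and the caller cannot distinguish an empty string from a failed conversion. The function also checks `addr` but not `buf`, and passes `buflen - 1`, which wraps to `SIZE_MAX` should a caller ever pass `buflen == 0`; `inet_ntop()` already NUL-terminates within the size it is given, so the `- 1` buys nothing. Separately, the non-void `sockaddr_get_port()`, `sockaddr_is_equal()` and `sockaddr_gethostbyaddr()` end their `default:` case with `die()` and no `return`; that is only well-defined if `die()` is declared `noreturn` in iptraf-ng-compat.h (not visible here), which is worth confirming. A rewrite of the guard and the error path is below; the `AF_INET6` case takes the same `buflen` change as the `AF_INET` one, and `strerror()` comes from `<string.h>`, which the file's `memset()`/`memcpy()` use already implies.
```c
	if (!buf || buflen == 0)
		die("%s(): buf == NULL or buflen == 0", __FUNCTION__);

	const char *ret = NULL;
	size_t minlen = 0;
	/* … unchanged: memset and the address-family switch, but pass buflen (not buflen - 1) to inet_ntop … */
	if (ret == NULL) {
		switch (errno) {
		case ENOSPC:
			die("%s(): buffer too small (must be at least %zu bytes)", __FUNCTION__, minlen);
		case EAFNOSUPPORT:
			die("%s(): Unknown address family", __FUNCTION__);
		default:
			die("%s(): inet_ntop(): %s", __FUNCTION__, strerror(errno));
		}
	}
```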
@@ -0,0 +1,1186 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +tcptable.c - table manipulation routines for the IP monitor + +***/ + +#include "iptraf-ng-compat.h" + +#include "tui/winops.h" + +#include "options.h" +#include "tcptable.h" +#include "deskman.h" +#include "attrs.h" +#include "log.h" +#include "revname.h" +#include "rvnamed.h" +#include "servname.h" +#include "hostmon.h" +#include "sockaddr.h" + +#define MSGSTRING_MAX 320 + +unsigned int bmaxy = 0; +unsigned int imaxy = 0; + +static void setlabels(WINDOW *win, int mode) +{ + wmove(win, 0, 42 * COLS / 80); + whline(win, ACS_HLINE, 23 * COLS / 80); + + if (mode == 0) { + wmove(win, 0, 47 * COLS / 80); + wprintw(win, " Packets "); + wmove(win, 0, 59 * COLS / 80); + wprintw(win, " Bytes "); + } else if (mode == 1) { + mvwprintw(win, 0, 47 * COLS / 80, " Source MAC Addr "); + } else if (mode == 2) { + wmove(win, 0, 45 * COLS / 80); + wprintw(win, " Pkt Size "); + wmove(win, 0, 56 * COLS / 80); + wprintw(win, " Win Size "); + } +} + +/* + * The hash function for the TCP hash table + */ + +static unsigned int tcp_hash(struct sockaddr_storage *saddr, + struct sockaddr_storage *daddr, + char *ifname) +{ + size_t i; + unsigned int ifsum = 0; + + for (i = 0; i <= strlen(ifname) - 1; i++) + ifsum += ifname[i]; + + switch (saddr->ss_family) { + case AF_INET: + ifsum += 4 * ((struct sockaddr_in *)saddr)->sin_addr.s_addr; + ifsum += 3 * ((struct sockaddr_in *)saddr)->sin_port; + break; + case AF_INET6: { + unsigned int ip6sum = 0; + for (i = 0; i < 4; i++) + ip6sum ^= ((struct sockaddr_in6 *)saddr)->sin6_addr.s6_addr32[i]; + ifsum += 4 * ip6sum; + ifsum += 3 * ((struct sockaddr_in6 *)saddr)->sin6_port; + break; } + default: + die("%s(): saddr: unknown address family", __FUNCTION__); + } + switch (daddr->ss_family) { + case AF_INET: + ifsum += 2 * ((struct sockaddr_in *)daddr)->sin_addr.s_addr; + ifsum += ((struct 
sockaddr_in *)daddr)->sin_port; + break; + case AF_INET6: { + unsigned int ip6sum = 0; + for (i = 0; i < 4; i++) + ip6sum ^= ((struct sockaddr_in6 *)daddr)->sin6_addr.s6_addr32[i]; + ifsum += 2 * ip6sum; + ifsum += ((struct sockaddr_in6 *)daddr)->sin6_port; + break; } + default: + die("%s(): daddr: unknown address family", __FUNCTION__); + } + return (ifsum % ENTRIES_IN_HASH_TABLE); +} + +static void print_tcp_num_entries(struct tcptable *table) +{ + mvwprintw(table->borderwin, table->bmaxy - 1, 1, " TCP: %6u entries ", + table->count); +} + +void init_tcp_table(struct tcptable *table) +{ + int i; + + table->bmaxy = LINES * 0.6; /* 60% of total screen */ + table->imaxy = table->bmaxy - 2; + + table->borderwin = newwin(table->bmaxy, COLS, 1, 0); + table->borderpanel = new_panel(table->borderwin); + + wattrset(table->borderwin, BOXATTR); + tx_box(table->borderwin, ACS_VLINE, ACS_HLINE); + wmove(table->borderwin, 0, 1); + wprintw(table->borderwin, " TCP Connections (Source Host:Port) "); + + setlabels(table->borderwin, 0); /* initially use mode 0 */ + + wmove(table->borderwin, 0, 65 * COLS / 80); + wprintw(table->borderwin, " Flag "); + wmove(table->borderwin, 0, 70 * COLS / 80); + wprintw(table->borderwin, " Iface "); + update_panels(); + doupdate(); + table->ifnamew = COLS - (70 * COLS / 80) - 3; + if (table->ifnamew < 7) + table->ifnamew = 7; + if (table->ifnamew > IFNAMSIZ) + table->ifnamew = IFNAMSIZ; + + table->head = table->tail = NULL; + table->firstvisible = table->lastvisible = NULL; + table->tcpscreen = newwin(table->imaxy, COLS - 2, 2, 1); + table->tcppanel = new_panel(table->tcpscreen); + table->closedentries = table->closedtail = NULL; + wattrset(table->tcpscreen, BOXATTR); + tx_colorwin(table->tcpscreen); + table->lastpos = 0; + table->count = 0; + + wtimeout(table->tcpscreen, -1); + tx_stdwinset(table->tcpscreen); + print_tcp_num_entries(table); + + /* + * Initialize hash table to nulls + */ + + for (i = 0; i <= ENTRIES_IN_HASH_TABLE - 1; i++) { + 
table->hash_table[i] = NULL; + table->hash_tails[i] = NULL; + } + table->barptr = NULL; + table->baridx = 0; +} + +/* + * Add a TCP entry to the hash table. + */ + +static void add_tcp_hash_entry(struct tcptable *table, struct tcptableent *entry) +{ + unsigned int hp; /* hash position in table */ + struct tcp_hashentry *ptmp; + + hp = tcp_hash(&entry->saddr, &entry->daddr, entry->ifname); + ptmp = xmallocz(sizeof(struct tcp_hashentry)); + /* + * Add backpointer from screen node to hash node for deletion later + * (Actually point to its predecessor coz of the header cell). + */ + + entry->hash_node = ptmp; + + /* + * Update hash node and add it to list. + */ + + ptmp->tcpnode = entry; + ptmp->hp = hp; + + if (table->hash_table[hp] == NULL) { + ptmp->prev_entry = NULL; + table->hash_table[hp] = ptmp; + ptmp->index = 1; + } + + if (table->hash_tails[hp] != NULL) { + table->hash_tails[hp]->next_entry = ptmp; + ptmp->prev_entry = table->hash_tails[hp]; + ptmp->index = ptmp->prev_entry->index + 1; + } + table->hash_tails[hp] = ptmp; + ptmp->next_entry = NULL; +} + +/* + * Delete a hash table node + */ + +static void del_tcp_hash_node(struct tcptable *table, struct tcptableent *entry) +{ + struct tcp_hashentry *ptmp; + + ptmp = entry->hash_node; /* ptmp now points to the target */ + + /* + * If the targeted node is the last entry, adjust the corresponding tail + * pointer to the preceeding node; + */ + + if (ptmp->next_entry == NULL) + table->hash_tails[ptmp->hp] = ptmp->prev_entry; + + if (ptmp->prev_entry != NULL) + ptmp->prev_entry->next_entry = ptmp->next_entry; + else + table->hash_table[ptmp->hp] = ptmp->next_entry; + + if (ptmp->next_entry != NULL) + ptmp->next_entry->prev_entry = ptmp->prev_entry; + + free(ptmp); +} + +/* + * Add a new entry to the TCP screen table + */ + +struct tcptableent *addentry(struct tcptable *table, + struct sockaddr_storage *saddr, + struct sockaddr_storage *daddr, + int protocol, char *ifname, + int *rev_lookup, int rvnfd) +{ + struct 
tcptableent *new_entry; + struct closedlist *ctemp; + + /* + * Allocate and attach a new node if no closed entries found + */ + + if (table->closedentries == NULL) { + new_entry = xmalloc(sizeof(struct tcptableent)); + new_entry->oth_connection = xmalloc(sizeof(struct tcptableent)); + + new_entry->oth_connection->oth_connection = new_entry; + + if (table->head == NULL) { + new_entry->prev_entry = NULL; + table->head = new_entry; + + table->firstvisible = new_entry; + } + if (table->tail != NULL) { + table->tail->next_entry = new_entry; + new_entry->prev_entry = table->tail; + } + table->lastpos++; + new_entry->index = table->lastpos; + table->lastpos++; + new_entry->oth_connection->index = table->lastpos; + + table->tail = new_entry->oth_connection; + new_entry->next_entry = new_entry->oth_connection; + new_entry->next_entry->prev_entry = new_entry; + new_entry->next_entry->next_entry = NULL; + + + if (new_entry->oth_connection->index <= + table->firstvisible->index + (table->imaxy - 1)) + table->lastvisible = new_entry->oth_connection; + else if (new_entry->index <= + table->firstvisible->index + (table->imaxy - 1)) + table->lastvisible = new_entry; + + new_entry->reused = new_entry->oth_connection->reused = 0; + table->count++; + + rate_alloc(&new_entry->rate, 5); + rate_alloc(&new_entry->oth_connection->rate, 5); + + print_tcp_num_entries(table); + } else { + /* + * If we reach this point, we're allocating off the list of closed + * entries. In this case, we take the top entry, let the new_entry + * variable point to whatever the top is pointing to. 
The new_entry's + * oth_connection also points to the reused entry's oth_connection + */ + + new_entry = table->closedentries->closedentry; + new_entry->oth_connection = table->closedentries->pair; + + ctemp = table->closedentries; + table->closedentries = table->closedentries->next_entry; + free(ctemp); + + /* + * Mark the closed list's tail as NULL if we use the last entry + * in the list to prevent a dangling reference. + */ + + if (table->closedentries == NULL) + table->closedtail = NULL; + + new_entry->reused = new_entry->oth_connection->reused = 1; + + /* + * Delete the old hash entries for this reallocated node; + */ + + del_tcp_hash_node(table, new_entry); + del_tcp_hash_node(table, new_entry->oth_connection); + } + + /* + * Fill in address fields with raw IP addresses + */ + + sockaddr_copy(&new_entry->saddr, saddr); + sockaddr_copy(&new_entry->oth_connection->daddr, saddr); + sockaddr_copy(&new_entry->daddr, daddr); + sockaddr_copy(&new_entry->oth_connection->saddr, daddr); + new_entry->protocol = protocol; + + /* + * Initialize count fields + */ + + new_entry->pcount = new_entry->bcount = 0; + new_entry->win = new_entry->psize = 0; + new_entry->timedout = new_entry->oth_connection->timedout = 0; + new_entry->oth_connection->pcount = new_entry->oth_connection->bcount = + 0; + new_entry->oth_connection->win = new_entry->oth_connection->psize = 0; + + /* + * Store interface name + */ + + strcpy(new_entry->ifname, ifname); + strcpy(new_entry->oth_connection->ifname, ifname); + + /* + * Zero out MAC address fields + */ + + memset(new_entry->smacaddr, 0, sizeof(new_entry->smacaddr)); + memset(new_entry->oth_connection->smacaddr, 0, sizeof(new_entry->oth_connection->smacaddr)); + + new_entry->stat = new_entry->oth_connection->stat = 0; + + new_entry->s_fstat = + revname(rev_lookup, &new_entry->saddr, + new_entry->s_fqdn, sizeof(new_entry->s_fqdn), rvnfd); + + new_entry->d_fstat = + revname(rev_lookup, &new_entry->daddr, + new_entry->d_fqdn, 
sizeof(new_entry->d_fqdn), rvnfd); + + /* set port service names (where applicable) */ + servlook(sockaddr_get_port(saddr), IPPROTO_TCP, new_entry->s_sname, 10); + servlook(sockaddr_get_port(daddr), IPPROTO_TCP, new_entry->d_sname, 10); + + strcpy(new_entry->oth_connection->s_sname, new_entry->d_sname); + strcpy(new_entry->oth_connection->d_sname, new_entry->s_sname); + + strcpy(new_entry->oth_connection->d_fqdn, new_entry->s_fqdn); + strcpy(new_entry->oth_connection->s_fqdn, new_entry->d_fqdn); + new_entry->oth_connection->s_fstat = new_entry->d_fstat; + new_entry->oth_connection->d_fstat = new_entry->s_fstat; + + if (new_entry->index < new_entry->oth_connection->index) { + new_entry->half_bracket = ACS_ULCORNER; + new_entry->oth_connection->half_bracket = ACS_LLCORNER; + } else { + new_entry->half_bracket = ACS_LLCORNER; + new_entry->oth_connection->half_bracket = ACS_ULCORNER; + } + + new_entry->inclosed = new_entry->oth_connection->inclosed = 0; + new_entry->finack = new_entry->oth_connection->finack = 0; + new_entry->finsent = new_entry->oth_connection->finsent = 0; + new_entry->partial = new_entry->oth_connection->partial = 0; + new_entry->spanbr = new_entry->oth_connection->spanbr = 0; + new_entry->conn_starttime = new_entry->oth_connection->conn_starttime = + time(NULL); + + rate_init(&new_entry->rate); + rate_init(&new_entry->oth_connection->rate); + + /* + * Mark flow rate start time and byte counter for flow computation + * if the highlight bar is on either flow of the new connection. 
+ */ + if (table->barptr == new_entry) { + new_entry->starttime = time(NULL); + new_entry->spanbr = 0; + } else if (table->barptr == new_entry->oth_connection) { + new_entry->oth_connection->starttime = time(NULL); + new_entry->oth_connection->spanbr = 0; + } + + /* + * Add entries to hash table + */ + + add_tcp_hash_entry(table, new_entry); + add_tcp_hash_entry(table, new_entry->oth_connection); + + return new_entry; +} + +void addtoclosedlist(struct tcptable *table, struct tcptableent *entry) +{ + struct closedlist *ctemp; + + ctemp = xmalloc(sizeof(struct closedlist)); + /* + * Point to closed entries + */ + ctemp->closedentry = entry; + ctemp->pair = entry->oth_connection; + entry->inclosed = entry->oth_connection->inclosed = 1; + + /* + * Add node to closed entry list. + */ + + if (table->closedtail != NULL) + table->closedtail->next_entry = ctemp; + + table->closedtail = ctemp; + table->closedtail->next_entry = NULL; + + if (table->closedentries == NULL) + table->closedentries = ctemp; + +} + +static char *tcplog_flowrate_msg(struct tcptableent *entry, char *buf, + size_t bufsize) +{ + time_t interval = time(NULL) - entry->conn_starttime; + + char rbuf[64]; + rate_print(entry->bcount / interval, rbuf, sizeof(rbuf)); + + snprintf(buf, bufsize - 1, "avg flow rate %s", rbuf); + buf[bufsize - 1] = '\0'; + return buf; +} + +void write_timeout_log(int logging, FILE *logfile, struct tcptableent *tcpnode) +{ + char msgstring[MSGSTRING_MAX]; + + if (logging) { + char flowrate1[64]; + char flowrate2[64]; + snprintf(msgstring, MSGSTRING_MAX, + "TCP; Connection %s:%s to %s:%s timed out, %lu packets, %lu bytes, %s; opposite direction %lu packets, %lu bytes, %s", + tcpnode->s_fqdn, tcpnode->s_sname, tcpnode->d_fqdn, + tcpnode->d_sname, tcpnode->pcount, tcpnode->bcount, + tcplog_flowrate_msg(tcpnode, flowrate1, sizeof(flowrate1)), + tcpnode->oth_connection->pcount, + tcpnode->oth_connection->bcount, + tcplog_flowrate_msg(tcpnode->oth_connection, flowrate2, 
sizeof(flowrate2))); + writelog(logging, logfile, msgstring); + } +} + +struct tcptableent *in_table(struct tcptable *table, + struct sockaddr_storage *saddr, + struct sockaddr_storage *daddr, + char *ifname, int logging, + FILE *logfile, time_t timeout) +{ + struct tcp_hashentry *hashptr; + unsigned int hp; + + time_t now; + + if (table->head == NULL) { + return 0; + } + /* + * Determine hash table index for this set of addresses and ports + */ + + hp = tcp_hash(saddr, daddr, ifname); + hashptr = table->hash_table[hp]; + + while (hashptr != NULL) { + if (sockaddr_is_equal(&hashptr->tcpnode->saddr, saddr) + && sockaddr_is_equal(&hashptr->tcpnode->daddr, daddr) + && (strcmp(hashptr->tcpnode->ifname, ifname) == 0)) + break; + + now = time(NULL); + + /* + * Add the timed out entries to the closed list in case we didn't + * find any closed ones. + */ + + if ((timeout > 0) + && ((now - hashptr->tcpnode->lastupdate) / 60 > timeout) + && (!(hashptr->tcpnode->inclosed))) { + hashptr->tcpnode->timedout = 1; + hashptr->tcpnode->oth_connection->timedout = 1; + addtoclosedlist(table, hashptr->tcpnode); + + if (logging) + write_timeout_log(logging, logfile, + hashptr->tcpnode); + } + hashptr = hashptr->next_entry; + } + + if (hashptr != NULL) { /* needed to avoid SIGSEGV */ + if ((((hashptr->tcpnode->finsent == 2) + && (hashptr->tcpnode->oth_connection->finsent == 2))) + || + (((hashptr->tcpnode->stat & FLAG_RST) + || (hashptr->tcpnode->oth_connection-> + stat & FLAG_RST)))) { + return NULL; + } else { + return hashptr->tcpnode; + } + } else { + return NULL; + } +} + + +/* + * Update the TCP status record should an applicable packet arrive. 
+ */ + +void updateentry(struct tcptable *table, struct tcptableent *tableentry, + struct tcphdr *transpacket, char *packet, int linkproto, + unsigned long packetlength, unsigned int bcount, + unsigned int fragofs, int logging, int *revlook, int rvnfd, + FILE *logfile) +{ + char msgstring[MSGSTRING_MAX]; + char newmacaddr[18]; + + if (tableentry->s_fstat != RESOLVED) { + tableentry->s_fstat = + revname(revlook, &tableentry->saddr, tableentry->s_fqdn, + sizeof(tableentry->s_fqdn), rvnfd); + strcpy(tableentry->oth_connection->d_fqdn, tableentry->s_fqdn); + tableentry->oth_connection->d_fstat = tableentry->s_fstat; + } + if (tableentry->d_fstat != RESOLVED) { + tableentry->d_fstat = + revname(revlook, &tableentry->daddr, tableentry->d_fqdn, + sizeof(tableentry->d_fqdn), rvnfd); + strcpy(tableentry->oth_connection->s_fqdn, tableentry->d_fqdn); + tableentry->oth_connection->s_fstat = tableentry->d_fstat; + } + tableentry->pcount++; + tableentry->bcount += bcount; + tableentry->psize = packetlength; + tableentry->spanbr += bcount; + + if (options.mac) { + memset(newmacaddr, 0, sizeof(newmacaddr)); + + + /* change updateentry to take struct pkt to remove this */ + if (linkproto == ARPHRD_ETHER) { + convmacaddr((char *) (((struct ethhdr *) packet)-> + h_source), newmacaddr); + } else if (linkproto == ARPHRD_FDDI) { + convmacaddr((char *) (((struct fddihdr *) packet)-> + saddr), newmacaddr); + } + + if (tableentry->smacaddr[0] != '\0') { + if (strcmp(tableentry->smacaddr, newmacaddr) != 0) { + snprintf(msgstring, MSGSTRING_MAX, + "TCP; %s; from %s:%s to %s:%s: new source MAC address %s (previously %s)", + tableentry->ifname, tableentry->s_fqdn, + tableentry->s_sname, + tableentry->d_fqdn, + tableentry->d_sname, newmacaddr, + tableentry->smacaddr); + writelog(logging, logfile, msgstring); + strcpy(tableentry->smacaddr, newmacaddr); + } + } else + strcpy(tableentry->smacaddr, newmacaddr); + } + + /* + * If this is not the first TCP fragment, skip interpretation of the + * TCP 
header. + */ + + if ((ntohs(fragofs) & 0x1fff) != 0) { + tableentry->lastupdate = + tableentry->oth_connection->lastupdate = time(NULL); + return; + } + /* + * At this point, we have a TCP header, and we proceed to process it. + */ + + if (tableentry->pcount == 1) { + if ((transpacket->syn) || (transpacket->rst)) + tableentry->partial = 0; + else + tableentry->partial = 1; + } + tableentry->win = ntohs(transpacket->window); + + tableentry->stat = 0; + + if (transpacket->syn) + tableentry->stat |= FLAG_SYN; + + if (transpacket->ack) { + tableentry->stat |= FLAG_ACK; + + /* + * The following sequences are used when the ACK is in response to + * a FIN (see comments for FIN below). If the opposite direction + * already has its indicator set to 1 (FIN sent, not ACKed), and + * the incoming ACK has the same sequence number as the previously + * stored FIN's ack number (i.e. the ACK in response to the opposite + * flow's FIN), the opposite direction's state is set to 2 (FIN sent + * and ACKed). + */ + + if ((tableentry->oth_connection->finsent == 1) + && (ntohl(transpacket->seq) == + tableentry->oth_connection->finack)) { + tableentry->oth_connection->finsent = 2; + + if (logging) { + writetcplog(logging, logfile, tableentry, + tableentry->psize, + "FIN acknowleged"); + } + } + } + /* + * The closing sequence is similar, but not identical to the TCP close + * sequence described in the RFC. This sequence is primarily cosmetic. + * + * When a FIN is sent in a direction, a state indicator is set to 1, + * to indicate a FIN sent, but not ACKed yet. For comparison later, + * the acknowlegement number is also saved in the entry. See comments + * in ACK above. + */ + + if (transpacket->fin) { + + /* + * First, we check if the opposite direction has no counts, in which + * case we simply mark the entire connection available for reuse. + * This is in case packets from a machine pass an interface, but + * on the return, completely bypasses any interface on our machine. 
+ * + * Q: Could such a situation really happen in practice? I managed to + * do it but under *really* ridiculous circumstances. + * + * A: (as of version 2.5.0, June 2001): Yes this DOES happen in + * practice. Unidirectional satellite feeds can send data straight + * to a remote network using you as your upstream. + */ + + if (tableentry->oth_connection->pcount == 0) + addtoclosedlist(table, tableentry); + else { + + /* + * That aside, mark the direction as being done, and make it + * ready for a complete close upon receipt of an ACK. We save + * the acknowlegement number for identification of the proper + * ACK packet when it arrives in the other direction. + */ + + tableentry->finsent = 1; + tableentry->finack = ntohl(transpacket->ack_seq); + } + if (logging) { + char flowrate[64]; + sprintf(msgstring, + "FIN sent; %lu packets, %lu bytes, %s", + tableentry->pcount, tableentry->bcount, + tcplog_flowrate_msg(tableentry, flowrate, sizeof(flowrate))); + + writetcplog(logging, logfile, tableentry, + tableentry->psize, msgstring); + } + } + if (transpacket->rst) { + tableentry->stat |= FLAG_RST; + if (!(tableentry->inclosed)) + addtoclosedlist(table, tableentry); + + if (logging) { + char flowrate1[64]; + char flowrate2[64]; + snprintf(msgstring, MSGSTRING_MAX, + "Connection reset; %lu packets, %lu bytes, %s; opposite direction %lu packets, %lu bytes; %s", + tableentry->pcount, tableentry->bcount, + tcplog_flowrate_msg(tableentry, flowrate1, sizeof(flowrate1)), + tableentry->oth_connection->pcount, + tableentry->oth_connection->bcount, + tcplog_flowrate_msg(tableentry->oth_connection, flowrate2, sizeof(flowrate2))); + writetcplog(logging, logfile, tableentry, + tableentry->psize, msgstring); + } + } + if (transpacket->psh) + tableentry->stat |= FLAG_PSH; + + if (transpacket->urg) + tableentry->stat |= FLAG_URG; + + tableentry->lastupdate = tableentry->oth_connection->lastupdate = + time(NULL); + /* + * Shall we add this entry to the closed entry list? 
If both + * directions have their state indicators set to 2, or one direction + * is set to 2, and the other 1, that's it. + */ + + if ((!tableentry->inclosed) + && + (((tableentry->finsent == 2) + && ((tableentry->oth_connection->finsent == 1) + || (tableentry->oth_connection->finsent == 2))) + || ((tableentry->oth_connection->finsent == 2) + && ((tableentry->finsent == 1) + || (tableentry->finsent == 2))))) + addtoclosedlist(table, tableentry); + +} + +/* + * Clears out the resolved IP addresses from the window. This prevents + * overlapping port numbers (in cases where the resolved DNS name is shorter + * than its IP address), that may cause the illusion of large ports. Plus, + * such output, while may be interpreted by people with a little know-how, + * is just plain wrong. + * + * Returns immediately if the entry is not visible in the window. + */ + +void clearaddr(struct tcptable *table, struct tcptableent *tableentry, + unsigned int screen_idx) +{ + unsigned int target_row; + + if ((tableentry->index < screen_idx) + || (tableentry->index > screen_idx + (table->imaxy - 1))) + return; + + target_row = (tableentry->index) - screen_idx; + + wmove(table->tcpscreen, target_row, 1); + wprintw(table->tcpscreen, "%44c", ' '); +} + +/* + * Display a TCP connection line. Returns immediately if the entry is + * not visible in the window. 
+ */ + +void printentry(struct tcptable *table, struct tcptableent *tableentry, + unsigned int screen_idx, int mode) +{ + char stat[7] = ""; + unsigned int target_row; + char sp_buf[MSGSTRING_MAX]; + int normalattr; + int highattr; + + /* + * Set appropriate attributes for this entry + */ + + if (table->barptr == tableentry) { + normalattr = BARSTDATTR; + highattr = BARHIGHATTR; + } else { + normalattr = STDATTR; + highattr = HIGHATTR; + } + + if ((tableentry->index < screen_idx) + || (tableentry->index > screen_idx + (table->imaxy - 1))) + return; + + target_row = (tableentry->index) - screen_idx; + + /* clear the data if it's a reused entry */ + + wattrset(table->tcpscreen, PTRATTR); + wmove(table->tcpscreen, target_row, 2); + if (tableentry->reused) { + scrollok(table->tcpscreen, 0); + sprintf(sp_buf, "%%%dc", COLS - 4); + wprintw(table->tcpscreen, sp_buf, ' '); + scrollok(table->tcpscreen, 1); + tableentry->reused = 0; + wmove(table->tcpscreen, target_row, 1); + } + /* print half of connection indicator bracket */ + + wmove(table->tcpscreen, target_row, 0); + waddch(table->tcpscreen, tableentry->half_bracket); + + /* proceed with the actual entry */ + + wattrset(table->tcpscreen, normalattr); + sprintf(sp_buf, "%%%dc", COLS - 5); + mvwprintw(table->tcpscreen, target_row, 2, sp_buf, ' '); + + sprintf(sp_buf, "%%.%ds:%%.%ds", 32 * COLS / 80, 10); + + wmove(table->tcpscreen, target_row, 1); + wprintw(table->tcpscreen, sp_buf, tableentry->s_fqdn, + tableentry->s_sname); + + wattrset(table->tcpscreen, highattr); + + /* + * Print packet and byte counts or window size and packet size, depending + * on the value of mode. 
+ */ + + switch (mode) { + case 0: + wmove(table->tcpscreen, target_row, 47 * COLS / 80 - 2); + if (tableentry->partial) + wprintw(table->tcpscreen, ">"); + else + wprintw(table->tcpscreen, "="); + wprintw(table->tcpscreen, "%8u ", tableentry->pcount); + wmove(table->tcpscreen, target_row, 59 * COLS / 80 - 4); + wprintw(table->tcpscreen, "%9u ", tableentry->bcount); + break; + case 1: + wmove(table->tcpscreen, target_row, 50 * COLS / 80); + if (tableentry->smacaddr[0] == '\0') + wprintw(table->tcpscreen, " N/A "); + else + wprintw(table->tcpscreen, "%s", tableentry->smacaddr); + break; + case 2: + wmove(table->tcpscreen, target_row, 45 * COLS / 80 + 3); + wprintw(table->tcpscreen, "%5u ", tableentry->psize); + wmove(table->tcpscreen, target_row, 56 * COLS / 80 - 1); + wprintw(table->tcpscreen, "%9u ", tableentry->win); + } + + wattrset(table->tcpscreen, normalattr); + + if (tableentry->finsent == 1) + strcpy(stat, "DONE"); + else if (tableentry->finsent == 2) + strcpy(stat, "CLOS"); + else if (tableentry->stat & FLAG_RST) + strcpy(stat, "RSET"); + else { + strcat(stat, (tableentry->stat & FLAG_SYN) ? "S" : "-"); + strcat(stat, (tableentry->stat & FLAG_PSH) ? "P" : "-"); + strcat(stat, (tableentry->stat & FLAG_ACK) ? "A" : "-"); + strcat(stat, (tableentry->stat & FLAG_URG) ? 
"U" : "-"); + } + + wmove(table->tcpscreen, target_row, 65 * COLS / 80); + wprintw(table->tcpscreen, "%4.4s", stat); + wmove(table->tcpscreen, target_row, 70 * COLS / 80); + wprintw(table->tcpscreen, "%-*.*s", table->ifnamew, table->ifnamew, + tableentry->ifname); +} + +/* + * Redraw the TCP window + */ + +void refreshtcpwin(struct tcptable *table, unsigned int idx, int mode) +{ + struct tcptableent *ptmp; + + setlabels(table->borderwin, mode); + wattrset(table->tcpscreen, STDATTR); + tx_colorwin(table->tcpscreen); + ptmp = table->firstvisible; + + while ((ptmp != NULL) && (ptmp->prev_entry != table->lastvisible)) { + printentry(table, ptmp, idx, mode); + ptmp = ptmp->next_entry; + } + + wmove(table->borderwin, table->bmaxy - 1, 1); + + print_tcp_num_entries(table); + + update_panels(); + doupdate(); +} + +static void destroy_closed_entries(struct tcptable *table) +{ + struct closedlist *closedtemp; + struct closedlist *closedtemp_next; + + if (table->closedentries != NULL) { + closedtemp = table->closedentries; + closedtemp_next = table->closedentries->next_entry; + + while (closedtemp != NULL) { + free(closedtemp); + closedtemp = closedtemp_next; + if (closedtemp_next != NULL) + closedtemp_next = closedtemp_next->next_entry; + } + + table->closedentries = NULL; + table->closedtail = NULL; + } +} + +/* + * Kill the entire TCP table + */ +void destroytcptable(struct tcptable *table) +{ + struct tcptableent *ctemp; + struct tcptableent *c_next_entry; + struct tcp_hashentry *hashtemp; + struct tcp_hashentry *hashtemp_next; + + unsigned int i; + + /* + * Destroy main TCP table + */ + + if (table->head != NULL) { + ctemp = table->head; + c_next_entry = table->head->next_entry; + + while (ctemp != NULL) { + rate_destroy(&ctemp->rate); + free(ctemp); + ctemp = c_next_entry; + + if (c_next_entry != NULL) + c_next_entry = c_next_entry->next_entry; + } + } + /* + * Destroy list of closed entries + */ + + destroy_closed_entries(table); + + /* + * Destroy hash table + */ + + 
for (i = 0; i <= ENTRIES_IN_HASH_TABLE - 1; i++) { + if (table->hash_table[i] != NULL) { + hashtemp = table->hash_table[i]; + hashtemp_next = table->hash_table[i]->next_entry; + + while (hashtemp != NULL) { + free(hashtemp); + hashtemp = hashtemp_next; + + if (hashtemp_next != NULL) + hashtemp_next = + hashtemp_next->next_entry; + } + } + } +} + +/* + * Kill an entry from the TCP table + */ + +static void destroy_tcp_entry(struct tcptable *table, struct tcptableent *ptmp) +{ + if (ptmp->prev_entry != NULL) + ptmp->prev_entry->next_entry = ptmp->next_entry; + else + table->head = ptmp->next_entry; + + if (ptmp->next_entry != NULL) + ptmp->next_entry->prev_entry = ptmp->prev_entry; + else + table->tail = ptmp->prev_entry; + + rate_destroy(&ptmp->rate); + free(ptmp); + + if (table->head == NULL) { + table->firstvisible = NULL; + table->lastvisible = NULL; + } +} + +/* + * Kill all closed entries from the table, and clear the list of closed + * entries. + */ + +void flushclosedentries(struct tcptable *table, unsigned long *screen_idx, + int logging, FILE *logfile) +{ + struct tcptableent *ptmp = table->head; + struct tcptableent *ctmp = NULL; + unsigned long idx = 1; + time_t now; + time_t lastupdated = 0; + + while (ptmp != NULL) { + now = time(NULL); + lastupdated = (now - ptmp->lastupdate) / 60; + + if ((ptmp->inclosed) || (lastupdated > options.timeout)) { + ctmp = ptmp; + /* + * Mark and flush timed out TCP entries. + */ + if (lastupdated > options.timeout) { + if ((!(ptmp->timedout)) && (!(ptmp->inclosed))) { + write_timeout_log(logging, logfile, + ptmp); + ptmp->timedout = + ptmp->oth_connection->timedout = 1; + } + } + + /* + * Advance to next entry and destroy target entry. + */ + ptmp = ptmp->next_entry; + + /* + * If the targeted entry is highlighted, and the next entry is + * not NULL (we're still in the list) we move the bar pointer to + * the next entry otherwise we move it to the previous entry. 
+ */ + if (ptmp != NULL) { + if (table->barptr == ctmp) { + table->barptr = ptmp; + } + } else { + if (table->barptr == ctmp) { + table->barptr = + table->barptr->prev_entry; + } + } + + /* + * Do the dirty deed + */ + del_tcp_hash_node(table, ctmp); + destroy_tcp_entry(table, ctmp); + + /* + * Adjust screen index if the deleted entry was "above" + * the screen. + */ + if (idx < *screen_idx) + (*screen_idx)--; + } else { + /* + * Set the first visible pointer once the index matches + * the screen index. + */ + if (idx == *screen_idx) + table->firstvisible = ptmp; + + /* + * Keep setting the last visible pointer until the scan + * index "leaves" the screen + */ + if (idx <= (*screen_idx) + (table->imaxy - 1)) + table->lastvisible = ptmp; + + ptmp->index = idx; + idx++; + ptmp = ptmp->next_entry; + } + } + + table->lastpos = idx - 1; + table->count = table->lastpos / 2; + destroy_closed_entries(table); + + /* + * Shift entries down if the deletion causes the last entry to + * occupy anywhere other than the last line of the TCP display + * window. + */ + + if (table->head != NULL) { + /* + * Point screen index to the last table entry if the tail entry is + * "above" the screen index. Set the firstvisible pointer to that + * as well. + */ + if (table->tail->index < *screen_idx) { + *screen_idx = table->tail->index; + table->firstvisible = table->tail; + } + + /* + * Move the screen index and firstvisible entry up until the tail + * hits the bottom of the window (tail is at screen index plus + * screen length minus 1) or the firstvisible pointer hits the + * head of the table. The highlight bar should "go along" with + * the shifting. + */ + while ((table->tail->index < *screen_idx + table->imaxy - 1) + && (table->firstvisible->prev_entry != NULL)) { + table->firstvisible = table->firstvisible->prev_entry; + (*screen_idx)--; + } + + /* + * Set the bar position index once everything's done. 
+ */ + table->baridx = table->barptr->index - *screen_idx + 1; + } +} + +void writetcplog(int logging, FILE *fd, struct tcptableent *entry, + unsigned int pktlen, char *message) +{ + char msgbuf[MSGSTRING_MAX]; + + if (logging) { + if (options.mac) { + snprintf(msgbuf, MSGSTRING_MAX, + "TCP; %s; %u bytes; from %s:%s to %s:%s (source MAC addr %s); %s", + entry->ifname, pktlen, entry->s_fqdn, + entry->s_sname, entry->d_fqdn, entry->d_sname, + entry->smacaddr, message); + } else { + snprintf(msgbuf, MSGSTRING_MAX, + "TCP; %s; %u bytes; from %s:%s to %s:%s; %s", + entry->ifname, pktlen, entry->s_fqdn, + entry->s_sname, entry->d_fqdn, entry->d_sname, + message); + } + + writelog(logging, fd, msgbuf); + } +} + +void write_tcp_unclosed(int logging, FILE *fd, struct tcptable *table) +{ + char msgbuf[MSGSTRING_MAX]; + + struct tcptableent *entry = table->head; + + while (entry != NULL) { + if ((entry->finsent == 0) && ((entry->stat & FLAG_RST) == 0) + && (!(entry->inclosed))) { + sprintf(msgbuf, + "TCP; %s; active; from %s:%s to %s:%s; %lu packets, %lu bytes", + entry->ifname, entry->s_fqdn, entry->s_sname, + entry->d_fqdn, entry->d_sname, entry->pcount, + entry->bcount); + writelog(logging, fd, msgbuf); + } + entry = entry->next_entry; + } +} diff --git a/src/tcptable.h b/src/tcptable.h new file mode 100644 index 0000000..ec1711a --- /dev/null +++ b/src/tcptable.h 
@@ -0,0 +1,147 @@
+#ifndef IPTRAF_NG_TCPTABLE_H
+#define IPTRAF_NG_TCPTABLE_H
+
+/***
+
+ tcptable.h -- table manipulation for the statistics display.
+
+***/
+
+#include "rate.h"
+
+/*
+ * max() macros that also do
+ * strict type-checking.. See the
+ * "unnecessary" pointer comparison.
+ */
+#define max(x, y) ({ \
+ typeof(x) _max1 = (x); \
+ typeof(y) _max2 = (y); \
+ (void) (&_max1 == &_max2); \
+ _max1 > _max2 ? _max1 : _max2; })
+
+#define FLAG_SYN 1
+#define FLAG_RST 2
+#define FLAG_PSH 4
+#define FLAG_ACK 8
+#define FLAG_URG 16
+
+#define CLOSED 64
+
+#define ENTRIES_IN_HASH_TABLE 1543
+
+struct tcptableent {
+ struct sockaddr_storage saddr;
+ struct sockaddr_storage daddr;
+ char s_fqdn[45]; /* fully-qualified domain names */
+ char d_fqdn[45];
+ int s_fstat;
+ int d_fstat;
+ char smacaddr[18];
+ char s_sname[11]; /* Service names, maxlen=10 */
+ char d_sname[11];
+ unsigned int protocol;
+ unsigned long pcount; /* packet count */
+ unsigned long bcount; /* byte count */
+ unsigned int stat; /* TCP flags */
+ unsigned int win;
+ unsigned int psize;
+ unsigned long finack;
+ int partial;
+ int finsent;
+ char ifname[IFNAMSIZ];
+ unsigned int index;
+ int reused;
+ int timedout;
+ int inclosed;
+ int half_bracket;
+ unsigned long spanbr;
+ struct rate rate;
+ time_t lastupdate;
+ time_t starttime;
+ time_t conn_starttime;
+ struct tcp_hashentry *hash_node;
+ struct tcptableent *oth_connection; /* the other half of the connection */
+ struct tcptableent *prev_entry;
+ struct tcptableent *next_entry;
+};
+
+struct closedlist {
+ struct tcptableent *closedentry;
+ struct tcptableent *pair;
+ struct closedlist *next_entry;
+};
+
+struct tcp_hashentry {
+ unsigned int index;
+ unsigned int hp; /* index position in bucket array */
+ struct tcptableent *tcpnode;
+ struct tcp_hashentry *prev_entry;
+ struct tcp_hashentry *next_entry;
+};
+
+struct tcptable {
+ struct tcp_hashentry *hash_table[ENTRIES_IN_HASH_TABLE];
+ struct tcp_hashentry
*hash_tails[ENTRIES_IN_HASH_TABLE];
+ struct tcptableent *head;
+ struct tcptableent *tail;
+ struct closedlist *closedentries;
+ struct closedlist *closedtail;
+ struct tcptableent *firstvisible;
+ struct tcptableent *lastvisible;
+ struct tcptableent *barptr;
+ unsigned int baridx;
+ unsigned int lastpos;
+ unsigned int count;
+ unsigned int bmaxy; /* number of lines of the border window */
+ unsigned int imaxy; /* number of lines inside the border */
+ int ifnamew; /* interface name width to display */
+ WINDOW *tcpscreen;
+ PANEL *tcppanel;
+ WINDOW *borderwin;
+ PANEL *borderpanel;
+};
+
+void init_tcp_table(struct tcptable *table);
+
+struct tcptableent *addentry(struct tcptable *table,
+ struct sockaddr_storage *saddr,
+ struct sockaddr_storage *daddr,
+ int protocol, char *ifname,
+ int *rev_lookup, int rvnamedon);
+
+struct tcptableent *in_table(struct tcptable *table,
+ struct sockaddr_storage *saddr,
+ struct sockaddr_storage *daddr,
+ char *ifname, int logging,
+ FILE *logfile, time_t timeout);
+
+void updateentry(struct tcptable *table, struct tcptableent *tableentry,
+ struct tcphdr *transpacket, char *packet, int linkproto,
+ unsigned long packetlength, unsigned int bcount,
+ unsigned int fragofs, int logging, int *revlook, int rvnfd,
+ FILE *logfile);
+
+void addtoclosedlist(struct tcptable *table, struct tcptableent *tableentry);
+
+void clearaddr(struct tcptable *table, struct tcptableent *tableentry,
+ unsigned int screen_idx);
+
+void printentry(struct tcptable *table, struct tcptableent *tableentry,
+ unsigned int screen_idx, int mode);
+
+void refreshtcpwin(struct tcptable *table, unsigned int idx, int mode);
+
+void destroytcptable(struct tcptable *table);
+
+void flushclosedentries(struct tcptable *table, unsigned long *screen_idx,
+ int logging, FILE *logfile);
+
+void write_timeout_log(int logging, FILE *logfile, struct tcptableent *tcpnode);
+
+void writetcplog(int logging, FILE *fd, struct tcptableent *entry,
+ unsigned int pktlen, char
*message);
+
+void write_tcp_unclosed(int logging, FILE *fd, struct tcptable *table);
+
+#endif /* IPTRAF_NG_TCPTABLE_H */
diff --git a/src/timer.c b/src/timer.c
new file mode 100644
index 0000000..64bef53
--- /dev/null
+++ b/src/timer.c
@@ -0,0 +1,26 @@
+/* For terms of usage/redistribution/modification see the LICENSE file */
+/* For authors and contributors see the AUTHORS file */
+
+/***
+
+timer.c - module to display the elapsed time since a facility
+ was started
+
+***/
+
+#include "iptraf-ng-compat.h"
+
+void printelapsedtime(time_t start, time_t now, int y, int x, WINDOW * win)
+{
+ time_t elapsed;
+ unsigned int hours;
+ unsigned int mins;
+
+ elapsed = now - start;
+
+ hours = elapsed / 3600;
+ mins = (elapsed % 3600) / 60;
+
+ wmove(win, y, x);
+ wprintw(win, " Elapsed time: %3u:%02u ", hours, mins);
+}
diff --git a/src/timer.h b/src/timer.h
new file mode 100644
index 0000000..24bbf9d
--- /dev/null
+++ b/src/timer.h
@@ -0,0 +1,6 @@
+#ifndef IPTRAF_NG_TIMER_H
+#define IPTRAF_NG_TIMER_H
+
+void printelapsedtime(time_t start, time_t now, int y, int x, WINDOW * win);
+
+#endif /* IPTRAF_NG_TIMER_H */
diff --git a/src/tui/README b/src/tui/README
new file mode 100644
index 0000000..7087213
--- /dev/null
+++ b/src/tui/README
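Review bot: In printelapsedtime, `elapsed = now - start` is a signed time_t difference that is then divided and stored into the unsigned `hours`/`mins`; if `now` is earlier than `start` (for instance after the wall clock is stepped back) the negative quotient converts to a very large unsigned value and the window shows a nonsense elapsed time. A clamp before the division, `if (elapsed < 0) elapsed = 0;`, keeps the display sane; using a monotonic clock for `start`/`now` would be the fuller fix, but that sits in the callers, which are outside this hunk. The `%3u` field also stops aligning once hours exceed 999, which is only cosmetic.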
@@ -0,0 +1,25 @@ +========================================================================= +IPTraf User Interface Support Library README +------------------------------------------------------------------------- + +Some of the more reusable user-interface functions originally part of the +IPTraf source tree have been recoded and moved to this directory as a +support library. This way it would be easier for interested developers to +use these functions in other programs. + +Full programming information will be provided in an upcoming separate +release of this library although documentation may be provided via mail +should there be any requests for it. + +Then again, there's always the IPTraf source code. + +RELEASE INFORMATION + +This is currently code derived from IPTraf, and is for now released under +the GNU General Public License version 2 or any later version. I may +release it as a separate package soon under a less restrictive +license. Should you be interested in this little library, and you have a +concern regarding the GPL, I can still be reached privately via +<riker@seul.org>. + +Gerard diff --git a/src/tui/input.c b/src/tui/input.c new file mode 100644 index 0000000..b0742c3 --- /dev/null +++ b/src/tui/input.c 
@@ -0,0 +1,192 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +input.c - a custom keyboard input module + +***/ + +#include "iptraf-ng-compat.h" + +#include "input.h" + +void tx_initfields(struct FIELDLIST *list, int leny, int lenx, int begy, + int begx, int dlgtextattr, int fieldattr) +{ + list->list = NULL; + list->fieldwin = newwin(leny, lenx, begy, begx); + list->fieldpanel = new_panel(list->fieldwin); + tx_stdwinset(list->fieldwin); + wtimeout(list->fieldwin, -1); + wattrset(list->fieldwin, dlgtextattr); + tx_colorwin(list->fieldwin); + update_panels(); + doupdate(); + + list->dlgtextattr = dlgtextattr; + list->fieldattr = fieldattr; +} + +void tx_addfield(struct FIELDLIST *list, unsigned int len, unsigned int y, + unsigned int x, const char *initstr) +{ + struct FIELD *newfield; + unsigned int i; + + newfield = xmalloc(sizeof(struct FIELD)); + + if (list->list == NULL) { + list->list = newfield; + newfield->prevfield = newfield; + newfield->nextfield = newfield; + } else { + newfield->prevfield = list->list->prevfield; + list->list->prevfield->nextfield = newfield; + list->list->prevfield = newfield; + newfield->nextfield = list->list; + } + + newfield->xpos = x; + newfield->ypos = y; + newfield->len = len; + newfield->tlen = strlen(initstr); + newfield->buf = xmallocz(len + 1); + strncpy(newfield->buf, initstr, len); + + if (newfield->tlen > (len)) + newfield->tlen = len; + + wattrset(list->fieldwin, list->fieldattr); + wmove(list->fieldwin, y, x); + for (i = 1; i <= len; i++) + wprintw(list->fieldwin, " "); + + wmove(list->fieldwin, y, x); + wprintw(list->fieldwin, "%s", newfield->buf); + + update_panels(); + doupdate(); +} + +void tx_getinput(struct FIELDLIST *list, struct FIELD *field, int *exitkey) +{ + int ch; + int y, x; + int endloop = 0; + + wmove(list->fieldwin, field->ypos, field->xpos); + wattrset(list->fieldwin, list->fieldattr); + 
wprintw(list->fieldwin, "%s", field->buf); + update_panels(); + doupdate(); + + do { + ch = wgetch(list->fieldwin); + switch (ch) { + case KEY_BACKSPACE: + case 7: + case 8: + case KEY_DC: + case KEY_LEFT: + case 127: + if (field->tlen > 0) { + getyx(list->fieldwin, y, x); + x--; + wmove(list->fieldwin, y, x); + wprintw(list->fieldwin, " "); + wmove(list->fieldwin, y, x); + field->tlen--; + field->buf[field->tlen] = '\0'; + } + break; + case 9: + case 27: + case 24: + case 13: + case 10: + case KEY_UP: + case KEY_DOWN: + endloop = 1; + *exitkey = ch; + + break; + case 12: + tx_refresh_screen(); + break; + default: + if ((field->tlen < field->len) + && ((ch >= 32) && (ch <= 127))) { + wprintw(list->fieldwin, "%c", ch); + if (ch == ' ') { + getyx(list->fieldwin, y, x); + wmove(list->fieldwin, y, x); + } + field->buf[field->tlen + 1] = '\0'; + field->buf[field->tlen] = ch; + field->tlen++; + } + break; + } + + doupdate(); + } while (!endloop); +} + +void tx_fillfields(struct FIELDLIST *list, int *aborted) +{ + struct FIELD *field; + int exitkey; + int endloop = 0; + + field = list->list; + + curs_set(1); + do { + tx_getinput(list, field, &exitkey); + + switch (exitkey) { + case 9: + case KEY_DOWN: + field = field->nextfield; + break; + case KEY_UP: + field = field->prevfield; + break; + case 13: + case 10: + *aborted = 0; + endloop = 1; + break; + case 27: + case 24: + *aborted = 1; + endloop = 1; + break; + } + } while (!endloop); + + curs_set(0); +} + +void tx_destroyfields(struct FIELDLIST *list) +{ + struct FIELD *ptmp; + struct FIELD *pnext; + + list->list->prevfield->nextfield = NULL; + ptmp = list->list; + pnext = list->list->nextfield; + + do { + free(ptmp); + + ptmp = pnext; + if (pnext != NULL) { + pnext = pnext->nextfield; + } + } while (ptmp != NULL); + + del_panel(list->fieldpanel); + delwin(list->fieldwin); +} diff --git a/src/tui/input.h b/src/tui/input.h new file mode 100644 index 0000000..f8a78b5 --- /dev/null +++ b/src/tui/input.h 
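Review bot: tx_destroyfields frees each struct FIELD but never frees the `buf` that tx_addfield allocated with `xmallocz(len + 1)`, so every dialog leaks one buffer per field; the loop body should be `free(ptmp->buf); free(ptmp);`. It also dereferences `list->list->prevfield` unconditionally, so a FIELDLIST that was initialised but never given a field crashes on destruction — wrapping the unlink and the free loop in `if (list->list != NULL) { ... }` avoids that, and tx_fillfields has the same unguarded `list->list` access when it starts on an empty list. Separately, tx_addfield's `strncpy(newfield->buf, initstr, len)` is only NUL-terminated because xmallocz zeroes the extra byte; a comment such as `/* buf has len + 1 zeroed bytes, so the copy stays terminated */` would keep a later switch to plain xmalloc from silently breaking it.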
@@ -0,0 +1,40 @@
+#ifndef IPTRAF_NG_TUI_INPUT_H
+#define IPTRAF_NG_TUI_INPUT_H
+
+/***
+
+input.h - structure declarations and function prototypes for input.c
+
+***/
+
+#include "winops.h"
+
+#define CTRL_X 24
+
+struct FIELD {
+ char *buf;
+ unsigned int len;
+ unsigned int tlen;
+ unsigned int xpos;
+ unsigned int ypos;
+ struct FIELD *prevfield;
+ struct FIELD *nextfield;
+};
+
+struct FIELDLIST {
+ struct FIELD *list;
+ WINDOW *fieldwin;
+ PANEL *fieldpanel;
+ int dlgtextattr;
+ int fieldattr;
+};
+
+void tx_initfields(struct FIELDLIST *list, int leny, int lenx, int begy,
+ int begx, int dlgtextattr, int dlgfieldattr);
+void tx_addfield(struct FIELDLIST *list, unsigned int len, unsigned int y,
+ unsigned int x, const char *initstr);
+void tx_getinput(struct FIELDLIST *list, struct FIELD *field, int *exitkey);
+void tx_fillfields(struct FIELDLIST *list, int *aborted);
+void tx_destroyfields(struct FIELDLIST *list);
+
+#endif /* IPTRAF_NG_TUI_INPUT_H */
diff --git a/src/tui/labels.c b/src/tui/labels.c
new file mode 100644
index 0000000..e4e11fb
--- /dev/null
+++ b/src/tui/labels.c
@@ -0,0 +1,39 @@
+/* For terms of usage/redistribution/modification see the LICENSE file */
+/* For authors and contributors see the AUTHORS file */
+
+/*
+ * labels.c - some common keyhelp printing routines for the iptraf
+ * user interface library
+ */
+
+#include "iptraf-ng-compat.h"
+
+#include "winops.h"
+
+void tx_printkeyhelp(char *keytext, char *desc, WINDOW * win, int highattr,
+ int textattr)
+{
+ wattrset(win, highattr);
+ wprintw(win, "%s", keytext);
+ wattrset(win, textattr);
+ wprintw(win, "%s", desc);
+}
+
+void tx_menukeyhelp(int textattr, int highattr)
+{
+ move(LINES - 1, 1);
+ tx_printkeyhelp("Up/Down", "-Move selector ", stdscr, highattr,
+ textattr);
+ tx_printkeyhelp("Enter", "-execute", stdscr, highattr, textattr);
+ tx_coloreol();
+}
+
+void tx_listkeyhelp(int textattr, int highattr)
+{
+ move(LINES - 1, 1);
+ tx_printkeyhelp("Up/Down", "-move pointer ", stdscr, highattr,
+ textattr);
+ tx_printkeyhelp("Enter", "-select ", stdscr, highattr, textattr);
+ tx_printkeyhelp("X/Ctrl+X", "-close list", stdscr, highattr, textattr);
+ tx_coloreol();
+}
diff --git a/src/tui/labels.h b/src/tui/labels.h
new file mode 100644
index 0000000..4be8232
--- /dev/null
+++ b/src/tui/labels.h
@@ -0,0 +1,9 @@
+#ifndef IPTRAF_NG_TUI_LABELS_H
+#define IPTRAF_NG_TUI_LABELS_H
+
+void tx_printkeyhelp(char *keytext, char *desc, WINDOW * win, int highattr,
+ int textattr);
+void tx_menukeyhelp(int textattr, int highattr);
+void tx_listkeyhelp(int textattr, int highattr);
+
+#endif /* IPTRAF_NG_TUI_LABELS_H */
diff --git a/src/tui/listbox.c b/src/tui/listbox.c
new file mode 100644
index 0000000..a9d528c
--- /dev/null
+++ b/src/tui/listbox.c
@@ -0,0 +1,209 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/* + * listbox.c - scrollable listbox management module + */ + +#include "iptraf-ng-compat.h" + +#include "winops.h" +#include "labels.h" +#include "listbox.h" +#include "msgboxes.h" + +void tx_init_listbox(struct scroll_list *list, int width, int height, + int startx, int starty, int mainattr, int borderattr, + int selectattr, int keyattr) +{ + memset(list, 0, sizeof(struct scroll_list)); + list->borderwin = newwin(height, width, starty, startx); + list->borderpanel = new_panel(list->borderwin); + wattrset(list->borderwin, borderattr); + tx_box(list->borderwin, ACS_VLINE, ACS_HLINE); + + list->win = newwin(height - 2, width - 2, starty + 1, startx + 1); + list->panel = new_panel(list->win); + wattrset(list->win, mainattr); + tx_colorwin(list->win); + + list->mainattr = mainattr; + list->selectattr = selectattr; + list->height = height; + list->width = width; + list->keyattr = keyattr; + + tx_stdwinset(list->win); + scrollok(list->win, 0); +} + +void tx_set_listbox_title(struct scroll_list *list, char *text, int x) +{ + mvwprintw(list->borderwin, 0, x, " %s ", text); +} + +void tx_add_list_entry(struct scroll_list *list, char *node, char *text) +{ + struct textlisttype *ptmp; + + ptmp = xmallocz(sizeof(struct textlisttype)); + + strncpy(ptmp->text, text, MAX_TEXT_LENGTH); + ptmp->nodeptr = node; + + if (list->textlist == NULL) { + list->textlist = ptmp; + ptmp->prev_entry = NULL; + } else { + list->texttail->next_entry = ptmp; + ptmp->prev_entry = list->texttail; + } + + list->texttail = ptmp; + ptmp->next_entry = NULL; +} + +void tx_show_listbox(struct scroll_list *list) +{ + int i = 0; + struct textlisttype *tptr = list->textlist; + + while ((i <= list->height - 3) && (tptr != NULL)) { + mvwprintw(list->win, i, 1, tptr->text); + tptr = tptr->next_entry; + i++; + } + + update_panels(); + doupdate(); +} + +void 
tx_operate_listbox(struct scroll_list *list, int *keystroke, int *aborted) +{ + int ch; + int endloop = 0; + int row = 0; + char padding[MAX_TEXT_LENGTH]; + char sp_buf[10]; + + if (list->textlist == NULL) { + tui_error(ANYKEY_MSG, "No list entries"); + *aborted = 1; + return; + } + + list->textptr = list->textlist; + + tx_listkeyhelp(list->mainattr, list->keyattr); + update_panels(); + doupdate(); + + while (!endloop) { + snprintf(sp_buf, 9, "%%%zuc", + list->width - strlen(list->textptr->text) - 3); + snprintf(padding, MAX_TEXT_LENGTH - 1, sp_buf, ' '); + wattrset(list->win, list->selectattr); + mvwprintw(list->win, row, 0, " %s%s", list->textptr->text, + padding); + + ch = wgetch(list->win); + + wattrset(list->win, list->mainattr); + mvwprintw(list->win, row, 0, " %s%s", list->textptr->text, + padding); + + switch (ch) { + case KEY_UP: + if (list->textptr == NULL) + continue; + + if (list->textptr->prev_entry != NULL) { + if (row == 0) { + scrollok(list->win, 1); + wscrl(list->win, -1); + scrollok(list->win, 0); + } else + row--; + + list->textptr = list->textptr->prev_entry; + } + break; + case KEY_DOWN: + if (list->textptr == NULL) + continue; + + if (list->textptr->next_entry != NULL) { + if (row == list->height - 3) { + scrollok(list->win, 1); + wscrl(list->win, 1); + scrollok(list->win, 0); + } else + row++; + + list->textptr = list->textptr->next_entry; + } + break; + case 13: + *aborted = 0; + endloop = 1; + break; + case 27: + case 'x': + case 'X': + case 24: + *aborted = 1; + endloop = 1; + case 12: + case 'l': + case 'L': + tx_refresh_screen(); + break; + } + } + *keystroke = ch; +} + +void tx_hide_listbox(struct scroll_list *list) +{ + hide_panel(list->panel); + hide_panel(list->borderpanel); + update_panels(); + doupdate(); +} + +void tx_unhide_listbox(struct scroll_list *list) +{ + show_panel(list->panel); + show_panel(list->panel); + update_panels(); + doupdate(); +} + +void tx_close_listbox(struct scroll_list *list) +{ + del_panel(list->panel); + 
del_panel(list->borderpanel); + delwin(list->win); + delwin(list->borderwin); + + update_panels(); + doupdate(); +} + +void tx_destroy_list(struct scroll_list *list) +{ + struct textlisttype *ttmp = list->textlist; + struct textlisttype *ctmp; + + if (ttmp != NULL) { + ctmp = ttmp->next_entry; + + while (ttmp != NULL) { + free(ttmp); + ttmp = ctmp; + + if (ctmp != NULL) + ctmp = ctmp->next_entry; + } + } +} diff --git a/src/tui/listbox.h b/src/tui/listbox.h new file mode 100644 index 0000000..75637ff --- /dev/null +++ b/src/tui/listbox.h 
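Review bot: tx_show_listbox passes the entry text itself as the format string, `mvwprintw(list->win, i, 1, tptr->text);`, so any `%` in a list entry is parsed as a conversion that consumes arguments that were never passed; it should be `mvwprintw(list->win, i, 1, "%s", tptr->text);`. In tx_unhide_listbox the second `show_panel(list->panel)` looks like a copy-paste slip for `show_panel(list->borderpanel)`, so the border stays hidden after an unhide. tx_add_list_entry's `strncpy(ptmp->text, text, MAX_TEXT_LENGTH)` leaves `text` unterminated when the input is MAX_TEXT_LENGTH bytes or longer; copying `MAX_TEXT_LENGTH - 1` keeps the zeroed last byte from xmallocz as the terminator. In tx_operate_listbox the abort cases (`case 27`, `'x'`, `'X'`, `24`) fall through into the refresh case without a `break` or a fallthrough comment, and `list->width - strlen(list->textptr->text) - 3` wraps to a huge size_t once the text is at least `width - 3` characters, feeding a bogus field width into sp_buf.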
@@ -0,0 +1,47 @@
+#ifndef IPTRAF_NG_TUI_LISTBOX_H
+#define IPTRAF_NG_TUI_LISTBOX_H
+
+#define MAX_TEXT_LENGTH 240
+
+struct textlisttype {
+ char text[MAX_TEXT_LENGTH];
+ int cellwidth[10]; /* up to 10 cells per line */
+ char *nodeptr; /* generic pointer, cast to appropriate type */
+ struct textlisttype *next_entry;
+ struct textlisttype *prev_entry;
+};
+
+struct scroll_list {
+ char *mainlist; /* generic pointer, cast to appropriate type */
+ char *mlistptr; /* generic pointer, cast to appropriate type */
+ struct textlisttype *textlist; /* list of raw text entries */
+ struct textlisttype *texttail;
+ struct textlisttype *textptr;
+ int height;
+ int width;
+ int mainattr;
+ int selectattr;
+ int keyattr;
+ char *exitkeys;
+
+ WINDOW *win;
+ PANEL *panel;
+ WINDOW *borderwin;
+ PANEL *borderpanel;
+
+};
+void tx_init_listbox(struct scroll_list *list, int width, int height,
+ int startx, int starty, int mainattr, int borderattr,
+ int selectattr, int keyattr);
+void tx_set_listbox_title(struct scroll_list *list, char *text, int x);
+void tx_add_list_entry(struct scroll_list *list, char *node, char *text);
+void tx_show_listbox(struct scroll_list *list);
+void tx_operate_listbox(struct scroll_list *list, int *keystroke, int *aborted);
+void tx_hide_listbox(struct scroll_list *list);
+void tx_unhide_listbox(struct scroll_list *list);
+void tx_close_listbox(struct scroll_list *list);
+void tx_destroy_list(struct scroll_list *list);
+
+#define tx_destroy_listbox tx_destroy_list
+
+#endif /* IPTRAF_NG_TUI_LISTBOX_H */
diff --git a/src/tui/menurt.c b/src/tui/menurt.c
new file mode 100644
index 0000000..265e297
--- /dev/null
+++ b/src/tui/menurt.c
@@ -0,0 +1,289 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +menurt.c - ncurses-based menu definition module + +***/ + +#include "iptraf-ng-compat.h" + +#include "menurt.h" +#include "winops.h" +#include "labels.h" + +/* initialize menu system */ + +void tx_initmenu(struct MENU *menu, int y1, int x1, int y2, int x2, + int borderattr, int normalattr, int highattr, + int barnormalattr, int barhighattr, int descattr) +{ + menu->itemlist = NULL; + menu->itemcount = 0; + strcpy(menu->shortcuts, ""); + menu->x1 = x1; + menu->y1 = y1; + menu->x2 = x2; + menu->y2 = y2; + menu->menuwin = newwin(y1, x1, y2, x2); + menu->menupanel = new_panel(menu->menuwin); + menu->menu_maxx = x1 - 2; + + keypad(menu->menuwin, 1); + meta(menu->menuwin, 1); + noecho(); + wtimeout(menu->menuwin, -1); /* block until input */ + notimeout(menu->menuwin, 0); /* disable Esc timer */ + nonl(); + cbreak(); + + menu->borderattr = borderattr; + menu->normalattr = normalattr; + menu->highattr = highattr; + menu->barnormalattr = barnormalattr; + menu->barhighattr = barhighattr; + menu->descriptionattr = descattr; +} + +/* add menu item */ + +void tx_additem(struct MENU *menu, char *item, char *desc) +{ + struct ITEM *tnode; + char cur_option[OPTIONSTRLEN_MAX]; + char thekey[2]; + + if (menu->itemcount >= 25) + return; + + tnode = xmalloc(sizeof(struct ITEM)); + + if (item != NULL) { + strcpy(tnode->option, item); + strcpy(tnode->desc, desc); + tnode->itemtype = REGULARITEM; + + strcpy(cur_option, item); + strtok(cur_option, "^"); + strcpy(thekey, strtok(NULL, "^")); + thekey[0] = toupper(thekey[0]); + strcat(menu->shortcuts, thekey); + } else { + tnode->itemtype = SEPARATOR; + strcat(menu->shortcuts, "^"); /* mark shortcut position for seps */ + } + + if (menu->itemlist == NULL) { + menu->itemlist = tnode; + } else { + menu->lastitem->next = tnode; + tnode->prev = menu->lastitem; + } + + 
menu->itemlist->prev = tnode; + menu->lastitem = tnode; + tnode->next = menu->itemlist; + menu->itemcount++; +} + +/* show each individual item */ + +void tx_showitem(struct MENU *menu, struct ITEM *itemptr, int selected) +{ + int hiattr = 0; + int loattr = 0; + int ctr; + char curoption[OPTIONSTRLEN_MAX]; + char padding[OPTIONSTRLEN_MAX]; + + if (itemptr->itemtype == REGULARITEM) { + switch (selected) { + case NOTSELECTED: + hiattr = menu->highattr; + loattr = menu->normalattr; + break; + case SELECTED: + hiattr = menu->barhighattr; + loattr = menu->barnormalattr; + break; + } + + strcpy(curoption, itemptr->option); + + wattrset(menu->menuwin, loattr); + wprintw(menu->menuwin, "%s", strtok(curoption, "^")); + wattrset(menu->menuwin, hiattr); + wprintw(menu->menuwin, "%s", strtok(NULL, "^")); + wattrset(menu->menuwin, loattr); + wprintw(menu->menuwin, "%s", strtok(NULL, "^")); + + strcpy(padding, ""); + + for (ctr = strlen(itemptr->option); ctr <= menu->x1 - 1; ctr++) + strcat(padding, " "); + + wprintw(menu->menuwin, "%s", padding); + } else { + wattrset(menu->menuwin, menu->borderattr); + whline(menu->menuwin, ACS_HLINE, menu->menu_maxx); + } + + update_panels(); + doupdate(); +} + +/* repeatedly calls tx_showitem to display individual items */ + +void tx_showmenu(struct MENU *menu) +{ + struct ITEM *itemptr; /* points to each item in turn */ + int ctr = 1; /* counts each item */ + + wattrset(menu->menuwin, menu->borderattr); /* set to bg+/b */ + tx_colorwin(menu->menuwin); /* color window */ + tx_box(menu->menuwin, ACS_VLINE, ACS_HLINE); /* draw border */ + + itemptr = menu->itemlist; /* point to start */ + + wattrset(menu->menuwin, menu->normalattr); + + do { /* display items */ + wmove(menu->menuwin, ctr, 1); + tx_showitem(menu, itemptr, NOTSELECTED); /* show items, initially unselected */ + ctr++; + itemptr = itemptr->next; + } while (ctr <= menu->itemcount); + + update_panels(); + doupdate(); +} + +void menumoveto(struct MENU *menu, struct ITEM **itemptr, 
unsigned int row) +{ + struct ITEM *tnode; + unsigned int i; + + tnode = menu->itemlist; + for (i = 1; i < row; i++) + tnode = tnode->next; + + *itemptr = tnode; +} + +/* + * Actually do the menu operation after all the initialization + */ + +void tx_operatemenu(struct MENU *menu, int *position, int *aborted) +{ + struct ITEM *itemptr; + int row = *position; + int endloop = 0; + int ch; + char *keyptr; + + tx_menukeyhelp(menu->normalattr, menu->highattr); + *aborted = 0; + menumoveto(menu, &itemptr, row); + + menu->descwin = newwin(1, COLS, LINES - 2, 0); + menu->descpanel = new_panel(menu->descwin); + + do { + wmove(menu->menuwin, row, 1); + tx_showitem(menu, itemptr, SELECTED); + + /* + * Print item description + */ + + wattrset(menu->descwin, menu->descriptionattr); + tx_colorwin(menu->descwin); + wmove(menu->descwin, 0, 0); + wprintw(menu->descwin, " %s", itemptr->desc); + update_panels(); + doupdate(); + + wmove(menu->menuwin, row, 2); + ch = wgetch(menu->menuwin); + wmove(menu->menuwin, row, 1); + tx_showitem(menu, itemptr, NOTSELECTED); + + switch (ch) { + case KEY_UP: + if (row == 1) + row = menu->itemcount; + else + row--; + + itemptr = itemptr->prev; + + if (itemptr->itemtype == SEPARATOR) { + row--; + itemptr = itemptr->prev; + } + break; + case KEY_DOWN: + if (row == menu->itemcount) + row = 1; + else + row++; + + itemptr = itemptr->next; + if (itemptr->itemtype == SEPARATOR) { + row++; + itemptr = itemptr->next; + } + break; + case 12: + tx_refresh_screen(); + break; + case 13: + endloop = 1; + break; + /* case 27: endloop = 1;*aborted = 1;row=menu->itemcount;break; */ + case '^': + break; /* ignore caret key */ + default: + keyptr = strchr(menu->shortcuts, toupper(ch)); + if ((keyptr != NULL) + && keyptr - menu->shortcuts < menu->itemcount) { + row = keyptr - menu->shortcuts + 1; + endloop = 1; + } + } + } while (!endloop); + + *position = row; /* position of executed option is in *position */ + del_panel(menu->descpanel); + delwin(menu->descwin); + 
update_panels(); + doupdate(); +} + + +void tx_destroymenu(struct MENU *menu) +{ + struct ITEM *tnode; + struct ITEM *tnextnode; + + if (menu->itemlist != NULL) { + tnode = menu->itemlist; + tnextnode = menu->itemlist->next; + + tnode->prev->next = NULL; + + while (tnode != NULL) { + free(tnode); + tnode = tnextnode; + + if (tnextnode != NULL) + tnextnode = tnextnode->next; + } + } + del_panel(menu->menupanel); + delwin(menu->menuwin); + update_panels(); + doupdate(); +} diff --git a/src/tui/menurt.h b/src/tui/menurt.h new file mode 100644 index 0000000..03c8b5a --- /dev/null +++ b/src/tui/menurt.h @@ -0,0 +1,57 @@ +#ifndef IPTRAF_NG_TUI_MENURT_H +#define IPTRAF_NG_TUI_MENURT_H + +/*** + menu.h - declaration file for my menu library +***/ + +#define SELECTED 1 +#define NOTSELECTED 0 + +#define SEPARATOR 0 +#define REGULARITEM 1 + +#define OPTIONSTRLEN_MAX 50 +#define DESCSTRLEN_MAX 81 +#define SHORTCUTSTRLEN_MAX 25 + +struct ITEM { + char option[OPTIONSTRLEN_MAX]; + char desc[DESCSTRLEN_MAX]; + unsigned int itemtype; + struct ITEM *prev; + struct ITEM *next; +}; + +struct MENU { + struct ITEM *itemlist; + struct ITEM *selecteditem; + struct ITEM *lastitem; + int itemcount; + int postn; + int x1, y1; + int x2, y2; + unsigned int menu_maxx; + WINDOW *menuwin; + PANEL *menupanel; + WINDOW *descwin; + PANEL *descpanel; + int borderattr; + int normalattr; + int highattr; + int barnormalattr; + int barhighattr; + int descriptionattr; + char shortcuts[SHORTCUTSTRLEN_MAX]; +}; + +void tx_initmenu(struct MENU *menu, int y1, int x1, int y2, int x2, + int borderattr, int normalattr, int highattr, + int barnormalattr, int barhighattr, int descattr); +void tx_additem(struct MENU *menu, char *item, char *desc); +void tx_showitem(struct MENU *menu, struct ITEM *itemptr, int selected); +void tx_showmenu(struct MENU *menu); +void tx_operatemenu(struct MENU *menu, int *row, int *aborted); +void tx_destroymenu(struct MENU *menu); + +#endif /* IPTRAF_NG_TUI_MENURT_H */ 
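Review bot: tx_additem can overflow `menu->shortcuts`: the guard `if (menu->itemcount >= 25) return;` admits 25 items, each `strcat(menu->shortcuts, thekey)` (or the `"^"` separator marker) appends one character, and `shortcuts` is declared as `char shortcuts[SHORTCUTSTRLEN_MAX]` with SHORTCUTSTRLEN_MAX 25 in the menurt.h hunk below, so the terminator after the 25th shortcut lands one byte past the array; tying the guard to the buffer, `if (menu->itemcount >= SHORTCUTSTRLEN_MAX - 1) return;`, closes it. The same function copies `item` and `desc` with unbounded `strcpy` into the 50- and 81-byte `option`/`desc` fields and does `strcpy(thekey, strtok(NULL, "^"))` into a 2-byte buffer, which also crashes on a NULL return when `item` contains no `^`; bounded copies such as `snprintf(tnode->option, sizeof tnode->option, "%s", item)` plus a NULL check on the strtok result would make the menu robust to its inputs rather than relying on every caller's string literals. tx_showitem's padding loop runs up to `menu->x1 - 1` while `padding` is only OPTIONSTRLEN_MAX bytes, and x1 is handed to newwin as the column count in tx_initmenu, so a menu wider than 50 columns overruns `padding` via `strcat`; `wprintw(menu->menuwin, "%*s", width, "")` would avoid the buffer entirely.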
diff --git a/src/tui/msgboxes.c b/src/tui/msgboxes.c
new file mode 100644
index 0000000..ee7ebdf
--- /dev/null
+++ b/src/tui/msgboxes.c
@@ -0,0 +1,106 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/* + * msgboxes.c - message and error box display functions + */ + +#include "iptraf-ng-compat.h" + +#include "winops.h" + +int ERR_BORDER_ATTR; +int ERR_TEXT_ATTR; +int ERR_PROMPT_ATTR; + +int INFO_BORDER_ATTR; +int INFO_TEXT_ATTR; +int INFO_PROMPT_ATTR; + +void tx_init_error_attrs(int border, int text, int prompt) +{ + ERR_BORDER_ATTR = border; + ERR_TEXT_ATTR = text; + ERR_PROMPT_ATTR = prompt; +} + +void tx_init_info_attrs(int border, int text, int prompt) +{ + INFO_BORDER_ATTR = border; + INFO_TEXT_ATTR = text; + INFO_PROMPT_ATTR = prompt; +} + +void tui_error_va(const char *prompt, const char *err, va_list vararg) +{ + WINDOW *win = newwin(4, 70, (LINES - 4) / 2, (COLS - 70) / 2); + PANEL *panel = new_panel(win); + + wattrset(win, ERR_BORDER_ATTR); + tx_colorwin(win); + tx_box(win, ACS_VLINE, ACS_HLINE); + wmove(win, 2, 2); + wattrset(win, ERR_PROMPT_ATTR); + wprintw(win, "%s", prompt); + + wattrset(win, ERR_TEXT_ATTR); + wmove(win, 1, 2); + + vw_printw(win, err, vararg); + + update_panels(); + doupdate(); + + int response; + + do { + response = wgetch(win); + if (response == 12) + tx_refresh_screen(); + } while (response == 12); + + del_panel(panel); + delwin(win); + update_panels(); + doupdate(); +} + +void tui_error(const char *prompt, const char *err, ...) 
+{ + va_list params; + + va_start(params, err); + tui_error_va(prompt, err, params); + va_end(params); +} + +void tx_infobox(char *text, char *prompt) +{ + WINDOW *win; + PANEL *panel; + int ch; + + win = newwin(4, 50, (LINES - 4) / 2, (COLS - 50) / 2); + panel = new_panel(win); + wattrset(win, INFO_BORDER_ATTR); + tx_colorwin(win); + tx_box(win, ACS_VLINE, ACS_HLINE); + wattrset(win, INFO_TEXT_ATTR); + mvwprintw(win, 1, 2, text); + wattrset(win, INFO_PROMPT_ATTR); + mvwprintw(win, 2, 2, prompt); + update_panels(); + doupdate(); + + do { + ch = wgetch(win); + if (ch == 12) + tx_refresh_screen(); + } while (ch == 12); + + del_panel(panel); + delwin(win); + + update_panels(); + doupdate(); +} diff --git a/src/tui/msgboxes.h b/src/tui/msgboxes.h new file mode 100644 index 0000000..69336fe --- /dev/null +++ b/src/tui/msgboxes.h @@ -0,0 +1,12 @@ +#ifndef IPTRAF_NG_TUI_MSGBOXES_H +#define IPTRAF_NG_TUI_MSGBOXES_H + +#define ANYKEY_MSG "Press a key to continue" + +void tx_init_error_attrs(int border, int text, int prompt); +void tx_init_info_attrs(int border, int text, int prompt); +void tx_infobox(char *text, char *prompt); +void tui_error(const char *prompt, const char *err, ...) __printf(2,3); +void tui_error_va(const char *prompt, const char *err, va_list vararg); + +#endif /* IPTRAF_NG_TUI_MSGBOXES_H */ diff --git a/src/tui/winops.c b/src/tui/winops.c new file mode 100644 index 0000000..73a3899 --- /dev/null +++ b/src/tui/winops.c 
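Review bot: `tx_infobox` in msgboxes.c passes its arguments straight through as the format string — `mvwprintw(win, 1, 2, text);` and `mvwprintw(win, 2, 2, prompt);` — so any `%` in the message (a file name, an interface name, or anything user-controlled that reaches this box) is interpreted as a conversion and reads garbage off the stack (CERT FIO30-C); whether a caller ever passes such data is not visible here, but the fix costs nothing: `mvwprintw(win, 1, 2, "%s", text);` and `mvwprintw(win, 2, 2, "%s", prompt);`. `tui_error_va` is fine as written, since `err` is deliberately a format there and the prototype in msgboxes.h carries `__printf(2,3)`. While touching the prototype, `tx_infobox(const char *text, const char *prompt)` would document that the box only reads the strings.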
@@ -0,0 +1,93 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +/*** + +winops.c - screen configuration and setup functions + +***/ + +#include "iptraf-ng-compat.h" + +void tx_stdwinset(WINDOW * win) +{ + meta(win, TRUE); + keypad(win, TRUE); + notimeout(win, 0); + scrollok(win, 1); +} + +void tx_refresh_screen(void) +{ + endwin(); + doupdate(); + curs_set(0); +} + +void tx_colorwin(WINDOW * win) +{ + int ctr; + char *blankpad; + blankpad = (char *) xmalloc(sizeof(char) * (getmaxx(win) + 1)); + + strcpy(blankpad, ""); + + for (ctr = 0; ctr < getmaxx(win); ctr++) { + strcat(blankpad, " "); + } + + scrollok(win, 0); + for (ctr = 0; ctr < getmaxy(win); ctr++) { + wmove(win, ctr, 0); + wprintw(win, "%s", blankpad); + } + scrollok(win, 1); + free(blankpad); +} + +void tx_wcoloreol(WINDOW * win) +{ + int x, curx; + int y __unused; + int cury __unused; + char sp_buf[10]; + + getyx(win, cury, curx); + getmaxyx(win, y, x); + sprintf(sp_buf, "%%%dc", x - curx - 1); + scrollok(win, 0); + wprintw(win, sp_buf, ' '); +} + +/* + * This function is written to address a strange symptom in ncurses 5.2, at + * least on RedHat 7.3. The border drawn by the box() macro (actually an alias + * for a call to wborder()) no longer uses the color attributes set by + * wattrset(). However, the addch() and wvline() functions still do. + * + * The tx_box function is a drop-in replacement for box(). 
+ */ +void tx_box(WINDOW *win, int vline, int hline) +{ + int winwidth; + int winheight; + int i; + + scrollok(win, 0); + getmaxyx(win, winheight, winwidth); + winheight--; + winwidth--; + + mvwaddch(win, 0, 0, ACS_ULCORNER); + mvwhline(win, 0, 1, hline, winwidth - 1); + mvwaddch(win, 0, winwidth, ACS_URCORNER); + + for (i = 1; i < winheight; i++) { + mvwaddch(win, i, 0, vline); + mvwaddch(win, i, winwidth, vline); + } + + mvwaddch(win, winheight, 0, ACS_LLCORNER); + mvwhline(win, winheight, 1, hline, winwidth - 1); + mvwaddch(win, winheight, winwidth, ACS_LRCORNER); +} diff --git a/src/tui/winops.h b/src/tui/winops.h new file mode 100644 index 0000000..9036d6b --- /dev/null +++ b/src/tui/winops.h @@ -0,0 +1,19 @@ +#ifndef IPTRAF_NG_TUI_WINOPS_H +#define IPTRAF_NG_TUI_WINOPS_H + +/*** + +stdwinset.h - prototype declaration for setting the standard window settings +for IPTraf + +***/ + +#define tx_coloreol() tx_wcoloreol(stdscr) + +void tx_stdwinset(WINDOW * win); +void tx_refresh_screen(void); +void tx_colorwin(WINDOW * win); +void tx_wcoloreol(WINDOW * win); +void tx_box(WINDOW * win, int vline, int hline); + +#endif /* IPTRAF_NG_TUI_WINOPS_H */ diff --git a/src/usage.c b/src/usage.c new file mode 100644 index 0000000..9c32cbc --- /dev/null +++ b/src/usage.c 
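Review bot: `tx_wcoloreol` in winops.c builds a format string at run time with `sprintf(sp_buf, "%%%dc", x - curx - 1)` into a 10-byte buffer and then hands it to `wprintw`; the width is a small terminal column count so it fits today, but a generated format is the wrong tool when printf already has a field-width argument. Replace the `sp_buf` declaration, the `sprintf` and the `wprintw` with a single `wprintw(win, "%*c", x - curx - 1, ' ');`, which is the same output for every positive width and drops the fixed buffer entirely. In the same file, `tx_colorwin` fills `blankpad` with a `strcat(blankpad, " ")` loop that is quadratic in the window width; `memset(blankpad, ' ', getmaxx(win)); blankpad[getmaxx(win)] = '\0';` does the same in one pass.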
@@ -0,0 +1,69 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +#include "iptraf-ng-compat.h" + +static void vreportf(const char *prefix, const char *err, va_list params) +{ + char msg[4096]; + + vsnprintf(msg, sizeof(msg), err, params); + fprintf(stderr, "%s%s\n", prefix, msg); +} + +static __noreturn void die_builtin(const char *err, va_list params) +{ + vreportf("fatal: ", err, params); + exit(129); +} + +static void error_builtin(const char *err, va_list params) +{ + vreportf("error: ", err, params); +} + +void die(const char *err, ...) +{ + va_list params; + + va_start(params, err); + die_builtin(err, params); + va_end(params); +} + +void error(const char *err, ...) +{ + va_list params; + + va_start(params, err); + error_builtin(err, params); + va_end(params); +} + +void die_errno(const char *fmt, ...) +{ + va_list params; + char fmt_with_err[1024]; + char str_error[256], *err; + size_t i, j; + + err = strerror(errno); + for (i = j = 0; err[i] && j < sizeof(str_error) - 1; ) { + if ((str_error[j++] = err[i++]) != '%') + continue; + if (j < sizeof(str_error) - 1) { + str_error[j++] = '%'; + } else { + /* No room to double the '%', so we overwrite it with + * '\0' below */ + j--; + break; + } + } + str_error[j] = 0; + snprintf(fmt_with_err, sizeof(fmt_with_err), "%s: %s", fmt, str_error); + + va_start(params, fmt); + die_builtin(fmt_with_err, params); + va_end(params); +} diff --git a/src/wrapper.c b/src/wrapper.c new file mode 100644 index 0000000..2eb3b59 --- /dev/null +++ b/src/wrapper.c 
@@ -0,0 +1,80 @@ +/* For terms of usage/redistribution/modification see the LICENSE file */ +/* For authors and contributors see the AUTHORS file */ + +#include "iptraf-ng-compat.h" + +// Die if we can't allocate size bytes of memory. +void *xmalloc(size_t size) +{ + void *ptr = malloc(size); + + if (ptr == NULL && size != 0) + die("Out of memory, xmalloc failed"); + return ptr; +} + +void *xmallocz(size_t size) +{ + void *ptr = xmalloc(size); + + memset(ptr, 0, size); + return ptr; +} + +void *xcalloc(size_t nmemb, size_t size) +{ + void *ptr = calloc(nmemb, size); + + if (!ptr && (!nmemb || !size)) + die("Out of memory, xcalloc failed"); + return ptr; +} + +void *xrealloc(void *ptr, size_t size) +{ + void *ret = realloc(ptr, size); + + if (!ret && !size) + die("Out of memory, xrealloc failed"); + return ret; +} + +// Die if we can't copy a string to freshly allocated memory. +char *xstrdup(const char *s) +{ + if (!s) + return NULL; + + char *t = strdup(s); + + if (!t) + die("Out of memory, %s failed", __func__); + + return t; +} + +int strtoul_ui(char const *s, int base, unsigned int *result) +{ + unsigned long ul; + char *p; + + errno = 0; + ul = strtoul(s, &p, base); + if (errno || *p || p == s || (unsigned int) ul != ul) + return -1; + *result = ul; + return 0; +} + +int strtol_i(char const *s, int base, int *result) +{ + long ul; + char *p; + + errno = 0; + ul = strtol(s, &p, base); + if (errno || *p || p == s || (int) ul != ul) + return -1; + *result = ul; + return 0; +}
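Review bot: The out-of-memory checks in `xcalloc` and `xrealloc` in wrapper.c are inverted: `if (!ptr && (!nmemb || !size))` dies only in the zero-size case where a NULL return is legitimate, and a real allocation failure (both arguments non-zero, `calloc` returns NULL) is passed back to callers that, by the wrapper's own comment, expect never to see NULL; `xrealloc`'s `if (!ret && !size)` has the same problem. The conditions should mirror `xmalloc`, which is correct: `if (!ptr && nmemb && size)` in `xcalloc` and `if (!ret && size)` in `xrealloc`. The wrappers also deserve a one-line header comment stating the contract, e.g. `/* xcalloc: like calloc() but exits via die() on allocation failure; may return NULL only when nmemb or size is 0 */`, and the same for `xrealloc`, so the zero-size behaviour is intentional rather than accidental.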