Geneos

X Traffic Plug-in

Introduction

The Geneos X Traffic plug-in monitors user-defined TCP/IP conversations and displays the data send and receive rates and connection state. When a connection is terminated, the plug-in can also detect which side of the connection initiated termination.

The Netprobe must run in a location where it can "listen" to TCP/IP traffic. This typically means it must run on a host which is participating in the TCP/IP conversation which you wish to monitor.

Views

View

The X Traffic plug-in produces a single view, which is described below. Depending upon the plug-in mode selected, the view may display summary rows, details rows or a combination of the two.

Summary rows display a summary of statistics for all conversations matching that plug-in configuration item, whereas detail rows show details for a particular TCP/IP conversation. This distinction is particularly relevant when configuring conversations that only partially specify an end-point.

Headline Legend

The headlines produced by this plug-in are only available in details mode.

Name Description
pktSendRate Total packet send rate in packets per second.
pktRecvRate Total packet receive rate in packets per second.
dataSendRate Total data send rate in kilobytes/s.
dataRecvRate Total data receive rate in kilobytes/s.

Table Legend

Name Description
name The session (or conversation) name, as configured by the user.
state The connection state, either "connected" or "disconnected" followed by the time at which this state occurred.
connectionCount The number of connections for this session. This field is only populated for summary rows.
pktSendRate Packets sent per second, averaged over the sample interval.
pktRecvRate Packets received per second, averaged over the sample interval.
dataSendRate Data sent in kilobytes/s, averaged over the sample interval.
dataRecvRate Data received in kilobytes/s, averaged over the sample interval.
tmSinceLastPacket Number of seconds elapsed since the last packet sent or received.
localAddress The IP address of the local side of the connection.
localPort The port number of the local side of the connection.
remoteAddress The IP address of the remote side of the connection.
remotePort The port number of the remote side of the connection.

Plug-in Configuration

The X Traffic plug-in listens to all TCP/IP data received by a host, and matches the local/remote host and ports as configured by the user.

Plug-in configuration is placed in the x-traffic configuration section.

var-recvInterfaces

Specifies a comma-separated list of network interface names used to monitor incoming TCP/IP data.

On UNIX machines, interface names can be found using the command "ifconfig -a". Example names are "eth0" or "ce0".

On Windows machines, interface names can be listed by running Netprobe using the "-ifconfig" command-line option. A Windows interface name will look similar to the following:

\Device\NPF_{BDFE3EAC-0275-440A-923C-C9C4CE3B37F2}

Mandatory: Yes

sendInterface

The name of the network interface to be used to send packets (e.g. hme0). Usually the same as the recvInterface parameter, but can be set to a different value in certain network configurations.

Mandatory: Yes

sessions

Specifies the list of (at least one) TCP/IP sessions that this plug-in will monitor. Sessions specify the source and destination host and ports of the TCP/IP connection, and each host or port may be configured as a wildcard. Connections matching this session will then be monitored.

Note

It is an invalid configuration to specify all parts of a connection configuration as a wildcard - you must specify at least one host or port.

Mandatory: Yes

sessions > session > var-name

The name of the session (or conversation) - this is the name which will be displayed in the view (as the row name). Session names should be unique within each plug-in instance.

Mandatory: Yes

sessions > session > src

Specifies the source host/IP address and port for the session. The host/IP or port may be set to a wildcard (*) to indicate a match against any host or port.

Mandatory: Yes

sessions > session > dst

Specifies the remote host/IP address and port for the session. The host/IP or port may be set to a wildcard (*) to indicate a match against any host or port.

Mandatory: Yes

displayMode

Specifies the display mode for this plug-in. Possible values are SUMMARY, DETAILS or SUMMARY+DETAILS.

Summary mode only shows the top-level summaries for the configured sessions. Details mode shows only the details (i.e. the individual connections that match the configured sessions) while summary and details mode shows both. See the view section for an example.

Mandatory: No
Default: SUMMARY+DETAILS

var-cleanUpTime

The length of time for which a disconnected TCP/IP connection will be displayed before it is removed from the view. This setting takes a positive integer (at least 1) which specifies the number of seconds before a connection is cleared.

Mandatory: No
Default: 60 (seconds)

Note: X-Traffic periodically checks any idle connection that has had no packet exchange for more than 60 seconds against the OS TCP table to verify whether it is still connected.

checkTargetHostHasChangedIp

Forces X-Route to detect if the underlying IP address of a host name has changed. This will restart the packet capture engine so X-Route will continue to check the correct host. In between restarts there is a potential for losing packets.

Note: Restarting the packet capture engine will affect all X-Set plug-ins, as they too might miss packets.

Mandatory: No
Default: False.

Permissions

The plug-in requires the netprobe to be run with root permissions (on Unix operating systems) or as a local Administrator on Windows, as it needs to open network devices.

On Linux kernel versions 2.6.24 and up, an alternative to running the netprobe as root is available: set the CAP_NET_RAW and CAP_NET_ADMIN Linux capabilities on the Netprobe binary with the command "setcap cap_net_raw,cap_net_admin+eip <netprobe binary>", replacing <netprobe binary> with the appropriate Netprobe binary file such as 'netprobe.linux_64'.

When running the Netprobe with set capabilities, the lib64 folder in the netprobe directory should be put in the ld.so trusted paths. Otherwise, the runtime libraries will not be loaded properly. For guidance, see Run Netprobe under elevated privileges in Linux in .
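A way to verify the capability-based setup described above, as an added example (not ITRS code): it checks that the binary carries only the two capabilities named here, that lib64 is listed as an ld.so trusted path, and, as an extra hardening check, that nothing in that path is writable by group or other, since a privileged binary loads whatever libraries are found there. It assumes trusted paths are configured through /etc/ld.so.conf and /etc/ld.so.conf.d/*.conf; the function names and script name are hypothetical.

```shell
#!/bin/sh
# Added example (not ITRS code): audit a capability-enabled Netprobe install.
# The install path passed to audit_netprobe is whatever your site uses.

# caps_minimal LINE: succeed only if a getcap output line grants exactly
# cap_net_raw and cap_net_admin with eip (old "path = caps+eip" and new
# "path caps=eip" getcap formats are both accepted).
caps_minimal() {
    case "${1##* }" in
        cap_net_admin,cap_net_raw[+=]eip|cap_net_raw,cap_net_admin[+=]eip) return 0 ;;
        *) return 1 ;;
    esac
}

# dir_trusted DIR CONF...: succeed if DIR is listed in one of the ld.so
# configuration files (comments, padding and a trailing slash are ignored).
dir_trusted() {
    dir=${1%/}; shift
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*//' -e 's:/$::' \
        "$@" 2>/dev/null | grep -qxF -- "$dir"
}

# owner_only_writable PATH: fail if PATH is missing or group/other can write it.
owner_only_writable() {
    [ -e "$1" ] || return 1
    case "$(ls -ldL -- "$1")" in
        ?????w*|????????w*) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_netprobe BIN: run all checks on a real install; returns 1 on any failure.
audit_netprobe() {
    bin=$1; lib=$(dirname "$bin")/lib64; rc=0
    caps_minimal "$(getcap "$bin" 2>/dev/null)" ||
        { echo "FAIL: $bin lacks exactly cap_net_raw,cap_net_admin+eip"; rc=1; }
    dir_trusted "$lib" /etc/ld.so.conf /etc/ld.so.conf.d/*.conf ||
        { echo "FAIL: $lib is not an ld.so trusted path"; rc=1; }
    for p in "$bin" "$lib" "$lib"/*; do
        owner_only_writable "$p" ||
            { echo "FAIL: $p is missing or writable by group/other"; rc=1; }
    done
    return $rc
}

# Usage: sh audit.sh /path/to/netprobe.linux_64
if [ $# -gt 0 ]; then audit_netprobe "$1"; fi
```

Run it after every Netprobe upgrade: file capabilities are stored on the binary itself, so a replaced binary no longer has them.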

On Solaris an alternative is to run the netprobeGXL program available from ITRS Support. This program is an auditable utility which runs as setuid root. The purpose of this program is to open the network device which is then passed to Netprobe, so that Netprobe does not need to run with root privileges.

To use netprobeGXL, it should be placed in the same directory as Netprobe. To make netprobeGXL setuid root, run the following commands as root:

chown root netprobeGXL
chmod u+xs netprobeGXL
chmod o+x netprobeGXL

Third Party Libraries

Windows: The Winpcap packet capture library (http://www.winpcap.org/install/default.htm) needs to be installed on the host. Version 4.0.2 is required for Windows Vista/Server 2003 support.

Unix: The shared library libpcap.so (version 1.0.0 or later is recommended) needs to be in the netprobe lib64 directory.

Note: As the netprobe needs to be run as root, the LD_LIBRARY_PATH is ignored for security reasons.