[X-Unix] Displaying data traffic

William H. Magill magill at mcgillsociety.org
Mon Oct 25 07:24:18 PDT 2004


On 25 Oct, 2004, at 08:49, Brent Baisley wrote:
> Netstat has a bunch of options for looking at network stuff. Just type 
> "man netstat" and start reading. For basic interval monitoring, type 
> "netstat -w 1", which will give you network stats at 1 second 
> intervals.
>
> On Oct 22, 2004, at 10:31 PM, Mark Philip wrote:
>
>> Hi all,
>> How do I display a list of data traffic (either moving via Ethernet 
>> port or Airport adapter) in the terminal? Is it possible to display 
>> rates (ie. speed)?
>>
>> Please excuse me if the question is rather trivial, but I'm trying to 
>> pick up the command line.

The main thing to know about Unix statistics is that they present you 
with raw data.

That is to say, they are either dumping instantaneous information 
(snapshots), or cumulative from some point in time, typically from the 
last boot, but maybe from when the monitoring tool was launched.

You are expected to either know what it means usefully (especially for 
I/O); or proceed to dump that data into some other program for 
analysis.

Apple's AMU -- Airport Management Utility (download from the Airport 
support site at Apple)
will display things like signal strength and noise as well as total 
packets transmitted and received as well as errors.

"Speed" is a relative term in Networking.

Or put another way -- if you have a 10 megabit Ethernet interface, the 
"wire speed" is ALWAYS 10 megabits per second. That's the clock rate on 
the interface and it must operate at that speed if it operates at all. 
Any data transferred will always transfer at a rate of 10 megabits per 
second. However, the amount of data transferred will vary depending upon 
things like the amount of collisions and retransmissions, capability of 
the CPU and I/O system to feed data to the NIC "at speed," etc.

Measuring "speed," in terms of the throughput of data, requires 
integrating the actual packet counts over time.

In the end, this "throughput speed" is itself a relative thing -- 
everything, end-to-end, in the link affects the value, not just your 
box. This is why most Unix tools give you the data and expect you to 
know exactly what it is you are trying to determine.  They don't 
present you with a "simple answer" because the answer is not simple.

The classic misunderstood tool is "ping." Ping was developed as a tool 
to determine if it was even possible to get from point A to point B on 
the net. However, many, gamers especially, talk about ping times as if 
they were absolute measures of network speed. In reality, they only 
show that a particular type of packet can make it from point A to point 
B and back in a particular time. However, ICMP packets are particular 
special purpose critters known to the TCP/IP stack and treated with 
special handling; frequently only in hardware and never by the stack 
itself. Frequently, many parts of the network (i.e. routers) simply 
ignore, drop or block them, especially if the network is busy, 
producing unpredictable or non-reproducible results.

As for looking at "data traffic" visible to a network interface, the 
question becomes -- are you looking to look at ALL data traffic seen by 
the interface, or only data traffic ADDRESSED to that interface?

Normally, a network interface will only pass "up the stack" that data 
which is addressed to the particular machine (MAC address). This means 
that you are only looking at the packets addressed to you, not all the 
packets on that network segment. However, a tool which switches the 
interface into "promiscuous mode" will display ALL traffic on that 
segment. [Yes that is exactly what security folks worry about all the 
time.] Generally speaking, one uses SNMP and a switch or router to look 
at all the traffic on a given segment, but that is another extensive 
topic.

So in the end, the answer is -- your question is not trivial, but is in 
fact quite complex.
It is also not really related to learning the command line.  There are 
a couple of basic Unix texts floating around from O'Reilly that will 
get you started -- look at the ones for FreeBSD as they are closest to 
OS X of all the various Unix variants out there.

And remember, as Linus Torvalds constantly says -- "Linux is NOT Unix!"

T.T.F.N.
William H. Magill
# Beige G3 - Rev A motherboard - 768 Meg
# Flat-panel iMac (2.1) 800MHz - Super Drive - 768 Meg
# PWS433a [Alpha 21164 Rev 7.2 (EV56)- 64 Meg]- Tru64 5.1a
# XP1000  [Alpha EV6]
magill at mcgillsociety.org
magill at acm.org
magill at mac.com
whmagill at gmail.com
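
The point above about turning cumulative counters into throughput by integrating them over time, as an added example that is not part of the original post: it takes two snapshots of per-interface byte counters and computes bits per second. Assumptions: the snapshots are constructed sample text laid out like BSD/macOS `netstat -ib` output, the counters are 32 bits wide (so one wrap between snapshots is handled), and the function names are hypothetical.

```python
# Constructed sample snapshots taken 10 s apart, laid out like `netstat -ib` output.
SNAP_T0 = """\
Name  Mtu   Network    Address            Ipkts Ierrs     Ibytes Opkts Oerrs  Obytes Coll
lo0   16384 <Link#1>                       1200     0      96000  1200     0   96000    0
en0   1500  <Link#4>   00:0a:95:aa:bb:cc  50000     0 4294900000 30000     0 2400000    0
en0   1500  192.168.1  192.168.1.10       50000     - 4294900000 30000     - 2400000    -
"""
SNAP_T1 = """\
Name  Mtu   Network    Address            Ipkts Ierrs     Ibytes Opkts Oerrs  Obytes Coll
lo0   16384 <Link#1>                       1200     0      96000  1200     0   96000    0
en0   1500  <Link#4>   00:0a:95:aa:bb:cc  50400     0     182704 30200     0 2525000    0
en0   1500  192.168.1  192.168.1.10       50400     -     182704 30200     - 2525000    -
"""


def parse_link_counters(text):
    """Return {ifname: (ibytes, obytes)} taken from the <Link#n> row of each interface."""
    counters = {}
    for line in text.splitlines()[1:]:            # skip the header row
        f = line.split()
        if len(f) < 10 or not f[2].startswith("<Link#"):
            continue                              # keep only the link-layer row
        # The Address column can be empty, so index the counters from the right.
        counters[f[0]] = (int(f[-5]), int(f[-2]))
    return counters


def rates(snap_a, snap_b, seconds, counter_bits=32):
    """Bits per second (in, out) per interface between two cumulative snapshots."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    a, b = parse_link_counters(snap_a), parse_link_counters(snap_b)
    modulus = 1 << counter_bits                   # assumed counter width
    result = {}
    for name in a.keys() & b.keys():
        d_in = (b[name][0] - a[name][0]) % modulus    # survives one counter wrap
        d_out = (b[name][1] - a[name][1]) % modulus
        result[name] = (d_in * 8 / seconds, d_out * 8 / seconds)
    return result


if __name__ == "__main__":
    LINK_BPS = 10_000_000                         # the 10 megabit wire speed from the post
    for name, (rx, tx) in sorted(rates(SNAP_T0, SNAP_T1, 10).items()):
        print(f"{name}: in {rx:.0f} bit/s ({rx / LINK_BPS:.1%} of wire speed), "
              f"out {tx:.0f} bit/s ({tx / LINK_BPS:.1%})")
```

The inbound counter for en0 wraps past 2^32 between the two snapshots, which is why a plain subtraction would give a negative rate.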