The netstat module is designed to gather and report on various network statistics (such as bytes in and out, packet types received, and so on). This information can be very useful in determining peak network usage, or in spotting Denial of Service attacks as soon as they start. Netstat collects both global information for the system related to the TCP, IP, ICMP and UDP protocols, and interface-specific information such as packets in and out over a device.
Netstat can report on many different statistics. Some are reported by the system as averages, some as totals accumulated over the uptime of the computer. For uniformity's sake, for each statistic netstat returns the average value per second since the last update. For example, say the poll time for netstat is 60 seconds. For each stat it is configured to collect, netstat records how many times that stat occurred in the system over the 60 second interval, divides by 60, and returns that value. This way, as netstat updates over time, you can be sure that you are seeing current information rather than averages over the running time of the machine.
In order for netstat to collect information, it must be able to retrieve the network statistics data from the system. On Linux systems, netstat requires the following files be available to this module:
/proc/net/dev (for network device information)
/proc/net/snmp (for packet statistics)
Under Solaris, this information is gathered using the kstat interface, as well as the ARP stream device /dev/arp (which should exist by default on most systems).
On Windows 2000/XP/2003, netstat uses the Performance Data Helper to gather statistics. Unfortunately netstat is not available on older Windows platforms, as this information is not exposed there.
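The following is an added example, not code from the RSPD netstat module itself, showing the Linux data path described above: it parses snapshots of /proc/net/snmp and /proc/net/dev, joins them under the stat names used in this chapter (ipInReceives, inBytes(eth0), and so on), and converts the raw counters into the per-second averages over a poll interval that netstat reports. The two snapshots are constructed sample text, trimmed to a few columns; a live reader is included for a real Linux host. Counters that go backwards between polls (a reset or wrap) are skipped rather than reported as a negative rate.

```python
"""Added example (not part of RSPD): per-second rates from /proc/net/snmp
and /proc/net/dev, as the netstat module computes them on Linux."""

# Constructed sample snapshots, 60 seconds apart. Real /proc/net/snmp has
# more columns; the format (a header line followed by a value line with the
# same "Proto:" prefix) is the same.
SAMPLE_SNMP_T0 = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors InDelivers OutRequests
Ip: 1 64 1000 0 990 800
Tcp: ActiveOpens PassiveOpens CurrEstab InSegs OutSegs
Tcp: 50 20 3 900 700
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 400 2 0 380
"""
SAMPLE_SNMP_T1 = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors InDelivers OutRequests
Ip: 1 64 7000 0 6900 5600
Tcp: ActiveOpens PassiveOpens CurrEstab InSegs OutSegs
Tcp: 110 32 5 6300 4900
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 1000 2 0 980
"""
SAMPLE_DEV_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 5000 50 0 0 0 0 0 0 5000 50 0 0 0 0 0 0
  eth0: 123456 1000 0 0 0 0 0 0 654321 800 0 0 0 0 0 0
"""
SAMPLE_DEV_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 5600 56 0 0 0 0 0 0 5600 56 0 0 0 0 0 0
  eth0: 243456 1600 3 0 0 0 0 0 714321 1100 0 0 0 0 0 0
"""


def parse_proc_net_snmp(text):
    """Return {"ipInReceives": 1000, "tcpActiveOpens": 50, ...} from
    /proc/net/snmp text. Lines come in header/value pairs per protocol."""
    stats = {}
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for header, values in zip(lines[0::2], lines[1::2]):
        proto, names = header.split(":", 1)
        proto_check, nums = values.split(":", 1)
        if proto != proto_check:
            raise ValueError("mismatched header/value pair in /proc/net/snmp")
        for name, num in zip(names.split(), nums.split()):
            # "Ip" + "InReceives" -> "ipInReceives", matching the stat names
            stats[proto.lower() + name] = int(num)
    return stats


def parse_proc_net_dev(text):
    """Return per-interface counters keyed as inBytes(eth0), outPackets(eth0), ..."""
    stats = {}
    for line in text.splitlines()[2:]:  # first two lines are column headers
        if ":" not in line:
            continue
        iface, fields = line.split(":", 1)
        iface = iface.strip()
        f = [int(x) for x in fields.split()]
        # Receive columns 0-2 are bytes/packets/errs; transmit starts at column 8.
        stats[f"inBytes({iface})"] = f[0]
        stats[f"inPackets({iface})"] = f[1]
        stats[f"inErrors({iface})"] = f[2]
        stats[f"outBytes({iface})"] = f[8]
        stats[f"outPackets({iface})"] = f[9]
        stats[f"outErrors({iface})"] = f[10]
    return stats


def snapshot(snmp_text, dev_text):
    """One combined snapshot of global and interface counters."""
    stats = parse_proc_net_snmp(snmp_text)
    stats.update(parse_proc_net_dev(dev_text))
    return stats


def read_live_snapshot():
    """Read the two files the module needs on a Linux host."""
    with open("/proc/net/snmp") as fh:
        snmp = fh.read()
    with open("/proc/net/dev") as fh:
        dev = fh.read()
    return snapshot(snmp, dev)


def per_second_rates(previous, current, interval_seconds):
    """(current - previous) / interval for every counter present in both
    snapshots; a counter that went backwards (reset or wrap) is skipped."""
    if interval_seconds <= 0:
        raise ValueError("interval must be positive")
    rates = {}
    for key, now in current.items():
        before = previous.get(key)
        if before is None:
            continue
        delta = now - before
        if delta < 0:
            continue
        rates[key] = delta / interval_seconds
    return rates


def demo(interval_seconds=60):
    """Rates between the two constructed snapshots over a 60 second poll."""
    t0 = snapshot(SAMPLE_SNMP_T0, SAMPLE_DEV_T0)
    t1 = snapshot(SAMPLE_SNMP_T1, SAMPLE_DEV_T1)
    return per_second_rates(t0, t1, interval_seconds)


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(f"{key:24s} {value:10.2f} /s")
```

Gauges such as tcpCurrEstab pass through the same subtraction, which is exactly the uniform treatment the module applies; keep that in mind when reading their values.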
There are many possible pieces of network related information which can be gathered. Netstat needs to be told which statistics should be gathered, and for some, on which network interface.
All of the interfaces on a machine may not be readily apparent. Netstat can display a list of all interfaces when run independently of RSPD: simply execute the module with the "-l" or "--list" option, and a list of all possible interfaces will be printed to standard output. Although this also works on Windows, executing with "-l" should not be necessary there, as all devices appear in a list within the Configuration tab of NetStat, inside the configuration window of RSPD (see Chapter 2 for more information).
Windows users may select each statistic they want from checkboxes. Editing the config file is not necessary but may be done anyway.
Netstat is configured in rspd.conf by listing each requested statistic. Interface specific statistics must be given with the corresponding device in parentheses. The following example should help make this clear.
    # Example configuration for netstat
    config {
        # The following are global stats
        ipInReceives = 1
        ipOutRequests = 1
        tcpActiveOpens = 1
        tcpPassiveOpens = 1
        # Interface specific stats
        inPackets(eth0) = 1
        outPackets(eth0) = 1
    }
Each stat is treated as a boolean variable. Setting it to "1" or "yes" or "true" tells netstat to check the given stat for the given device. If a statistic is not listed, or if it is set to "0" or "no" or "false", then it is not checked. Therefore it should only be necessary to set the statistics that you want checked.
Most stats are available for all platforms, but some are platform specific. Here is a list of all possible global stats, followed by interface-specific stats. Unless indicated otherwise each stat is available on all platforms. If it is not then the platforms on which it is available will be given in parentheses.
The following variables are recognized on a global level only (in other words, they cannot be given per interface):
tcpActiveOpens
tcpPassiveOpens
tcpAttemptFails
tcpEstabResets
tcpCurrEstab
tcpInSegs
tcpOutSegs
tcpRetransSegs
tcpInErrs (non-Windows only)
tcpOutRsts (non-Windows only)
ipInReceives
ipInHdrErrors
ipInAddrErrors
ipForwDatagrams
ipInUnknownProtos
ipInDiscards
ipInDelivers
ipOutRequests
ipOutDiscards
ipOutNoRoutes
ipReasmReqds
ipReasmOKs
ipReasmFails
ipFragOKs
ipFragFails
ipFragCreates
icmpInMsgs
icmpInErrors
icmpInDestUnreachs
icmpInTimeExcds
icmpInParmProbs
icmpInSrcQuenches
icmpInRedirects
icmpInEchos
icmpInEchoReps
icmpInTimestamps
icmpInTimestampReps
icmpInAddrMasks
icmpInAddrMaskReps
icmpOutMsgs
icmpOutErrors
icmpOutDestUnreachs
icmpOutTimeExcds
icmpOutParmProbs
icmpOutSrcQuenches
icmpOutRedirects
icmpOutEchos
icmpOutEchoReps
icmpOutTimestamps
icmpOutTimestampReps
icmpOutAddrMasks
icmpOutAddrMaskReps
udpInDatagrams
udpNoPorts
udpInErrors
udpOutDatagrams
The following variables must be given with an associated interface in parentheses when they are defined.
inBytes (non-Solaris only)
inPackets
inErrors
outBytes (non-Solaris only)
outPackets
outErrors
The netstat module also supports threshold warnings. To specify a threshold, simply give one of the statistics listed above (with an interface if the variable requires it) and compare it against a value using any of the basic logical operators (==, !=, <, >, <=, >=). Note that for a stat to be usable in a threshold, it must have been set to be checked by netstat; otherwise it is not available to thresholds.
Here are some sample thresholds for netstat:
    # Example thresholds for netstat
    thresh1.threshold = NetStat.ipInReceives > 50
    thresh2.threshold = NetStat.inBytes(eth0) < 5
    thresh3.threshold = NetStat.tcpActiveOpens >= 100 AND NetStat.tcpPassiveOpens >= 100
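As an added example (not RSPD's own parser), the code below reads a netstat config stanza in the format shown earlier in this chapter, treating each stat as the boolean described there ("1", "yes", "true" enable it; "0", "no", "false" or absence disable it), then parses the threshold lines above into terms of the form NetStat.<stat>[(<interface>)] <operator> <number> joined by AND, and evaluates them against a dictionary of per-second rates. It also enforces the rule that a threshold may only reference a stat that has been set to be checked. The config text, threshold text and rate values are constructed samples; only the AND connective is supported, since that is the only one the examples show.

```python
"""Added example (not part of RSPD): parse the netstat config stanza and the
threshold lines, then evaluate thresholds against collected per-second rates."""
import operator
import re

TRUE_WORDS = {"1", "yes", "true"}
FALSE_WORDS = {"0", "no", "false"}

# Constructed sample config in the rspd.conf format shown in this chapter.
SAMPLE_CONFIG = """\
# Example configuration for netstat
config {
    # The following are global stats
    ipInReceives = 1
    ipOutRequests = yes
    tcpActiveOpens = true
    tcpPassiveOpens = 1
    # Interface specific stats
    inPackets(eth0) = 1
    outPackets(eth0) = 1
    inBytes(eth0) = 1
    outBytes(eth0) = no
}
"""

# The three thresholds from the text.
SAMPLE_THRESHOLDS = """\
# Example thresholds for netstat
thresh1.threshold = NetStat.ipInReceives > 50
thresh2.threshold = NetStat.inBytes(eth0) < 5
thresh3.threshold = NetStat.tcpActiveOpens >= 100 AND NetStat.tcpPassiveOpens >= 100
"""

# Constructed per-second rates, as the module would report them after a poll.
SAMPLE_RATES = {
    "ipInReceives": 100.0, "ipOutRequests": 80.0,
    "tcpActiveOpens": 120.0, "tcpPassiveOpens": 40.0,
    "inPackets(eth0)": 10.0, "outPackets(eth0)": 5.0, "inBytes(eth0)": 2000.0,
}

OPERATORS = {
    "==": operator.eq, "!=": operator.ne, "<=": operator.le,
    ">=": operator.ge, "<": operator.lt, ">": operator.gt,
}
THRESHOLD_LINE_RE = re.compile(r"^(\w+)\.threshold\s*=\s*(.+)$")
TERM_RE = re.compile(
    r"^NetStat\.(\w+(?:\([^)]+\))?)\s*(==|!=|<=|>=|<|>)\s*(-?\d+(?:\.\d+)?)$")


def parse_netstat_config(text):
    """Return the set of stat names enabled inside the config { ... } block."""
    enabled = set()
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("config") and line.endswith("{"):
            in_block = True
            continue
        if line == "}":
            in_block = False
            continue
        if not in_block or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        word = value.lower()
        if word in TRUE_WORDS:
            enabled.add(name)
        elif word not in FALSE_WORDS:
            raise ValueError(f"{name}: expected a boolean, got {value!r}")
    return enabled


def parse_thresholds(text):
    """Return {threshold_name: [(stat, operator, value), ...]}; terms are ANDed."""
    thresholds = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = THRESHOLD_LINE_RE.match(line)
        if not m:
            raise ValueError(f"not a threshold line: {line!r}")
        name, expr = m.groups()
        terms = []
        for term in re.split(r"\s+AND\s+", expr):
            tm = TERM_RE.match(term.strip())
            if not tm:
                raise ValueError(f"{name}: cannot parse term {term!r}")
            stat, op, num = tm.groups()
            terms.append((stat, op, float(num)))
        thresholds[name] = terms
    return thresholds


def evaluate_thresholds(thresholds, enabled, rates):
    """Return {threshold_name: bool}. A threshold that references a stat not
    set to be checked in the config is an error, as the text requires."""
    results = {}
    for name, terms in thresholds.items():
        for stat, _, _ in terms:
            if stat not in enabled:
                raise KeyError(f"{name} uses {stat}, which is not set to be checked")
        results[name] = all(OPERATORS[op](rates[stat], value)
                            for stat, op, value in terms)
    return results


def demo():
    enabled = parse_netstat_config(SAMPLE_CONFIG)
    thresholds = parse_thresholds(SAMPLE_THRESHOLDS)
    return evaluate_thresholds(thresholds, enabled, SAMPLE_RATES)


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name}: {'WARNING' if fired else 'ok'}")
```

With the sample rates, thresh1 fires (100 > 50), thresh2 does not (2000 is not below 5), and thresh3 does not because only one of its two ANDed terms holds.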