netstat
Name
netstat -- Reports on network statistics as gathered by the system.
Description
The netstat module is designed to gather and report on various
network statistics (such as bytes in/out, packet types received,
etc.). This information can be very useful in determining peak network
usage, or to spot Denial of Service attacks as soon as they start.
Netstat collects both global information for the system related
to TCP, IP, ICMP and UDP protocols as well as interface specific
information such as packets in and out over the device.
Netstat can report on many different statistics. Some are reported
by the system as averages, some as total values over the uptime
of the computer. For uniformity's sake, for each statistic
netstat will return the average value per second since the last
update. For example, say the poll time for netstat is 60 seconds.
For each stat it is configured to collect, netstat will record
the total number of times that stat occurs in the system over
the 60 second interval, divide by 60, and return that value.
This way, as netstat updates over time you can be sure that you
are seeing current information, as opposed to averages over the
running time of the machine.
In order for netstat to collect information, it must be able to
retrieve the network statistics data from the system. On Linux
systems, netstat requires the following files be available to
this module:
On Solaris systems, this information is gathered using the kstat
interface, as well as the ARP stream device /dev/arp (which should exist
by default on most systems).
On Windows 2000/XP/2003, netstat uses the Performance Data Helper
to gather statistics. Unfortunately, netstat is not available on
older Windows platforms, as such information is not available there.
Configuration
There are many possible pieces of network related information
which can be gathered. Netstat
needs to be told which statistics should be gathered, and
for some, on which network interface.
All of the interfaces on a machine may not be readily apparent.
Netstat can display a list of all interfaces by
running it independently of RSPD. Simply execute the
module with the "-l" or "--list" option, and a list of
all possible interfaces will be printed to standard output.
Although possible in Windows, executing with "-l" should not
be necessary, as all devices will appear in a list within the
Configuration tab of NetStat, inside the configuration window of RSPD
(see Chapter 2 for more information).
Windows users may select each statistic they want from checkboxes.
Editing the config file is not necessary, but may be done anyway.
Netstat is configured in rspd.conf by listing each requested
statistic. Interface specific statistics must be given with the
corresponding device in parentheses. The following example should
help make this clear.
# Example configuration for netstat
config
{
    # The following are global stats
    ipInReceives = 1
    ipOutRequests = 1
    tcpActiveOpens = 1
    tcpPassiveOpens = 1
    # Interface specific stats
    inPackets(eth0) = 1
    outPackets(eth0) = 1
}
Each stat is treated as a boolean variable. Setting it to
"1" or "yes" or "true" tells netstat to check the given
stat for the given device. If a statistic is not listed, or
if it is set to "0" or "no" or "false", then it is not checked.
Therefore it should only be necessary to set the statistics
that you want checked.
Most stats are available for all platforms, but some are
platform specific. Here is a list of all possible global stats,
followed by interface-specific stats. Unless indicated otherwise
each stat is available on all platforms. If it is not
then the platforms on which it is available will be given in
parentheses.
The following variables are recognized on a global level (in
other words, there are no per-interface statistics available):
The following variables must be given with an associated
interface in parentheses when they are defined.
Thresholds
The netstat module also supports threshold warnings. To specify a
threshold, simply specify one of the statistics listed above
(with an interface if the variable requires it). This can then
be compared against a value using any of the basic logical
operators (==, !=, <, >, <=, >=). It should
be noted that for a stat to appear in a threshold, it must
have been set to be checked by netstat, or else it won't
be available to use in thresholds.
Here are some sample thresholds for netstat:
# Example thresholds for netstat
thresh1.threshold = NetStat.ipInReceives > 50
thresh2.threshold = NetStat.inBytes(eth0) < 5
thresh3.threshold = NetStat.tcpActiveOpens >= 100 AND NetStat.tcpPassiveOpens >= 100
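The following added example (not RSPD's own code) shows how the per-second averaging described earlier and the sample thresholds above fit together: it turns two cumulative counter snapshots into rates over a 60 second poll and evaluates the three threshold expressions against them. The function names, the 32-bit counter wrap and the counter values are assumptions made for illustration, and only the AND form shown on this page is parsed.

```python
import re

WRAP = 2**32  # assumption: cumulative counters are 32-bit and may wrap

def rates(prev, curr, interval):
    """Per-second average of each counter over one poll interval."""
    out = {}
    for name, now in curr.items():
        delta = now - prev[name]
        if delta < 0:            # counter wrapped between the two polls
            delta += WRAP
        out[name] = delta / interval
    return out

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, ">": lambda a, b: a > b}
# One comparison: NetStat.<stat>[(<interface>)] <op> <number>
TERM = re.compile(
    r"^NetStat\.(\w+(?:\(\w+\))?)\s*(==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)?)$")

def evaluate(threshold, stats):
    """True if every AND-joined comparison holds for the given rates."""
    results = []
    for term in threshold.split(" AND "):
        m = TERM.match(term.strip())
        if not m:
            raise ValueError(f"cannot parse: {term!r}")
        name, op, value = m.groups()
        if name not in stats:    # stat was not enabled in the config block
            raise KeyError(f"{name} is not being collected")
        results.append(OPS[op](stats[name], float(value)))
    return all(results)

# Constructed sample: cumulative counters from two polls 60 seconds apart
PREV = {"ipInReceives": 4294967000, "tcpActiveOpens": 100,
        "tcpPassiveOpens": 200, "inBytes(eth0)": 5000}
CURR = {"ipInReceives": 5704, "tcpActiveOpens": 6400,
        "tcpPassiveOpens": 6200, "inBytes(eth0)": 5120}
STATS = rates(PREV, CURR, 60)

if __name__ == "__main__":
    for t in ("NetStat.ipInReceives > 50", "NetStat.inBytes(eth0) < 5",
              "NetStat.tcpActiveOpens >= 100 AND NetStat.tcpPassiveOpens >= 100"):
        print(t, "->", evaluate(t, STATS))
```

A threshold that names a statistic missing from the collected set raises an error here, mirroring the rule that a stat must be enabled before it can be used in a threshold.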
History Data
The netstat module will save all of the network statistics, and,
using the RSP History Viewer or RSP Web tools, graphs can be created
showing trends in the network activity levels.