Main Page | Data Structures | Directories | File List | Data Fields | Globals

Ethermux documentation

1

Introduction

Ethermux is a system designed to capture large volumes of network traffic from a tap using only commodity, off-the-shelf hardware. Because typical hard disks have neither the capacity nor the speed to keep up with large volumes of Ethernet traffic, this program allows you to split the task amongst several client computers, using a central server to co-ordinate the clients.

This design allows for several nice features. For one, the server is robust -- it handles client failure with minimal fuss, and allows you to hot-swap clients (or clients' hard drives) with no packet loss or interruption of the logging. In addition, this implementation is very meticulous about keeping track of packet order and timestamps. Finally, while the server does not log packets itself, it does keep careful track of several statistics on the data, and can give a real-time display of network traffic.

Compiling the code

Ethermux has been tested (probably inadequately) on Linux and Mac OS X, and there is no real reason it wouldn't be portable to another platform.

Ethermux uses two libraries -- libpcap and libnet -- that are probably already on your computer. (If they aren't, you'll find out soon enough, in which case, you'll want to get them from http://www.tcpdump.org and http://www.packetfactory.net/libnet).

To build, simply type 'make'.

Hopefully, this should compile the client (logger) and server (ethermux).

If you want extra documentation generated from the code, type 'make doc'.

Setting up a network

In order to do distributed logging, you'll need one fairly fast computer to be a server and several other computers to be clients. You will also need a network switch to connect them (a hub will not work, and a router is a bad idea).

The server should have two network interfaces that operate quickly enough to keep up with the tap. In addition, the switch should have at least one port that can keep up with the traffic, although it's okay if its client ports are slower.

Connect one of the server's network interfaces to the tap, and connect the other to the fastest port on your switch. Also connect each client to the switch. Do not put any other device on this switch. In particular, you will break your network if you link this switch directly back into your network. It is important that only the server be connected to "the outside world".

Running the Server

Before running the server, take note which network interface is connected to the tap (traffic in) and which is connected to the switch (traffic out).

The following command-line arguments modify the behavior of the server. Although none is required, you should always explicitly specify -i and -o, since you don't want to make the program guess.

OptionPurpose
-! Dangerous: Enable real-time scheduling
-a "mac1 mac2 ..." Give a list of MAC addresses of clients
-A "mac1 mac2 ..." Give a list of MAC addresses of "hash" clients
-c number Limit the number of captured packets
-i device Specify the input device (eg, "eth0")
-o device Specify the output device (eg, "eth1")
-m Don't allow clients to connect after starting
-s bytes Limit the number of bytes captured per packet
-w filename Log events and errors to a file
-y milliseconds Screen refresh rate (use -y 0 to disable)

For example, if you type ./ethermux -i eth2 -o eth1 -a "00:11:22:33:44:55 aa:bb:cc:dd:ee:ff" -c 400 -s 200 -w log.txt -y 500 the server will wait until clients with MAC addresses 00:11:22:33:44:55 and aa:bb:cc:dd:ee:ff have connected before beginning. Once started, it will forward traffic from eth2 to eth1, capturing only the first 200 bytes of each packet. After 400 packets, it will stop. Its display will be updated and statistics recalculated every 500ms (1/2 second).

Running the Client

[TODO]

Using the Server

Although the server doesn't require any interaction to do its job, you can get statistics and monitor the clients' status from its interface.

The interface is divided into two panes. The upper pane gives a quick overview of the current status. It gives the (estimated) speed of incoming traffic and an indicator of what percentage of that traffic is being sent to the clients (aka, "goodness").

The lower and larger pane shows one of five tabs. By default, it displays the "LOGFILE" tab, which shows meaningful events, warnings, and errors. When something isn't working right, check the log for out-of-place messages. If you specify a log file with the -w option, the log will also be written out to the file for later examination.

To switch tabs, use the Left and Right arrow keys. The tab to the left of the LOGFILE tab is the CONTROL tab. From here, you can manage the server or all the clients at once. Use the Up and Down arrow keys to select an option from the menu on the CONTROL tab, and press Enter to activate it.

The next tab to the left is the CLIENTS tab. From here, you can see all the clients that are connected to the server. If you select a client, you can see individual statistics and perform a couple commands.

The next tab is the PACKETS tab. This tab shows a histogram of incoming traffic, categorized based on packet size. It can give you a "feel" for what exactly is coming in across the network, and can help you find irregular traffic.

Finally, the leftmost tab is the METRICS tab. It shows three columns: INSTANTANEOUS, PER-SECOND, and CUMULATIVE. The first column shows the raw statistics computed across since the last refresh (by default, this is the last 100ms; you can change this with the -y option). The PER-SECOND column shows statistics scaled -- aproximately -- to per-second units. Note that it's not done perfectly, and depending on the traffic load and the speed of your machine, could be more like per-1.1-seconds. Finally, the CUMULATIVE column shows cumulative statistics.

Generated on Wed Aug 16 21:20:44 2006 for ethermux by  doxygen 1.3.9.1