NAME
na.traffic - network traffic statistics
DESCRIPTION
na.traffic gathers statistics about network traffic (number of packets in a given interval) and reports the information at the end of the interval.
The agent reports Ethernet activity based on information contained in the packet headers, for example, source and destination IP addresses, Ethernet addresses, and port numbers. Each table accepts a key to narrow the information reported, for example, a particular address, port number, packet length, or protocol.
If no reporting interval is given, the agent will use a default reporting interval of 10 seconds.
ATTRIBUTES
na.traffic has one attribute group, AllPackets, and nine attribute tables: SrcIp, DstIp, SrcEth, DstEth, BetweenIp, SrcPort, DstPort, Length and Proto.
The AllPackets group returns the total number of Ethernet packets observed during the interval.
The SrcIp table contains the number of packets transmitted from a particular IP address, using srcipaddr as the key.
Note: An IP address is a string of four decimal numbers (range of 0-255) separated by dots (.), e.g., 129.9.200.3
srcipaddr - source IP address (string[15])
pkts - number of packets from the source IP address per interval (gauge)
The DstIp table contains the number of packets sent to a particular IP address, using dstipaddr as the key.
dstipaddr - destination IP address (string[15])
pkts - number of packets to the destination IP address per interval (gauge)
The SrcEth table contains the number of packets sent from a particular Ethernet address, using srcethaddr as the key.
Note: An Ethernet address is a string of six hexadecimal numbers (range is 0 - FF) separated by colons (:), e.g., 8:0:20:6:41:0:d7.
srcethaddr - source Ethernet address (string[17])
pkts - number of packets from the source Ethernet address per interval (gauge)
The DstEth table contains the number of packets sent to a particular Ethernet address, using ethaddr as the key.
ethaddr - destination Ethernet address (string[17])
pkts - number of packets to the destination Ethernet address per interval (gauge)
The BetweenIp table contains the number of packets transferred between two given IP addresses, using ipaddresses as the key.
ipaddresses - pair of IP addresses (string[30])
pkts - number of packets between the two IP addresses per interval (gauge)
The SrcPort table contains the number of packets that originated from a particular port number, using srcport as the key.
srcport - port number of source IP address (short)
pkts - number of packets from source port number per interval (gauge)
The DstPort table contains the number of packets destined for a particular port number, using dstport as the key.
dstport - port number of destination IP address (short)
pkts - number of packets to destination port number per interval (gauge)
The Length table contains the number of packets transferred of a particular length or that match a given set of conditions, using length_exp as the key.
length_exp - packet length or range of lengths (string[9]). The length_exp has the format:
[relational operator] <white space> <packet length>
where:
relational operator
specifies one of the following:
EQ - equal to
GE - greater than or equal to
GT - greater than
LE - less than or equal to
LT - less than.
If you do not supply a relational operator, the agent returns a table showing all packets that fall within the specified range.
white space
a single space delimiter that separates the relational operator from the packet length.
packet length
specifies a particular packet size range. The defined ranges of packet size (in bytes) are:
60-241
242-423
424-605
606-787
788-969
970-1151
1152-1333
1334-1514.
pkts - number of packets of specified length per interval (gauge)
The Proto table contains statistics about a particular protocol, using protoname as the key.
protoname - protocol name (string[32]). Currently, na.traffic recognizes the following protocols: UDP, TCP, ICMP, ARP, DECnet and AppleTalk.
pkts - number of packets of selected protocol per interval (gauge)
OPTIONS
na.traffic accepts an option in the request.
ifname
specifies a particular interface when your machine has more than one (for example, ie0 and ie1). Use this option when the particular interface you are interested in differs from the default name. Pass this option in the form: -i ifname, where ifname is ie0, ie1, and so on.
ERRORS
can't open NIT device for ethernet interface
(For 4.x systems only.) The agent could not open the NIT device, /dev/nit. NIT may not be present in this kernel, or the device entry is missing from the /dev directory.
If your kernel does not support NIT, run na.traffic in a system that supports NIT and is on the same Ethernet segment as your machine. Alternatively, you can reconfigure your kernel (see config(8)) to support NIT and boot the system.
cannot put ethernet interface into promiscuous mode
(For 4.x systems only.) The agent could not set the interface in promiscuous mode. The agent requires the interface to be in promiscuous mode in order to sample all traffic on the net. The most likely cause is a kernel bug.
NIT already in promiscuous mode
(For 4.x systems only.) The agent already set the interface into promiscuous mode. The most likely cause is an internal problem with the agent.
can't push a packet filter
(For 4.x systems only.) An ioctl(2) call to set a message filter failed. The most likely cause is a kernel bug.
bad ethernet address specified
The Ethernet address supplied as a key to either the SrcEth or DstEth groups has an incorrect format.
bad internet address specified
The Internet address supplied as a key to either the SrcIp or DstIp groups has an incorrect format.
bad length expression specified
The length expression specified as a key has an incorrect format.
bad internet address pair specified
The key specification of a pair of Internet addresses has a syntax error. The expected syntax is two Internet addresses, separated by a single space character.
error during sampling
Indicates the occurrence of some undefined system error during the interval the agent sampled the traffic. The agent will cease sampling and return an error message because recovery may not be possible.
out of memory
Failed to allocate memory for storing network traffic statistics. To alleviate the problem, try reducing the sampling interval or reducing the amount of memory used by other parts of the system.
protocol not yet handled by group Proto
The specified protocol is not known by the agent.
bad ethernet interface name specified
The optional specification of the Ethernet interface supplied in the options string has a syntax error. The expected syntax is -i ifname, where ifname is the interface name, such as ie0, le0, ie1.
specify ethernet interface name; unable to determine default
Under some system configurations the agent cannot determine the default interface for sampling Ethernet traffic. Pass the agent the interface name with the -i flag in the options field.
can't get interface flags
can't get interface list
These messages indicate internal errors, usually due to kernel incompatibilities.
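The key formats in ATTRIBUTES and the "bad ... specified" messages in this section can be checked on the requesting side before a key is passed to the agent. The following Python is an added example, not part of na.traffic or its documentation; check_key and its helpers are hypothetical names, and the treatment of the packet length after an operator, of operator-less range keys, and of protocol-name case are assumptions marked in the comments.

```python
import re

# Field widths, operators, ranges, protocol names and error strings are
# copied from the man page text; everything else is marked as an assumption.
LENGTH_OPS = {"EQ", "GE", "GT", "LE", "LT"}
LENGTH_RANGES = {"60-241", "242-423", "424-605", "606-787",
                 "788-969", "970-1151", "1152-1333", "1334-1514"}
PROTOCOLS = {"UDP", "TCP", "ICMP", "ARP", "DECnet", "AppleTalk"}

def _is_ip(s):
    # Four decimal numbers in 0-255 separated by dots, at most string[15].
    parts = s.split(".")
    return (len(s) <= 15 and len(parts) == 4 and
            all(re.fullmatch(r"[0-9]{1,3}", p) and int(p) <= 255 for p in parts))

def _is_eth(s):
    # Six hexadecimal numbers in 0-FF separated by colons, at most string[17].
    parts = s.split(":")
    return (len(s) <= 17 and len(parts) == 6 and
            all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts))

def _is_ip_pair(s):
    # Two addresses separated by a single space, at most string[30].
    parts = s.split(" ")
    return len(s) <= 30 and len(parts) == 2 and all(_is_ip(p) for p in parts)

def _is_length_exp(s):
    if len(s) > 9:                      # string[9]
        return False
    parts = s.split(" ")
    if len(parts) == 2 and parts[0] in LENGTH_OPS:
        # Assumption: after an operator the packet length is a byte count.
        return re.fullmatch(r"[0-9]{1,4}", parts[1]) is not None
    # Assumption: with no operator the key is one of the defined ranges.
    return s in LENGTH_RANGES

CHECKS = {
    "SrcIp": (_is_ip, "bad internet address specified"),
    "DstIp": (_is_ip, "bad internet address specified"),
    "SrcEth": (_is_eth, "bad ethernet address specified"),
    "DstEth": (_is_eth, "bad ethernet address specified"),
    "BetweenIp": (_is_ip_pair, "bad internet address pair specified"),
    "Length": (_is_length_exp, "bad length expression specified"),
    # Assumption: protocol names are matched case-sensitively.
    "Proto": (lambda s: s in PROTOCOLS, "protocol not yet handled by group Proto"),
}

def check_key(table, key):
    """Return None for a well-formed key, else the matching ERRORS message."""
    ok, message = CHECKS[table]         # KeyError for tables not covered here
    return None if ok(key) else message
```

SrcPort and DstPort are left out because the page lists no format error for port keys.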
NOTES
The statistics returned by na.traffic do not include counts for packets sent by the system on which the agent is running.
na.traffic is not intended as a replacement for a protocol analyzer. In fact, the data returned by the traffic agent may differ from statistics obtained by using a protocol analyzer. This is because na.traffic places the Ethernet interface on the system into promiscuous mode in order to gather packet statistics. If other processes are running on the system, packets may be lost.