12.07.2015 Views

Red Hat Enterprise Linux 5 Administration Unleashed


416 CHAPTER 20 Monitoring System Resources

LISTING 20.11 Continued

          RX packets:89409 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89409 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:34682468 (33.0 MiB) TX bytes:34682468 (33.0 MiB)

The eth0 device is the first Ethernet device in the system. If additional Ethernet devices are available, they are referred to as eth1, eth2, and so on. The lo device is the local loopback device.

If the device has an IP address, it is listed after inet addr: as shown for eth0 in Listing 20.11. The MAC address is listed after HWaddr for each device.

By default, ifconfig only displays devices with IP addresses. To list the information for a specific device such as one without an IP, specify it after the command such as ifconfig eth1.

To monitor traffic on a network, use the tcpdump utility. It enables the promiscuous mode of the network card to capture all the packets sent across the network. You must run tcpdump as the root user. This can be useful when trying to determine if packets are reaching their destinations and to check response times.

When run with no arguments, tcpdump runs continuously until you press Ctrl+C. To limit the number of packets captured, use the -c argument. After number of packets are captured, tcpdump stops. To save the output to a file instead of displaying it on the command line, use the -w option, and then use the -r argument to read it back from the file.

To only capture packets on a specific interface, use the command tcpdump -D to list the interfaces tcpdump can listen to. In this output, each interface is preceded by a number. Specify this number as with the command tcpdump -i to only capture packets on the specified interface.

If you prefer a graphical, interactive application to view packet transfers, try Wireshark. Use Red Hat Network as discussed in Chapter 3 to install the wireshark-gnome package if it is not already installed. It will also install the wireshark package (non-GUI version).

After installing the RPM packages, select Internet, Wireshark Network Analyzer from the Applications menu on the top panel of the desktop. You can also execute the wireshark command to start the program. If you run the program as a non-root user, you are prompted for the root password to continue.

As shown in Figure 20.4, Wireshark uses the same format as tcpdump, so if you use tcpdump -w to save the output, you can then open it in Wireshark to take advantage of its easy-to-read color coding and interactive features such as filtering.
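The capture file that tcpdump -w saves and Wireshark opens can also be inspected directly. The following is an added example, not code from the book: it assumes the classic libpcap file layout (not pcapng), and the names read_pcap and build_sample and the sample bytes are constructed for illustration. It goes one step beyond the text by flagging packets that were cut short at capture time, which matters when a saved capture is later used as evidence.

```python
import struct

# Classic libpcap magic numbers, as the first four bytes appear on disk.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanosecond timestamps
}

def read_pcap(data):
    """Return (header_info, records) for a classic pcap byte string."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap capture")
    order, ticks = MAGICS[data[:4]]
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    info = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}
    records, pos = [], 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("capture ends inside a record header")
        sec, frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[pos:pos + 16])
        pos += 16
        if pos + incl_len > len(data):
            raise ValueError("record claims more bytes than the file holds")
        records.append({
            "time": sec + frac / ticks,
            "data": data[pos:pos + incl_len],
            # True when fewer bytes were saved than were seen on the wire
            "truncated": incl_len < orig_len,
        })
        pos += incl_len
    return info, records

def build_sample():
    """Constructed capture: one complete 4-byte packet, one 60-byte packet cut to 8."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 8, 1)  # snaplen 8, Ethernet
    rec1 = struct.pack("<IIII", 1000, 500000, 4, 4) + b"\x01\x02\x03\x04"
    rec2 = struct.pack("<IIII", 1001, 0, 8, 60) + b"\xff" * 8
    return hdr + rec1 + rec2

if __name__ == "__main__":
    info, records = read_pcap(build_sample())
    print(info)
    for r in records:
        print(r["time"], len(r["data"]), "truncated" if r["truncated"] else "complete")
```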
