Monitoring Network Performance
By Sander van Vugt
Occasionally, a user complains that the network is too slow. While this is good to know, you may wonder if there is any way to analyze what exactly is causing the slowdown. In this article, you'll get some directions for analyzing network performance.
Before starting to use the different analysis tools that are available, you should know what to analyze. When looking at the OSI model, you'll see that network traffic consists of different layers, and that every single layer has its own peculiarities. For the sake of network performance analysis, it's enough to differentiate between only two layers: the hardware and the software. In the hardware layer the network interface cards communicate with one another, whereas in the software layer different applications exchange information.
Troubleshooting the hardware layer
In the hardware layer, the network board communicates with another network board. For this to work, the kernel needs to have the appropriate driver for your network board loaded. Once the driver is loaded, the network boards can communicate on the network. The most basic test to see if this works is to use the ping command to see if the other host is available. If it is, in the next step you can check statistics about packets that are being sent over the network. The kernel collects statistics about everything that happens at this layer. The following parameters are normally available:
- Transmitted/received: this is the counter of packets that have been transmitted and received successfully.
- Error: typically this counter increases if there's a bad connection or a duplex mismatch.
- Dropped: this counter typically increases when there is no buffer available for an incoming packet.
- Overruns: if you see this happening, it's more severe than a dropped packet. This counter increases if the receiving kernel or NIC is overwhelmed with packets.
- Frame: the frame error indicates a physical problem that has occurred on a packet, such as a CRC error.
- Multicast: this indicates the number of multicast packets that have been sent.
- Compressed: you can see this counter going up if packets that were compressed using protocols such as PPP or SLIP have been sent.
To get statistics about these parameters, you can use the ifconfig tool or the ip tool. For example, the command ip -s -s link will display all available statistics for all interfaces.
Listing 1: Using ip -s -s link gives you advanced statistics about the available network interfaces.
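The counters described above are cumulative, so what matters in practice is whether they grow. As an added example (not part of the original article), the script below compares two snapshots of /proc/net/dev, the kernel file that exposes the same per-interface counters, and prints only the error counters that increased. The names nic_error_deltas and run_sample are hypothetical and the snapshot data is constructed.

```sh
#!/bin/sh
# Added example; the snapshots in run_sample are constructed, laid out like
# /proc/net/dev. Fields after the name: RX bytes packets errs drop fifo frame
# compressed multicast, then TX bytes packets errs drop fifo colls carrier
# compressed.

# Print "iface counter delta" for each error counter that grew between two
# snapshot files ($1 = earlier, $2 = later).
nic_error_deltas() {
    awk '
        BEGIN {
            split("4 5 6 7 12 13 14", col, " ")
            split("rx_errs rx_drop rx_fifo rx_frame tx_errs tx_drop tx_fifo", name, " ")
        }
        FNR <= 2 { next }                  # two header lines per file
        {
            sub(/:/, " ")                  # "eth0:9823..." has no space after the colon
            for (k = 1; k <= 7; k++) {
                key = $1 SUBSEP name[k]
                now = $(col[k])
                if (NR == FNR) before[key] = now       # first file: remember value
                else if ((key in before) && now - before[key] > 0)
                    print $1, name[k], now - before[key]
            }
        }
    ' "$1" "$2"
}

# Hypothetical demo: write two constructed snapshots and compare them.
run_sample() {
    dir=$(mktemp -d) || return 1
    {
        echo 'Inter-|   Receive   |  Transmit'
        echo ' face |bytes packets errs drop fifo frame ... (header, skipped)'
        echo '    lo:  104200   1200   0  0 0   0 0    0   104200   1200 0 0 0  0 0 0'
        echo '  eth0:98234112 812340   0 42 0   0 0 1530 45120988 640112 0 0 0  0 0 0'
        echo '  eth1: 5120331  40210 310  0 9 310 0    0  2210043  31002 0 0 0 12 5 0'
    } > "$dir/t0"
    {
        echo 'Inter-|   Receive   |  Transmit'
        echo ' face |bytes packets errs drop fifo frame ... (header, skipped)'
        echo '    lo:  109800   1260   0  0 0   0 0    0   109800   1260 0 0 0  0 0 0'
        echo '  eth0:98911040 817002   0 57 0   0 0 1544 45733101 644870 0 0 0  0 0 0'
        echo '  eth1: 5188420  40733 317  0 9 317 0    0  2251790  31544 0 0 0 12 5 0'
    } > "$dir/t1"
    nic_error_deltas "$dir/t0" "$dir/t1"
    rm -rf "$dir"
}

run_sample
```

On a live host, save /proc/net/dev to a file twice, some interval apart, and pass the two files to nic_error_deltas.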
Another important aid for observing and modifying the physical aspects of your network boards is ethtool. For instance, you can see current settings using ethtool followed by the device name. An example of this is in Listing 2.
Listing 2: Displaying device properties using ethtool
In some cases, you'll find that a particular setting for your network board doesn't work properly. In that case, you can use ethtool to change that setting as well. Be careful when using this tool, though, as the default auto-negotiate option normally works fine. Using the wrong setting may cause a disruption of functionality.
In some situations it's not enough to see statistics about a given moment in time. If you want to see how network traffic has behaved over a longer period of time, it's a good idea to use sar. To do so, make sure that the sysstat package has been installed on your distribution, and that the sysstat daemon is running as well. After 10 minutes, you can use sar to show details about network traffic. The best option is to use sar -n FULL; it will show detailed statistics on your network interface.
When no problems are detected at the physical layers, your next step is to analyze the software layers. If the network communicates all right, there may be problems with the services communicating on the network. The iptraf and netstat tools are rather useful in getting details about these services.
The iptraf tool serves as a real time monitoring tool to get information on what is happening on the network. It will show you information on current network traffic, updating the statistics with every new packet that is sent over the network.
Figure 1: The iptraf tool shows real-time monitoring information about packets that are sent over the network.
If you just want to get information about the network sockets in use, without the real-time statistics on packets that are sent over these sockets, it may be a better idea to use the netstat tool. One unique feature is that it is the only tool that can trace the owner of a socket back to a PID, so you can actually see what programs are responsible for traffic load on a given interface. For instance, to get an overview of listening processes on your network, use netstat -tulp as seen in Listing 3 below.
Listing 3: Use netstat -tulp to get an overview of processes that offer their services on the network.
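From a security standpoint, the useful question to ask of this output is which listeners are reachable from other hosts and which process owns each one. As an added example (not part of the original article), the script below filters netstat output down to the sockets that are not bound to loopback. It assumes the -n flag is added (netstat -tulpn) so addresses and ports are numeric; exposed_listeners and sample_netstat are hypothetical names and the sample output is constructed.

```sh
#!/bin/sh
# Added example. Input is constructed output in the layout of `netstat -tulpn`
# (-n added so addresses and ports are numeric).

# Print "proto address port pid/program" for every listener not bound to loopback.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }        # skip the two header lines
        {
            # UDP rows have an empty State column, so the owner is one field earlier
            owner = ($1 ~ /^tcp/) ? $7 : $6
            port = $4; sub(/.*:/, "", port)             # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next  # loopback: not reachable remotely
            print $1, addr, port, owner
        }
    '
}

# Constructed sample, not captured from a real host.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      987/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1501/master
tcp6       0      0 :::80                   :::*                    LISTEN      2001/httpd
tcp6       0      0 ::1:631                 :::*                    LISTEN      987/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           765/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           640/chronyd
EOF
}

sample_netstat | exposed_listeners
```

On a live host, run netstat -tulpn as root and pipe it into exposed_listeners; without root, the PID/Program column shows "-" for sockets owned by other users.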
If there are problems on your network, you should find out where these problems originate. In this article you have learned how to differentiate between the physical and the logical layers on your network and how to do a performance analysis of both.
31 Mar 2008