Wednesday, 08 September 2010
Exploring the /proc/net/ Directory
Courtesy: Aman  
The /proc/ filesystem is a trick the Linux kernel uses to make certain internal information available to user-space processes. The kernel presents the information in virtual files in virtual directories. The files and directories of the /proc/ filesystem are virtual because the data is not actually stored on any sort of permanent storage like a hard disk; instead, the directories, files, and data within them are created dynamically in memory from raw kernel data whenever you attempt to read from them. A variety of network information and data is available in the /proc/net/ directory. In this column we'll take a look at some of the more useful files available in the /proc/net/ subdirectory and how you might use them in administration of your network.
Mounting the /proc/ filesystem

All Linux distributions automatically mount the /proc/ filesystem at boot time. It's not essential that this be done, but a number of programs rely on it, so it's wise.

To see if the /proc filesystem is mounted on your machine, use the mount command without any arguments. You should see output that looks something like this:

mount
..
proc on /proc type proc (rw)
..

If not, you can mount the /proc/ filesystem manually using the command:

mount -t proc proc /proc

and put the following entry into your /etc/fstab file so it is mounted automatically next time you reboot your machine:

proc /proc proc defaults 0 0

The /proc/net/ directory

When the /proc/ filesystem is mounted, you can treat it as though it were a real filesystem containing directories and files. If you move to the /proc/net/ directory and list the files it contains, you will see a list that looks somewhat like the following:

arp           ip_fwnames    route      udp
dev           ip_mr_cache   rpc/       unix
dev_mcast     ip_mr_vif     rt_cache  
dev_stat      netlink       snmp
igmp          netstat       sockstat
ip_fwchains   raw           tcp

The actual list of files will vary a little depending on what version kernel you are running and what networking options you've compiled into it.

Each of these files contains information about some aspect of Linux networking. To view the contents of any of these files, you can simply use the cat command. Other utilities such as more or less should work more or less equally well. If you closely inspect these files, you'll see that they're all listed as zero bytes in length in a directory listing; this confuses some programs, so keep this in mind if you strike problems.

Let's take a look at what is inside some of these useful virtual files.
Interface statistics

The /proc/net/dev file contains information about the configured network interfaces. To view it, type cat /proc/net/dev -- you can view sample output here.

If you repeat this command periodically while there is active traffic on your network, you will see some of the numbers changing to reflect the updated statistics collected by the device drivers.

If you examine the format of the file, you'll see that there is one line for each logical network interface known to the kernel. In each line you are given the interface name followed by two sets of nearly identical statistics, receive and transmit, for that interface. The meanings of each of the columns are:

bytes
    The total number of bytes of data transmitted or received by the interface.

packets
    The total number of packets of data transmitted or received by the interface.

errs
    The total number of transmit or receive errors detected by the device driver.

drop
    The total number of packets dropped by the device driver.

fifo
    The number of FIFO buffer errors.

frame
    The number of packet framing errors.

colls
    The number of collisions detected on the interface.

compressed
    The number of compressed packets transmitted or received by the device driver. (This appears to be unused in the 2.2.15 kernel.)

carrier
    The number of carrier losses detected by the device driver.

multicast
    The number of multicast frames transmitted or received by the device driver.
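
An added example, not part of the original article: comparing two readings of /proc/net/dev, as the repeated-cat advice above suggests, to report which error counters are climbing on which interface. The two snapshots are constructed sample data, and parse_dev, growing_faults and WATCHED are names chosen for this example.

```python
# Two constructed snapshots in /proc/net/dev layout, taken some seconds apart
# (sample values, not captured from a real host).
SNAP_1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   82100     910    0    0    0     0          0         0    82100     910    0    0    0     0       0          0
  eth0: 5120000    4200    3    0    0     3          0        12  1310000    3900    0    0    0     7       0          0
"""
SNAP_2 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   82600     915    0    0    0     0          0         0    82600     915    0    0    0     0       0          0
  eth0: 5890000    4950   41    9    0    38          0        12  1350000    4100    0    0    0     7       2          0
"""

def parse_dev(text):
    """Return {iface: {"rx_bytes": n, ..., "tx_compressed": n}}."""
    lines = text.splitlines()
    # Column names come from the second header line, so the parser follows
    # whatever set of counters the running kernel prints.
    _, rx_cols, tx_cols = lines[1].split("|")
    names = ["rx_" + c for c in rx_cols.split()] + ["tx_" + c for c in tx_cols.split()]
    stats = {}
    for line in lines[2:]:
        if ":" not in line:
            continue
        # Split on the colon first: large counters can abut the name ("eth0:5120000").
        iface, counters = line.split(":", 1)
        stats[iface.strip()] = dict(zip(names, map(int, counters.split())))
    return stats

WATCHED = ("rx_errs", "rx_drop", "rx_frame", "tx_errs", "tx_drop", "tx_carrier")

def growing_faults(before, after, watched=WATCHED):
    """Report fault counters that increased between two snapshots."""
    report = {}
    for iface, now in after.items():
        old = before.get(iface)
        if old is None:
            continue  # interface appeared between snapshots; no baseline
        delta = {k: now[k] - old[k] for k in watched if k in now and k in old and now[k] > old[k]}
        if delta:
            report[iface] = delta
    return report

if __name__ == "__main__":
    print(growing_faults(parse_dev(SNAP_1), parse_dev(SNAP_2)))
```
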
Socket status

The kernel exports information about open network sockets. The relevant /proc/net/ files for IPv4 are: tcp, udp, and raw. All three files have identical syntax. The first line provides labels for each of the columns in the output. Each following line represents one open socket. Results from cat /proc/net/tcp are shown here.

The data presented in each output column is:

sl
    The number of the line in the output listing.

local_address
    The local IP address and port number for the socket. The IP address is displayed as a little-endian four-byte hexadecimal number; that is, the least significant byte is listed first, so you'll need to reverse the order of the bytes to convert it to an IP address. The port number is a simple two-byte hexadecimal number.

rem_address
    The remote IP address and port number for the socket. Encoding is the same as for the local_address.

st
    The socket status.

tx_queue:rx_queue
    The size of the transmit and receive queues.

tr:tm->when
    The tr field indicates whether a timer is active for this socket. A value of zero indicates the timer is not active. The tm->when field indicates the time remaining (in jiffies) before timeout occurs.

retrnsmt
    Unused.

uid
    The ID of the user that owns the socket. This is the same ID found in the /etc/passwd file.

time-out
    Unused.

inode
    A cryptic-looking number that identifies the socket to the Linux virtual filesystem.
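
An added example, not part of the original article: a Python parser for the socket table described above that decodes the byte-reversed addresses and lists listening sockets bound to every interface, with the owning uid and inode. The sample lines are constructed, the state names come from the kernel's include/net/tcp_states.h rather than from this article, and decode_endpoint, parse_tcp and exposed_listeners are names chosen for this example.

```python
import socket
import struct

# State codes from the kernel's include/net/tcp_states.h (not listed in the article).
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
    0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT",
    0x07: "CLOSE", 0x08: "CLOSE_WAIT", 0x09: "LAST_ACK",
    0x0A: "LISTEN", 0x0B: "CLOSING",
}

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 1350
   2: 0400A8C0:0016 0A00A8C0:C3F2 01 00000000:00000000 02:000A9C3D 00000000     0        0 2077
"""

def decode_endpoint(field):
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306)."""
    hex_addr, hex_port = field.split(":")
    # Address bytes are reversed (as printed on little-endian hosts); the port is not.
    addr = socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))
    return addr, int(hex_port, 16)

def parse_tcp(text):
    """Parse /proc/net/tcp text into a list of dicts, skipping the header line."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue  # blank or truncated line
        state = int(f[3], 16)
        sockets.append({
            "local": decode_endpoint(f[1]),
            "remote": decode_endpoint(f[2]),
            "state": TCP_STATES.get(state, "UNKNOWN(%02X)" % state),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return sockets

def exposed_listeners(sockets):
    """Listening sockets bound to 0.0.0.0, i.e. reachable on every interface."""
    return [s for s in sockets if s["state"] == "LISTEN" and s["local"][0] == "0.0.0.0"]

if __name__ == "__main__":
    for s in exposed_listeners(parse_tcp(SAMPLE)):
        print("port %d uid %d inode %d" % (s["local"][1], s["uid"], s["inode"]))
```

On a live host, pass the contents of /proc/net/tcp to parse_tcp in place of SAMPLE; the same parser reads udp and raw, whose st values have different meanings.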
Routing and ARP tables

The ARP and routing tables are exported in files named arp and route. They're both fairly self-explanatory. The ARP table looks like this.


The fields make sense when you know that HW means "hardware". The hardware type and flag codings are the ARPHRD_* and ATF_* codings found in the /usr/include/linux/if_arp.h file. The Mask field is used when advertising a promiscuous ARP entry for an IP network or subnetwork.

The first entry in the example is for a host on an Ethernet network (hardware type 1). The flags indicate the entry is incomplete; this is further evidenced by the hardware address of 00:00:00:00:00:00, which would normally contain the hardware address of the mapping described by the entry. The second entry is a working ARP entry mapping the IP address 192.168.0.4 to the hardware address 00:80:C8:8B:7A:46 on the network connected to the eth0 device.

The routing table is also easy to understand (view using cat /proc/net/route, and view an example here). Just as for the socket status tables, the IP addresses and network masks are displayed in byte-reversed hexadecimal.

The fields are:

Iface
    The network interface that datagrams matching this route will leave.

Destination
    In combination with the Mask field, this specifies which datagrams will match this route.

Gateway
    The IP address of the host that will act as a gateway for datagrams matching this route.

Flags
    An indicator of a number of route attributes. The flags field values are the RTF_* codings found in the /usr/include/linux/route.h file.

RefCnt
    Unused.

Use
    Unused.

Metric
    The metric value associated with the route. This is used to indicate the cost or priority of a route.

Mask
    In combination with the Destination field, this specifies which datagrams will match this route.

MTU
    Specifies the largest TCP segment (in bytes) that will be built for transmission via this route.

Window
    Specifies the TCP window (in bytes) that will be advertised for TCP connections made via this route.

IRTT
    Specifies the Initial Round Trip time (in milliseconds) that will be used for TCP connections established via this route.

The MTU, Window, and IRTT values are per-route values that override those assigned to the interface and allow for some clever ways out of tricky network configurations.
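
An added example, not part of the original article: decoding the byte-reversed Destination, Gateway and Mask fields of /proc/net/route and using Destination together with Mask to find which route a given address matches. The table is constructed sample data, the selection rule (longest mask, then lowest metric) is a simplified model of what the kernel does, and unhex, parse_routes and lookup are names chosen for this example.

```python
import ipaddress
import socket
import struct

RTF_UP, RTF_GATEWAY = 0x0001, 0x0002  # flag bits from <linux/route.h>

# Constructed sample in /proc/net/route layout (not captured from a real host).
SAMPLE = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0100A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t0000A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
    "ppp0\t000010AC\t00000000\t0001\t0\t0\t0\t0000FFFF\t0\t0\t0\n"
)

def unhex(field):
    """Byte-reversed hex (as printed on little-endian hosts) to dotted quad."""
    return socket.inet_ntoa(struct.pack("<I", int(field, 16)))

def parse_routes(text):
    """Parse /proc/net/route text into a list of dicts, skipping the header."""
    routes = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 8:
            continue  # blank or truncated line
        flags = int(f[3], 16)
        net = "%s/%s" % (unhex(f[1]), unhex(f[7]))  # Destination + Mask
        routes.append({
            "iface": f[0],
            "net": ipaddress.ip_network(net, strict=False),
            "gateway": unhex(f[2]) if flags & RTF_GATEWAY else None,
            "up": bool(flags & RTF_UP),
            "metric": int(f[6]),
        })
    return routes

def lookup(routes, dest):
    """Simplified selection: longest mask wins, ties go to the lowest metric."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if r["up"] and ip in r["net"]]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"]))

if __name__ == "__main__":
    for dest in ("192.168.0.4", "172.16.5.9", "203.0.113.7"):
        r = lookup(parse_routes(SAMPLE), dest)
        print(dest, "->", r["iface"], "via", r["gateway"] or "direct")
```
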
Protocol statistics

The /proc/net/snmp file exports protocol statistics. It is intended to be used by SNMP (Simple Network Management Protocol) daemon programs and provides summary statistics for each of the IP, ICMP, TCP, and UDP protocols. There is a lot of information in this file, so much that I won't discuss it in detail in this column. Refer to the MIB-2 RFC if you're looking for good descriptions of these fields. Suffice it to say that if you're conversant with how the protocols operate, you can gain important insights into how your network is performing by careful analysis of the information presented here.

There is one important thing to note. All of the fields are decimal integers excepting the Ip: Forwarding field, which is a boolean value. In the SNMP world, boolean values are represented with values 1 and 2, so a value of 1 indicates that IP forwarding is disabled.

View the results of cat /proc/net/snmp here.
How do I use this information?

An important part of the power of the /proc/ filesystem is that all of the files are readable and parsable using just about any program. In the past, the sort of information presented in /proc/ would have been made available via ioctl() function calls against special device files. Using plain-text files means that this information is directly usable by shell scripts, Perl scripts, PHP, and C or C++ programs alike.

It's possible, for example, to reimplement much of the functionality of the netstat command as a bash shell script. It's a simple task to write a shell script to read data from the /proc/net/ files and write it to a database or flat file for analysis and presentation at a later time, for example, on a web page or report. You could write a Perl script that monitored the data in the /proc/net/dev file and automatically created or destroyed additional PPP connections to share network load using EQL. There are many potential uses.

If you're comfortable with the /proc/net/ directory and are hungry for more network-related configuration and statistical information, you should explore the /proc/sys/net/ directory. It contains a whole new level of detail and allows your programs to actually manipulate certain configuration parameters by writing replacement values into the files.
 