man potion (Commands) - IP Flow Monitor

NAME

potion - IP Flow Monitor

SYNOPSIS

potion [options] <interface> [expression]

DESCRIPTION

This is a console utility which listens on an interface using libpcap, aggregates the traffic into flows and displays the top flows (as many as can fit on your screen) with their average throughput. A flow is identified by IP protocol, source IP, source port, destination IP, destination port, and type of service flag.

Reading packets from a network interface may require that you have special privileges. Read the tcpdump(1) man page for more details about this.

Potion logs all errors to syslog or, if a log file is specified, to that file. It may therefore seem like potion does nothing if some error occurs. Check your logs for errors or warnings.

OPTIONS

A summary of options is included below.

-s | --snaplen=<bytes>
Snarf snaplen bytes of data from each packet rather than the default of 128 which should be more than enough (68 bytes is adequate for IP, ICMP, TCP and UDP excluding link layer overhead). Packets truncated because of a limited snapshot are not displayed. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. Setting snaplen to 0 means use the required length to catch whole packets.
-f | --flows=<n>
The maximum number of flows to create. If this limit is reached, the oldest flows will automatically be expired to make room for new ones. The default is 64.
-a | --active=<minutes>
Active flow lifetime. The default is 30 minutes.
-i | --inactive=<seconds>
Idle flow lifetime. The default is 60 seconds.
-S | --syslog=<facility>
Syslog facility to log to. The following facilities can be specified:

[a]

[b]

[c]

[d]

[e]

[f]

[g]

[h]

[i]

[j]

[k]

[l]

[m]

[n]

-h | --help
Display summary of options.
<interface>
Listen on interface. On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces. Note that captures on the ``any'' device will not be done in promiscuous mode.
<expression>
Filter expression selects which packets will be captured. If no expression is given, all packets will be captured, otherwise only packets for which expression is true will be captured. Since potion simply drops all non-ip traffic, it is a good idea to specify at least ``ip'' as a filter expression. Read tcpdump(1) for detailed expression syntax.
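
The flow aggregation described under DESCRIPTION, together with the --flows, --active and --inactive limits, can be sketched as follows. This is an added example, not potion's own code: it builds the six-field flow key from a raw IPv4 packet and keeps a bounded flow table. The names flow_key, FlowTable and make_pkt are hypothetical, and two points are assumptions: "oldest" is taken to mean first created, and throughput is taken as bytes divided by flow age.

```python
import socket, struct
from collections import OrderedDict
MAX_FLOWS, ACTIVE_S, INACTIVE_S = 64, 30 * 60, 60   # defaults stated on the page

def flow_key(pkt):
    """(proto, src, sport, dst, dport, tos) for an IPv4 packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4 if len(pkt) >= 20 and pkt[0] >> 4 == 4 else 0
    if ihl < 20 or len(pkt) < ihl:
        return None                              # non-IP or malformed: dropped
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    sport = dport = 0                            # ICMP etc. carry no ports
    if pkt[9] in (6, 17) and frag_off == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (pkt[9], socket.inet_ntoa(pkt[12:16]), sport,
            socket.inet_ntoa(pkt[16:20]), dport, pkt[1])

class FlowTable:
    def __init__(self, max_flows=MAX_FLOWS):
        self.max_flows = max_flows
        self.flows = OrderedDict()               # insertion order = creation order

    def expire(self, now):
        for key, f in list(self.flows.items()):  # idle or active lifetime exceeded
            if now - f["last"] > INACTIVE_S or now - f["first"] > ACTIVE_S:
                del self.flows[key]

    def add(self, pkt, now):
        key = flow_key(pkt)
        if key is None:
            return None
        self.expire(now)
        if key not in self.flows:
            if len(self.flows) >= self.max_flows:
                self.flows.popitem(last=False)   # assumption: oldest = first created
            self.flows[key] = {"first": now, "last": now, "bytes": 0}
        f = self.flows[key]
        f["last"] = now
        f["bytes"] += struct.unpack("!H", pkt[2:4])[0]   # IP total length field
        return key

    def top(self, n):                            # assumption: bytes / flow age
        rate = lambda kv: kv[1]["bytes"] / max(kv[1]["last"] - kv[1]["first"], 1)
        return sorted(self.flows.items(), key=rate, reverse=True)[:n]

def make_pkt(proto, src, sport, dst, dport, tos=0, payload=b""):
    """Constructed sample IPv4 packet (checksum zero), not captured traffic."""
    body = struct.pack("!HH", sport, dport) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(body), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + body
```

Because the type of service byte is part of the key, two packets that share addresses and ports but differ in TOS count as separate flows and each takes one of the --flows slots.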

SEE ALSO

AUTHOR

Written by Abraham vd Merwe <abz@blio.com>