Network traffic monitoring in Linux operations and maintenance isn't limited to checking bandwidth usage. Its deeper value lies in enabling real-time detection and alerting of anomalies through traffic behavior analysis. An effective monitoring system can help administrators identify potential risks such as DDoS attacks, port scans, data leaks, or service anomalies, thereby ensuring the stability and security of online services. The approach is to extract the relevant metrics from the large volume of network data, establish a baseline of normal traffic, and raise an alert whenever current traffic deviates significantly from that baseline, giving the operations team valuable time to intervene.
The first step in building a monitoring system is selecting the right tools to capture and present traffic data. For real-time traffic monitoring, traditional tools like iftop and nload provide intuitive real-time rate displays, allowing quick assessment of current bandwidth consumption. However, true anomaly detection relies on analyzing historical data and richer dimensions. This is where lightweight tools like vnstat become particularly useful. They silently collect daily, weekly, and monthly traffic statistics in the background, creating easily searchable historical baselines that help administrators determine whether current traffic is within the normal range for the same period. For example, once vnstat is installed, view a daily summary with the following command:

```bash
vnstat -d
```
When you notice an unusual increase in traffic and need to delve deeper into specific connections, the combination of `nethogs` and `ss` is a powerful tool. `nethogs` can quickly pinpoint the processes consuming the most bandwidth, while the `ss` command lists every socket together with its state, which is crucial for spotting unusual spikes in connection counts. For example, counting connections in each TCP state can help identify a SYN flood, which shows up as a surge of half-open (SYN-RECV) connections:

```bash
# Skip the header line, then tally the State column
ss -ant | awk 'NR > 1 { print $1 }' | sort | uniq -c
```
After initial assessments based on command-line tools, deeper analysis often requires more powerful data stream processing capabilities. `tcpdump` is a classic tool for this type of deep packet inspection. It allows administrators to capture all packets passing through a specific network interface and use BPF filters to pinpoint specific issues. The captured raw data can be saved to a file for detailed analysis using graphical tools like Wireshark, or piped to other command-line tools for real-time processing. For example, the following command captures HTTP traffic destined for host 192.168.1.100:
```bash
tcpdump -i eth0 -w http_capture.pcap dst host 192.168.1.100 and tcp port 80
```
However, automation is essential for continuous anomaly detection. This typically involves writing shell scripts to periodically collect key metrics and compare them against thresholds, enabling automated alerting. A simple script can monitor whether the traffic of a specific network interface exceeds a preset threshold within a sampling interval:
```bash
#!/bin/bash
# Sample the interface byte counters twice and alert when the average
# rate over the interval exceeds THRESHOLD.
IFACE=eth0
INTERVAL=10          # seconds between samples
THRESHOLD=100000     # KB/s
STATS=/sys/class/net/$IFACE/statistics
RX_BEFORE=$(cat "$STATS/rx_bytes")
TX_BEFORE=$(cat "$STATS/tx_bytes")
sleep "$INTERVAL"
RX_AFTER=$(cat "$STATS/rx_bytes")
TX_AFTER=$(cat "$STATS/tx_bytes")
# Average rate over the interval, converted from bytes/s to KB/s
RX_RATE=$(( (RX_AFTER - RX_BEFORE) / INTERVAL / 1024 ))
TX_RATE=$(( (TX_AFTER - TX_BEFORE) / INTERVAL / 1024 ))
if [ "$RX_RATE" -gt "$THRESHOLD" ] || [ "$TX_RATE" -gt "$THRESHOLD" ]; then
    echo "Warning: Network traffic abnormality! Receive rate: ${RX_RATE}KB/s Send rate: ${TX_RATE}KB/s" \
        | mail -s "Traffic alert" admin@example.com
fi
```
In addition to traffic volume, abnormal connection behavior is also an important detection criterion. Attacks such as port scans and brute force attempts often exhibit distinctive connection patterns, such as initiating connections to a large number of different ports or hosts in a very short period of time. Regularly checking for abnormal connection states (such as a large number of sockets in SYN-SENT or CLOSE-WAIT) can help detect such threats. The following command records the total number of connections in the ESTABLISHED state; a sudden surge in this number may indicate that the service is under a CC (HTTP flood) attack or suffering some other load anomaly:

```bash
# -H suppresses the header line so that wc -l counts only connections
EST_COUNT=$(ss -Hnt state established | wc -l)
```
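The connection-pattern checks described above, as a runnable example added here (not code from the original page): it tallies `ss -Hant` output by TCP state and by peer address and raises an alert when either exceeds a limit. It assumes the five-column `ss -Hant` layout (State Recv-Q Send-Q Local Peer) and uses a constructed sample in place of live output.

```bash
#!/bin/bash
# Constructed sample standing in for live `ss -Hant` output (State Recv-Q
# Send-Q Local Peer); 198.51.100.20 holds four half-open connections to 443.
SAMPLE_SS_OUTPUT='ESTAB      0 0 10.0.0.5:22   203.0.113.7:51234
ESTAB      0 0 10.0.0.5:443  198.51.100.9:40001
SYN-RECV   0 0 10.0.0.5:443  198.51.100.20:40002
SYN-RECV   0 0 10.0.0.5:443  198.51.100.20:40003
SYN-RECV   0 0 10.0.0.5:443  198.51.100.20:40004
SYN-RECV   0 0 10.0.0.5:443  198.51.100.20:40005
CLOSE-WAIT 0 0 10.0.0.5:8080 203.0.113.7:51300'

# Tally of connections per TCP state, most frequent first ("<count> <state>")
count_states() {
    awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Number of connections whose state equals $1 (e.g. SYN-RECV)
state_count() {
    awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Connections per peer address: strip the trailing :port so that both
# 1.2.3.4:80 and [2001:db8::1]:80 collapse to the host part ("<count> <peer>")
peer_counts() {
    awk '{ p = $5; sub(/:[0-9]+$/, "", p); print p }' | sort | uniq -c | sort -rn
}

# Exit 0 (alert) when the number of connections in state $1 exceeds $2, else 1
state_over_limit() {
    local n
    n=$(state_count "$1")
    if [ "$n" -gt "$2" ]; then
        echo "ALERT: $n connections in $1 (limit $2)"
        return 0
    fi
    return 1
}

# Exit 0 (alert) when any single peer holds more than $1 connections, else 1
peer_over_limit() {
    peer_counts | awk -v m="$1" '
        $1 > m { hit = 1; print "ALERT: " $2 " holds " $1 " connections (limit " m ")" }
        END { exit hit ? 0 : 1 }'
}

# Demo on the constructed sample; in production feed `ss -Hant` instead
printf '%s\n' "$SAMPLE_SS_OUTPUT" | count_states
printf '%s\n' "$SAMPLE_SS_OUTPUT" | state_over_limit SYN-RECV 3
printf '%s\n' "$SAMPLE_SS_OUTPUT" | peer_over_limit 3
```

Each check returns exit status 0 only when its limit is exceeded, so a cron wrapper can chain it directly into `mail` the same way the rate script above does.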
For large-scale production environments, a centralized monitoring system is more effective. Prometheus, combined with Node Exporter, collects network metrics from every server in the cluster and visualizes them in Grafana. Flexible alerting rules can be based not only on instantaneous absolute values but also on year-over-year and month-over-month growth rates, significantly enhancing anomaly detection.
In short, anomaly detection in Linux network traffic monitoring is a comprehensive process, from real-time observation to historical baseline analysis, and then to automated scripts and centralized monitoring. This requires operations personnel to not only be familiar with the use of various underlying tools but also understand the traffic characteristics of the service itself. This allows them to develop effective detection strategies, nip potential failures and security risks in the bud, and ensure reliable service operation.