Network Utilization



Computer networking is a major computer discipline by itself as it has become ubiquitous. The government, private companies, and the mass media heavily rely on the Internet to function. The World Wide Web, e-mail, instant messaging, and so on have made the world much smaller, putting dispersed countries much closer than ever before. Search engines are very popular in getting information to your fingertips in a fraction of a second. eBusiness has taken business to the next level, where people, without leaving the place of their comfort, can shop, bank, trade stocks, play games with remote partners, collaborate on work, and so on. All these are made possible through advances in computer networking such as high-speed and high-bandwidth networks. Moreover, these advances facilitate new computer infrastructures such as cluster networks, storage networks, and multitiered setups. Tanenbaum has very good coverage of major topics in this field, such as the TCP/IP protocol suite, circuit and packet switching, wireless communications, security, and voice and data transmission.

Linux not only offers many of the powerful network capabilities that other major operating systems provide, but it also surpasses them through additional features such as masquerading. The Linux kernel supports several networking protocols such as TCP/IP, IPX (Internetwork Packet Exchange), and AppleTalk DDP, and it supports features such as packet forwarding, firewall operations, proxy, masquerading, tunneling, and aliasing.

Many network monitoring tools available in Linux help you evaluate the performance of any Linux network. Some of these tools can also be used to troubleshoot network problems along with monitoring performance. The Linux kernel makes a large amount of networking system information available to the user, helping you monitor the health of the network and detect problems in configuration, runtime, and performance.

This section explores only some of the tools that are readily available in most major Linux distributions. In this section, we look at the network tools netstat, nfsstat, tcpdump, ethtool, snmp, ifport, ifconfig, route, arp, ping, traceroute, host, and nslookup.

System and network administrators use some of these tools every day. Tools such as ping, route, arp, traceroute, ethtool, and tcpdump are used to determine network problems. These tools can be described as follows:

  • The command ping ipaddress/hostname shows if a computer is operating and if network connections are intact. ping uses the Internet Control Message Protocol (ICMP) Echo function. A small packet is sent through the network for a given IP address. If a reply to the packet is received, the computer network connection is alive. It also tells how many hops lie between the source computer and the destination computer.

  • The route command can be used to display the route table, add a route, delete a route to the table, and flush all the routes.

  • The arp command helps determine the root cause of the problem when ping does not work, that is, when the network connection is not alive. The arp -a command can be used to make sure that the hardware address is correctly associated with the right system. Other options available with this command include flushing the arp cache and adding entries to the cache.

  • The IRRToolSet (Internet Routing Registry Toolset) makes routing information more convenient and useful for network engineers by providing tools for automated router configuration, routing policies analysis, and maintenance.

  • ifconfig determines a host's media access control address. If another host with a duplicate IP address exists on the network, the arp cache may have had the media access control address for the other computer placed in it, in which case, the arp command can be used to delete the saved address in the cache and add the correct address to the arp cache.

  • traceroute tracks one of the possible routing pathways. It can measure the time taken to travel between each hop (router) and identify the hop's address as the packet travels through the network.

  • ethtool queries and changes the settings of an Ethernet device. The devices are assigned a number for identification, such as eth0, eth1… ethn for n Ethernet devices in the system. This tool uses this device name to query/change the settings.

  • tcpdump sniffs network packets. It captures all the packets that are seen at the computer. It can be used for network monitoring, protocol debugging, and data acquisition. tcpdump puts the NIC into promiscuous mode in order to capture all the packets going through the wire. Numerous options exist to filter the output down to only those packets of interest. The drawback with tcpdump is that the buffer can overflow and wrap around. tcpdump on high-bandwidth networks tends to drop packets; that is, tcpdump cannot keep up with the rate of the packets.

  • ethereal is another network sniffing tool similar to tcpdump. ethereal can read capture files from tcpdump.

  • host is a tool used to retrieve the host name for a given IP address from the Domain Name System. This tool is much more flexible than nslookup and is suited for use in shell scripts.

  • Some of the network security tools that are available on Linux include snort (a network intrusion detection system), dsniff (a suite of powerful network auditing and penetration-testing tools), and SAINT (Security Administrator's Integrated Network Tool).

Network Statistics

The netstat utility, available in the net-tools package, displays a large amount of information related to the networking subsystem.

netstat is one of the most frequently used tools for monitoring network connections on a Linux server. netstat displays a list of active sockets for each network protocol, such as TCP and UDP. It also provides information about network routes and cumulative statistics for network interfaces, including the number of incoming and outgoing packets and the number of packet collisions. The netstat output that follows shows statistics and routing information for a number of network protocols, such as Internet Protocol (IP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP). From the statistics, you can tell whether the number of packets received is higher or lower than expected. This tool can easily be used to investigate performance degradation between kernels.

Without any arguments, netstat displays a list of the existing network sockets and their connection information. All protocol families are displayed, including UNIX domain sockets. The following are typical lines from sample output:

 $ netstat
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address     Foreign Address     State
 tcp        0      0 *:32768          *:*                LISTEN
 tcp        0      0 *:smux           *:*                LISTEN
 tcp        0      0 *:9099           *:*                LISTEN
 tcp        0      0 *:sunrpc         *:*                LISTEN
 tcp        0      0 *:x11            *:*                LISTEN
 tcp        0      0 *:http           *:*                LISTEN
 tcp        0      0 *:ftp            *:*                LISTEN
 tcp        0      0 *:ssh            *:*                LISTEN
 tcp        0      0 *:telnet         *:*                LISTEN
 tcp        0      0 nethostA:smtp    *:*                LISTEN
 tcp        0      0 nethostA:32974   nethostB:ssh       ESTABLISHED
 tcp        0      0 nethostA:32996   nethostB:ssh       ESTABLISHED
 tcp        0      0 nethostA:33002   64.233.161.99:http ESTABLISHED
 tcp        0      0 nethostA:33005   nethostB:ftp       ESTABLISHED
 udp        0      0 *:32768          *:*
 udp        0      0 *:snmp           *:*
 udp        0      0 *:sunrpc         *:*
 Active UNIX domain sockets (servers and established)
 Proto RefCnt Flags       Type       State         I-Node Path
 unix  2      [ ACC ]     STREAM     LISTENING     2012   /dev/gpmctl
 unix  2      [ ACC ]     STREAM     LISTENING     159792 /tmp/ksocket-nivedita/kdeinit-:0
 unix  2      [ ACC ]     STREAM     LISTENING     2210   /tmp/.X11-unix/X0
 unix  2      [ ACC ]     STREAM     LISTENING     79840  /tmp/.ICE-unix/dcop15789-1077867386

The first column indicates the protocol family of the socket, which is commonly either tcp (Transmission Control Protocol), udp (User Datagram Protocol), or unix (UNIX domain socket). The second and third columns indicate the amount of data, in bytes, that is currently present in the receive and send socket queues. The next columns list the local and remote address and port information. The last column displays the protocol state that the socket is currently in.

The IP addresses are normally translated into host names (nethostA, nethostB) unless the -n flag is provided to netstat.

To display only select address families, their corresponding flags can be provided. For example, netstat --tcp or -t displays only the TCP sockets present. A full listing of the flags for the individual families is available in the netstat man page.

The asterisk (*) indicates a wildcard. For the local address, this is typical of listener processes, which listen on all the local interfaces. Remote host address and port information is displayed when the socket has made a connection to a remote host and is in established state. You see ssh, http, and ftp connections in progress in the preceding display.
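The wildcard rule described above can be turned into a quick exposure check. The following is an added example, not code from the book: it parses netstat output in the layout shown earlier and separates wildcard listeners from interface-bound ones. The sample lines are taken from the listing above, and the CLEARTEXT policy set is an assumption made for illustration.

```python
# Constructed sample: a subset of the netstat listing shown above.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address     Foreign Address     State
tcp        0      0 *:http           *:*                LISTEN
tcp        0      0 *:ftp            *:*                LISTEN
tcp        0      0 *:ssh            *:*                LISTEN
tcp        0      0 *:telnet         *:*                LISTEN
tcp        0      0 nethostA:smtp    *:*                LISTEN
tcp        0      0 nethostA:32974   nethostB:ssh       ESTABLISHED
udp        0      0 *:snmp           *:*
"""

# Illustrative policy (an assumption, not from the book): services that send
# credentials in cleartext, by name and by port number for `netstat -n` output.
CLEARTEXT = {"telnet", "ftp", "23", "21"}
# Spellings of "all local interfaces" in named, numeric and IPv6 output.
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}

def listeners(text):
    """Yield (proto, bind_host, service) for sockets waiting for peers."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # header lines, UNIX domain sockets, blank lines
        state = f[5] if len(f) > 5 else ""
        # TCP listeners are in LISTEN; an unconnected UDP socket has no state
        # and a wildcard foreign address.
        if state == "LISTEN" or (f[0].startswith("udp") and f[4].endswith(":*")):
            host, _, service = f[3].rpartition(":")
            yield f[0], host, service

def audit(text):
    """Group listeners by bind scope and flag cleartext services on wildcards."""
    report = {"wildcard": [], "bound": [], "flagged": []}
    for proto, host, service in listeners(text):
        scope = "wildcard" if host in WILDCARDS else "bound"
        report[scope].append(f"{proto}/{service}")
        if scope == "wildcard" and service in CLEARTEXT:
            report["flagged"].append(f"{proto}/{service}")
    return report

if __name__ == "__main__":
    for scope, sockets in audit(SAMPLE).items():
        print(f"{scope:9} {', '.join(sockets) or '-'}")
```

On the sample, telnet and ftp are reported as cleartext services listening on every interface, while smtp is bound to nethostA only.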

Displaying Interface Information

The netstat -i command displays per-interface information identical to that displayed by the ifconfig command. It is a listing of the statistics provided by the interface. These include the MTU (maximum transmission unit) and counts of packets received and sent that were successful, erroneous in some way, dropped, or overflowed.

 $ netstat -i
 Kernel Interface table
 Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
 eth0   1500 0     21941      0     0      0   11998      0     0      0 BMRU
 lo    16436 0       795      0     0      0     795      0     0      0 LRU

TCP/IP Protocol Statistics

The Linux kernel supports the statistics counters specified in RFC 2012 as part of the Simple Network Management Protocol (SNMP) Management Information Base (MIB). It also implements a large number of counters that are Linux-specific and capture network protocol events, primarily TCP.

The netstat utility displays most, but not all, of the counters present in the kernel. To see the full list of the events being counted, view the content of the /proc/net/snmp and /proc/net/netstat files. The former contains the RFC 2012 counters, and the latter contains the extended Linux-specific MIB. The following is a sample listing of SNMP counters produced by the netstat -s command:

 $ netstat -s
 Ip:
     662968 total packets received
     0 forwarded
     0 incoming packets discarded
     659592 incoming packets delivered
     162297 requests sent out
 Tcp:
     5721 active connections openings
     39 passive connection openings
     0 failed connection attempts
     0 connection resets received
     1 connections established
     136759 segments received
     152791 segments send out
     20660 segments retransmited
     3 bad segments received.
     1165 resets sent
 Udp:
     14031 packets received
     15 packets to unknown port received.
     0 packet receive errors
     7519 packets sent
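The same counters can be read directly from /proc/net/snmp, where each protocol has a header line of counter names followed by a line of values. The following is an added example, not code from the book: it parses that layout and derives three ratios worth watching. The embedded sample is constructed from the netstat -s values above, and the ratio names are chosen here for illustration.

```python
from pathlib import Path

# Constructed sample in the /proc/net/snmp layout; the values mirror the
# netstat -s listing above.
SAMPLE = """\
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts
Tcp: 1 200 120000 -1 5721 39 0 0 1 136759 152791 20660 3 1165
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 14031 15 0 7519
"""

def parse_snmp(text):
    """Return {protocol: {counter: int}} from header/value line pairs."""
    lines = [l.split() for l in text.splitlines() if l.strip()]
    stats = {}
    for names, values in zip(lines[0::2], lines[1::2]):
        # Both lines of a pair carry the same "Proto:" prefix and field count.
        if names[0] != values[0] or len(names) != len(values):
            raise ValueError(f"mismatched header/value pair for {names[0]}")
        stats[names[0].rstrip(":")] = dict(zip(names[1:], map(int, values[1:])))
    return stats

def health(stats):
    """Derive ratios from the cumulative counters (guarding against zero)."""
    tcp, udp = stats["Tcp"], stats["Udp"]
    return {
        # Share of sent segments that were retransmissions (loss, congestion).
        "retrans_pct": round(100 * tcp["RetransSegs"] / max(tcp["OutSegs"], 1), 2),
        # Resets sent per 1000 segments received; resets are the kernel's
        # usual answer to segments aimed at ports nobody listens on.
        "rst_per_1k_in": round(1000 * tcp["OutRsts"] / max(tcp["InSegs"], 1), 2),
        # Share of received datagrams addressed to a port with no listener.
        "udp_noport_pct": round(100 * udp["NoPorts"] / max(udp["InDatagrams"], 1), 2),
    }

if __name__ == "__main__":
    src = Path("/proc/net/snmp")
    text = src.read_text() if src.exists() else SAMPLE
    for name, value in health(parse_snmp(text)).items():
        print(f"{name}: {value}")
```

The counters are cumulative since boot, so for ongoing monitoring take two readings and compute the ratios on the difference between them.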

Moreover, network communication involves heavy interrupt processing. Thus, in conjunction with netstat, vmstat can be used to capture the number of interrupts, and sar can be used to determine the spread of interrupt processing.

nfsstat

Network File System (NFS) is a technique to incorporate a file system from a remote machine into the local file system; that is, NFS uses the same read and write interface to access data remotely as the one used locally. nfsstat is a simple tool that prints NFS kernel statistics. nfsstat prints the counts of NFS API calls during a workload. In the following example, the server is running an I/O workload. Output from nfsstat shows the counts of reads and writes, which can be used for debugging purposes. The counts of reads and writes can also be used to understand performance issues.

 Server nfs v3:
 null       getattr    setattr    lookup     access     readlink
 0       0% 8       0% 0       0% 6      0% 43      0% 0       0%
 read       write      create     mkdir      symlink    mknod
 262242 44% 328004  55% 2       0% 0       0% 0       0% 0       0%
 remove     rmdir      rename     link       readdir    readdirplus
 3       0% 0       0% 0       0% 0       0% 0       0% 0      0%
 fsstat     fsinfo     pathconf   commit
 1       0% 1       0% 0       0% 2586    0%




    Performance Tuning for Linux Servers
    ISBN: 0137136285
    EAN: 2147483647
    Year: 2006
    Pages: 254
