Bandwith usage from pcap files

bandwidthpcap

I've got a huge pcap file (many GBs) that I just can't load in wireshark. What I need is extracting bandwidth usage information, both total and per-protocol (in both incoming and outgoing direction), from it, and possibly graph it in a manager-friendly way.

Essentially, I need something that can process pcap files on the command line, and outputs usage statistics in a format suitable for visualization or usage with tools like rrdtool et al. Any advice welcome.

Best Answer

You could try using the commandline version of wireshark tshark to extract the statistics. There are some examples in tshark's manpage under -z, e.g. io,stat,0,smb for all SMB packets.

Related Solutions

How to read pcap files in a friendly format

Wireshark is probably the best, but if you want/need to look at the payload without loading up a GUI you can use the -X or -A options

tcpdump -qns 0 -X -r serverfault_request.pcap

14:28:33.800865 IP 10.2.4.243.41997 > 69.59.196.212.80: tcp 1097
        0x0000:  4500 047d b9c4 4000 4006 63b2 0a02 04f3  E..}..@.@.c.....
        0x0010:  453b c4d4 a40d 0050 f0d4 4747 f847 3ad5  E;.....P..GG.G:.
        0x0020:  8018 f8e0 1d74 0000 0101 080a 0425 4e6d  .....t.......%Nm
        0x0030:  0382 68a1 4745 5420 2f71 7565 7374 696f  ..h.GET./questio
        0x0040:  6e73 2048 5454 502f 312e 310d 0a48 6f73  ns.HTTP/1.1..Hos
        0x0050:  743a 2073 6572 7665 7266 6175 6c74 2e63  t:.serverfault.c
        0x0060:  6f6d 0d0a 5573 6572 2d41 6765 6e74 3a20  om..User-Agent:.
        0x0070:  4d6f 7a69 6c6c 612f 352e 3020 2858 3131  Mozilla/5.0.(X11
        0x0080:  3b20 553b 204c 696e 7578 2069 3638 363b  ;.U;.Linux.i686;

tcpdump -qns 0 -A -r serverfault_request.pcap

14:29:33.256929 IP 10.2.4.243.41997 > 69.59.196.212.80: tcp 1097
E..}..@.@.c.
...E;...^M.P..^w.G.......t.....
.%.}..l.GET /questions HTTP/1.1
Host: serverfault.com

There are many other tools for reading and getting stats, extracting payloads and so on. A quick look on the number of things that depend on libpcap in the debian package repository gives a list of 50+ tools that can be used to slice, dice, view, and manipulate captures in various ways.

For example.

How to split a pcap file into a set of smaller ones

You can use tcpdump itself with the -C, -r and -w options

tcpdump -r old_file -w new_files -C 10

The "-C" option specifies the size of the file to split into. Eg: In the above case new files size will be 10 million bytes each.

Best Answer

Related Solutions

How to read pcap files in a friendly format

How to split a pcap file into a set of smaller ones

Related Topic