Get network data transfer rate / throughput for use in Wireshark

network-traffic packet-capture wireshark

I'm trying to get the Ethernet NIC throughput rate / data transfer rate on a VPS in order to start a capture in Wireshark during DoS/DDoS attacks so I can analyze the nature of the packets.

I'm aware that I can use something called a ring buffer to limit the filesize of Wireshark files and just keep Wireshark running. However, I would like to only start capturing traffic once a specific network traffic threshold is reached as this would make it easier for me to separate the files before inspecting them.

I have looked at several command line tools such as iftop, vnstat and nload, which all do a nice job of providing output to the terminal.

However, can someone help me with a command in either one of those tools, or another nice way to simply capture the DTR, that would allow me to start a Wireshark capture? Else, is there an existing command in TShark that allows this to happen?

Best Answer

You can run TShark with these options:

tshark -i 1 -a duration:30 -q -z io,stat,0

Meaning:

-i 1 : Listen on your first interface. Adjust as needed for your desired interface. (You can use tshark -D to get a list of interfaces to choose from.)

-a duration:30 : autostop after 30 seconds

-q : Don't display the packets as they are captured; just display a summary at the end

-z io,stat,0 : Collect and display IO statistics at the end, using an interval of zero seconds. The zero interval means the statistics will be calculated over all packets.

Run the capture. It'll stop after 30 seconds (or you can end it early, typically with Ctrl+C) and you'll get a summary like this:

12645 packets captured

=====================================
| IO Statistics                     |
|                                   |
| Duration: 29.1 secs               |
| Interval: 29.1 secs               |
|                                   |
| Col 1: Frames and bytes           |
|-----------------------------------|
|                |1                 |
| Interval       | Frames |  Bytes  |
|-----------------------------------|
| 0.000 <> 29.1  |  12645 | 8694272 |
=====================================

You can then divide 8694272 bytes by 29.1 seconds to see a throughput of 298,772 bytes per second during that capture window.

To automate, run that however often you want -- maybe every five minutes -- and then parse the results with your favorite tool to pull out the duration and the total bytes. Do the division, and launch Wireshark if the throughput is over a designated threshold.
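The automation step described in the answer, written out as an added example (this is not code from the original answer). It parses the IO Statistics block that `tshark -q -z io,stat,0` prints, computes bytes per second, and starts a capture when a threshold is crossed. It assumes dumpcap (shipped with Wireshark) is on the PATH, a capture directory of `/var/tmp/captures`, and a ring buffer of ten 100 MB files; the sample statistics block is constructed to match the layout shown above.

```shell
#!/bin/sh
# Added example; not part of the original answer. Parses the IO Statistics
# summary that `tshark -q -z io,stat,0` prints, derives bytes per second,
# and starts a ring-buffer capture with dumpcap (assumed to be installed
# alongside Wireshark) once a threshold is crossed.

# Constructed sample, shaped like the summary in the answer above.
SAMPLE_STATS='12645 packets captured

=====================================
| IO Statistics                     |
|                                   |
| Duration: 29.1 secs               |
| Interval: 29.1 secs               |
|                                   |
| Col 1: Frames and bytes           |
|-----------------------------------|
|                |1                 |
| Interval       | Frames |  Bytes  |
|-----------------------------------|
| 0.000 <> 29.1  |  12645 | 8694272 |
====================================='

# throughput_bps STATS_TEXT
# Prints the average rate in bytes/second as an integer. Bytes are summed
# over every "a <> b" row, so it also works if a non-zero interval was used.
# Fails (exit 1) when no Duration line is present, e.g. an empty capture.
throughput_bps() {
    printf '%s\n' "$1" | awk '
        /^\| Duration:/ { dur = $3 }
        /<>/           { bytes += $(NF-1) }
        END {
            if (dur + 0 == 0) { print 0; exit 1 }
            printf "%d\n", bytes / dur
        }'
}

# above_threshold STATS_TEXT THRESHOLD_BPS
# Succeeds when the sampled rate is strictly above the threshold.
above_threshold() {
    rate=$(throughput_bps "$1") || return 2
    [ "$rate" -gt "$2" ]
}

# sample_and_capture IFACE SAMPLE_SECONDS THRESHOLD_BPS
# Takes one sample with the exact command from the answer, logs the rate,
# and on a hit runs dumpcap with a ring buffer (10 files x 100 MB, at most
# 10 minutes) so a flood cannot fill the disk. Run it from cron or a loop.
CAPTURE_DIR=${CAPTURE_DIR:-/var/tmp/captures}   # assumed location
sample_and_capture() {
    iface=$1; secs=$2; thresh=$3
    stats=$(tshark -i "$iface" -a duration:"$secs" -q -z io,stat,0 2>/dev/null)
    rate=$(throughput_bps "$stats") || { echo "no statistics from tshark on $iface" >&2; return 2; }
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $iface $rate B/s (threshold $thresh)"
    if [ "$rate" -gt "$thresh" ]; then
        mkdir -p "$CAPTURE_DIR"
        dumpcap -i "$iface" -b filesize:102400 -b files:10 -a duration:600 \
            -w "$CAPTURE_DIR/flood-$(date -u +%Y%m%d-%H%M%S).pcapng"
    fi
}

# Real use (not executed here): ./rate_trigger.sh run eth0 30 5000000
if [ "${1:-}" = run ]; then
    sample_and_capture "${2:-1}" "${3:-30}" "${4:-5000000}"
fi
```

Pick the threshold from a baseline of normal traffic on the same interface (the sample above works out to about 298 KB/s). The capture is started with dumpcap rather than the Wireshark GUI because it only writes packets to disk without dissecting them, and the `-b` ring-buffer options cap how much a sustained flood can write; open the resulting files in Wireshark afterwards.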