How to measure data transfer across a network interface related to a specifc user

monitoring

I have an Ubuntu server and I am interested in measuring how much data is being transferred (both in and out) across a network interface, by a specific user. How do I do it?

N.B. I know how to measure the total data transfer of the whole machine. I want to restrict my monitoring to a specific user.

Best Answer

You can use iptables rules to do this. Here are some commands that would keep track of all traffic for a user with UID=1000

iptables -I OUTPUT -m owner --uid-owner 1000 -j CONNMARK --set-mark 1
iptables -I INPUT -m mark --mark 1
iptables -I INPUT -j CONNMARK --restore-mark

You can then view the counters with iptables -nvL. The number of bytes is the second field.
For input traffic you'll want to look at the line under INPUT that has mark match 0x1 on the end. For output traffic it'll be the line with CONNMARK set 0x1 on the end.

Details:

iptables -I OUTPUT -m owner --uid-owner 1000 -j CONNMARK --set-mark 1

This tells iptables to set firewall mark 1 on all outbound traffic from user with uid=1000.

iptables -I INPUT -j CONNMARK --restore-mark

This tells iptables to use connection tracking to figure out which incoming packets are associated with the outgoing packets, and restore any firewall marks for the stream (ie, the ones that we set the mark on above).

iptables -I INPUT -m mark --mark 1

This tells iptables to match any incoming packets that have firewall mark 1. We dont do anything with them, we just use it so it'll increment the counters.

Related Solutions

Slow internet bandwidth on Network

To analyze which device is generating/receiving the most traffic you are going to need network equipment that can collect these statistics.

As mentioned in a previous answer the easiest way to do this is with a managed switch which will allow you to poll the traffic on each port.

Another method is a router that can either collect traffic accounting data on a per MAC address level or export network traffic in "NetFlow" format which can be analyzed by a tool such as NFSen

The final method is going to be installing some sort of packet sniffer (e.g. a PC running Wireshark). In order to get this to work on an unmanaged switch you will need to either install the sniffing PC in-line to the traffic (i.e. two network cards configured for L2 forwarding) or install some form of Ethernet tap between the switch and router.

The less managed network hardware you have in the network the more networking knowledge you will need to collect the statistics.

Router – Monitoring router bandwidth usage via Nagios and SNMP

I did this with a cron script, stores current value in a temp file then next time uses it to calculate bandwidth utilization since last run.

#!/bin/bash

email_address=""
router_ip=""

# 80% BANDWIDTH [ (384000bps) 48,000Bps ] - 20% = 38,400 Bps
alertBW="76800"

lastBWFile="/var/log/ciscoGW.log"
lastBW=`cat $lastBWFile | awk '{print$2}'`
lastTime=`cat $lastBWFile | awk '{print$1}'`

curBW=` snmpget  -c snmap_name -v 1 $router_ip IF-MIB::ifOutOctets.2  | awk '{print$4}'`

let diffBW=$curBW-$lastBW
#echo "Diff BW: $diffBW"
timeNow=`date +%s`
let diffTime=$timeNow-$lastTime
let alertBW=$alertBW*$diffTime

echo "$timeNow $curBW" > $lastBWFile

if [ $diffBW -gt $alertBW ]; then
#       echo "Over limit!"
        echo "Bandwith used over $diffTime seconds: $diffBW" | mail -s "BANDWIDTH OVER LIMIT!!!!" $email_address
fi

Since I was more interested in actual peaks I've since moved to using rrdtool:

#start 15 minutes ago
#end 5 minutes ago since rrdtool queries every 5 minutes 
rrdtool fetch $FROM MAX -s -900 -e -300

Best Answer

Related Solutions

Slow internet bandwidth on Network

Router – Monitoring router bandwidth usage via Nagios and SNMP

Related Topic