Linux: how to obtain traffic statistics

Tags: accounting, linux, traffic

I have a Linux-based bridge. I'd like to count how much traffic every IP that passes through it generates. In other words, I'd like to get a file like this:

src_IP  dst_IP  pkt_size
1.1.1.1 2.2.2.2 12304
3.3.3.3 4.4.4.4 430
....

Is there a tool to do it under linux?

I've done some searching on ulog; however, both "accounting daemon" projects seem to be abandoned (their webpages do not work).
Capturing traffic with tcpdump and then analyzing the dump could be an option; however, I can't see how I can get the packet size from the dump.

Please, let me know if there is a way to do it.

Best Answer

In the IP header, you have a TOTAL LENGTH header that contains "the length of the datagram, measured in octets, including internet header and data." (RFC 791). If you want to have only the payload size of a packet, you need to do TOTAL LENGTH minus (IP Header length + (TCP|UDP) header length). (IP header length is in the IHL header, TCP header length is in the data offset header).

With a basic tcpdump command, such as

# tcpdump -s 1500 -Svni eth0 tcp and port 80

it will display each TCP packet as follows:

11:58:52.114411 IP (tos 0x0, ttl 53,id 5745, offset 0, flags [DF], proto TCP (6), length 505)
    12.66.33.88.53247 > 88.231.98.32.80: Flags [P.], cksum 0x62fd (correct), seq 1193308573:1193309026, ack 2122411067, win 46, options [nop,nop,TS val 122841090 ecr 125780554], length 453

The first line contains the IP header, including the total length (length 505). The second line contains the tcp header, including the payload length (length 453), which is 505 - 52 (52 being the length of the IP + TCP headers).

If you want to automate this, you can set tcpdump to store the capture in a pcap file, and then parse the pcap with a script.

However, if you want to do it fast without degrading your performance, you should take a look at libnetfilter_queue. That involves a bit of coding in C, but really not much. The idea is that you place a hook in netfilter to direct the traffic to your program. From there you can parse ip|tcp|udp headers and compute your information, put that in an RRD database if you want, and reinject the traffic into netfilter.
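The "store the capture in a pcap file, then parse it with a script" route from the answer, as an added example that is not part of the original post. It reads a classic pcap file with only the standard library, pulls TOTAL LENGTH, IHL and the TCP data offset out of each IPv4 header exactly as the answer describes, and aggregates bytes per (src, dst) pair into the table layout the question asks for. The sample capture is constructed inline (a `build_frame`/`build_pcap` helper, checksums left at zero) so the script runs offline; the addresses reuse the ones from the answer's tcpdump output and are not real hosts.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def parse_pcap(data):
    """Yield (timestamp, frame_bytes) for every record of a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"                      # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"                      # file written big-endian
    else:
        raise ValueError("not a classic pcap file (pcapng/nanosecond variants not handled)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24                              # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_ipv4(frame):
    """Return sizes taken from the IPv4 and TCP/UDP headers, or None for non-IPv4 frames."""
    if len(frame) < 34:                   # Ethernet (14) + minimal IPv4 (20)
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4              # IHL is in 32-bit words
    total_len, = struct.unpack_from("!H", ip, 2)   # TOTAL LENGTH: header + data (RFC 791)
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if proto == 6 and len(l4) >= 13:
        l4_hdr = (l4[12] >> 4) * 4        # TCP data offset, also in 32-bit words
    elif proto == 17:
        l4_hdr = 8                        # UDP header is fixed size
    else:
        l4_hdr = 0
    payload_len = max(total_len - ihl - l4_hdr, 0)
    return {"src": src, "dst": dst, "proto": proto,
            "total_len": total_len, "payload_len": payload_len}


def account(pcap_bytes):
    """Aggregate IP total length and payload bytes per (src, dst) pair."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "payload": 0})
    for _ts, frame in parse_pcap(pcap_bytes):
        pkt = parse_ipv4(frame)
        if pkt is None:
            continue                      # ARP, IPv6, truncated frames: not counted
        entry = totals[(pkt["src"], pkt["dst"])]
        entry["packets"] += 1
        entry["bytes"] += pkt["total_len"]
        entry["payload"] += pkt["payload_len"]
    return dict(totals)


def format_table(totals):
    """Render the per-pair totals in the src_IP / dst_IP / pkt_size layout from the question."""
    lines = ["src_IP\tdst_IP\tpkt_size\tpayload\tpackets"]
    for (src, dst), e in sorted(totals.items()):
        lines.append(f"{src}\t{dst}\t{e['bytes']}\t{e['payload']}\t{e['packets']}")
    return "\n".join(lines)


# --- constructed sample data (no real capture is read) --------------------
def build_frame(src, dst, payload_len, proto=6, tcp_opts=12):
    """Build a constructed Ethernet/IPv4/TCP (or UDP) frame; checksums are left at zero."""
    ip_bytes = lambda a: bytes(int(x) for x in a.split("."))
    if proto == 6:
        data_offset = (20 + tcp_opts) // 4
        l4 = struct.pack("!HHIIBBHHH", 53247, 80, 1, 1, data_offset << 4, 0x18, 46, 0, 0)
        l4 += b"\x01" * tcp_opts          # padding standing in for TCP options
    else:
        l4 = struct.pack("!HHHH", 53247, 80, 8 + payload_len, 0)
    l4 += b"A" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 5745, 0x4000, 53, proto, 0,
                     ip_bytes(src), ip_bytes(dst))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    build_frame("12.66.33.88", "88.231.98.32", 453),            # 505 bytes total, like the answer's packet
    build_frame("12.66.33.88", "88.231.98.32", 0),              # bare ACK: 52 header bytes, no payload
    build_frame("3.3.3.3", "4.4.4.4", 100, proto=17),           # UDP: 20 + 8 + 100 = 128 bytes
])

if __name__ == "__main__":
    print(format_table(account(SAMPLE_PCAP)))
```

To use it on a real capture, replace `SAMPLE_PCAP` with the contents of a file written by `tcpdump -w`; captures taken with `-s 0` (or a snaplen large enough to include the full headers) are required, since a record truncated before the data offset field yields a wrong payload figure. The `bytes` column sums TOTAL LENGTH, so Ethernet framing is excluded, matching what the answer derives from the tcpdump output.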