Linux – Monitor number of bytes transferred to/from IP address on port

linuxpacket-analyzerpacket-capturetcpdumptshark

Can anyone recommend a linux command line tool to monitor the number of bytes transferred between the local server and a specified IP address/port.

The equivalent tcpdump command would be:

tcpdump -s 0 -i any -w mycapture.trc port 80 host google.com

which outputs :

46 packets captured
131 packets received by filter
0 packets dropped by kernel

I'd like something similar that outputs:

54 bytes out, 176 bytes in

I'd like it to work on RHEL and be free/open-source. It would be good if there was an existing tool which I was just missing too!

Best Answer

You could use iptables. If you're not already using it, you can use an open Accept configuration, but have a rule in place to do the counting.

For example, on RHEL your /etc/sysconfig/iptables file could look something like:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j INPUT
-A INPUT -s 10.10.1.1 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -d 10.10.1.1 -p tcp -m tcp --dport 80 -j ACCEPT

Where 10.10.1.1:80 is the host:port you want to count traffic to (you can't use a hostname). You can then check traffic counted with the command iptables -nvxL as root.

Example output:

Chain INPUT (policy ACCEPT 7133268 packets, 1057227727 bytes)
    pkts      bytes target     prot opt in     out     source               destination     
 7133268 1057227727 ACCEPT     tcp  --  *      *       10.10.1.1            0.0.0.0/0              tcp spt:80


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination     
       0          0 INPUT      all  --  *      *       0.0.0.0/0            0.0.0.0/0       

Chain OUTPUT (policy ACCEPT 7133268 packets, 1057227727 bytes)
    pkts      bytes target     prot opt in     out     source               destination     
 7133268 1057227727 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.10.1.1              tcp dpt:80

Related Solutions

Linux – multicast tcpdump and subscriptions

It depends on your multicast infrastructure: For instance, you could have many multicast routers, and various rules set on your switches (making subscriptions static, or dynamic, or even banned on certain ports/nodes).

But, if you want to subscribe to a multicast group... Just subscribe. Send an IGMP JOIN packet across some infrastructure, which obviously has IGMP snooping enabled. You can generate an IGMP packet with a variety of tools.

Taking a step to a higher level, use iperf to subscribe to any multicast group. If your network infrastructure isn't too complex, and if you are "allowed" to subscribe to any multicast group, then use the following:

iperf -s -u -B 239.100.100.100 Where 239.100.100.100 is your multicast group address.

tcpdump simultaneously to get a detailed report.

Note that I believe iperf only supports IGMP v1 and v2. If you want to craft an IGMP v3 JOIN packet, it shouldn't be too hard to write a program, as you stated. But there would be a lot more tools out there that would probably do the same.

Tcpdump – how to check rate of packets

capinfos is what you are looking for:

$ capinfos ddos.cap
File name:           ddos.cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   1000000
File size:           189073212 bytes
Data size:           173073188 bytes
Capture duration:    2 seconds
Start time:          Fri Jul  5 16:35:04 2013
End time:            Fri Jul  5 16:35:07 2013
Data byte rate:      69839025.27 bytes/sec
Data bit rate:       558712202.18 bits/sec
Average packet size: 173.07 bytes
Average packet rate: 403523.08 packets/sec
SHA1:                34d758e6445061855ca4397729098f469f411fe3
RIPEMD160:           14f430231fc2962cd86ddb8edb8daf75a5d07af8
MD5:                 5893809fb02d1a20997629a9a501842b
Strict time order:   False

Pay attention to the Data bit rate.

What might help here is if someone could edit the original script above instead of capturing 2000 packets and dropping the rest, to capture all packets for a duration of lets say 5 seconds when the threshold hits.

How about this:

tcpdump -n -s0 -w $dumpdir/dump.`date +"%Y%m%d-%H%M%S"`.cap &
sleep 5 && pkill -HUP -f /usr/sbin/tcpdump

Best Answer

Related Solutions

Linux – multicast tcpdump and subscriptions

Tcpdump – how to check rate of packets

Related Topic