Tcpdump – how to check rate of packets

tcpdump

I'm using this script that actually checks for the rate of incoming packets, and it gets triggered if the rate hits 5 Mbps or more. The packets are then logged to a tcpdump file.

#!/bin/bash
interface=eth0
dumpdir=/tmp

while true; do
  # Received-packet counter for $interface from /proc/net/dev, sampled one second apart
  pkt_old=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
  sleep 1
  pkt_new=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')

  pkt=$(( pkt_new - pkt_old ))
  echo -ne "\r$pkt packets/s\033[0K"

  # Threshold is in packets per second; capture 2000 packets, then back off for 5 minutes
  if [ "$pkt" -gt 5000 ]; then
    echo -e "\n$(date) Under attack, dumping packets."
    tcpdump -n -s0 -c 2000 -w "$dumpdir/dump.$(date +"%Y%m%d-%H%M%S").cap"
    echo "$(date) Packets dumped, sleeping now."
    sleep 300
  fi
done

The output is something like: 2000 packets captured, XXX packets received by filter and XXX-(minus)2000 dropped by kernel.

Now what I want to know is this: the output file doesn't actually tell me the rate of the attack, like whether it was 300 Mbps or whatever. So are the XXX packets received by filter per second? If not, how do I check that, because my port sometimes gets saturated.

UPDATE:

I used a program to capture statistics from the captured file through the above script. Here is what I got:

root@$:/tmp/dumps# capinfos dump.20130621-174506.cap
File name:           dump.20130621-174506.cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Linux cooked-mode capture
Number of packets:   2000
File size:           2065933 bytes
Data size:           2033909 bytes
Capture duration:    43 seconds
Start time:          Fri Jun 21 17:45:06 2013
End time:            Fri Jun 21 17:45:49 2013
Data byte rate:      46968.49 bytes/sec
Data bit rate:       375747.94 bits/sec
Average packet size: 1016.95 bytes
Average packet rate: 46.19 packets/sec

I believe the attack might only have lasted a good 15-20 seconds while the capture was 43 seconds, so the data bit rate here might have been averaged over this total time. What might help here is if someone could edit the original script above so that, instead of capturing 2000 packets and dropping the rest, it captures all packets for a duration of, let's say, 5 seconds when the threshold hits.

UPDATE:

After changing the script as mentioned, it looked like the file was damaged as I read it in Wireshark which said "The capture file appears to have been cut short in the middle of a packet." Here is output from capinfos:

capinfos: An error occurred after reading 3085 packets from `"dump.20130710-215413.cap": Less data was read than was expected.

On a second try, I was able to read that file only when I pressed Ctrl+C in the console of the script:

capinfos dump.20130710-215413.cap
File name:           dump.20130710-215413.cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Linux cooked-mode capture
Number of packets:   18136
File size:           2600821 bytes
Data size:           2310621 bytes
Capture duration:    591 seconds
Start time:          Wed Jul 10 21:54:13 2013
End time:            Wed Jul 10 22:04:04 2013
Data byte rate:      3909.73 bytes/sec
Data bit rate:       31277.83 bits/sec
Average packet size: 127.41 bytes
Average packet rate: 30.69 packets/sec

Notice the capture duration of 591 seconds. I believe the 'sleep 300' has something to do with it, judging from the console output. This output is with the '-c 2000' option:

./Log.sh
10275 packets/s
Wed Jul 10 12:41:31 MSD 2013 Under attack, dumping packets.
tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
2000 packets captured
100012 packets received by filter
98003 packets dropped by kernel
Wed Jul 10 12:42:34 MSD 2013 Packets dumped, sleeping now.

Now this is the output after you modified the script with 'sleep 5':

./Log.sh
24103 packets/s
Wed Jul 10 21:54:13 MSD 2013 Under attack, dumping packets.
tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
Wed Jul 10 21:54:18 MSD 2013 Packets dumped, sleeping now.
1620 packets/sroot@nl:~# 18136 packets captured
1850288 packets received by filter
1832106 packets dropped by kernel
^C

Notice I pressed Ctrl+C to break the sleep function, I guess, which made reading the file possible.

Best Answer

capinfos is what you are looking for:

$ capinfos ddos.cap
File name:           ddos.cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   1000000
File size:           189073212 bytes
Data size:           173073188 bytes
Capture duration:    2 seconds
Start time:          Fri Jul  5 16:35:04 2013
End time:            Fri Jul  5 16:35:07 2013
Data byte rate:      69839025.27 bytes/sec
Data bit rate:       558712202.18 bits/sec
Average packet size: 173.07 bytes
Average packet rate: 403523.08 packets/sec
SHA1:                34d758e6445061855ca4397729098f469f411fe3
RIPEMD160:           14f430231fc2962cd86ddb8edb8daf75a5d07af8
MD5:                 5893809fb02d1a20997629a9a501842b
Strict time order:   False

Pay attention to the Data bit rate.


What might help here is if someone could edit the original script above so that, instead of capturing 2000 packets and dropping the rest, it captures all packets for a duration of, let's say, 5 seconds when the threshold hits.

How about this:

tcpdump -n -s0 -w "$dumpdir/dump.$(date +"%Y%m%d-%H%M%S").cap" &   # background capture; $! holds its PID
sleep 5 && kill -HUP $!   # tcpdump closes the file cleanly on SIGHUP; matching by name (pkill -f /usr/sbin/tcpdump) misses it when it was started as plain "tcpdump"
wait $!                   # return only once the pcap has been flushed and closed
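Pulling the two posts together, here is an added example (not the asker's script and not the answer's snippet) of a rate watchdog that does what both are after: it samples /proc/net/dev one second apart, reports packets/s and bits/s (so a 5 Mbps threshold and a 5000 packets/s threshold stop being confused), and when the packet rate crosses the threshold it runs tcpdump for a fixed number of seconds, stops it with a signal by PID and waits for it, so the pcap is closed before anything reads it. It goes a little beyond the question by handling both the old "eth0:12345" and the newer "eth0: 12345" line formats of /proc/net/dev. It assumes Linux, tcpdump in PATH and, optionally, capinfos; the two snapshots embedded at the bottom are constructed sample data, and the script name ratewatch.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Assumptions: Linux /proc/net/dev, tcpdump in PATH, capinfos optional.

# Print "<rx_bytes> <rx_packets>" for interface $1 from /proc/net/dev text on stdin.
# Accepts both "eth0:12345 678" (older kernels) and "eth0: 12345 678" (newer ones).
rx_counters() {
    awk -v dev="$1" '
        { line = $0; sub(/^[ \t]+/, "", line)
          if (split(line, half, ":") == 2 && half[1] == dev) {
              split(half[2], f, " "); print f[1], f[2] } }'
}

# Given two /proc/net/dev snapshots ($2 older, $3 newer) taken $4 seconds apart,
# print "<packets/s> <bits/s>" for interface $1 using integer arithmetic.
rates_between() {
    o=$(printf '%s\n' "$2" | rx_counters "$1")
    n=$(printf '%s\n' "$3" | rx_counters "$1")
    set -- "$4" $o $n   # now: $1=interval $2=old_bytes $3=old_pkts $4=new_bytes $5=new_pkts
    echo "$(( ($5 - $3) / $1 )) $(( ($4 - $2) * 8 / $1 ))"
}

# Capture on interface $1 for $2 seconds into pcap $3. tcpdump is stopped by PID with
# SIGTERM, on which it flushes and closes the file; wait returns only after that, so
# the script never moves on while the pcap is still cut short in the middle of a packet.
capture_for() {
    tcpdump -n -s0 -i "$1" -w "$3" &
    pid=$!
    sleep "$2"
    kill -TERM "$pid"
    wait "$pid" 2>/dev/null
    if command -v capinfos >/dev/null 2>&1; then
        capinfos "$3" | grep -E 'Data bit rate|Average packet rate'
    fi
}

# Constructed /proc/net/dev snapshots one second apart (older and newer line formats
# side by side) so the rate arithmetic can be exercised without a live interface.
SNAP_OLD='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  100000     500    0    0    0     0          0         0   100000     500    0    0    0     0       0          0
  eth0:1000000    4000    0    0    0     0          0         0   500000    2000    0    0    0     0       0          0'
SNAP_NEW='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  100000     500    0    0    0     0          0         0   100000     500    0    0    0     0       0          0
  eth0: 7250000   10000    0    0    0     0          0         0   500000    2000    0    0    0     0       0          0'

demo_rates() { rates_between eth0 "$SNAP_OLD" "$SNAP_NEW" 1; }   # -> "6000 50000000"

if [ "${1:-}" = "monitor" ]; then
    # Usage: ./ratewatch.sh monitor eth0 5000 5   (interface, packets/s threshold, capture seconds)
    iface=$2; threshold=$3; seconds=$4; dumpdir=${DUMPDIR:-/tmp}
    while :; do
        old=$(cat /proc/net/dev); sleep 1; new=$(cat /proc/net/dev)
        set -- $(rates_between "$iface" "$old" "$new" 1)
        printf '\r%s packets/s  %s bits/s\033[0K' "$1" "$2"
        if [ "$1" -gt "$threshold" ]; then
            out="$dumpdir/dump.$(date +%Y%m%d-%H%M%S).cap"
            printf '\n%s %s packets/s exceeds %s, capturing %ss to %s\n' "$(date)" "$1" "$threshold" "$seconds" "$out"
            capture_for "$iface" "$seconds" "$out"
            sleep 300
        fi
    done
else
    demo_rates
fi
```

Run without arguments it only evaluates the constructed snapshots (6000 packets/s and 50 Mbit/s on eth0); with `monitor eth0 5000 5` it watches the live interface. The bits/s figure from /proc/net/dev is what the interface actually carried during the second, whereas capinfos' "Data bit rate" is averaged over the whole capture duration, which is why a long capture that outlives the burst reports a lower rate.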