I have a Linux-based bridge. I'd like to count how much traffic every IP that passes through it generates. In other words I'd like to get a file like this:
src_IP dst_IP pkt_size
1.1.1.1 2.2.2.2 12304
3.3.3.3 4.4.4.4 430
....
Is there a tool to do it under linux?
I've done some searching on ulog, however both "accounting daemon" projects seem to be abandoned (their webpages do not work). Capturing traffic with tcpdump and then analyzing the dump could be an option, however I can't see how I can get the packet size from the dump.
Please, let me know if there is a way to do it.
In the IP header, you have a TOTAL LENGTH header that contains "the length of the datagram, measured in octets, including internet header and data." (RFC 791). If you want to have only the payload size of a packet, you need to do TOTAL LENGTH minus (IP Header length + (TCP|UDP) header length). (IP header length is in the IHL header, TCP header length is in the data offset header).
With a basic tcpdump command, such as
it will display each TCP packet as follows:
The first line contains the IP header, including the total length (length 505). The second line contains the TCP header, including the payload length (length 453), which is 505 - 52 (52 being the length of the IP + TCP headers).
If you want to automate this, you can set tcpdump to store the capture in a pcap file, and then parse the pcap with a script.
However, if you want to do it fast without degrading performance, you should take a look at libnetfilter_queue. That involves a bit of coding in C, but really not much. The idea is that you place a hook in netfilter to direct the traffic to your program. From there you can parse IP/TCP/UDP headers and compute your information, put that in an RRD database if you want, and reinject the traffic into netfilter.
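The header-length arithmetic described in the answer above (TOTAL LENGTH from the IPv4 header, IHL and TCP data offset in 32-bit words), turned into the "parse the pcap with a script" step and aggregated into the src/dst/bytes table the question asks for. This is an added example, not code from the question or either answer. It assumes a classic pcap file with Ethernet framing (link type 1) carrying IPv4, as `tcpdump -i br0 -w capture.pcap` would write on a bridge; the pcap bytes here are constructed inline so it runs offline, and the function names (`iter_pcap`, `parse_frame`, `account`) are this example's own.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, little-endian header fields
PCAP_MAGIC_BE = 0xD4C3B2A1   # same file format written big-endian
LINKTYPE_ETHERNET = 1


def build_ipv4_tcp(src, dst, payload_len, ihl=5, data_offset=5):
    """Constructed test frame: Ethernet + IPv4 + TCP (checksums left zero).
    ihl and data_offset are in 32-bit words, exactly as the headers encode them."""
    ip_len, tcp_len = ihl * 4, data_offset * 4
    total_length = ip_len + tcp_len + payload_len
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_length,
                     0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip += b"\x00" * (ip_len - 20)                          # IP options when ihl > 5
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, data_offset << 4, 0x18, 65535, 0, 0)
    tcp += b"\x00" * (tcp_len - 20)                        # TCP options when data_offset > 5
    return eth + ip + tcp + b"A" * payload_len


def build_pcap(frames):
    """Constructed pcap file: 24-byte global header plus one 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield the captured bytes of each record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src, dst, total_length, payload_length) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # not IPv4 (e.g. ARP): skip
        return None
    ver_ihl, _, total_length, _, _, _, proto, _, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4                              # IP header length in bytes
    l4 = 14 + ihl
    if proto == 6 and len(frame) >= l4 + 20:                # TCP: data offset is the top 4 bits of byte 12
        l4_hdr = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:                                        # UDP: fixed 8-byte header
        l4_hdr = 8
    else:                                                    # anything else: count everything after IP
        l4_hdr = 0
    payload = total_length - ihl - l4_hdr                    # TOTAL LENGTH - (IP hdr + TCP/UDP hdr)
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), total_length, payload


def account(data):
    """Sum IP total length and L4 payload per (src, dst) pair over a whole capture."""
    totals = defaultdict(lambda: [0, 0])
    for frame in iter_pcap(data):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, total, payload = parsed
        totals[(src, dst)][0] += total
        totals[(src, dst)][1] += payload
    return dict(totals)


def report(totals):
    """Render the table in the format asked for: src_IP dst_IP bytes (IP total length)."""
    return ["src_IP dst_IP pkt_size"] + [
        f"{src} {dst} {total}" for (src, dst), (total, _) in sorted(totals.items())]


# Constructed sample capture: the 505/453 packet from the answer (20-byte IP + 32-byte TCP),
# a second flow, a further packet on the first flow, and an ARP frame that must be skipped.
SAMPLE_PCAP = build_pcap([
    build_ipv4_tcp("1.1.1.1", "2.2.2.2", 453, ihl=5, data_offset=8),
    build_ipv4_tcp("3.3.3.3", "4.4.4.4", 410),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,
    build_ipv4_tcp("1.1.1.1", "2.2.2.2", 100),
])

if __name__ == "__main__":
    print("\n".join(report(account(SAMPLE_PCAP))))
```

To run it against a real capture, replace `SAMPLE_PCAP` with the bytes of a file written by `tcpdump -w`; it reads the whole file into memory, so for a long-running accounting job on a busy bridge rotate captures with `tcpdump -G`/`-w` and run the script per file, or move to the libnetfilter_queue approach the answer suggests.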
First of all, let's start by mentioning a tool with which you can watch this data in real time:
iftop
Secondly, I think it's important to mention that intrusive packet capturing and analysis like tcpdump is going to take its toll on your interface and computing resources. Unless you set up a separate system that blindly watches traffic on the wire without touching it, such as snort, you are going to take a hit. Never forget this or you'll end up with a hobbled network, and when the load goes up people will wonder why it sucks!
(Edit: finish where I left off)
Lastly, if you really need a permanent logging solution you'll need something that analyses and logs that packet data. For this there are a lot of tools, but none that I have used recently.
ngrep used to be a good way to do this, so did bmon, but I don't know if that even exists any more. tcpdstat looks like it might be an option, as does bandwidth, although that might do MORE than you want.