Monitoring Network Traffic


Would you be able to tell me how I can monitor my network traffic.
If I could find the number of bytes sent and received to each IP address on my system on a daily basis it would be very helpful.
Furthermore if I can separate it into types of request, e.g. find out how much traffic goes on DNS requests...

Thanks very much for your help.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Try 'netstat -s' to start with.  This will give you all the
network statistics on the system.  This is NOT on a daily basis,
though.  And the statistics is NOT broken down by IP address.
applecrusherAuthor Commented:
Hi Seedy.

Thanks for this. Would you be able to tell me over what period these results are? e.g monthly? since the server was re-started
This is since the server is started.  You probably can run
a script every day to save the info and find the differences
for a daily statistics.
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

applecrusherAuthor Commented:
Thanks for that. Is there a way to get it to show stats for a specific IP?
No.  I am not aware of any standard unix command or tool that
can get you this.  You probably need a network analyzing tool.

The only way you could do that on the short term is the sniffer. Otherwise, depending on which hardware you use and if it does support SNMP, you could write some code to poll
the MIB-II ifentry table to see some network utilization. Others solutions are quite complex and very expensive for you to implement in small organizations. What you asked could be done in a small network of 10 nodes & less. If you want to keep track of 100 nodes fully meshed, the data you collect on the wire will simply kill your network.

Good luck,
Minh Lai
If you're running a Linux system, you can enable (verbose) IP
accounting and set up rules similar to access lists on a packet
filter who count each and every byte/packet going through your
box. Have a look at the man page of ipfwadm(8) so see how this
is done. For example
      ipfwadm -A -b -P udp -S 0/0 53 -D 0/0
would count each and every UDP packet going to and coming from
every address, as long as the source or destination port is 53.
This will count your DNS queries. Well not exactly, zone transfer
would not be counted by this.
This would do the analysis on a per ACL basis, that is the
protocol specific part of your question.
If you enable verbose accounting, you can tell the kernel to
syslog each and every packet you want. From this syslog file, you
can extract the number of bytes/packets to/from every address you like to monitor.
What I do for accounting purpose is taking this list, read out
the numbers every 15 minutes and accumulate them on a daily and
monthly basis.
If you're not running Linux on your box, try it as a router and
it will do the job independantly of what OS you're system runs.

If you have a Cisco router on the boundary of your network, you
can enable accounting on this machine as well. It will count
tupels with key <SRCIP><DSTIP> and value <NUMBYTES><NUMPACKETS>
up to a certain limit ("ip accounting-threshold"), which on a
regular basis can be queried and cleared. This won't allow you
to breakdown the numbers to the protocols, though.

applecrusherAuthor Commented:

Thanks for trying to help. I am running BSDI 3.0 (sorry I should have said this before) and it doesn;t have the ipfwadm command so I couldn't get it to work.

Concluding from the man page of the "ipfw" command which does
about the same as the Linux "ipfwadm" on FreeBSD ...

     based upon code written by Daniel Boulet for BSDI.

     ipfw first appeared in FreeBSD 2.0.

... there should be something similar in your BSDI system.


applecrusherAuthor Commented:

I tried this command and it is not a valid command unfortunately.

Thanks for trying.

Perhaps you should look for the program then? Apparently this
should solve your problem, so it might be worth searching for
the binary/source/whatever on the net.
applecrusherAuthor Commented:

I did that and couldn't find one so that is why I came to experts-exchange and made the question worth 400 points :o)

Here, check this out:

If you wish, I can email these files to you (it isn't much anyway), but I'm sure downloading them won't be a problem for
you. If you want, I can dig up the manpage for you as well.

Good luck,

applecrusherAuthor Commented:

I'm using BSDI 3.1 not FreeBSD (although soon i'll have both)
I dont think I have the ipfw command. I typed it in and got command not found.

Thanks anyway

check netwatch

latest version I've seen is 0.7a.

It monitors traffic sorted by IP/hostname, send/received packets,
send/received bytes, last communication partner, etc. Can dump
the result to a file.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
There are a number of tools to do this, one in particular and free is mrtg, a perl/c based tool that queries snmp nodes for these statistics and create html statistics pages with drill down detail.  Requires Unix / web services /perl 5.x and snmp on the device you wnat to track stats for.  It is slick. see for sample and for sources, I have it running on FreeBSD, but BSDI should work just fine
I don't believe there is a standard unix tool on BSDI that does exactly what you want. Someone has previously suggested
"netstat -s" and has quite rightly said that it will only give you total bytes across all interfaces. One possible way around this is to use the packet counts across the interfaces to give you a % of the total byte count that has come from a particular interface. Firstly you need to determine the interface you wish to collect your byte count from. This can be done by running "netstat -i -n" which enables you to associate the interface name e.g. le0 with the IP address.
Once you have established the interface (I will use le0) name you can then run "netstat -i" to give you total packet counts across all the interfaces. Use this information to establish the % of packets (and therefore bytes - a fudge but probably good enough) through that interface. You can then apply this % to the total bytes from "netstat -s".

I have written a ksh script which will output the date,time,totbytes,proportionfrominterface

You will need to set up the script as a cron job in your crontab file e.g.
cron_time_details  netbytes le0 >> netbytes.log 2>netbytes.err

The script assumes netstat output from Solaris 5.5.1. You may have to change the awk bits to allow for your variation of netstat output:

# Usage: netbytes <interface eg le0>
# Prints out to std out the date,time,bytes out to and in from the network,how much of the data is from the interface specified
# This script includes the loopback interface lo0 in the how much calculation ie assumes loopback data is included in netstat -s output
# Produced by Paul Singleton 01473 645813 on 14-05-1998

date_time=$(date | awk '{printf("%s-%s-%s,%s",$3,$2,$6,$4)}')

address_ratio=$(netstat -i|awk '{if(NR>1){total=total+$5+$7;if($1=="'$1'"){address_total=$5+$7}}}END{print address_total/total}')

bytes_from_boot=$(netstat -s|awk '/tcpOutDataBytes/{output1=substr($4,2,100)} /tcpInInorderBytes/{input1=substr($4,2,100)}END{print output1+input1}')

echo $date_time,$bytes_from_boot,$address_ratio

if you want to separate multiple packet traces into "flows"
categorized by service type, and to find flows which are
contrary to policy or otherwise anomalous, you might consider argus.  i believe the most current version is capable of aggregating  udp and rpc-based protocols as well (e.g. it will tell you  host a and host b did 200MB of NFS traffic).

the flow level, rather than the packet level, seems to be a useful granularity for quality of service measurement and possibly also for enforcement of security policy.

this acquires packets by sniffing, so it needs to be placed
on an unswitched network or a spanning port of a switch.
start at ftp:/ 
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.