applecrusher
asked on
Monitoring Network Traffic
Hi.
Would you be able to tell me how I can monitor my network traffic.
If I could find the number of bytes sent and received to each IP address on my system on a daily basis it would be very helpful.
Furthermore if I can separate it into types of request, e.g. find out how much traffic goes on DNS requests...
Thanks very much for your help.
Would you be able to tell me how I can monitor my network traffic.
If I could find the number of bytes sent and received to each IP address on my system on a daily basis it would be very helpful.
Furthermore if I can separate it into types of request, e.g. find out how much traffic goes on DNS requests...
Thanks very much for your help.
ASKER
Hi Seedy.
Thanks for this. Would you be able to tell me over what period these results are? e.g monthly? since the server was re-started
Thanks for this. Would you be able to tell me over what period these results are? e.g monthly? since the server was re-started
This is since the server is started. You probably can run
a script every day to save the info and find the differences
for a daily statistics.
Cheers,
-Seedy-
a script every day to save the info and find the differences
for a daily statistics.
Cheers,
-Seedy-
ASKER
Thanks for that. Is there a way to get it to show stats for a specific IP?
No. I am not aware of any standard unix command or tool that
can get you this. You probably need a network analyzing tool.
Cheers,
-Seedy-
can get you this. You probably need a network analyzing tool.
Cheers,
-Seedy-
The only way you could do that on the short term is the sniffer. Otherwise, depending on which hardware you use and if it does support SNMP, you could write some code to poll
the MIB-II ifentry table to see some network utilization. Others solutions are quite complex and very expensive for you to implement in small organizations. What you asked could be done in a small network of 10 nodes & less. If you want to keep track of 100 nodes fully meshed, the data you collect on the wire will simply kill your network.
Good luck,
Minh Lai
the MIB-II ifentry table to see some network utilization. Others solutions are quite complex and very expensive for you to implement in small organizations. What you asked could be done in a small network of 10 nodes & less. If you want to keep track of 100 nodes fully meshed, the data you collect on the wire will simply kill your network.
Good luck,
Minh Lai
If you're running a Linux system, you can enable (verbose) IP
accounting and set up rules similar to access lists on a packet
filter who count each and every byte/packet going through your
box. Have a look at the man page of ipfwadm(8) so see how this
is done. For example
ipfwadm -A -b -P udp -S 0/0 53 -D 0/0
would count each and every UDP packet going to and coming from
every address, as long as the source or destination port is 53.
This will count your DNS queries. Well not exactly, zone transfer
would not be counted by this.
This would do the analysis on a per ACL basis, that is the
protocol specific part of your question.
If you enable verbose accounting, you can tell the kernel to
syslog each and every packet you want. From this syslog file, you
can extract the number of bytes/packets to/from every address you like to monitor.
What I do for accounting purpose is taking this list, read out
the numbers every 15 minutes and accumulate them on a daily and
monthly basis.
If you're not running Linux on your box, try it as a router and
it will do the job independantly of what OS you're system runs.
If you have a Cisco router on the boundary of your network, you
can enable accounting on this machine as well. It will count
tupels with key <SRCIP><DSTIP> and value <NUMBYTES><NUMPACKETS>
up to a certain limit ("ip accounting-threshold"), which on a
regular basis can be queried and cleared. This won't allow you
to breakdown the numbers to the protocols, though.
accounting and set up rules similar to access lists on a packet
filter who count each and every byte/packet going through your
box. Have a look at the man page of ipfwadm(8) so see how this
is done. For example
ipfwadm -A -b -P udp -S 0/0 53 -D 0/0
would count each and every UDP packet going to and coming from
every address, as long as the source or destination port is 53.
This will count your DNS queries. Well not exactly, zone transfer
would not be counted by this.
This would do the analysis on a per ACL basis, that is the
protocol specific part of your question.
If you enable verbose accounting, you can tell the kernel to
syslog each and every packet you want. From this syslog file, you
can extract the number of bytes/packets to/from every address you like to monitor.
What I do for accounting purpose is taking this list, read out
the numbers every 15 minutes and accumulate them on a daily and
monthly basis.
If you're not running Linux on your box, try it as a router and
it will do the job independantly of what OS you're system runs.
If you have a Cisco router on the boundary of your network, you
can enable accounting on this machine as well. It will count
tupels with key <SRCIP><DSTIP> and value <NUMBYTES><NUMPACKETS>
up to a certain limit ("ip accounting-threshold"), which on a
regular basis can be queried and cleared. This won't allow you
to breakdown the numbers to the protocols, though.
ASKER
Hi.
Thanks for trying to help. I am running BSDI 3.0 (sorry I should have said this before) and it doesn;t have the ipfwadm command so I couldn't get it to work.
Thanks for trying to help. I am running BSDI 3.0 (sorry I should have said this before) and it doesn;t have the ipfwadm command so I couldn't get it to work.
Concluding from the man page of the "ipfw" command which does
about the same as the Linux "ipfwadm" on FreeBSD ...
[...]
based upon code written by Daniel Boulet for BSDI.
HISTORY
ipfw first appeared in FreeBSD 2.0.
[...]
... there should be something similar in your BSDI system.
Regards,
Michael
about the same as the Linux "ipfwadm" on FreeBSD ...
[...]
based upon code written by Daniel Boulet for BSDI.
HISTORY
ipfw first appeared in FreeBSD 2.0.
[...]
... there should be something similar in your BSDI system.
Regards,
Michael
ASKER
Hi.
I tried this command and it is not a valid command unfortunately.
Thanks for trying.
I tried this command and it is not a valid command unfortunately.
Thanks for trying.
Perhaps you should look for the program then? Apparently this
should solve your problem, so it might be worth searching for
the binary/source/whatever on the net.
should solve your problem, so it might be worth searching for
the binary/source/whatever on the net.
ASKER
Hi.
I did that and couldn't find one so that is why I came to experts-exchange and made the question worth 400 points :o)
I did that and couldn't find one so that is why I came to experts-exchange and made the question worth 400 points :o)
Here, check this out:
ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-stable/src/sbin/ipfw/
If you wish, I can email these files to you (it isn't much anyway), but I'm sure downloading them won't be a problem for
you. If you want, I can dig up the manpage for you as well.
Good luck,
Talence
ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-stable/src/sbin/ipfw/
If you wish, I can email these files to you (it isn't much anyway), but I'm sure downloading them won't be a problem for
you. If you want, I can dig up the manpage for you as well.
Good luck,
Talence
ASKER
Hi...
I'm using BSDI 3.1 not FreeBSD (although soon i'll have both)
I dont think I have the ipfw command. I typed it in and got command not found.
Thanks anyway
I'm using BSDI 3.1 not FreeBSD (although soon i'll have both)
I dont think I have the ipfw command. I typed it in and got command not found.
Thanks anyway
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
There are a number of tools to do this, one in particular and free is mrtg, a perl/c based tool that queries snmp nodes for these statistics and create html statistics pages with drill down detail. Requires Unix / web services /perl 5.x and snmp on the device you wnat to track stats for. It is slick. see http://www.ee.ethz.ch/stats/mrtg/ for sample and http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/pub/ for sources, I have it running on FreeBSD, but BSDI should work just fine
I don't believe there is a standard unix tool on BSDI that does exactly what you want. Someone has previously suggested
"netstat -s" and has quite rightly said that it will only give you total bytes across all interfaces. One possible way around this is to use the packet counts across the interfaces to give you a % of the total byte count that has come from a particular interface. Firstly you need to determine the interface you wish to collect your byte count from. This can be done by running "netstat -i -n" which enables you to associate the interface name e.g. le0 with the IP address.
Once you have established the interface (I will use le0) name you can then run "netstat -i" to give you total packet counts across all the interfaces. Use this information to establish the % of packets (and therefore bytes - a fudge but probably good enough) through that interface. You can then apply this % to the total bytes from "netstat -s".
I have written a ksh script which will output the date,time,totbytes,proport
You will need to set up the script as a cron job in your crontab file e.g.
cron_time_details netbytes le0 >> netbytes.log 2>netbytes.err
The script assumes netstat output from Solaris 5.5.1. You may have to change the awk bits to allow for your variation of netstat output:
#!/bin/ksh
# Usage: netbytes <interface eg le0>
# Prints out to std out the date,time,bytes out to and in from the network,how much of the data is from the interface specified
# This script includes the loopback interface lo0 in the how much calculation ie assumes loopback data is included in netstat -s output
# Produced by Paul Singleton 01473 645813 on 14-05-1998
date_time=$(date | awk '{printf("%s-%s-%s,%s",$3,
address_ratio=$(netstat -i|awk '{if(NR>1){total=total+$5+
bytes_from_boot=$(netstat -s|awk '/tcpOutDataBytes/{output1
echo $date_time,$bytes_from_boo
"netstat -s" and has quite rightly said that it will only give you total bytes across all interfaces. One possible way around this is to use the packet counts across the interfaces to give you a % of the total byte count that has come from a particular interface. Firstly you need to determine the interface you wish to collect your byte count from. This can be done by running "netstat -i -n" which enables you to associate the interface name e.g. le0 with the IP address.
Once you have established the interface (I will use le0) name you can then run "netstat -i" to give you total packet counts across all the interfaces. Use this information to establish the % of packets (and therefore bytes - a fudge but probably good enough) through that interface. You can then apply this % to the total bytes from "netstat -s".
I have written a ksh script which will output the date,time,totbytes,proport
You will need to set up the script as a cron job in your crontab file e.g.
cron_time_details netbytes le0 >> netbytes.log 2>netbytes.err
The script assumes netstat output from Solaris 5.5.1. You may have to change the awk bits to allow for your variation of netstat output:
#!/bin/ksh
# Usage: netbytes <interface eg le0>
# Prints out to std out the date,time,bytes out to and in from the network,how much of the data is from the interface specified
# This script includes the loopback interface lo0 in the how much calculation ie assumes loopback data is included in netstat -s output
# Produced by Paul Singleton 01473 645813 on 14-05-1998
date_time=$(date | awk '{printf("%s-%s-%s,%s",$3,
address_ratio=$(netstat -i|awk '{if(NR>1){total=total+$5+
bytes_from_boot=$(netstat -s|awk '/tcpOutDataBytes/{output1
echo $date_time,$bytes_from_boo
if you want to separate multiple packet traces into "flows"
categorized by service type, and to find flows which are
contrary to policy or otherwise anomalous, you might consider argus. i believe the most current version is capable of aggregating udp and rpc-based protocols as well (e.g. it will tell you host a and host b did 200MB of NFS traffic).
the flow level, rather than the packet level, seems to be a useful granularity for quality of service measurement and possibly also for enforcement of security policy.
this acquires packets by sniffing, so it needs to be placed
on an unswitched network or a spanning port of a switch.
start at ftp:/ftp.sei.cmu.edu/pub/argus
categorized by service type, and to find flows which are
contrary to policy or otherwise anomalous, you might consider argus. i believe the most current version is capable of aggregating udp and rpc-based protocols as well (e.g. it will tell you host a and host b did 200MB of NFS traffic).
the flow level, rather than the packet level, seems to be a useful granularity for quality of service measurement and possibly also for enforcement of security policy.
this acquires packets by sniffing, so it needs to be placed
on an unswitched network or a spanning port of a switch.
start at ftp:/ftp.sei.cmu.edu/pub/argus
network statistics on the system. This is NOT on a daily basis,
though. And the statistics is NOT broken down by IP address.
-Seedy-