Solved

Monitoring Network Traffic

Posted on 1998-04-02
370 Views
Last Modified: 2013-12-23
Hi.

Would you be able to tell me how I can monitor my network traffic.
If I could find the number of bytes sent and received to each IP address on my system on a daily basis it would be very helpful.
Furthermore if I can separate it into types of request, e.g. find out how much traffic goes on DNS requests...

Thanks very much for your help.
Question by: applecrusher
18 Comments
 
LVL 2

Expert Comment

by:seedy
ID: 1583211
Try 'netstat -s' to start with.  This will give you all the
network statistics on the system.  This is NOT on a daily basis,
though.  And the statistics are NOT broken down by IP address.
-Seedy-
0
 

Author Comment

by:applecrusher
ID: 1583212
Hi Seedy.

Thanks for this. Would you be able to tell me over what period these results are? e.g. monthly? Since the server was restarted?
0
 
LVL 2

Expert Comment

by:seedy
ID: 1583213
This is since the server was started.  You probably can run
a script every day to save the info and find the differences
for daily statistics.
Cheers,
-Seedy-
0
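Seedy's suggestion above (snapshot the cumulative counters every day and take the difference) in working form, as an added example that is not code from this thread: it parses two constructed snapshots of BSD-style `netstat -s` output and prints the per-counter delta. A plain subtraction gets two things wrong that this handles: a 32-bit counter that wrapped between snapshots, and counters that restarted from zero after a reboot (the caller passes `rebooted=True`, e.g. after comparing `uptime`). The same arithmetic applies to SNMP MIB-II ifEntry Counter32 values. The sample output text, the counter names and the 32-bit width are assumptions.

```python
"""Daily deltas from cumulative `netstat -s` counters (constructed example)."""
import re
from typing import Dict, Tuple

COUNTER_BITS = 32  # assumption: the kernel keeps 32-bit counters

# Constructed sample: what `netstat -s` might print on two consecutive days.
# The "packets sent" counter sits near 2^32 on day 1 and wraps before day 2.
SNAPSHOT_DAY1 = """\
tcp:
        4294967200 packets sent
                3100000 data packets (2147483000 bytes)
        2000000 packets received
udp:
        500000 datagrams received
        510000 datagrams output
"""
SNAPSHOT_DAY2 = """\
tcp:
        250 packets sent
                3100400 data packets (2147484500 bytes)
        2000900 packets received
udp:
        500700 datagrams received
        510800 datagrams output
"""

LINE_RE = re.compile(r"^\s*\d+\s")


def parse_netstat_s(text: str) -> Dict[str, Tuple[int, ...]]:
    """Map 'section: description' -> the numbers found on that line.

    Digits in the description are replaced by '#', so a line such as
    '3100000 data packets (2147483000 bytes)' keeps the same key on every
    snapshot even though both values change.
    """
    counters: Dict[str, Tuple[int, ...]] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # protocol header such as 'tcp:'
            section = line[:-1]
            continue
        if not LINE_RE.match(raw):      # not a counter line
            continue
        numbers = tuple(int(n) for n in re.findall(r"\d+", line))
        desc = re.sub(r"\d+", "#", line)
        counters[f"{section}: {desc}"] = numbers
    return counters


def counter_delta(old: int, new: int, rebooted: bool = False,
                  bits: int = COUNTER_BITS) -> int:
    """Difference between two readings of a monotonically increasing counter."""
    if rebooted:
        # counters restart at zero on boot; traffic before the reboot is lost,
        # so the new reading is the best available figure for the interval
        return new
    if new >= old:
        return new - old
    # the counter wrapped past 2^bits; one wrap is assumed, so for very busy
    # counters and long intervals the result is a lower bound
    return new + (1 << bits) - old


def daily_delta(old_text: str, new_text: str,
                rebooted: bool = False) -> Dict[str, Tuple[int, ...]]:
    old, new = parse_netstat_s(old_text), parse_netstat_s(new_text)
    result: Dict[str, Tuple[int, ...]] = {}
    for key, new_vals in new.items():
        old_vals = old.get(key)
        if old_vals is None or len(old_vals) != len(new_vals):
            continue  # counter appeared or changed shape since the last snapshot
        result[key] = tuple(counter_delta(o, n, rebooted)
                            for o, n in zip(old_vals, new_vals))
    return result


if __name__ == "__main__":
    for key, vals in daily_delta(SNAPSHOT_DAY1, SNAPSHOT_DAY2).items():
        print(f"{key:45s} {vals}")
```

Run it from cron once a day against the saved previous snapshot; the "# packets sent" delta comes out as 346 rather than a large negative number, and the "(# bytes)" figure in the data-packets line is accounted for separately from the packet count.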
 

Author Comment

by:applecrusher
ID: 1583214
Thanks for that. Is there a way to get it to show stats for a specific IP?
0
 
LVL 2

Expert Comment

by:seedy
ID: 1583215
No.  I am not aware of any standard unix command or tool that
can get you this.  You probably need a network analyzing tool.
Cheers,
-Seedy-

0
 
LVL 5

Expert Comment

by:n0thing
ID: 1583216
The only way you could do that in the short term is a sniffer. Otherwise, depending on which hardware you use and whether it supports SNMP, you could write some code to poll the MIB-II ifEntry table to see some network utilization. Other solutions are quite complex and very expensive for you to implement in a small organization. What you asked could be done in a small network of 10 nodes or fewer. If you want to keep track of 100 nodes fully meshed, the data you collect on the wire will simply kill your network.

Good luck,
Minh Lai
0
 
LVL 1

Expert Comment

by:mrausch
ID: 1583217
If you're running a Linux system, you can enable (verbose) IP
accounting and set up rules similar to access lists on a packet
filter that count each and every byte/packet going through your
box. Have a look at the man page of ipfwadm(8) to see how this
is done. For example
      ipfwadm -A -a -b -P udp -S 0/0 53 -D 0/0
would count each and every UDP packet going to and coming from
every address, as long as the source or destination port is 53.
This will count your DNS queries. Well, not exactly: zone transfers
would not be counted by this.
This would do the analysis on a per-ACL basis, that is the
protocol-specific part of your question.
If you enable verbose accounting, you can tell the kernel to
syslog each and every packet you want. From this syslog file, you
can extract the number of bytes/packets to/from every address you like to monitor.
What I do for accounting purposes is take this list, read out
the numbers every 15 minutes and accumulate them on a daily and
monthly basis.
If you're not running Linux on your box, try it as a router and
it will do the job independently of what OS your system runs.

If you have a Cisco router on the boundary of your network, you
can enable accounting on this machine as well. It will count
tuples with key <SRCIP><DSTIP> and value <NUMBYTES><NUMPACKETS>
up to a certain limit ("ip accounting-threshold"), which on a
regular basis can be queried and cleared. This won't allow you
to break the numbers down by protocol, though.


0
 

Author Comment

by:applecrusher
ID: 1583218
Hi.

Thanks for trying to help. I am running BSDI 3.0 (sorry, I should have said this before) and it doesn't have the ipfwadm command, so I couldn't get it to work.


0
 
LVL 1

Expert Comment

by:mrausch
ID: 1583219
Concluding from the man page of the "ipfw" command which does
about the same as the Linux "ipfwadm" on FreeBSD ...

[...]
     based upon code written by Daniel Boulet for BSDI.

HISTORY
     ipfw first appeared in FreeBSD 2.0.
[...]

... there should be something similar in your BSDI system.

Regards,
Michael

0
 

Author Comment

by:applecrusher
ID: 1583220
Hi.

I tried this command and it is not a valid command unfortunately.

Thanks for trying.

0
 
LVL 1

Expert Comment

by:Talence
ID: 1583221
Perhaps you should look for the program then? Apparently this
should solve your problem, so it might be worth searching for
the binary/source/whatever on the net.
0
 

Author Comment

by:applecrusher
ID: 1583222
Hi.

I did that and couldn't find one so that is why I came to experts-exchange and made the question worth 400 points :o)


0
 
LVL 1

Expert Comment

by:Talence
ID: 1583223
Here, check this out:

ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-stable/src/sbin/ipfw/

If you wish, I can email these files to you (it isn't much anyway), but I'm sure downloading them won't be a problem for
you. If you want, I can dig up the manpage for you as well.

Good luck,

Talence
0
 

Author Comment

by:applecrusher
ID: 1583224
Hi...

I'm using BSDI 3.1, not FreeBSD (although soon I'll have both).
I don't think I have the ipfw command. I typed it in and got command not found.

Thanks anyway


0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 400 total points
ID: 1583225
check netwatch  
  ftp://sunsite.unc.edu/pub/Linux/system/Network/management

latest version I've seen is 0.7a.

It monitors traffic sorted by IP/hostname, send/received packets,
send/received bytes, last communication partner, etc. Can dump
the result to a file.
0
 

Expert Comment

by:pcoyne
ID: 1583226
There are a number of tools to do this; one in particular, and free, is mrtg, a Perl/C-based tool that queries SNMP nodes for these statistics and creates HTML statistics pages with drill-down detail.  It requires Unix / web services / Perl 5.x and SNMP on the device you want to track stats for.  It is slick. See http://www.ee.ethz.ch/stats/mrtg/ for a sample and http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/pub/ for sources. I have it running on FreeBSD, but BSDI should work just fine.
0
 

Expert Comment

by:singlep2
ID: 1583227
I don't believe there is a standard unix tool on BSDI that does exactly what you want. Someone has previously suggested "netstat -s" and has quite rightly said that it will only give you total bytes across all interfaces. One possible way around this is to use the packet counts across the interfaces to give you a % of the total byte count that has come from a particular interface.

Firstly you need to determine the interface you wish to collect your byte count from. This can be done by running "netstat -i -n", which enables you to associate the interface name, e.g. le0, with the IP address.

Once you have established the interface name (I will use le0) you can then run "netstat -i" to give you total packet counts across all the interfaces. Use this information to establish the % of packets (and therefore bytes - a fudge but probably good enough) through that interface. You can then apply this % to the total bytes from "netstat -s".

I have written a ksh script which will output the date,time,totbytes,proportionfrominterface

You will need to set up the script as a cron job in your crontab file e.g.
cron_time_details  netbytes le0 >> netbytes.log 2>netbytes.err

The script assumes netstat output from Solaris 5.5.1. You may have to change the awk bits to allow for your variation of netstat output:

#!/bin/ksh
# Usage: netbytes <interface eg le0>
# Prints out to std out the date,time,bytes out to and in from the network,how much of the data is from the interface specified
# This script includes the loopback interface lo0 in the how much calculation ie assumes loopback data is included in netstat -s output
# Produced by Paul Singleton 01473 645813 on 14-05-1998

date_time=$(date | awk '{printf("%s-%s-%s,%s",$3,$2,$6,$4)}')

address_ratio=$(netstat -i|awk '{if(NR>1){total=total+$5+$7;if($1=="'$1'"){address_total=$5+$7}}}END{print address_total/total}')

bytes_from_boot=$(netstat -s|awk '/tcpOutDataBytes/{output1=substr($4,2,100)} /tcpInInorderBytes/{input1=substr($4,2,100)}END{print output1+input1}')

echo $date_time,$bytes_from_boot,$address_ratio

0
 

Expert Comment

by:mseiden
ID: 1583228
If you want to separate multiple packet traces into "flows"
categorized by service type, and to find flows which are
contrary to policy or otherwise anomalous, you might consider argus.  I believe the most current version is capable of aggregating UDP and RPC-based protocols as well (e.g. it will tell you host a and host b did 200MB of NFS traffic).

The flow level, rather than the packet level, seems to be a useful granularity for quality of service measurement and possibly also for enforcement of security policy.

This acquires packets by sniffing, so it needs to be placed
on an unswitched network or a spanning port of a switch.
Start at ftp://ftp.sei.cmu.edu/pub/argus
0
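What the sniffer-based approaches in this thread (n0thing's sniffer, netwatch, argus) boil down to for the original question, as an added example that is not code from the thread or from any of those tools: packet summaries, as a sniffer or a flow tool would emit them, are summed into bytes per local host per day, bytes per service per day, and bytes per host pair per day, and DNS conversations that bypass the site resolver are flagged as a policy check. Traffic is classified by well-known port, with tcp/53 kept separate so that zone transfers, which mrausch's udp/53-only accounting rule misses, are visible. The capture, the addresses (192.0.2.0/24 as the local network, 192.0.2.53 as the resolver, 198.51.100.0/24 as remote hosts) and the service table are all constructed assumptions.

```python
"""Per-host, per-service and per-pair byte accounting from sniffed packets."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.0.2.0/24")   # assumption: "my network"
RESOLVER = "192.0.2.53"                  # assumption: the only sanctioned DNS server

# classify by well-known port; tcp/53 is separate so zone transfers show up
SERVICES = {
    ("udp", 53): "dns", ("tcp", 53): "dns-tcp",
    ("tcp", 25): "smtp", ("tcp", 80): "http",
    ("tcp", 2049): "nfs", ("udp", 2049): "nfs",
}


@dataclass(frozen=True)
class Packet:
    ts: float       # epoch seconds, UTC
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    length: int     # bytes on the wire


def service_of(pkt: Packet) -> str:
    # the server side is usually the destination of the first packet, so the
    # destination port is checked first and the source port catches replies
    for port in (pkt.dport, pkt.sport):
        name = SERVICES.get((pkt.proto, port))
        if name:
            return name
    return f"{pkt.proto}/other"


def day_of(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()


def account(packets):
    """Return (per_host, per_service, per_pair) byte totals keyed by day."""
    per_host = defaultdict(lambda: {"sent": 0, "recv": 0})
    per_service = defaultdict(int)
    per_pair = defaultdict(int)
    for p in packets:
        day, svc = day_of(p.ts), service_of(p)
        if ip_address(p.src) in LOCAL_NET:
            per_host[(day, p.src)]["sent"] += p.length
        if ip_address(p.dst) in LOCAL_NET:
            per_host[(day, p.dst)]["recv"] += p.length
        per_service[(day, svc)] += p.length
        a, b = sorted((p.src, p.dst))   # merge both directions of a conversation
        per_pair[(day, a, b, svc)] += p.length
    return dict(per_host), dict(per_service), dict(per_pair)


def dns_bypass(per_pair, resolver=RESOLVER):
    """DNS conversations in which neither side is the site resolver."""
    return sorted(k for k in per_pair
                  if k[3].startswith("dns") and resolver not in (k[1], k[2]))


# Constructed sample capture covering 1998-04-02 and 1998-04-03 (UTC).
T0 = 891475200  # 1998-04-02T00:00:00Z
PACKETS = [
    Packet(T0 + 100, "192.0.2.10", "192.0.2.53", "udp", 1025, 53, 78),       # DNS query
    Packet(T0 + 101, "192.0.2.53", "192.0.2.10", "udp", 53, 1025, 142),      # DNS reply
    Packet(T0 + 200, "192.0.2.10", "198.51.100.7", "tcp", 1026, 80, 540),    # HTTP request
    Packet(T0 + 201, "198.51.100.7", "192.0.2.10", "tcp", 80, 1026, 1460),   # HTTP data
    Packet(T0 + 300, "198.51.100.9", "192.0.2.53", "tcp", 3000, 53, 60),     # AXFR request
    Packet(T0 + 301, "192.0.2.53", "198.51.100.9", "tcp", 53, 3000, 1460),   # zone data
    Packet(T0 + 86400 + 50, "192.0.2.10", "192.0.2.53", "udp", 1030, 53, 80),
    Packet(T0 + 86400 + 60, "192.0.2.20", "198.51.100.7", "tcp", 1100, 25, 600),
    Packet(T0 + 86400 + 70, "192.0.2.20", "198.51.100.20", "udp", 1200, 53, 70),  # bypasses resolver
]

if __name__ == "__main__":
    hosts, services, pairs = account(PACKETS)
    for (day, ip), b in sorted(hosts.items()):
        print(f"{day} {ip:15s} sent={b['sent']:6d} recv={b['recv']:6d}")
    for (day, svc), b in sorted(services.items()):
        print(f"{day} {svc:10s} {b:6d}")
    for key in dns_bypass(pairs):
        print("DNS not via resolver:", key)
```

Feeding this from a real capture means filling PACKETS from tcpdump or argus output instead of the constructed list; the per-pair table is the same "host a and host b did N bytes of service X" view that argus gives, and the resolver check is one instance of the policy comparison the comment above describes.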
