CentOS - Sep 2021 - Find out which process consumed Network bandwidth

On Mon, 6 Sept 2021 at 14:24, Anand Buddhdev <anandb at ripe.net>
>> On 06/09/2021 19:35, Kaushal Shriyan wrote:
>>
>> Hi Kaushal,
>>
>>> I am running CentOS Linux release 7.9.2009 (Core). Is there a way
to find
>>> out which process consumed network bandwidth during a specific time
period?
>>>
>>> For example, the Nginx process consumed how much network traffic on
Sept
>>> 01, 2021.
>> As far as I know, such accounting isn't done in a standard CentOS
>> system, so there's no way to determine such information about a
past event
Kaushal,

While you probably can't recover such information for past events,
going forward, iptables can help you figure this out. Putting an IPtables
rule in the OUTPUT table prior to ACCEPTing the packets can help, e.g.:

 ??? iptables -A OUTPUT -p tcp -m owner --uid-owner nginx -j ACCEPT

because now "iptables -L" will display a count of the packets that
matched
each rule and the number of bytes. By comparing with the total packets
and bytes for a given time period, you can work out the share for nginx.
You can also estimate packet and byte counts by IP and port using this
method. You could run an hourly cronjob to log the stats.

See "man iptables-extensions" and "man iptables". I
don't know how this
works with firewall-cmd, but I imagine firewalld "just" manages
iptables?

Good luck!

> See "man iptables-extensions" and "man iptables". I
don't know how this
> works with firewall-cmd, but I imagine firewalld "just" manages 
> iptables?
Yes thats right
>>>> I am running CentOS Linux release 7.9.2009 (Core). Is there a
way to
>>>> find
>>>> out which process consumed network bandwidth during a specific
time
>>>> period?
>>>> 
>>>> For example, the Nginx process consumed how much network
traffic on
>>>> Sept
>>>> 01, 2021.
>>> As far as I know, such accounting isn't done in a standard
CentOS
>>> system, so there's no way to determine such information about a
past
>>> event
> 
> While you probably can't recover such information for past events,
> going forward, iptables can help you figure this out. Putting an 
> IPtables
> rule in the OUTPUT table prior to ACCEPTing the packets can help, e.g.:
> 
> ??? iptables -A OUTPUT -p tcp -m owner --uid-owner nginx -j ACCEPT
> 
> because now "iptables -L" will display a count of the packets
that
> matched
> each rule and the number of bytes. By comparing with the total packets
> and bytes for a given time period, you can work out the share for 
> nginx.
> You can also estimate packet and byte counts by IP and port using this
> method. You could run an hourly cronjob to log the stats.
That is nice solution! Why do you add a new output rule rather you can 
look at the existing port rule:

# iptables -v -L | grep https
xxx yyy ACCEPT     tcp  --  any    any     anywhere             anywhere 
             tcp dpt:https ctstate NEW,UNTRACKED

xxx is number packets, yyy is number bytes. If adding OUTPUT rule, what 
is gained?