Hi,

How can I count the number of packets on an interface every 2 or 5 seconds? And I want to count only specific packets, like only arriving packets from port 5001.

Any thoughts...

Muhammad
On Wed, Mar 16, 2005 at 09:46:35AM -0600, M. A. Imam wrote:
> Hi,
> How can I count the number of packets on an interface every 2 or 5 seconds? And
> I want to count only specific packets, like only arriving packets from port
> 5001.

I knocked up something like that using the built-in counters in iptables. It was pretty nasty, and it's just been replaced with netflow. But it _can_ be done, taking advantage of iptables's atomic display/clear command. Which I forget off hand. ^_^

If you want to go this way, I can post the script I'm using to get the data out of iptables.

-- 
Paul "TBBle" Hampson, on an alternate email client.
Sure, I would like to try that... Also, if you can tell me how accurate it can be, I will be grateful. By accurate I mean like if I will be able to get the count for each second also...

Thanks a lot...

Muhammad

>===== Original Message From Paul.Hampson@PObox.com (Paul Hampson) =====
>On Wed, Mar 16, 2005 at 09:46:35AM -0600, M. A. Imam wrote:
>> Hi,
>>
>> How can I count the number of packets on an interface every 2 or 5 seconds? And
>> I want to count only specific packets, like only arriving packets from port
>> 5001.
>
>I knocked up something like that using the built-in counters in
>iptables. It was pretty nasty, and it's just been replaced with
>netflow. But it _can_ be done, taking advantage of iptables's
>atomic display/clear command. Which I forget off hand. ^_^
>
>If you want to go this way, I can post the script I'm using to
>get the data out of iptables.
>
>--
>Paul "TBBle" Hampson, on an alternate email client.
>_______________________________________________
>LARTC mailing list
>LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
On Wed, Mar 16, 2005 at 10:16:32AM -0600, M. A. Imam wrote:
> Sure, I would like to try that... Also, if you can tell me how accurate it can
> be, I will be grateful. By accurate I mean like if I will be able to get the
> count for each second also...

I'm not sure it's _that_ accurate, but here it is:

(Unscripted, you need a USAGE table which everything from FORWARD that you're interested in gets passed through.)

This script is used to create the tables.

    #! /usr/bin/perl
    # Print the iptables commands that create one USAGE_<n> chain per
    # address and send traffic for that address from USAGE into it.
    for my $i (33..254)
    {
        print "/sbin/iptables -N USAGE_$i\n";
        print "/sbin/iptables -A USAGE -d 203.194.23.$i -j USAGE_$i\n";
    }

This snippet is part of my RADIUS dial-in script, and adds a link from the USAGE_nnn table to a table named for the user who is on that IP:
($1 is the IP address, $ACCOUNT_NAME is the account name)

    if [ $# -eq 1 -a "x$ACCOUNT_NAME" != "x" -a "x$POOL_NAME" != "x\"expired_pool\"" ]; then
        # Last and third octets of the assigned address
        CLASS=`echo "$1" | /usr/bin/cut -d. -f 4`
        SUBNET=`echo "$1" | /usr/bin/cut -d. -f 3`
        if [ "$SUBNET" = "23" ]; then
            TABLE_NAME=`echo $ACCOUNT_NAME`
            # Chain names are quoted so an account name is always passed as one argument
            sudo /sbin/iptables -N "USAGE_$TABLE_NAME" && sudo /sbin/iptables -A "USAGE_$TABLE_NAME" -j ACCEPT || true
            sudo /sbin/iptables -F "USAGE_$CLASS" && sudo /sbin/iptables -A "USAGE_$CLASS" -j "USAGE_$TABLE_NAME" || true
        fi
    fi

This perl script is run every ten minutes to scrape the usage data.

    #! /usr/bin/perl
    use strict;

    # -Z together with -L lists the counters and zeroes them in one call
    open IPTABLES, "/sbin/iptables -t filter -Z -L -v -x |"
        or die "cannot run iptables: $!";

    my $table;
    my $account;

    while (<IPTABLES>)
    {
        # Remember which chain the following rule lines belong to
        $table = $1 if m#^Chain (.*) \(.*\)#;
        next unless $table =~ /USAGE_\"(.*)\"/;
        $account = $1;
        # Rule lines are "pkts bytes target ..."; capture the second number
        next unless m#^\s+\d+\s+(\d+)\s+ACCEPT#;
        next if $1 == 0;
        print "$account: $1\n";
    }

I hope that helps?

-- 
Paul "TBBle" Hampson, on an alternate email client.
You could use a custom ip chain. Add a rule to forward matching packets (such as all packets with a source port of 5001) to this chain. Then just simply add a "return" line in the chain itself. Chains automatically track bytes/packets so you could easily keep tabs that way.

On 16 Mar 2005 at 9:46, M. A. Imam wrote:
> Hi,
>
> How can I count the number of packets on an interface every 2 or 5
> seconds? And I want to count only specific packets, like only arriving
> packets from port 5001.
>
> Any thoughts...
>
> Muhammad

-- 
Brian Carrig
Research Assistant
Department of Computing & Networking
Institute of Technology, Carlow
Mobile: +353 86 3867467
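The custom-chain approach described above, as an added example that is not part of the original thread. The chain name COUNT_5001, the interface eth1, TCP as the protocol and the INPUT hook are assumptions; the counters are read without zeroing them and per-interval differences are reported, so anything else reading the same counters is not disturbed.

```shell
#!/bin/sh
# Added example: count packets from source port 5001 with a dedicated chain.
# Assumptions: chain name COUNT_5001, interface eth1, TCP, INPUT hook.
CHAIN=COUNT_5001

# Run once as root: an empty chain that only RETURNs, plus a jump into it.
setup_chain() {
    iptables -N "$CHAIN"
    iptables -A "$CHAIN" -j RETURN
    iptables -I INPUT -i eth1 -p tcp --sport 5001 -j "$CHAIN"
}

# Read `iptables -L CHAIN -v -x -n` output on stdin and print the packet
# counter of the RETURN rule (column 1), or 0 if the rule is missing.
chain_packets() {
    awk '$3 == "RETURN" { print $1; found = 1; exit }
         END { if (!found) print 0 }'
}

# Packets seen between two readings. If the counter went backwards
# (someone zeroed it or the chain was recreated), count from zero.
delta() {
    if [ "$2" -lt "$1" ]; then echo "$2"; else echo $(( $2 - $1 )); fi
}

# Print one line per interval (default 5 seconds). Needs root.
poll() {
    interval=${1:-5}
    prev=$(iptables -L "$CHAIN" -v -x -n | chain_packets)
    while sleep "$interval"; do
        cur=$(iptables -L "$CHAIN" -v -x -n | chain_packets)
        echo "$(date +%T) $(delta "$prev" "$cur") packets"
        prev=$cur
    done
}

# Constructed sample of the listing, for trying the parser without root.
SAMPLE='Chain COUNT_5001 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1234   567890 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

case "${1:-}" in
    setup) setup_chain ;;
    poll)  poll "${2:-5}" ;;
    *)     printf '%s\n' "$SAMPLE" | chain_packets ;;
esac
```

Run with `setup` once and then `poll 2` for two-second intervals; with no argument it only parses the constructed sample.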
> On 16 Mar 2005 at 9:46, M. A. Imam wrote:
>
>> How can I count the number of packets on an interface every 2 or 5
>> seconds? And I want to count only specific packets, like only arriving
>> packets from port 5001.
>>
>> Any thoughts...

I'm wondering what your usage needs are.

1) Do you just need a quick view of what is going on,
2) or do you need some stable permanent statistics collector?

If the case is 1) the quick view, I will recommend the tool: "tcpstat"
http://www.frenchfries.net/paul/tcpstat/

tcpstat supports tcpdump style filters (Berkeley Packet Filter), thus you should run the following command:

    tcpstat -i eth1 -f 'port 5001' 5

The number 5 at the end gives you stats every 5 sec.

Greetings
Jesper Brouer

-- 
-------------------------------------------------------------------
Research Assistant
Dept. of Computer Science, University of Copenhagen
E-mail: hawk@diku.dk, Direct Tel.: 353 21438
-------------------------------------------------------------------