All of lore.kernel.org
 help / color / mirror / Atom feed
* [LARTC] Packet Counting...
@ 2005-03-16 15:46 M. A. Imam
  2005-03-16 16:07 ` Paul Hampson
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: M. A. Imam @ 2005-03-16 15:46 UTC (permalink / raw)
  To: lartc

Hi,

How can i count the number of packets on an interface evry 2 or 5 seconds. and 
i want to count only specific packets like only arriving packets from port 
5001

Any thoughts...

Muhammad

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [LARTC] Packet Counting...
  2005-03-16 15:46 [LARTC] Packet Counting M. A. Imam
@ 2005-03-16 16:07 ` Paul Hampson
  2005-03-16 16:16 ` M. A. Imam
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Paul Hampson @ 2005-03-16 16:07 UTC (permalink / raw)
  To: lartc

On Wed, Mar 16, 2005 at 09:46:35AM -0600, M. A. Imam wrote:
> Hi,

> How can i count the number of packets on an interface evry 2 or 5 seconds. and 
> i want to count only specific packets like only arriving packets from port 
> 5001

I knocked up something like that using the built-in counters in
iptables. It was pretty nasty, and it's just been replaced with
netflow. But it _can_ be done, taking advantage of iptables's
atomic display/clear command. Which I forget off hand. ^_^

If you want to go this way, I can post the script I'm using to
get the data out of iptables.

-- 
Paul "TBBle" Hampson, on an alternate email client.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

^ permalink raw reply	[flat|nested] 6+ messages in thread
* RE: [LARTC] Packet Counting...
  2005-03-16 15:46 [LARTC] Packet Counting M. A. Imam
  2005-03-16 16:07 ` Paul Hampson
@ 2005-03-16 16:16 ` M. A. Imam
  2005-03-17  0:14 ` Paul Hampson
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: M. A. Imam @ 2005-03-16 16:16 UTC (permalink / raw)
  To: lartc

Sure i would like to try that... Also if you can tell me how accurate it can 
be, i will be greatful.. By accurate i mean like if i will be able to get the 
count for each second also...

Thanks alot...

Muhammad
>=== Original Message From Paul.Hampson@PObox.com (Paul Hampson) ==>On Wed, Mar 16, 2005 at 09:46:35AM -0600, M. A. Imam wrote:
>> Hi,
>
>> How can i count the number of packets on an interface evry 2 or 5 seconds. 
and
>> i want to count only specific packets like only arriving packets from port
>> 5001
>
>I knocked up something like that using the built-in counters in
>iptables. It was pretty nasty, and it's just been replaced with
>netflow. But it _can_ be done, taking advantage of iptables's
>atomic display/clear command. Which I forget off hand. ^_^
>
>If you want to go this way, I can post the script I'm using to
>get the data out of iptables.
>
>--
>Paul "TBBle" Hampson, on an alternate email client.
>_______________________________________________
>LARTC mailing list
>LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [LARTC] Packet Counting...
  2005-03-16 15:46 [LARTC] Packet Counting M. A. Imam
  2005-03-16 16:07 ` Paul Hampson
  2005-03-16 16:16 ` M. A. Imam
@ 2005-03-17  0:14 ` Paul Hampson
  2005-03-21 10:10 ` Brian Carrig
  2005-03-21 10:57 ` Jesper Dangaard Brouer
  4 siblings, 0 replies; 6+ messages in thread
From: Paul Hampson @ 2005-03-17  0:14 UTC (permalink / raw)
  To: lartc

On Wed, Mar 16, 2005 at 10:16:32AM -0600, M. A. Imam wrote:
> Sure i would like to try that... Also if you can tell me how accurate it can 
> be, i will be greatful.. By accurate i mean like if i will be able to get the 
> count for each second also...

I'm not sure it's _that_ accurate, but here it is:
	(Unscripted, you need a USAGE table which everything from FORWARD
	that you're interested in gets passed through.)

	This script is used to create the tables.

#! /usr/bin/perl
for my $i (33..254) {
    print "/sbin/iptables -N USAGE_$i\n";
    print "/sbin/iptables -A USAGE -d 203.194.23.$i -j USAGE_$i\n";
}


	This snippet is part of my RADIUS dial-in script, and adds a link from
	the USAGE_nnn table to a table named for the user who is on that IP:
	($1 is the IP address, $ACCOUNT_NAME is the account name)

if [ $# -eq 1 -a "x$ACCOUNT_NAME" != "x" -a "x$POOL_NAME" != "x\"expired_pool\"" ]; then
        CLASS=`echo $1 | /usr/bin/cut -d. -f 4`
        SUBNET=`echo $1 | /usr/bin/cut -d. -f 3`
        if [ "$SUBNET" = "23" ]; then
                TABLE_NAME=`echo $ACCOUNT_NAME`
                sudo /sbin/iptables -N USAGE_$TABLE_NAME && sudo /sbin/iptables -A USAGE_$TABLE_NAME -j ACCEPT || true
                sudo /sbin/iptables -F USAGE_$CLASS && sudo /sbin/iptables -A USAGE_$CLASS -j USAGE_$TABLE_NAME || true
        fi
fi

	This perl script is run every ten minutes to scrape the usage data.

#! /usr/bin/perl
use strict;
open IPTABLES, "/sbin/iptables -t filter -Z -L -v -x |";
my $table;
my $account;
while (<IPTABLES>) {
    $table = $1 if m#^Chain (.*) \(.*\)#;
    next unless $table =~ /USAGE_\"(.*)\"/;
    $account = $1;
    next unless m#^\s+\d+\s+(\d+)\s+ACCEPT#;
    next if $1 = 0;
    print "$account: $1\n";
}

	I hope that helps?

-- 
Paul "TBBle" Hampson, on an alternate email client.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [LARTC] Packet Counting...
  2005-03-16 15:46 [LARTC] Packet Counting M. A. Imam
                   ` (2 preceding siblings ...)
  2005-03-17  0:14 ` Paul Hampson
@ 2005-03-21 10:10 ` Brian Carrig
  2005-03-21 10:57 ` Jesper Dangaard Brouer
  4 siblings, 0 replies; 6+ messages in thread
From: Brian Carrig @ 2005-03-21 10:10 UTC (permalink / raw)
  To: lartc

You could use a custom ip chain. Add a rule to forward matching packets (such as all 
packets with a source port of 5001) to this chain. Then just simply add a "return" line 
in the chain itself. Chains automatically track bytes/packets so you could easily keep 
tabs that way.

On 16 Mar 2005 at 9:46, M. A. Imam wrote:

> Hi,
> 
> How can i count the number of packets on an interface evry 2 or 5
> seconds. and i want to count only specific packets like only arriving
> packets from port 5001
> 
> Any thoughts...
> 
> Muhammad
> 
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


-- 
Brian Carrig
Research Assistant
Department of Computing & Networking
Institute of Technology, Carlow
Mobile: +353 86 3867467

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [LARTC] Packet Counting...
  2005-03-16 15:46 [LARTC] Packet Counting M. A. Imam
                   ` (3 preceding siblings ...)
  2005-03-21 10:10 ` Brian Carrig
@ 2005-03-21 10:57 ` Jesper Dangaard Brouer
  4 siblings, 0 replies; 6+ messages in thread
From: Jesper Dangaard Brouer @ 2005-03-21 10:57 UTC (permalink / raw)
  To: lartc



> On 16 Mar 2005 at 9:46, M. A. Imam wrote:
>
>> How can i count the number of packets on an interface evry 2 or 5
>> seconds. and i want to count only specific packets like only arriving
>> packets from port 5001
>>
>> Any thoughts...

I'm wondering what your usage needs are.
1) Do you just neeed a quick view of what is going on,
2) or do your need some stable permanent statistics collector?

If the case is 1) the quick view, I will recommend the tool: "tcpstat"
  http://www.frenchfries.net/paul/tcpstat/

tcpstat supports tcpdump style filters (berkley packet filter) thus you 
should run the following command:

  tcpstat -i eth1 -f 'port 5001' 5

The number 5 at the end gives you stats every 5 sec.

Greatings
   Jesper Brouer

--
-------------------------------------------------------------------
Research Assistant
Dept. of Computer Science, University of Copenhagen
E-mail: hawk@diku.dk, Direct Tel.: 353 21438
-------------------------------------------------------------------
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2005-03-21 10:57 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-03-16 15:46 [LARTC] Packet Counting M. A. Imam
2005-03-16 16:07 ` Paul Hampson
2005-03-16 16:16 ` M. A. Imam
2005-03-17  0:14 ` Paul Hampson
2005-03-21 10:10 ` Brian Carrig
2005-03-21 10:57 ` Jesper Dangaard Brouer

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.