Linux Netfilter discussions
* Packets Counting
@ 2005-03-16 15:56 M. A. Imam
  2005-03-16 17:43 ` Seferovic Edvin
                   ` (3 more replies)
  0 siblings, 4 replies; 10+ messages in thread
From: M. A. Imam @ 2005-03-16 15:56 UTC (permalink / raw)
  To: netfilter

Hi,

How can I count the number of packets on an interface every 2 or 5 seconds? And
I want to count only specific packets, like only arriving packets from port
5001.

Any ideas...

Muhammad 




* RE: Packets Counting
  2005-03-16 15:56 M. A. Imam
@ 2005-03-16 17:43 ` Seferovic Edvin
  2005-03-16 17:54 ` Steven M Campbell
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 10+ messages in thread
From: Seferovic Edvin @ 2005-03-16 17:43 UTC (permalink / raw)
  To: netfilter

Maybe you should use tcpdump for testing purposes instead of using iptables.

Just my opinion.

Regards,

Edvin

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of M. A. Imam
Sent: Wednesday, 16 March 2005 16:56
To: netfilter@lists.netfilter.org
Subject: Packets Counting

Hi,

How can I count the number of packets on an interface every 2 or 5 seconds?
And I want to count only specific packets, like only arriving packets from port
5001.

Any ideas...

Muhammad 






* RE: Packets Counting
@ 2005-03-16 17:50 M. A. Imam
  2005-03-16 18:08 ` Bill Chappell
  0 siblings, 1 reply; 10+ messages in thread
From: M. A. Imam @ 2005-03-16 17:50 UTC (permalink / raw)
  To: edvin.seferovic, netfilter

Can I record the number of packets every 2 seconds with tcpdump? I can see
packets with tcpdump, but how do I count them every 2 seconds?

>===== Original Message From edvin.seferovic@kolp.at =====
>Maybe you should use tcpdump for testing purposes instead of using iptables.
>
>Just my opinion.
>
>Regards,
>
>Edvin
>
>-----Original Message-----
>From: netfilter-bounces@lists.netfilter.org
>[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of M. A. Imam
>Sent: Wednesday, 16 March 2005 16:56
>To: netfilter@lists.netfilter.org
>Subject: Packets Counting
>
>Hi,
>
>How can I count the number of packets on an interface every 2 or 5 seconds?
>And I want to count only specific packets, like only arriving packets from port
>5001.
>
>Any ideas...
>
>Muhammad




* Re: Packets Counting
  2005-03-16 15:56 M. A. Imam
  2005-03-16 17:43 ` Seferovic Edvin
@ 2005-03-16 17:54 ` Steven M Campbell
  2005-03-16 21:24 ` Maxime Ducharme
  2005-03-16 21:33 ` R. DuFresne
  3 siblings, 0 replies; 10+ messages in thread
From: Steven M Campbell @ 2005-03-16 17:54 UTC (permalink / raw)
  To: iptables

M. A. Imam wrote:

>Hi,
>
>How can I count the number of packets on an interface every 2 or 5 seconds? And
>I want to count only specific packets, like only arriving packets from port
>5001.
>
>Any ideas...
>
>Muhammad 
>
>
>  
>
iptables -L -v will show packet counts and byte counts on rules, so,
using your specific example and assuming you meant tcp port 5001:

First create a matching rule that has no target:
#  iptables -I INPUT 1 -p tcp --dport 5001

Then, every x seconds run
iptables -L -v -n
and parse out the counter of interest.

Hope that helps,
SCampbell







* Re: Packets Counting
  2005-03-16 17:50 Packets Counting M. A. Imam
@ 2005-03-16 18:08 ` Bill Chappell
  0 siblings, 0 replies; 10+ messages in thread
From: Bill Chappell @ 2005-03-16 18:08 UTC (permalink / raw)
  To: netfilter


I do not have time this instant to share the code but the outline of
a packet counter I use is to create chain MANGLE_ACTIVITY in -t mangle,
add a rule that simply RETURNs to MANGLE_ACTIVITY, insert a jump to the
MANGLE_ACTIVITY chain in -t mangle PREROUTING (so it is the first chain
hit by all incoming packets), use whatever matches, like --sport or
--dport (remember to specify protocol with port matches) and/or an 
interface match.  Then, in a script (mine happens to be Perl), run
"iptables -t mangle -nvL MANGLE_ACTIVITY" and pipe (|) it through grep
to get the RETURN line with the packet count and pipe it through
awk to pick off the packet count followed by
"iptables -t mangle -Z MANGLE_ACTIVITY" to zero the counter,
both in a loop with a sleep to get the interval (approximately).

Hope this helps.

Bill

(Without deadlines, we'd live forever.)



M. A. Imam wrote:
> Can I record the number of packets every 2 seconds with tcpdump? I can see
> packets with tcpdump, but how do I count them every 2 seconds?
> 
> 
>>===== Original Message From edvin.seferovic@kolp.at =====
>>Maybe you should use tcpdump for testing purposes instead of using iptables.
>>
>>Just my opinion.
>>
>>Regards,
>>
>>Edvin
>>
>>-----Original Message-----
>>From: netfilter-bounces@lists.netfilter.org
>>[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of M. A. Imam
>>Sent: Wednesday, 16 March 2005 16:56
>>To: netfilter@lists.netfilter.org
>>Subject: Packets Counting
>>
>>Hi,
>>
>>How can I count the number of packets on an interface every 2 or 5 seconds?
>>And I want to count only specific packets, like only arriving packets from port
>>5001.
>>
>>Any ideas...
>>
>>Muhammad
> 
> 
> 
> 

-- 
William Chappell, Software Engineer, Critical Technologies Inc.
* Creativity * Diversity * Expertise * Flexibility * Integrity *
Suite 400 Technology Center, 4th Floor 1001 Broad St, Utica NY 13501
315-793-0248 x148 FAX -9710 <bill.chappell@critical.com> www.critical.com
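
The outline in the message above, written out as a shell script. This is an added example, not Bill Chappell's Perl script or anything posted to the list; the interface eth0, the --sport 5001 match (taken from the original question) and the function names are assumptions, and the iptables listing in SAMPLE is constructed.

```shell
#!/bin/sh
# Added example: counting chain from the outline above, read and zeroed in a loop.
# CHAIN is the name used in the thread; IFACE, PORT and function names are assumptions.
CHAIN=MANGLE_ACTIVITY
IFACE=eth0
PORT=5001

# One-time setup (root): a chain whose only rule RETURNs, reached first from
# mangle PREROUTING for TCP packets arriving on IFACE with source port PORT.
setup_counter() {
    iptables -t mangle -N "$CHAIN" &&
    iptables -t mangle -A "$CHAIN" -j RETURN &&
    iptables -t mangle -I PREROUTING 1 -i "$IFACE" -p tcp --sport "$PORT" -j "$CHAIN"
}

# Read "iptables -x -nvL" output on stdin and print the pkts column of the
# RETURN rule. Exits non-zero if no such rule is listed (chain missing or flushed).
return_pkts() {
    awk '$3 == "RETURN" { print $1; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Print "<epoch> <packets>" every INTERVAL seconds. -L and -Z are given in one
# invocation (as in Maxime Ducharme's script in this thread) instead of two
# separate commands with a gap between them; -x keeps counts exact (no K/M).
sample_loop() {
    interval=${1:-2}
    while :; do
        n=$(iptables -t mangle -x -nvL -Z "$CHAIN" | return_pkts) || return 1
        printf '%s %s\n' "$(date +%s)" "$n"
        sleep "$interval"
    done
}

# Constructed sample of the listing, to exercise the parser without root.
SAMPLE='Chain MANGLE_ACTIVITY (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     137    11508 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

sample_count() { printf '%s\n' "$SAMPLE" | return_pkts; }

# "sh counter.sh run" installs the rules and starts sampling; otherwise demo only.
if [ "${1:-}" = run ]; then
    setup_counter && sample_loop 2
else
    echo "parsed packet count from sample: $(sample_count)"
fi
```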




* Re: Packets Counting
@ 2005-03-16 19:15 Bill Chappell
  2005-03-16 19:28 ` Steven M Campbell
  2005-03-17  9:11 ` Jose Maria Lopez Hernandez
  0 siblings, 2 replies; 10+ messages in thread
From: Bill Chappell @ 2005-03-16 19:15 UTC (permalink / raw)
  To: netfilter@lists.netfilter.org


I do not have time this instant to share the code but the outline of
a packet counter I use is to create chain MANGLE_ACTIVITY in -t mangle,
add a rule that simply RETURNs to MANGLE_ACTIVITY, insert a jump to the
MANGLE_ACTIVITY chain in -t mangle PREROUTING (so it is the first chain
hit by all incoming packets), use whatever matches, like --sport or
--dport (remember to specify protocol with port matches) and/or an
interface match.  Then, in a script (mine happens to be Perl), run
"iptables -t mangle -nvL MANGLE_ACTIVITY" and pipe (|) it through grep
to get the RETURN line with the packet count and pipe it through
awk to pick off the packet count followed by
"iptables -t mangle -Z MANGLE_ACTIVITY" to zero the counter,
both in a loop with a sleep to get the interval (approximately).

Hope this helps.

Bill

(Without deadlines, we'd live forever.)



M. A. Imam wrote:
> Can I record the number of packets every 2 seconds with tcpdump? I can see
> packets with tcpdump, but how do I count them every 2 seconds?
> 
> 
>>===== Original Message From edvin.seferovic@kolp.at =====
>>Maybe you should use tcpdump for testing purposes instead of using iptables.
>>
>>Just my opinion.
>>
>>Regards,
>>
>>Edvin
>>
>>-----Original Message-----
>>From: netfilter-bounces@lists.netfilter.org
>>[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of M. A. Imam
>>Sent: Wednesday, 16 March 2005 16:56
>>To: netfilter@lists.netfilter.org
>>Subject: Packets Counting
>>
>>Hi,
>>
>>How can I count the number of packets on an interface every 2 or 5 seconds?
>>And I want to count only specific packets, like only arriving packets from port
>>5001.
>>
>>Any ideas...
>>
>>Muhammad
> 
> 
> 
> 

-- 
William Chappell, Software Engineer, Critical Technologies Inc.
* Creativity * Diversity * Expertise * Flexibility * Integrity *
Suite 400 Technology Center, 4th Floor 1001 Broad St, Utica NY 13501
315-793-0248 x148 FAX -9710 <bill.chappell@critical.com> www.critical.com





* Re: Packets Counting
  2005-03-16 19:15 Bill Chappell
@ 2005-03-16 19:28 ` Steven M Campbell
  2005-03-17  9:11 ` Jose Maria Lopez Hernandez
  1 sibling, 0 replies; 10+ messages in thread
From: Steven M Campbell @ 2005-03-16 19:28 UTC (permalink / raw)
  To: iptables

Heh, no fair!  That's more clever than the one I did off the cuff :)

Bill Chappell wrote:

>
> I do not have time this instant to share the code but the outline of
> a packet counter I use is to create chain MANGLE_ACTIVITY in -t mangle,
> add a rule that simply RETURNs to MANGLE_ACTIVITY, insert a jump to the
> MANGLE_ACTIVITY chain in -t mangle PREROUTING (so it is the first chain
> hit by all incoming packets), use whatever matches, like --sport or
> --dport (remember to specify protocol with port matches) and/or an
> interface match.  Then, in a script (mine happens to be Perl), run
> "iptables -t mangle -nvL MANGLE_ACTIVITY" and pipe (|) it through grep
> to get the RETURN line with the packet count and pipe it through
> awk to pick off the packet count followed by
> "iptables -t mangle -Z MANGLE_ACTIVITY" to zero the counter,
> both in a loop with a sleep to get the interval (approximately).
>
> Hope this helps.
>
> Bill
>
> (Without deadlines, we'd live forever.)
>
>
>
> M. A. Imam wrote:
>
>> Can I record the number of packets every 2 seconds with tcpdump? I
>> can see packets with tcpdump, but how do I count them every 2 seconds?
>>
>>
>>> ===== Original Message From edvin.seferovic@kolp.at =====
>>> Maybe you should use tcpdump for testing purposes instead of using 
>>> iptables.
>>>
>>> Just my opinion.
>>>
>>> Regards,
>>>
>>> Edvin
>>>
>>> -----Original Message-----
>>> From: netfilter-bounces@lists.netfilter.org
>>> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of M. A. Imam
>>> Sent: Wednesday, 16 March 2005 16:56
>>> To: netfilter@lists.netfilter.org
>>> Subject: Packets Counting
>>>
>>> Hi,
>>>
>>> How can I count the number of packets on an interface every 2 or 5
>>> seconds? And I want to count only specific packets, like only arriving
>>> packets from port 5001.
>>>
>>> Any ideas...
>>>
>>> Muhammad
>>
>>
>>
>>
>>
>




* Re: Packets Counting
  2005-03-16 15:56 M. A. Imam
  2005-03-16 17:43 ` Seferovic Edvin
  2005-03-16 17:54 ` Steven M Campbell
@ 2005-03-16 21:24 ` Maxime Ducharme
  2005-03-16 21:33 ` R. DuFresne
  3 siblings, 0 replies; 10+ messages in thread
From: Maxime Ducharme @ 2005-03-16 21:24 UTC (permalink / raw)
  To: M. A. Imam; +Cc: netfilter


Hello

Got a little script that I use to create graphs
with RRD tool.

The main idea is:
create a rule that will match the packets that you want to
count. It can be ACCEPTED packets for bandwidth monitoring
or DROP / REJECT to know how many packets have been
blocked on the firewall.

Example rules that will count inbound and outbound bytes and
packets for a NATed host:
$IPTABLES -t filter -A FORWARD -i eth0 -o ppp0 -s 192.168.0.2 -j ACCEPT
$IPTABLES -t filter -A FORWARD -i ppp0 -o eth0 -d 192.168.0.2 -j ACCEPT
...



Change these rules to fit what you want to count (in your question,
it would be --sport 5001).

Then, another script to extract the information: "iptbwcheck.sh"

# extract information from iptables, put in a file and zero the counter (-Z)
# -x stands for "show info in bytes not megs or gigs"
/sbin/iptables -x -nvL -Z FORWARD >tmp_forward

# put these in local vars
inputPckMax=`grep "^.*ppp0   eth0.*192\.168\.0\.2 .*$" tmp_forward |awk '{print $1}'`
inputBytesMax=`grep "^.*ppp0   eth0.*192\.168\.0\.2 .*$" tmp_forward |awk '{print $2}'`
outputPckMax=`grep "^.*eth0   ppp0.*192\.168\.0\.2 .*$" tmp_forward |awk '{print $1}'`
outputBytesMax=`grep "^.*eth0   ppp0.*192\.168\.0\.2 .*$" tmp_forward |awk '{print $2}'`

# del tmp file
rm -f tmp_forward

# call RRD
endDate=`date +%s`
/usr/local/rrdtool-1.0.49/bin/rrdtool update nat.rrd \
$endDate:\
$inputBytesMax:$outputBytesMax:$inputPckMax:$outputPckMax

# do whatever else you want to do with this information
# ex : log in a file, log into mysql, upload to another syslog server, ...

See some graphs created from this script :

- Bandwidth monitoring
http://69.156.160.170/mephisto_day_full.gif

- Blocked packets / 5 mins
http://69.156.160.170/mephisto_day_full_firewall.gif

HTH

Maxime Ducharme
Programmer / Network security specialist

----- Original Message ----- 
From: "M. A. Imam" <maimam@wichita.edu>
To: <netfilter@lists.netfilter.org>
Sent: Wednesday, March 16, 2005 10:56 AM
Subject: Packets Counting


> Hi,
>
> How can I count the number of packets on an interface every 2 or 5 seconds?
> And I want to count only specific packets, like only arriving packets from port
> 5001.
>
> Any ideas...
>
> Muhammad
>




* Re: Packets Counting
  2005-03-16 15:56 M. A. Imam
                   ` (2 preceding siblings ...)
  2005-03-16 21:24 ` Maxime Ducharme
@ 2005-03-16 21:33 ` R. DuFresne
  3 siblings, 0 replies; 10+ messages in thread
From: R. DuFresne @ 2005-03-16 21:33 UTC (permalink / raw)
  To: M. A. Imam; +Cc: netfilter

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 16 Mar 2005, M. A. Imam wrote:

> Hi,
>
> How can I count the number of packets on an interface every 2 or 5 seconds? And
> I want to count only specific packets, like only arriving packets from port
> 5001.
>
> Any ideas...
>

Or;  how to chew up resources;

cron this to run every 3-5 seconds, minutes, hours, days or years as the
desire hits you;

iptables -L -v |grep 5001

add redirection to a file and you'll have something more to play with.

Thanks,

Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                         -Tom Robins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCOKZEst+vzJSwZikRAs3RAKCGI8Ji1bMGHHHebbAYi951EUFQQACgosUJ
pSAQIRep4SsVhm82CxpoXMQ=
=XwHT
-----END PGP SIGNATURE-----



* Re: Packets Counting
  2005-03-16 19:15 Bill Chappell
  2005-03-16 19:28 ` Steven M Campbell
@ 2005-03-17  9:11 ` Jose Maria Lopez Hernandez
  1 sibling, 0 replies; 10+ messages in thread
From: Jose Maria Lopez Hernandez @ 2005-03-17  9:11 UTC (permalink / raw)
  To: netfilter@lists.netfilter.org

On Wed, 16-03-2005 at 14:15 -0500, Bill Chappell wrote:
> I do not have time this instant to share the code but the outline of
> a packet counter I use is to create chain MANGLE_ACTIVITY in -t mangle,
> add a rule that simply RETURNs to MANGLE_ACTIVITY, insert a jump to the
> MANGLE_ACTIVITY chain in -t mangle PREROUTING (so it is the first chain
> hit by all incoming packets), use whatever matches, like --sport or
> --dport (remember to specify protocol with port matches) and/or an
> interface match.  Then, in a script (mine happens to be Perl), run
> "iptables -t mangle -nvL MANGLE_ACTIVITY" and pipe (|) it through grep
> to get the RETURN line with the packet count and pipe it through
> awk to pick off the packet count followed by
> "iptables -t mangle -Z MANGLE_ACTIVITY" to zero the counter,
> both in a loop with a sleep to get the interval (approximately).
> 
> Hope this helps.
> 
> Bill
> 
> (Without deadlines, we'd live forever.)

If you have a lot of rules whose counters you have to watch, it's
better to write a little daemon that reads the counters using
libiptc, because using bash or perl to read them is too slow.

We have a daemon that does this, called bastion-firewall-stats, in
our bastion-firewall GPL firewall. Anyone interested can download
the source from our web site: http://www.bgsec.com/downloads.html

Regards.

-- 

Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"




