Wednesday, June 27, 2012

Analyse network traffic using tcpdump and tcpstat

The other day I was doing a set of system programming experiments which required me to generate graphs of network traffic per second between two hosts.

Though I knew Wireshark was a reliable tool with a pretty GUI, I was in search of a tool that could give me exact stats, or rather the exact distribution of packets received per second by one host from the other.

Searching the net I stumbled upon '''tcpdump''', which can "sniff" packets on a LAN or any local network.

At first I tried running it so that it caught hold of every packet it could get its hands on. That included the network traffic of the office of the HOD of my college :P, and packets of some three or four other professors. Though I didn't try to read the contents of the packets, I strongly believe tcpdump can do that in verbose mode using the -vvv option. But that's something I'll try some other day.

Well, it was fun using it in promiscuous mode (yes, that's the exact term for listening to all the packets circulating in the network), but due to shortage of time and the perennial pressure from my project advisor, I had to restrain myself from getting adventurous.

Coming back to tcpdump: I used the following command to capture the traffic between two hosts ::

tcpdump -f -n -S host $host1 and host $host2 -w file1.cap

This results in the generation of a binary file that can be read by tcpdump using the following command ::

tcpdump -r file1.cap

So far so good. But there was one problem. My intention was to get a comprehensive time-varying traffic rate between two hosts, and tcpdump gave me a bunch of packets with their sizes. So building a list of packets and bandwidth usage per second would have required me to write a new script.

This is when tcpstat came to the rescue. Using tcpstat, we can read the binary file (created above by the tcpdump command) and get a time-sliced view of the network traffic using the following command ::

tcpstat -r file1.cap $timeslice

timeslice denotes the time interval over which packets are aggregated. For my purpose I set it to 5.

This post is by no means comprehensive, and I would strongly advise the reader to look at the man pages for tcpdump and tcpstat.


How do we run tcpdump as a non-sudo user?

groupadd tcpdump
addgroup <username> tcpdump
chown root.tcpdump /usr/sbin/tcpdump
chmod 0750 /usr/sbin/tcpdump
setcap "CAP_NET_RAW+eip" /usr/sbin/tcpdump

This restricts the binary to members of the tcpdump group and grants it only the CAP_NET_RAW file capability, so those users can capture packets without running tcpdump as root.

==Don Jaffer==


  1. Are there any APIs to read the number of packets received per second from a dump file?

  2. Not that I know of. Per-second analysis is simple using tcpstat.
    I assume you have the tcpdump.cap file.
    Install tcpstat on your machine. It will be present in your repo (do apt-get install on Ubuntu).

    I use the following script to get per time traffic of the dump file. Save the below script as

    #!/bin/bash
    # One-second breakdown of the dump; replace tcpdump.cap with your captured dump file.
    tcpstat -r tcpdump.cap 1 > tcpstat_output

    # The fifth "="-separated field is the bps value; the text before the first "n" (of "n=")
    # and after the ":" of "Time:" is the timestamp.
    cut -f5 -d"=" tcpstat_output > length
    cut -f1 -d"n" tcpstat_output | cut -f2 -d":" > time

    paste time length > timelength

    # Timestamp of the first interval (available if you want offsets from the start)
    starttime=`head -1 timelength | awk '{print $1}'`

    while read line; do
        recordtime=`echo $line | awk '{print $1}'`
        traffic=`echo $line | awk '{print $2}'`
        echo "$recordtime $traffic"
    done < timelength

    Save the above script as and run it in bash using
    ./ > statistics

    Open the statistics file. You get what you want :: time per second and traffic in bps.

    Let me know if this helped :-)

  3. Hey, thanks for your help, but now I have another doubt... suppose I generate a tcpstat file. Are there any APIs with which I could parse the contents of the file? Consider the below:
    1. From the timestamp, i can find the actual time, then find the seconds component.
    2. For every second, aggregate the data for other columns so that i end up with the data set as follows:

    As an example, the data set may look like:

    12:00:01 n=something avg=something bps=something
    12:00:02 n=something avg=something bps=something
    12:00:03 n=something avg=something bps=something
    12:00:04 n=something avg=something bps=something
    12:00:05 n=something avg=something bps=something

    Now I will have statistics for every second.

    Would that work? I am unable to find any parser for the tcpstat file.
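The per-second table the last comment asks for, written here as an added Python example (not code from the post or its comments). It assumes tcpstat's default output line format `Time:<epoch>\tn=<packets>\tavg=<bytes>\tstddev=<bytes>\tbps=<bits/s>` (the same layout the cut commands above rely on), prints the clock column in UTC, and the sample lines are constructed, not taken from a real capture:

```python
import re
from datetime import datetime, timezone

# Constructed sample of `tcpstat -r dump.cap 0.5` output (assumed default format);
# two half-second slices fall inside 12:00:02 UTC and must be merged.
SAMPLE = (
    "Time:1340798401\tn=5\tavg=100.00\tstddev=0.00\tbps=8000.00\n"
    "Time:1340798402\tn=4\tavg=200.00\tstddev=0.00\tbps=12800.00\n"
    "Time:1340798402.5\tn=4\tavg=300.00\tstddev=0.00\tbps=19200.00\n"
    "Time:1340798403\tn=0\tavg=0.00\tstddev=0.00\tbps=0.00\n"
)

# Timestamp may be integral or fractional; the other fields are numeric.
LINE_RE = re.compile(
    r"^Time:(\d+(?:\.\d+)?)\tn=(\d+)\tavg=([\d.]+)\tstddev=([\d.]+)\tbps=([\d.]+)$"
)


def parse_tcpstat(text):
    """Return one dict per tcpstat output line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or a tcpstat warning, not a data row
        ts, n, avg, stddev, bps = m.groups()
        records.append({"time": float(ts), "n": int(n), "avg": float(avg),
                        "stddev": float(stddev), "bps": float(bps)})
    return records


def per_second(records):
    """Fold records into whole-second buckets: packets and bytes (n*avg) are summed,
    avg is recomputed from the totals and bps is bytes*8 over the one-second bucket.
    Returns sorted (HH:MM:SS, n, avg, bps) tuples."""
    buckets = {}
    for r in records:
        b = buckets.setdefault(int(r["time"]), {"n": 0, "bytes": 0.0})
        b["n"] += r["n"]
        b["bytes"] += r["n"] * r["avg"]
    rows = []
    for sec in sorted(buckets):
        b = buckets[sec]
        clock = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%H:%M:%S")
        avg = b["bytes"] / b["n"] if b["n"] else 0.0
        rows.append((clock, b["n"], avg, b["bytes"] * 8))
    return rows


if __name__ == "__main__":
    for clock, n, avg, bps in per_second(parse_tcpstat(SAMPLE)):
        print(f"{clock} n={n} avg={avg:.2f} bps={bps:.2f}")
```

Feed it the output of `tcpstat -r file.cap <timeslice>` instead of SAMPLE to get the same table for a real dump; slices shorter than a second are merged, longer ones pass through unchanged.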