The other day I was doing a set of system programming experiments which required me to generate graphs of network traffic per second between two hosts.
Though I knew Wireshark was a reliable tool with a pretty GUI, I was in search of something that could give me exact stats, or rather the exact distribution of the packets received per second by one host from the other.
Searching the net I stumbled upon '''tcpdump''', which can "sniff" packets on a LAN or any other local network segment.
At first I ran it so that it caught hold of every packet it could get its hands on. That included the network traffic of the office of the HOD of my college :P and packets from three or four other professors. I didn't try to read the contents of the packets; tcpdump can print them with -A (ASCII) or -X (hex plus ASCII), whereas -vvv only makes the decoded headers more verbose. But that's something I'll try some other day. Bear in mind that reading other people's traffic, even on a college network, is at best a policy violation, and that on a switched network you only see other hosts' unicast traffic if the switch is flooding it to your port or you are on a hub or a mirror port.
It was fun using it in promiscuous mode (that is the exact term for listening to all the packets circulating on the network), but owing to shortage of time and the perennial pressure from my project advisor, I had to refrain from getting adventurous.
Coming back to tcpdump: I used the following command to capture the traffic between two hosts ::
tcpdump -f -n -S host $host1 and host $host2 -w file1.cap
Here $host1 and $host2 hold the two addresses (or hostnames). The filter expression host $host1 and host $host2 keeps only packets in which both addresses appear, i.e. the traffic flowing between those two machines in either direction. -n stops tcpdump from resolving addresses to names, -S prints absolute rather than relative TCP sequence numbers, and -f is an old option that prints non-local IPv4 addresses numerically. All three only affect how packets are printed; -w writes the raw packets to the file regardless, so they can just as well be given when the file is read back. Add -i <interface> if the default interface isn't the one carrying the traffic, and stop the capture with Ctrl-C.
This results in a binary file that tcpdump itself can read back with ::
tcpdump -r file1.cap
So far so good. But there was one problem. My intention was to produce a time-varying traffic rate between the two hosts, and tcpdump gave me a list of packets with their sizes. Turning that into a per-second list of packet counts and bandwidth usage would have required writing a new script.
This is when tcpstat came to the rescue. Using tcpstat, we can read the binary file created above by tcpdump and get a time-sliced summary of the traffic using the following command ::
tcpstat -r file1.cap $timeslice
timeslice is the interval, in seconds, over which packets are aggregated; each line of output summarises one interval. For my purpose I set it to 5 (which is also tcpstat's default). The -o option lets you choose which fields (packet count, byte count, average packet size and so on) are printed per interval, which is handy when the output goes straight into a plotting tool; see the man page for the format characters.
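The per-timeslice script that the paragraph above says would otherwise be needed, as an added example that is not from the original post nor from the tcpdump or tcpstat projects: it reads the classic pcap format that tcpdump -w writes (both byte orders, microsecond and nanosecond timestamps) and bins packets into 5-second slices, the analogue of tcpstat's interval argument. The capture it runs on is constructed in memory (build_sample_pcap and SAMPLE_PACKETS are this example's own helpers, not real tcpdump output); pass the path of file1.cap on the command line to process a real capture instead.

```python
#!/usr/bin/env python3
"""Per-timeslice traffic totals from a tcpdump capture file.

Added example, not code from the original post: a small reader for the
classic pcap format that `tcpdump -w` writes, binning packets into fixed
timeslices (the analogue of tcpstat's interval argument).  The sample
capture is constructed in memory by build_sample_pcap(), so the script
runs offline; pass a real file path to read a capture made with tcpdump.
"""
import struct
import sys
from collections import OrderedDict

PCAP_MAGIC_US = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # pcap written with nanosecond timestamps


def iter_pcap_records(data):
    """Yield (timestamp in seconds, captured length, length on the wire).

    The magic number decides both the byte order and the timestamp
    resolution, so the same loop reads files of either endianness.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        magic, = struct.unpack(endian + "I", data[:4])
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a pcap file: bad magic %r" % data[:4])
    ts_div = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        yield ts_sec + ts_frac / ts_div, incl_len, orig_len
        off += incl_len


def timeslice_stats(data, timeslice=5):
    """Return {slice_start_seconds: {"packets", "bytes", "bps"}} in time order.

    Slices start at the first packet and are `timeslice` seconds wide.
    Empty slices inside the capture are reported with zero counts so a
    plot shows the quiet period instead of silently skipping it.
    """
    counts = []                      # index i -> [packets, bytes] for slice i
    first = None
    for ts, _incl_len, orig_len in iter_pcap_records(data):
        if first is None:
            first = ts
        idx = int((ts - first) // timeslice)
        while len(counts) <= idx:
            counts.append([0, 0])
        counts[idx][0] += 1
        # Use the on-the-wire length, not the captured length: with a small
        # snaplen (tcpdump -s) the captured bytes undercount real bandwidth.
        counts[idx][1] += orig_len
    stats = OrderedDict()
    for i, (packets, nbytes) in enumerate(counts):
        stats[i * timeslice] = {"packets": packets, "bytes": nbytes,
                                "bps": nbytes * 8 / timeslice}
    return stats


def build_sample_pcap(packets, nano=False, big_endian=False):
    """Construct a pcap file in memory from (timestamp, wire_length) pairs.

    Constructed test data: link type 1 (Ethernet), zero-filled payloads,
    snaplen 96 so long frames are truncated as `tcpdump -s 96` would do.
    """
    endian = ">" if big_endian else "<"
    magic = PCAP_MAGIC_NS if nano else PCAP_MAGIC_US
    snaplen = 96
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, 1)
    for ts, wire_len in packets:
        sec = int(ts)
        frac = int(round((ts - sec) * (1e9 if nano else 1e6)))
        incl = min(wire_len, snaplen)
        out += struct.pack(endian + "IIII", sec, frac, incl, wire_len)
        out += b"\x00" * incl
    return out


# Constructed sample: a burst of traffic, five quiet seconds, another burst.
SAMPLE_PACKETS = [
    (1000.0, 60), (1001.5, 1514), (1004.9, 1514),
    (1012.0, 60), (1013.1, 1514),
]


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_pcap(SAMPLE_PACKETS)
    for start, s in timeslice_stats(data, 5).items():
        print("t=%-5d packets=%-4d bytes=%-7d %.1f bit/s"
              % (start, s["packets"], s["bytes"], s["bps"]))


if __name__ == "__main__":
    main(sys.argv)
```

Two details matter when you feed this a real capture. The bandwidth figure is computed from the on-the-wire length stored in each record header, so a capture taken with a small snaplen still gives correct byte counts even though the payloads are truncated. And the reader understands only the classic pcap format that tcpdump writes; a file saved from Wireshark is pcapng and will be rejected on the magic-number check rather than misread.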
This post is by no means comprehensive, and I would strongly advise the reader to look at the man pages for tcpdump and tcpstat.
Notes::
How do we run tcpdump as a non-sudo user?
groupadd tcpdump
addgroup <username> tcpdump
chown root:tcpdump /usr/sbin/tcpdump
chmod 0750 /usr/sbin/tcpdump
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
The idea is that file capabilities, not setuid root, give the binary what it needs: cap_net_raw to open a raw packet socket and cap_net_admin to put the interface into promiscuous mode, which tcpdump does by default. Because the binary is mode 0750 and group-owned by tcpdump, only members of that group can execute it and therefore exercise those capabilities. addgroup <username> tcpdump is the Debian/Ubuntu spelling of adding a user to a group (usermod -aG tcpdump <username> elsewhere), and the user has to log out and back in before the new group membership takes effect. The path varies by distribution, so check where tcpdump is actually installed before changing its ownership. Remember too that a package upgrade replaces the binary and silently drops its file capabilities, so the setcap step has to be repeated afterwards; getcap on the binary shows whether they are still there.
==Don Jaffer==