If you play with packet captures on a regular basis, it’s likely you’ve already wondered if it’s possible to identify quickly what generates most traffic, what amount of data was transferred, etc.

tcpdump can read from your PCAP files with the option -r, and this is great! But it won’t give any sum nor bit-rate for traffic exchanged between IP addresses. You could retrieve a PCAP file on you computer, open it in wireshark and play with statistics, or index packets metadata in some database in order to be able to aggregate counters, … but in most cases this may be overkill.

What you want is a quick tool you can run directly from your Linux based network probe, something simple and stupid. Here is a script, tcpdump-stats, to sum the amount of IP traffic by srcip.srcport > dstip.dstport keys and to print the top n keys.

jthomas@blackbird:~$ tcpdump-stats --help
Usage: tcpdump-stats [OPTION...] PCAP-FILE... [-- TCPDUMP-OPTION...]
Print traffic statistics from PCAP file(s).
Available options:
  -a, --all              Overall stats instead of per PCAP file stats.
  -t, --top=NUMBER       Top n connections, default 10.
  -u, --unsupported      Print unsupported tcpdump output to stderr.
  -h, --help             Display this help.

PCAP files can be compressed (ex: .gz, .xz, …) as long as the corresponding cat-like tools (ex: zcat, xzcat, …) are available in $PATH.

It is possible to pass tcpdump arguments, this allows to filter packets in the PCAP files. In order to do that, tcpdump arguments must be separated from script arguments with the -- marker.

Here is a usage example and the corresponding output:

jthomas@blackbird:~$ tcpdump-stats -a -t 20 /data/capture/20200629-08/wan.pcap* -- not net 188.0.0.0/24
PCAP file /data/capture/20200629-08/wan.pcap0
reading from file -, link-type EN10MB (Ethernet)
95.4MiB 0:00:01 [55.5MiB/s] [================================>] 100%
PCAP file /data/capture/20200629-08/wan.pcap1.gz
reading from file -, link-type EN10MB (Ethernet)
90.8MiB 0:00:01 [59.6MiB/s] [================================>] 100%
[...]
*                                                 900.75 MB        24m2s    5.24 Mbps
212.83.132.142.4949 > 192.168.1.2.35685           768.01 MB        24m2s    4.47 Mbps
192.168.1.2.35685 > 212.83.132.142.4949            35.21 MB        24m2s  204.85 Kbps
92.122.188.23.443 > 192.168.1.2.49232              10.56 MB          31s    2.86 Mbps
104.123.50.35.443 > 192.168.1.2.59972               9.99 MB          31s    2.69 Mbps
92.122.188.31.443 > 192.168.1.2.48092               9.04 MB          31s    2.43 Mbps
92.122.188.28.443 > 192.168.1.2.46656               8.67 MB          31s    2.34 Mbps
92.122.188.31.443 > 192.168.1.2.46344               7.50 MB          31s    2.04 Mbps
92.122.188.28.443 > 192.168.1.2.46126               7.07 MB          31s    1.92 Mbps
192.229.221.12.443 > 192.168.1.2.52156              6.68 MB          31s    1.82 Mbps
104.123.50.122.443 > 192.168.1.2.56064              6.61 MB          31s    1.79 Mbps
34.241.191.143.443 > 192.168.1.2.33094              2.45 MB        3m10s  107.84 Kbps
13.227.220.84.443 > 192.168.1.2.59272               1.66 MB          36s  388.93 Kbps
34.241.191.143.443 > 192.168.1.2.32826              1.50 MB        2m14s   93.84 Kbps
13.227.222.76.443 > 192.168.1.2.42780             904.65 KB          35s  210.21 Kbps
151.101.130.49.443 > 192.168.1.2.56312            747.43 KB          31s  196.94 Kbps
34.248.104.12.443 > 192.168.1.2.58296             717.19 KB          58s  100.51 Kbps
52.210.208.94.443 > 192.168.1.2.53048             687.66 KB          31s  181.70 Kbps
34.241.191.143.443 > 192.168.1.2.33448            683.05 KB          31s  180.53 Kbps
34.241.191.143.443 > 192.168.1.2.33522            682.20 KB          31s  180.08 Kbps

The tcpdump-stats script is using:

• tcpdump, the powerful command-line packet analyzer
• awk, the famous
• sed, the cheeky, so it can work on Busybox because its awk match() does not support parenthesis captures
• bash, to put it all together

Next, let’s do it with a live capture!?