If you play with packet captures on a regular basis, it’s likely you’ve already wondered whether it’s possible to quickly identify what generates the most traffic, how much data was transferred, etc.
tcpdump can read your PCAP files with the -r option, and that’s great! But it won’t give you any totals or bit-rates for the traffic exchanged between IP addresses. You could copy a PCAP file to your computer, open it in Wireshark and play with the statistics, or index packet metadata in some database so you can aggregate counters, … but in most cases this is overkill.
What you want is a quick tool you can run directly from your Linux-based network probe, something simple and stupid. Here is a script, tcpdump-stats, that sums the amount of IP traffic per srcip.srcport > dstip.dstport key and prints the top n keys.
```
jthomas@blackbird:~$ tcpdump-stats --help
Usage: tcpdump-stats [OPTION...] PCAP-FILE... [-- TCPDUMP-OPTION...]

Print traffic statistics from PCAP file(s).

Available options:
  -a, --all            Overall stats instead of per PCAP file stats.
  -t, --top=NUMBER     Top n connections, default 10.
  -u, --unsupported    Print unsupported tcpdump output to stderr.
  -h, --help           Display this help.
```
PCAP files can be compressed (e.g. .gz, .xz, …) as long as the corresponding cat-like tools (e.g. zcat, xzcat, …) are available in $PATH.
It is possible to pass tcpdump arguments, which lets you filter the packets in the PCAP files. To do so, the tcpdump arguments must be separated from the script’s own arguments with the -- marker.
Here is a usage example and the corresponding output:
```
jthomas@blackbird:~$ tcpdump-stats -a -t 20 /data/capture/20200629-08/wan.pcap* -- not net 188.0.0.0/24
PCAP file /data/capture/20200629-08/wan.pcap0
reading from file -, link-type EN10MB (Ethernet)
95.4MiB 0:00:01 [55.5MiB/s] [================================>] 100%
PCAP file /data/capture/20200629-08/wan.pcap1.gz
reading from file -, link-type EN10MB (Ethernet)
90.8MiB 0:00:01 [59.6MiB/s] [================================>] 100%
[...]
*
900.75 MB   24m2s   5.24 Mbps    212.83.132.142.4949 > 192.168.1.2.35685
768.01 MB   24m2s   4.47 Mbps    192.168.1.2.35685 > 212.83.132.142.4949
35.21 MB    24m2s   204.85 Kbps  92.122.188.23.443 > 192.168.1.2.49232
10.56 MB    31s     2.86 Mbps    104.123.50.35.443 > 192.168.1.2.59972
9.99 MB     31s     2.69 Mbps    92.122.188.31.443 > 192.168.1.2.48092
9.04 MB     31s     2.43 Mbps    92.122.188.28.443 > 192.168.1.2.46656
8.67 MB     31s     2.34 Mbps    92.122.188.31.443 > 192.168.1.2.46344
7.50 MB     31s     2.04 Mbps    92.122.188.28.443 > 192.168.1.2.46126
7.07 MB     31s     1.92 Mbps    192.229.221.12.443 > 192.168.1.2.52156
6.68 MB     31s     1.82 Mbps    104.123.50.122.443 > 192.168.1.2.56064
6.61 MB     31s     1.79 Mbps    34.241.191.143.443 > 192.168.1.2.33094
2.45 MB     3m10s   107.84 Kbps  13.227.220.84.443 > 192.168.1.2.59272
1.66 MB     36s     388.93 Kbps  34.241.191.143.443 > 192.168.1.2.32826
1.50 MB     2m14s   93.84 Kbps   13.227.222.76.443 > 192.168.1.2.42780
904.65 KB   35s     210.21 Kbps  151.101.130.49.443 > 192.168.1.2.56312
747.43 KB   31s     196.94 Kbps  34.248.104.12.443 > 192.168.1.2.58296
717.19 KB   58s     100.51 Kbps  52.210.208.94.443 > 192.168.1.2.53048
687.66 KB   31s     181.70 Kbps  34.241.191.143.443 > 192.168.1.2.33448
683.05 KB   31s     180.53 Kbps  34.241.191.143.443 > 192.168.1.2.33522
682.20 KB   31s     180.08 Kbps
```
The tcpdump-stats script uses:
- tcpdump, the powerful command-line packet analyzer
- awk, the famous
- sed, the cheeky one, so that the script also works on Busybox, whose awk match() does not support parenthesis captures
- bash, to put it all together
Next, let’s do it with a live capture!?