Tips & Tricks : Quick traffic stats from your PCAP files

30/06/2020 by Julien Thomas

If you play with packet captures on a regular basis, you have probably already wondered whether it is possible to quickly identify what generates most of the traffic, how much data was transferred, and so on.

tcpdump can read your PCAP files with the -r option, and this is great! But it gives no totals and no bit-rate for the traffic exchanged between IP addresses. You could copy the PCAP file to your computer, open it in Wireshark and play with its statistics, or index the packet metadata in some database in order to aggregate counters, … but in most cases this is overkill.

What you want is a quick tool you can run directly from your Linux-based network probe, something simple and stupid. Here is a script, tcpdump-stats, which sums the amount of IP traffic per srcip.srcport > dstip.dstport key and prints the top n keys.

jthomas@blackbird:~$ tcpdump-stats --help
Usage: tcpdump-stats [OPTION...] PCAP-FILE... [-- TCPDUMP-OPTION...]
Print traffic statistics from PCAP file(s).
Available options:
  -a, --all              Overall stats instead of per PCAP file stats.
  -t, --top=NUMBER       Top n connections, default 10.
  -u, --unsupported      Print unsupported tcpdump output to stderr.
  -h, --help             Display this help.

PCAP files can be compressed (ex: .gz, .xz, …) as long as the corresponding cat-like tools (ex: zcat, xzcat, …) are available in $PATH.

It is also possible to pass tcpdump arguments, which allows filtering the packets read from the PCAP files. To do so, the tcpdump arguments must be separated from the script's own arguments with the -- marker.

Here is a usage example and the corresponding output:

jthomas@blackbird:~$ tcpdump-stats -a -t 20 /data/capture/20200629-08/wan.pcap* -- not net 188.0.0.0/24
PCAP file /data/capture/20200629-08/wan.pcap0
reading from file -, link-type EN10MB (Ethernet)
95.4MiB 0:00:01 [55.5MiB/s] [================================>] 100%
PCAP file /data/capture/20200629-08/wan.pcap1.gz
reading from file -, link-type EN10MB (Ethernet)
90.8MiB 0:00:01 [59.6MiB/s] [================================>] 100%
[...]
*                                                 900.75 MB        24m2s    5.24 Mbps
212.83.132.142.4949 > 192.168.1.2.35685           768.01 MB        24m2s    4.47 Mbps
192.168.1.2.35685 > 212.83.132.142.4949            35.21 MB        24m2s  204.85 Kbps
92.122.188.23.443 > 192.168.1.2.49232              10.56 MB          31s    2.86 Mbps
104.123.50.35.443 > 192.168.1.2.59972               9.99 MB          31s    2.69 Mbps
92.122.188.31.443 > 192.168.1.2.48092               9.04 MB          31s    2.43 Mbps
92.122.188.28.443 > 192.168.1.2.46656               8.67 MB          31s    2.34 Mbps
92.122.188.31.443 > 192.168.1.2.46344               7.50 MB          31s    2.04 Mbps
92.122.188.28.443 > 192.168.1.2.46126               7.07 MB          31s    1.92 Mbps
192.229.221.12.443 > 192.168.1.2.52156              6.68 MB          31s    1.82 Mbps
104.123.50.122.443 > 192.168.1.2.56064              6.61 MB          31s    1.79 Mbps
34.241.191.143.443 > 192.168.1.2.33094              2.45 MB        3m10s  107.84 Kbps
13.227.220.84.443 > 192.168.1.2.59272               1.66 MB          36s  388.93 Kbps
34.241.191.143.443 > 192.168.1.2.32826              1.50 MB        2m14s   93.84 Kbps
13.227.222.76.443 > 192.168.1.2.42780             904.65 KB          35s  210.21 Kbps
151.101.130.49.443 > 192.168.1.2.56312            747.43 KB          31s  196.94 Kbps
34.248.104.12.443 > 192.168.1.2.58296             717.19 KB          58s  100.51 Kbps
52.210.208.94.443 > 192.168.1.2.53048             687.66 KB          31s  181.70 Kbps
34.241.191.143.443 > 192.168.1.2.33448            683.05 KB          31s  180.53 Kbps
34.241.191.143.443 > 192.168.1.2.33522            682.20 KB          31s  180.08 Kbps

The tcpdump-stats script uses:

  • tcpdump, the powerful command-line packet analyzer
  • awk, the famous one
  • sed, the cheeky one, so that the script also works on Busybox, whose awk match() does not support parenthesised captures
  • bash, to put it all together
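To show how the per srcip.srcport > dstip.dstport aggregation described above can be built, with sed doing the field extraction so that Busybox awk's missing capture groups are not a problem, here is an added example written for this article; it is not the tcpdump-stats script itself. It assumes tcpdump was run with -tt -nn -e (epoch timestamp and full frame length on each line), handles IPv4 only, and the sample lines below are constructed.

```shell
#!/bin/sh
# Added example (not the tcpdump-stats script from the article): aggregate
# tcpdump text output per "srcip.srcport > dstip.dstport" key with sed + awk.
# Assumed input format: tcpdump -tt -nn -e (epoch timestamp, Ethernet header
# carrying the full frame length, then "src.port > dst.port:"), IPv4 only.

# Constructed sample of tcpdump -tt -nn -e output (5 frames, one of them ARP).
SAMPLE='1593417600.000000 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 1514: 212.83.132.142.4949 > 192.168.1.2.35685: Flags [.], seq 1:1461, ack 1, win 501, length 1460
1593417600.500000 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 1514: 212.83.132.142.4949 > 192.168.1.2.35685: Flags [.], seq 1461:2921, ack 1, win 501, length 1460
1593417601.000000 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 66: 192.168.1.2.35685 > 212.83.132.142.4949: Flags [.], ack 2921, win 2048, length 0
1593417602.000000 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 82: 192.168.1.2.53000 > 8.8.8.8.53: 1234+ A? example.com. (40)
1593417602.000000 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.2, length 28'

# pcap_stats TOP: reads tcpdump lines on stdin, prints the overall "*" line
# followed by the TOP busiest keys (bytes, duration, bit-rate).
# sed (not awk match()) extracts the fields, so this also runs on Busybox.
# Lines without "length N: ip.port > ip.port:" (ARP, ...) are dropped.
pcap_stats() {
    top=${1:-10}
    sed -n -E 's/^([0-9]+\.[0-9]+) .* length ([0-9]+): ([0-9.]+) > ([0-9.]+): .*$/\3 > \4 \2 \1/p' |
    awk '
    function account(k, len, ts) {
        bytes[k] += len
        if (!(k in first) || ts < first[k]) first[k] = ts
        if (!(k in last)  || ts > last[k])  last[k]  = ts
    }
    { account($1 " > " $3, $4, $5); account("*", $4, $5) }
    END {
        for (k in bytes) {
            dur  = last[k] - first[k]
            rate = dur > 0 ? bytes[k] * 8 / dur : 0   # single-packet keys: no division by zero
            # two leading tab-separated sort keys (is_total, bytes) are stripped by cut below
            printf "%d\t%d\t%-42s %12d B %9.3f s %12.0f bps\n", (k == "*"), bytes[k], k, bytes[k], dur, rate
        }
    }' |
    sort -t "$(printf '\t')" -k1,1nr -k2,2nr | head -n "$((top + 1))" | cut -f3-
}

# Example run: printf '%s\n' "$SAMPLE" | pcap_stats 10
```

Durations are computed from the first and last packet seen for each key, so a key with a single packet gets 0 s and 0 bps rather than an error.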

Next, let’s do it with a live capture!?
