  1. #1
    Just Joined!
    Join Date
    Feb 2011
    Posts
    4

    Question Help needed: Getting traffic in bytes per user from PCAP file?


    Hi all,

    my boss told me to analyze our network traffic to find out which local user (resp. workstation) downloads how much from the internet. Not for any obscure Big Brother purposes, just to get an overview of the needs of our users (there are 14) and as a basis for a future line upgrade.

    So I set up a Linux box with 3 NICs and established a bridge br0 with eth0 and eth1; eth2 is just to access the box via ssh. Then I placed this box between our main switch and our internet gateway. It works flawlessly and is completely transparent to the local network.

    I then started tcpdump on br0 and dumped the complete traffic into a PCAP file. The size is quite big after a day in the office, about 2.5 GB. When I try to open it in Wireshark, it takes forever and it usually crashes before the complete PCAP gets loaded.

    I was wondering if there is a more elegant and useful way to determine the inbound and outbound traffic per local workstation out of a PCAP file? I already thought of first reading out all IP addresses containing 192.168. from the big PCAP, then extracting new PCAPs from the big one, one per local IP, then measuring the bytes in those files. That's a lot of work... and I'm almost sure there's some better way to do it?

    Thanks for your help!

    Regards, Rob
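
A way to get the per-workstation totals Rob asks for without loading the whole capture into Wireshark, as an added example (not code from the thread): stream the PCAP record by record in Python, parse only the Ethernet and IPv4 headers, and sum wire bytes per 192.168.x.x host as download (internet to host) or upload (host to internet). Only one record is in memory at a time, so a 2.5 GB file is no problem. The sample capture at the bottom is constructed inline; the 192.168.0.0/16 LAN range and the RFC 5737 test addresses standing in for internet hosts are assumptions.

```python
"""Per-host inbound/outbound byte totals from a libpcap file, streamed record by record."""
import ipaddress
import struct
from collections import defaultdict
from io import BytesIO

# Assumption: the LAN is 192.168.0.0/16, as in the post. Anything else is "the internet".
LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")
ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100


def pcap_records(fh):
    """Yield (wire_len, frame) for each record of a classic libpcap file.

    Both byte orders and the nanosecond magic are handled; pcapng is not
    (tcpdump -w writes classic pcap by default).
    """
    hdr = fh.read(24)
    if len(hdr) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    if struct.unpack(endian + "I", hdr[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    rec_hdr = struct.Struct(endian + "IIII")  # ts_sec, ts_usec, incl_len, orig_len
    while True:
        rh = fh.read(16)
        if len(rh) < 16:
            return                          # clean EOF, or a record header cut off
        _sec, _usec, incl_len, orig_len = rec_hdr.unpack(rh)
        frame = fh.read(incl_len)
        if len(frame) < incl_len:
            return                          # capture ended mid-record; keep what we have
        yield orig_len, frame


def ipv4_endpoints(frame):
    """Return (src, dst) addresses of an IPv4 packet inside an Ethernet frame, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    while ethertype == ETH_VLAN:            # 802.1Q tag: 4 extra bytes, real type follows
        if len(frame) < off + 4:
            return None
        ethertype = struct.unpack("!H", frame[off + 2:off + 4])[0]
        off += 4
    if ethertype != ETH_IPV4 or len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    return (ipaddress.IPv4Address(frame[off + 12:off + 16]),
            ipaddress.IPv4Address(frame[off + 16:off + 20]))


def bytes_per_host(fh, local_net=LOCAL_NET):
    """Sum wire bytes per local host: "down" = internet -> host, "up" = host -> internet.

    LAN-to-LAN and non-IPv4 frames are skipped. The wire length (orig_len) is used,
    so a capture taken with a short snaplen still reports the real volume.
    """
    totals = defaultdict(lambda: {"up": 0, "down": 0})
    for wire_len, frame in pcap_records(fh):
        ends = ipv4_endpoints(frame)
        if ends is None:
            continue
        src, dst = ends
        src_local, dst_local = src in local_net, dst in local_net
        if src_local and not dst_local:
            totals[str(src)]["up"] += wire_len
        elif dst_local and not src_local:
            totals[str(dst)]["down"] += wire_len
    return dict(totals)


def _frame(src, dst, payload_len):
    """Minimal Ethernet + IPv4 frame (constructed test data, not a real capture)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip_hdr + b"\x00" * payload_len


def sample_pcap():
    """Constructed capture: RFC 5737 test addresses stand in for internet hosts."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, Ethernet
    frames = [
        _frame("203.0.113.5", "192.168.1.10", 1000),    # download to .10 (1034 wire bytes)
        _frame("203.0.113.5", "192.168.1.10", 500),     # download to .10 (534)
        _frame("192.168.1.10", "203.0.113.5", 100),     # upload from .10 (134)
        _frame("192.168.1.10", "192.168.1.20", 300),    # LAN-to-LAN, must not be counted
        _frame("192.168.1.20", "198.51.100.7", 60),     # upload from .20 (94)
    ]
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


def sample_totals():
    return bytes_per_host(BytesIO(sample_pcap()))


if __name__ == "__main__":
    for host, t in sorted(sample_totals().items()):
        print("%-16s down %10d  up %10d" % (host, t["down"], t["up"]))
```

Against the real file, call `bytes_per_host(open("capture.pcap", "rb"))`. The off-the-shelf equivalent is `tshark -q -z endpoints,ip -r capture.pcap`, which prints a per-address table with Tx and Rx bytes without opening the capture in the GUI; splitting the capture with `tcpdump -C` as it is written also keeps any single file small enough for Wireshark.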

  2. #2
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Have you thought about using IPTRAF?

    Regards
    Robert


  3. #3
    Just Joined!
    Join Date
    Feb 2011
    Posts
    4
    Thanks for your reply. Yes, I tried iptraf, but for some reason I cannot choose the bridge interface br0 as the interface I'd like to monitor. I also tried EtherApe, which looked quite promising, but it works "too well", as it lists the accumulated traffic not only per host IP but also per port, so I would have to add the values manually every time.

  4. #4
    Linux Engineer Kloschüssel
    Join Date
    Oct 2005
    Location
    Italy
    Posts
    773
    Sluggish and brainwashy arguments.

    If you just need the overall traffic, why would you want to monitor each of them? It is surely enough to monitor the overall traffic and especially the peaks. If your users tend to download too much, limit their bandwidth to 50kb/s and you'll see that they will stop. You could further block unwanted traffic like torrents and blacklist certain websites that don't make much sense at the workplace.

    Anyway: set up iptables rules that match each single host and do nothing else, and watch the packet counter.
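
Post #4's suggestion spelled out, as an added example that is not from the thread: counter-only iptables rules (no -j target, so nothing is accepted or dropped) in a dedicated chain, one -s and one -d rule per workstation, plus a parser for `iptables-save -c` output that turns the byte counters into per-host upload/download totals. The host list, the chain name ACCOUNT and the sample counter output are all constructed for the example. One caveat belongs with the advice: because Rob's box is a bridge, iptables only sees the bridged IPv4 traffic when net.bridge.bridge-nf-call-iptables is 1 (on newer kernels that sysctl appears once br_netfilter is loaded).

```python
"""Per-host byte accounting with counter-only iptables rules, and reading the counters back."""
import re

# Assumptions (not from the thread): the 14 workstations are 192.168.1.10-23 and the
# accounting chain is called ACCOUNT. The box is the transparent bridge from post #1.
LOCAL_HOSTS = ["192.168.1.%d" % n for n in range(10, 24)]
CHAIN = "ACCOUNT"


def accounting_rules(hosts, chain=CHAIN):
    """Shell commands that build a counter-only chain: one -s and one -d rule per host.

    A rule without -j only increments its counters and falls through, so traffic is
    not affected. Bridged IPv4 traverses FORWARD only with bridge-nf-call-iptables=1.
    """
    cmds = [
        "sysctl -w net.bridge.bridge-nf-call-iptables=1",
        "iptables -N %s" % chain,
        "iptables -I FORWARD 1 -j %s" % chain,
    ]
    for h in hosts:
        cmds.append("iptables -A %s -s %s" % (chain, h))   # host -> internet (upload)
        cmds.append("iptables -A %s -d %s" % (chain, h))   # internet -> host (download)
    return cmds


# `iptables-save -c` prints every rule as "[pkts:bytes] -A CHAIN <match>", which is far
# easier to parse reliably than the column layout of `iptables -nvx -L`.
COUNTER_RE = re.compile(
    r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+-(s|d)\s+(\d+(?:\.\d+){3})(?:/32)?\s*$")


def parse_counters(save_output, chain=CHAIN):
    """Turn `iptables-save -c` text into {host: {"up": bytes, "down": bytes}}."""
    totals = {}
    for line in save_output.splitlines():
        m = COUNTER_RE.match(line.strip())
        if not m or m.group(3) != chain:
            continue
        _pkts, nbytes, _chain, direction, host = m.groups()
        t = totals.setdefault(host, {"up": 0, "down": 0})
        t["up" if direction == "s" else "down"] += int(nbytes)
    return totals


# Constructed sample of what `iptables-save -c` prints for this chain (not real counters).
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [1200:98000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [900:64000]
:ACCOUNT - [0:0]
[5000:4100000] -A FORWARD -j ACCOUNT
[1300:96000] -A ACCOUNT -s 192.168.1.10/32
[3100:3650000] -A ACCOUNT -d 192.168.1.10/32
[200:15000] -A ACCOUNT -s 192.168.1.11/32
[400:339000] -A ACCOUNT -d 192.168.1.11/32
COMMIT
"""

if __name__ == "__main__":
    print("\n".join(accounting_rules(LOCAL_HOSTS)))
    for host, t in sorted(parse_counters(SAMPLE_SAVE).items()):
        print("%-16s down %10d  up %10d" % (host, t["down"], t["up"]))
```

Since the box sits between the switch and the gateway, everything crossing FORWARD is LAN-to-internet traffic, so no local-to-local filtering is needed. Reading the counters with `iptables-save -c` and then zeroing them with `iptables -Z ACCOUNT` once a day gives the per-day figures the line upgrade decision needs.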
