#1

    Question Help needed: Getting traffic in bytes per user from PCAP file?

    Hi all,

    My boss told me to analyze our network traffic to find out which local user (or rather workstation) downloads how much from the internet. Not for any obscure Big Brother purposes, just to get an overview of the needs of our users (there are 14) and as a basis for a future line upgrade.

    So I set up a Linux box with 3 NICs and established a bridge br0 with eth0 and eth1; eth2 is just for accessing the box via ssh. Then I placed this box between our main switch and our internet gateway. It works flawlessly and is completely transparent to the local network.

    I then started tcpdump on br0 and dumped the complete traffic into a PCAP file. The size is quite big after a day in the office, about 2.5 GB. When I try to open it in Wireshark, it takes forever and it usually crashes before the complete PCAP gets loaded.

    I was wondering if there is a more elegant and useful way to determine the inbound and outbound traffic per local workstation out of a PCAP file? I already thought of first reading out all IP addresses containing 192.168. from the big PCAP, then extracting new PCAPs from the big one, one per local IP, then measuring the bytes in those files. That's a lot of work, and I'm almost sure there's some better way to do it?

    Thanks for your help!

    Regards, Rob
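One way to get the per-workstation totals directly out of the capture without loading it into Wireshark. This is an added example, not code from the thread: a Python 3 script (standard library only) that walks the libpcap file record by record, pulls the IPv4 source and destination out of each Ethernet frame, and sums the on-wire length per local address, split into inbound and outbound. It assumes the LAN is 192.168.0.0/16 (the post only says "192.168."), that the capture is Ethernet (tcpdump on br0), and the embedded sample capture is constructed here so the script runs offline. Two details matter for a real file: the script sums `orig_len` (length on the wire) rather than `incl_len`, because a capture taken with a snaplen stores only the first N bytes of each frame, and it mmaps the file instead of reading 2.5 GB into RAM.

```python
import mmap
import struct
import ipaddress
from collections import defaultdict

# Assumption: the office LAN is 192.168.0.0/16 (the post only says "192.168.").
LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")


def _byte_order(magic: bytes) -> str:
    """Map the libpcap magic to a struct byte-order prefix (us and ns timestamp variants)."""
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        return "<"
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        return ">"
    raise ValueError("not a libpcap file")

def iter_pcap(data):
    """Yield (orig_len, captured_frame) per record; stops cleanly at a truncated tail."""
    order = _byte_order(bytes(data[:4]))
    linktype = struct.unpack(order + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB: only Ethernet frames are decoded below
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # file ends mid-record (tcpdump killed while writing)
        off += incl_len
        yield orig_len, bytes(frame)

def ipv4_addrs(frame: bytes):
    """Return (src, dst) IPv4Address for an Ethernet/IPv4 frame, else None (ARP, IPv6, ...)."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == 0x8100:  # one 802.1Q VLAN tag in front of the IP header
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    return (ipaddress.IPv4Address(frame[off + 12:off + 16]),
            ipaddress.IPv4Address(frame[off + 16:off + 20]))

def bytes_per_host(data, local_net=LOCAL_NET):
    """Sum on-wire bytes per local address, split into inbound and outbound.
    Uses orig_len, not incl_len, so a snaplen-truncated capture still gives true sizes.
    LAN-to-LAN traffic is ignored: it never crosses the bridge to the gateway."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for orig_len, frame in iter_pcap(data):
        addrs = ipv4_addrs(frame)
        if addrs is None:
            continue
        src, dst = addrs
        src_local, dst_local = src in local_net, dst in local_net
        if src_local and not dst_local:
            totals[str(src)]["out"] += orig_len
        elif dst_local and not src_local:
            totals[str(dst)]["in"] += orig_len
    return dict(totals)

# --- constructed sample capture so the script runs offline ---------------------
def _ipv4_frame(src: str, dst: str, payload_len: int) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + b"\x00" * payload_len

def build_sample_pcap(frames, snaplen: int = 96) -> bytes:
    """Little-endian libpcap file in memory; frames are cut at snaplen like `tcpdump -s 96`."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(captured), len(frame)) + captured
    return out

SAMPLE_PCAP = build_sample_pcap([
    _ipv4_frame("192.168.1.10", "93.184.216.34", 40),    # 74-byte request out
    _ipv4_frame("93.184.216.34", "192.168.1.10", 1460),  # 1494-byte segment in
    _ipv4_frame("93.184.216.34", "192.168.1.10", 1460),
    _ipv4_frame("192.168.1.20", "8.8.8.8", 60),          # 94 bytes out
    _ipv4_frame("192.168.1.10", "192.168.1.20", 500),    # LAN-to-LAN, not counted
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real capture: mmap it rather than reading 2.5 GB into RAM
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            result = bytes_per_host(m)
    else:
        result = bytes_per_host(SAMPLE_PCAP)
    for host, t in sorted(result.items(), key=lambda kv: -kv[1]["in"]):
        print(f"{host:16} in {t['in']:>14,d}  out {t['out']:>14,d}")
```

Run it as `python3 pcap_bytes.py /path/to/capture.pcap` and it prints one line per local address, biggest downloader first. The totals are full frame lengths (Ethernet header included), so they are slightly higher than what an IP-layer counter such as iptables would report for the same traffic.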

#2
    Lazydog, Linux Guru
    Join Date: Jun 2004
    Location: The Keystone State
    Have you thought about using IPTRAF?



#3
    Thanks for your reply. Yes, I tried iptraf, but for some reason I cannot choose the bridge interface br0 as the interface I'd like to monitor. I also tried etherape, which looked quite promising, but it works "too well", as it lists the accumulated traffic not only per host IP but also per port, so I would have to add up the values manually every time.

#4
    Kloschüssel, Linux Engineer
    Join Date: Oct 2005

    If you just need the overall traffic, why would you want to monitor each of them? It is surely enough to monitor the overall traffic and especially peaks. If your users tend to download too much, limit their bandwidth to 50kb/s and you'll see that they will stop. You could further block unwanted traffic like torrents and blacklist certain websites that don't make much sense at the workplace.

    Anyway: set up iptables rules that match each single host and do nothing else, and watch the packet counters.
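The counter approach from the reply above, worked through as an added example (not code from the thread): one match-only rule per host and direction in the FORWARD chain, and a parser for the `iptables -L FORWARD -vnx` listing that turns the byte counters back into per-host in/out totals. Assumptions: the workstation addresses in `HOSTS` are made up, the listing in `SAMPLE_LISTING` is constructed to look like real iptables output, and `live_counters()` needs root plus the rules already installed. Two caveats a practitioner will hit: bridged traffic only traverses the iptables FORWARD chain when bridge netfilter is active (on current kernels the `br_netfilter` module must be loaded and `net.bridge.bridge-nf-call-iptables` must be 1; otherwise the counters stay at zero and ebtables is the place to count), and rules without a `-j` target print an empty target column, which shifts the field positions in the listing.

```python
import subprocess
from typing import Dict, Iterable, List

# Assumption: two of the 14 workstations; addresses are made up for the example.
HOSTS = ["192.168.1.10", "192.168.1.20"]


def accounting_rules(hosts: Iterable[str], chain: str = "FORWARD") -> List[List[str]]:
    """One match-only rule per host and direction. There is no -j target, so the
    rules only count and never change forwarding. -I puts them at the top of the
    chain so an earlier ACCEPT/DROP rule cannot swallow packets before they are counted."""
    cmds = []
    for h in hosts:
        cmds.append(["iptables", "-I", chain, "-s", h])  # host -> Internet (outbound)
        cmds.append(["iptables", "-I", chain, "-d", h])  # Internet -> host (inbound)
    return cmds

def parse_counters(listing: str, hosts: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Parse `iptables -L <chain> -vnx` output into per-host in/out byte totals.

    -x prints exact counters instead of 12K/3M. Because match-only rules have an
    empty target column, the number of whitespace-separated fields varies per line,
    so pkts/bytes are read from the front and source/destination from the end."""
    totals = {h: {"in": 0, "out": 0} for h in hosts}
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].isdigit():
            continue  # "Chain ..." header or the column-name line
        nbytes, src, dst = int(f[1]), f[-2], f[-1]
        if src in totals and dst == "0.0.0.0/0":
            totals[src]["out"] += nbytes
        elif dst in totals and src == "0.0.0.0/0":
            totals[dst]["in"] += nbytes
    return totals

def live_counters(hosts: Iterable[str], chain: str = "FORWARD") -> Dict[str, Dict[str, int]]:
    """Read the real counters (root required; rules from accounting_rules() must exist)."""
    out = subprocess.check_output(["iptables", "-L", chain, "-vnx"], text=True)
    return parse_counters(out, hosts)

# Constructed sample of what `iptables -L FORWARD -vnx` prints once the rules exist.
SAMPLE_LISTING = """\
Chain FORWARD (policy ACCEPT 1000 packets, 123456 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     318      24102            all  --  *      *       192.168.1.10         0.0.0.0/0
    2951    4012877            all  --  *      *       0.0.0.0/0            192.168.1.10
      41       3290            all  --  *      *       192.168.1.20         0.0.0.0/0
     120     150433            all  --  *      *       0.0.0.0/0            192.168.1.20
"""

if __name__ == "__main__":
    for cmd in accounting_rules(HOSTS):
        print(" ".join(cmd))  # run these once as root; `iptables -Z FORWARD` resets the counters
    for host, t in parse_counters(SAMPLE_LISTING, HOSTS).items():
        print(f"{host:16} in {t['in']:>12,d}  out {t['out']:>12,d}")
```

The counters are kept in the kernel and survive only until the rules are flushed or the box reboots, so sample them periodically (a cron job calling `live_counters()` and appending to a file) rather than once at the end of the measurement period. iptables counts IP-layer bytes; the PCAP-based totals include the 14-byte Ethernet header per packet, so the two methods will not match to the byte.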
