Results 1 to 4 of 4
Hi all, my boss told me to analyze our network traffic to find out which local user (resp. workstation) downloads how much from the internet. Not for any obscure Big ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 02-01-2011 #1
- Join Date
- Feb 2011
Help needed: Getting traffic in bytes per user from PCAP file?
my boss told me to analyze our network traffic to find out which local user (resp. workstation) downloads how much from the internet. Not for any obscure Big Brother purposes just to get an overview of the needs of our users (there are 14) and as a basis for a future line upgrade.
So I set up a linux box with 3 NICs and established a bridge br0 with eth0 and eth1, eth2 just to access the box via ssh. Then placed this box between our main switch and our internet gateway. It works flawlessly and is completely transparent to the local network.
I then started tcpdump on br0 and dumped the complete traffic into a PCAP file. The size is quite big after a day in the office, about 2.5 GB. When I try to open it in Wireshark, it takes forever and it usually crashes before the complete PCAP gets loaded.
I was wondering if there is a more elegant and useful way to determine the inbound and outbound traffic per local workstation out of a PCAP file? I already thought of first reading out all ip addresses containing 192.168. from the big PCAP, then extract new PCAP's from the big one, one per local IP, then measure the bytes in that files. That's a lot of work.. and I'm almost sure there's some better way to do it?
Thanks for your help!
- 02-01-2011 #2
Have you thought about using IPTRAF?
The adventure of a life time.
Linux User #296285
- 02-01-2011 #3
- Join Date
- Feb 2011
Thanks for your reply. Yes, I tried iptraf, but for some reason I cannot choose the bridge interface br0 as the interface I'd like to monitor. I also tried etherape which looked quite promising, but it works "too good" as it lists the accumulated traffic not only per host ip but also per port, so I would have to add the values manually every time.
- 02-02-2011 #4
sluggish and brainwashy arguments.
if you just need the overall traffic, why would you want to monitor each of them? it is surely enough to monitor the overall traffic and specially peaks. if your users tend to download too much, limit their bandwidth to 50kb/s and you'll see that they will stop. you could further block unwanted traffic like torrent and blacklist certain websites that make not much sense at the workspace.
anyway: set up iptable rules that match each single host and do nothing else and watch the packet counter.