Old 12-09-2008, 05:32 AM   #1
Larry James
Member
 
Registered: Jun 2000
Location: Buffalo, New York
Distribution: Ubuntu, Raspbian
Posts: 381

Rep: Reputation: 40
How to display IP connection usage?


My system is being bogged down something fierce. Can someone tell me of a program that I can install that will allow me to monitor what IP address is soaking up the bandwidth?

Thanks in advance for any suggestions and comments on this matter.

-- L. James

--
L. D. James
ljames@apollo3.com
www.apollo3.com/~ljames
 
Old 12-09-2008, 05:37 AM   #2
jimbo1954
Member
 
Registered: Oct 2006
Location: High Wycombe, Bucks, UK.
Distribution: Debian and Fedora Core in equal measure
Posts: 264

Rep: Reputation: 33
Try Wireshark, it will let you watch what is happening interactively as it comes in.
 
Old 12-09-2008, 05:47 AM   #3
Larry James
Member
 
Registered: Jun 2000
Location: Buffalo, New York
Distribution: Ubuntu, Raspbian
Posts: 381

Original Poster
Rep: Reputation: 40
Thanks, Jimbo. I'll let you know how it works out.

-- L. James

--
L. D. James
ljames@apollo3.com
www.apollo3.com/~ljames
 
Old 12-09-2008, 10:16 PM   #4
Larry James
Member
 
Registered: Jun 2000
Location: Buffalo, New York
Distribution: Ubuntu, Raspbian
Posts: 381

Original Poster
Rep: Reputation: 40
Hi, Jimbo. Thanks again for the quick advice. The installation went smoothly. I'm studying all the parameters. I don't use a GUI and couldn't get the wireshark command to function. It complains about the gtk display (Gtk-WARNING **: cannot open display). First study gave me tshark.

I’m still experimenting.

Would you have a quick method to type in a few commands and get the most active IPs sorted to the top? Any suggestions you might have to help me get started are appreciated. I'm sure I'll be in for a long haul learning all the features. It looks like a very powerful utility.

Thanks again for sharing.

-- L. James

--
L. D. James
ljames@apollo3.com
www.apollo3.com/~ljames
 
Old 12-09-2008, 10:36 PM   #5
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
For a check of what is happening on your box for a 30 second window the following can be used:
Code:
tshark -i eth0 -a duration:30 -f "tcp and not port 22"
I told it to skip port 22 because I was connected to the box via SSH and didn't want that traffic cluttering the output. At the time I was connected to port 80 via telnet and had issued GET / HTTP1.1. The (incomplete) output was:
Code:
Capturing on eth0
  0.000000 192.168.1.50 -> 192.168.1.20 TCP 9498 > http [SYN] Seq=0 Win=64512 Len=0 MSS=1460
  0.000008 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
  0.000161 192.168.1.50 -> 192.168.1.20 TCP 9498 > http [ACK] Seq=1 Ack=1 Win=64512 Len=0
  1.047246 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  1.047281 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=2 Win=5840 Len=0
  1.103207 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  1.103221 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=3 Win=5840 Len=0
  1.327248 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  1.327260 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=4 Win=5840 Len=0
  1.407230 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  1.407243 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=5 Win=5840 Len=0
  2.079248 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  2.079275 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=6 Win=5840 Len=0
  2.207250 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  2.207277 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=7 Win=5840 Len=0
  3.287279 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  3.287330 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=8 Win=5840 Len=0
  3.447203 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  3.447234 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=9 Win=5840 Len=0
  3.615184 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  3.615212 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=10 Win=5840 Len=0
  3.871262 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  3.871290 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=11 Win=5840 Len=0
  4.231223 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  4.231254 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=12 Win=5840 Len=0
  4.367261 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  4.367287 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=13 Win=5840 Len=0
  4.455340 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  4.455363 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=14 Win=5840 Len=0
  4.647215 192.168.1.50 -> 192.168.1.20 HTTP Continuation or non-HTTP traffic
  4.647243 192.168.1.20 -> 192.168.1.50 TCP http > 9498 [ACK] Seq=1 Ack=16 Win=5840 Len=0
31 packets captured
If you're not using X but have ncurses installed, I recommend iptstate. The screenshots page will give you an idea whether it will do what you want, though.
 
Old 12-10-2008, 05:42 AM   #6
jimbo1954
Member
 
Registered: Oct 2006
Location: High Wycombe, Bucks, UK.
Distribution: Debian and Fedora Core in equal measure
Posts: 264

Rep: Reputation: 33
Whoops, Sorry Larry!

I made the unjustified assumption that you would have a GUI running, just because it's my practice to do so even on my servers. However, I see Gilead has come up with a better way of running wireshark for your environment, and iptstate looks more than a bit interesting, so we both benefited... Thanks, Gilead.
 
Old 12-10-2008, 10:38 AM   #7
Larry James
Member
 
Registered: Jun 2000
Location: Buffalo, New York
Distribution: Ubuntu, Raspbian
Posts: 381

Original Poster
Rep: Reputation: 40
Quote:
Originally Posted by jimbo1954 View Post
I made the unjustified assumption that you would have a GUI running, just because it's my practice to do so even on my servers. However, I see Gilead has come up with a better way of running wireshark for your environment, and iptstate looks more than a bit interesting, so we both benefited... Thanks, Gilead.
I had mentioned that I was running tshark. My question was about some type of parameter or method to sort the output in such a way as to display the IPs on top that are hogging the most bandwidth.

I guess if there isn't anything obvious that I'm missing, I will presume that the only way of knowing the amount of bandwidth going to an IP is to count the IPs and tally up the "Len="s. Almost all of the IPs are "0". My system gets bogged down a few times a day. I haven't caught it happening since the installation of the wireshark program (though looking at the logs, it did happen a couple of times for a few minutes at a time when I wasn't at the system).

I'm still at the drawing board. If there aren't any standard methods that people are already using to sort the output, then again, I'm continuing to study and figure things out with time.

By the way, I notice lots of input options that wireshark has. So, initially, I thought one would use tcpdump (or the tshark output), then use the utility to analyze it.

By the way, thanks Gilead for chiming in. When you use tshark, do you have some routine for sorting out the output?

-- L. James

--
L. D. James
ljames@apollo3.com
www.apollo3.com/~ljames
 
Old 12-10-2008, 01:21 PM   #8
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
I usually use iptstate for that sort of output. Below is a sample output. The B column is bytes and the P column is packets:
Code:
                                                  IPTState - IPTables State Top
Version: 2.2.1        Sort: SrcIP           b: change sorting   h: help
Source                                         Destination                                   Proto State       TTL       B     P
62.162.62.141:11837                            203.211.113.8:25                              tcp   SYN_RECV      0:00:46 48    1
62.162.62.141:11838                            203.211.113.8:25                              tcp   SYN_RECV      0:00:49 48    1
94.50.85.109:4412                              203.211.113.8:80                              tcp   ESTABLISHED 114:34:09 204   4
116.71.20.6:2674                               203.211.113.8:80                              tcp   ESTABLISHED  97:19:16 200   4
119.30.103.187:4469                            203.211.113.8:80                              tcp   ESTABLISHED 109:58:01 200   4
119.30.110.116:4542                            203.211.113.8:80                              tcp   ESTABLISHED 112:06:50 200   4
192.168.0.20:55005                             192.168.0.20:993                              tcp   ESTABLISHED 119:59:29 1884  24
192.168.0.20:54999                             192.168.0.20:993                              tcp   ESTABLISHED 119:59:25 8537  102
192.168.0.20:55000                             192.168.0.20:993                              tcp   ESTABLISHED 119:59:25 8567  103
192.168.0.20:55003                             192.168.0.20:993                              tcp   ESTABLISHED 119:59:31 7279  94
192.168.0.20:55004                             192.168.0.20:993                              tcp   ESTABLISHED 119:59:31 6846  89
192.168.0.20:12299                             192.168.0.20:993                              tcp   ESTABLISHED 119:59:24 12695 177
192.168.0.20:12298                             192.168.0.20:993                              tcp   ESTABLISHED 119:59:30 13155 184
192.168.0.20:55002                             192.168.0.20:993                              tcp   ESTABLISHED 119:59:24 2163  27
192.168.0.20:55006                             192.168.0.20:993                              tcp   ESTABLISHED 119:59:29 2243  29
192.168.0.20:55001                             192.168.0.20:993                              tcp   ESTABLISHED 119:59:24 2163  27
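The "count the IPs and tally up the Len=" step Larry asks about in post #7, as an added example that is not code from any poster in this thread: it assumes tshark's `-T fields` output (three tab-separated columns: ip.src, ip.dst, frame.len) rather than the one-line summary shown above, and the sample capture and host addresses in it are constructed.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread.
# Ranks source IPs by bytes captured: the "tally up the Len=" step,
# done from tshark's field output instead of the default packet
# summary (where Len is often 0 or, for HTTP lines, not printed).
#
# Assumed capture command (-T fields / -e are standard tshark options;
# the 30 s window and the port 22 exclusion follow gilead's post):
#   tshark -i eth0 -a duration:30 -f "not port 22" \
#          -T fields -e ip.src -e ip.dst -e frame.len > capture.tsv
# Each output line is then:  <ip.src> TAB <ip.dst> TAB <frame.len>

# Sum frame.len per source address; print "bytes TAB ip", largest first.
# Frames without an IP layer (ARP etc.) arrive with an empty ip.src and
# are skipped rather than being counted under a blank key.
top_talkers() {
    awk -F'\t' '$1 != "" && $3 ~ /^[0-9]+$/ { bytes[$1] += $3 }
        END { for (ip in bytes) printf "%d\t%s\n", bytes[ip], ip }' |
    sort -rn -k1,1
}

# Constructed sample standing in for capture.tsv (hypothetical hosts).
# The last record is a non-IP frame with both address fields empty.
sample_capture() {
    printf '%s\t%s\t%s\n' \
        192.168.1.50 192.168.1.20 66 \
        192.168.1.20 192.168.1.50 1514 \
        192.168.1.20 192.168.1.50 1514 \
        10.0.0.7 192.168.1.20 60 \
        192.168.1.20 10.0.0.7 1514 \
        '' '' 54
}

# Address at the top of the ranking, for a cron job that logs or
# alerts when one host dominates the link.
busiest_source() {
    top_talkers | head -n 1 | cut -f2
}

sample_capture | top_talkers
```

Replace `sample_capture` with `cat capture.tsv` to run it over a real capture; ip.src alone ranks senders, so swap in `$2` in the awk program to rank receivers instead.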
 
Old 12-10-2008, 01:47 PM   #9
malaprop
LQ Newbie
 
Registered: Dec 2008
Location: TX
Distribution: Ubuntu 8.10
Posts: 26

Rep: Reputation: 16
Check out "iftop"

It'll give you a display (in terminal) of the bandwidth usage.
I think it'll do exactly what you're looking for.
 
Old 12-11-2008, 02:14 AM   #10
jimbo1954
Member
 
Registered: Oct 2006
Location: High Wycombe, Bucks, UK.
Distribution: Debian and Fedora Core in equal measure
Posts: 264

Rep: Reputation: 33
Could be a broadcast storm...

Quote:
Originally Posted by Larry James View Post
Almost all of the IP's are "0".
The IP addresses in the packet (source and destination) should be real addresses in the majority. If you are seeing lots of IP addresses set to "0", this could indicate excessive broadcast activity, either from a broken NIC, a mis-configured interface, or possibly malware activity.
 
All times are GMT -5.