Old 06-14-2006, 04:52 PM   #1
BigglesZX
LQ Newbie
 
Registered: Mar 2004
Location: London, UK
Distribution: Debian
Posts: 14

Rep: Reputation: 0
Shell Script: A Broadcast Packet Counter


Hi all,

I'm attempting to create a shell script that will allow me to monitor the amount of broadcast packets being picked up on the LAN I'm using. I'm doing this on a Fedora Core 1 box that I happen to have here, though my "native" environment is Debian and Windows.

Basically I'm not sure where to start. I'm looking at tcpdump but can't fathom a way to count packets from that - my end objective is to be able to graph the results (or have results in a graphable form) so I can see what's happening with the traffic being received. I'm looking to have this happen in real time as opposed to analysing past captures - to have something running continuously to provide up-to-the-minute data.

Any advice to this end would be greatly appreciated! Thank you for taking the time to read this.

Biggs
 
Old 06-14-2006, 07:30 PM   #2
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Lenny/Squeeze/Wheezy/Sid
Posts: 4,162

Rep: Reputation: 505
Almost all packet counters in one way or another are based on tcpdump or the libpcap libraries. Maybe you can steal some ideas from there.

Another idea might be to use iptables. Either you match the broadcast packets and log them to a file (if you are interested where they come from) and you read & process the file.

Or you could use the internal counters of iptables, which you can read and reset.

jlinkels
 
Old 06-14-2006, 08:02 PM   #3
BigglesZX
LQ Newbie
 
Registered: Mar 2004
Location: London, UK
Distribution: Debian
Posts: 14

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jlinkels
Another idea might be to use iptables. Either you match the broadcast packets and log them to a file (if you are interested where they come from) and you read & process the file.

Or you could use the internal counters of iptables, which you can read and reset.
Thanks for your response. I'm not intimately familiar with iptables (and more's the pity) but I will read up and see what I can find.

If I were to set up a script to log the iptables counter value and then reset it each minute - would that seem a reasonable thing to do? I should explain that I'm on a large University network on which each node receives a fair amount of broadcast traffic, and I'm looking to see how that "chatter" varies over time.

Thanks again for your reply.

Biggs
 
Old 06-14-2006, 08:26 PM   #4
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 70
Quote:
Originally Posted by BigglesZX
Thanks for your response. I'm not intimately familiar with iptables (and more's the pity) but I will read up and see what I can find.

If I were to set up a script to log the iptables counter value and then reset it each minute - would that seem a reasonable thing to do? I should explain that I'm on a large University network on which each node receives a fair amount of broadcast traffic, and I'm looking to see how that "chatter" varies over time.

Thanks again for your reply.

Biggs
If you have large amounts of traffic iptables is definitely the best way to go. See, the script will only be querying iptables each minute (not much overhead), and some additional rules have to be added.

Here's the basic gist:
  1. You create a new chain (in the filter table) that will be solely for broadcast packets (maybe call it bcast or similar).
  2. In your INPUT chain, you put an appropriate `jump' to said chain.
  3. Since there is nothing actually in the bcast chain, the packet will only `touch' the chain, and then resume what it was doing.
  4. So then, you need to parse the output of iptables's query of the netfilter chains in a loop.
    • This can be viewed with `iptables -nvL' (verbosely list the chains with numbers instead of DNS)
    • You should see a chain bcast with counters for pkts and bytes
    • You can zero the counters on a chain by using `iptables -Z bcast'
    • Then sleep for 60 seconds
    • Lather, rinse, repeat.
 
Old 06-14-2006, 08:29 PM   #5
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Lenny/Squeeze/Wheezy/Sid
Posts: 4,162

Rep: Reputation: 505
Quote:
Thanks for your response. I'm not intimately familiar with iptables (and more's the pity) but I will read up and see what I can find.
There is plenty of docs around on the Internet. Unfortunately the learning curve is quite steep.

As soon as you understand what forwarding and masquerading is, you can get a kickstart by installing the ipmasq debian package. You need to understand forwarding because that is most likely what you are going to disable on this box. ipmasq creates a firewall script for you based on your current computer configuration and provides an excellent example.

Quote:
If I were to set up a script to log the iptables counter value and then reset it each minute - would that seem a reasonable thing to do?
I would say so. I know of at least one traffic counting package that works in that way (ipac-ng). Unfortunately that package is broken.

jlinkels
 
Old 06-15-2006, 05:13 AM   #6
BigglesZX
LQ Newbie
 
Registered: Mar 2004
Location: London, UK
Distribution: Debian
Posts: 14

Original Poster
Rep: Reputation: 0
Okay, that's great, thanks to you both.

My next question is: if I'm looking to count IP and Ethernet broadcast packets, and IP and Ethernet multicast packets (all together in one rule), what protocols/options am I going to have to give iptables?

Thanks again,

Biggs
 
Old 06-15-2006, 07:04 AM   #7
BigglesZX
LQ Newbie
 
Registered: Mar 2004
Location: London, UK
Distribution: Debian
Posts: 14

Original Poster
Rep: Reputation: 0
I should add that I want to include ARP and ICMP traffic in the count with the IP and Ethernet broad/multicasts, and that the counts would ideally include all packets received, even if they're ultimately dropped by the system (the packet count on the normal INPUT chain seems lower than what tcpdump shows coming in). Thanks again.

Last edited by BigglesZX; 06-15-2006 at 07:50 AM.
 
Old 06-15-2006, 10:50 AM   #8
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 70
Quote:
Originally Posted by BigglesZX
Okay, that's great, thanks to you both.

My next question is: if I'm looking to count IP and Ethernet broadcast packets, and IP and Ethernet multicast packets (all together in one rule), what protocols/options am I going to have to give iptables?

Thanks again,

Biggs
AFAIK, broadcast and multicast are strictly on the IP level (although UDP is often used with multicast). A broadcast address will apply to a specific network. For example, if I have a network 192.168.18.0/24, then any packet with a destination of the broadcast address (192.168.18.255) will (theoretically) reach all hosts on that network. So to match broadcast, you just have to match all packets with destinations of 192.168.18.255.

Similarly, multicast traffic is sent to a specific destination address. Any packet with a destination in the range 224.0.0.0/4 should be considered multicast. Thus, you only have to make a rule to match packets with that destination address.

Quote:
Originally Posted by BigglesZX
Hi all,

I should add that I want to include ARP and ICMP traffic in the count with the IP and Ethernet broad/multicasts, and that the counts would ideally include all packets received, even if they're ultimately dropped by the system (the packet count on the normal INPUT chain seems lower than what tcpdump shows coming in). Thanks again.
I do not think iptables can do arp (anyone?). For that there is arp_tables. ICMP traffic can be matched with `--protocol icmp'. If you put the jump to the dummy chain at the very beginning of INPUT, then its count will reflect the number of attempted packets/bytes. If you put it after any ACCEPT, DROP, or REJECT jumps, it will not be accurate (for example, if you put it after all DROP and REJECT targets, then it will show only those that were accepted). Also, make sure that none of the PREROUTING chains is messing up your count.
 
Old 06-15-2006, 10:53 AM   #9
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 70
Also, when doing packet/byte counts, use `iptables -nvxL' instead of just `iptables -nvL'. The -x makes sure that the `byte-count' will be measured in powers of 2 instead of 10 (for example: without -x 5 kilobytes = 5*10^3 bytes, but with -x 5 kilobytes = 5*2^10 bytes).
 
Old 06-15-2006, 11:17 AM   #10
BigglesZX
LQ Newbie
 
Registered: Mar 2004
Location: London, UK
Distribution: Debian
Posts: 14

Original Poster
Rep: Reputation: 0
Thanks again for your reply. I take it I should put all the testing conditions on the INPUT chain, then only jump to my chain (bcast) if those are met, thus allowing me to count from the bcast chain - right?

Edit: Ignore this, I've got the logic of it worked out in my head now.

Thanks again,

Biggs

Last edited by BigglesZX; 06-15-2006 at 11:26 AM.
 
Old 06-15-2006, 11:20 AM   #11
BigglesZX
LQ Newbie
 
Registered: Mar 2004
Location: London, UK
Distribution: Debian
Posts: 14

Original Poster
Rep: Reputation: 0
Also, should I add separate rules for each "condition" I'm testing for (broadcast, or icmp, or etc) or is there a way to conveniently combine them in one rule? Thanks. B
 
Old 06-15-2006, 11:41 AM   #12
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 70
Quote:
Originally Posted by BigglesZX
Also, should I add separate rules for each "condition" I'm testing for (broadcast, or icmp, or etc) or is there a way to conveniently combine them in one rule? Thanks. B
The normal thing to do is to write many rules whose destination is a single chain. Then count the packets/bytes on that chain. The rules should be located close to each other in the script.

E.g., in your firewall script:
Code:
# The default policy goes here
# E.g.:
# iptables --policy INPUT DROP

iptables --new-chain counted
iptables --append INPUT --destination 192.168.18.255 --jump counted
iptables --append INPUT --destination 224.0.0.0/4    --jump counted
iptables --append INPUT --protocol icmp              --jump counted

# The rest of the chain goes here.
 
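The following script is an added example, not code posted in this thread; it puts the pieces of posts #4, #8, #9 and #12 together into one runnable counter. It assumes the directed broadcast address 192.168.18.255 from osor's example, a chain named counted and a 60-second interval, all overridable through environment variables. Two things differ from the layout in post #12, and both are deliberate. First, there is a single jump from position 1 of INPUT into the chain, and the four classification rules live inside the chain and RETURN; with several jump rules in INPUT a packet that matches two of them (an ICMP echo sent to the broadcast address, say) enters the empty chain twice and is counted twice. Second, `iptables -nvxL` shows a chain-level packet and byte count only for the built-in chains; a user-defined chain's header reads "(N references)", so the script reads the per-rule counters, which also gives a broadcast/multicast/ICMP breakdown for rrdtool. The `-x` flag makes those counters exact integers rather than K/M/G-rounded figures, which is what makes them safe to parse. The listing at the bottom is constructed in the shape iptables prints, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: per-interval broadcast/multicast/ICMP
# counter on top of an iptables chain. Run as root on the measured host.
# Assumed settings (override via the environment):
BCAST=${BCAST:-192.168.18.255}   # directed broadcast of the local /24
CHAIN=${CHAIN:-counted}          # name of the accounting chain
INTERVAL=${INTERVAL:-60}         # seconds between samples

# One jump from the top of INPUT; the match rules sit inside the chain and
# RETURN, so each packet is counted by at most one rule and the rule order
# decides the category (ICMP to the broadcast address counts as broadcast).
# Packets matching nothing fall off the end of the chain and continue down
# INPUT, so the host's own policy is unaffected.
install_rules() {
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
    iptables -A "$CHAIN" -d 255.255.255.255 -j RETURN   # limited broadcast
    iptables -A "$CHAIN" -d "$BCAST"         -j RETURN   # directed broadcast
    iptables -A "$CHAIN" -d 224.0.0.0/4      -j RETURN   # IPv4 multicast
    iptables -A "$CHAIN" -p icmp             -j RETURN   # remaining ICMP
    # Position 1: count before any ACCEPT/DROP/REJECT can end traversal
    # (post #8). Delete a stale jump first so re-running does not stack them.
    iptables -D INPUT -j "$CHAIN" 2>/dev/null
    iptables -I INPUT 1 -j "$CHAIN"
}

# Convert `iptables -nvx -L $CHAIN` output (stdin) into one CSV record:
# timestamp,total_pkts,total_bytes, then the pkts of each rule in chain order.
# With -x the first two fields of a rule line are exact integers; the
# "Chain ..." and "pkts bytes ..." header lines are skipped because their
# first field is not numeric.
listing_to_csv() {
    awk -v ts="$1" '
        $1 ~ /^[0-9]+$/ { pkts += $1; bytes += $2; per = per "," $1 }
        END { printf "%s,%d,%d%s\n", ts, pkts, bytes, per }'
}

# Sample forever. Listing and zeroing in one iptables invocation (-L with -Z)
# keeps the gap between reading and clearing the counters as small as the
# tool allows; it is still not atomic, so a busy LAN may lose a packet or
# two per interval. Redirect stdout to a file and feed it to rrdtool.
poll_loop() {
    while :; do
        iptables -nvx -L "$CHAIN" -Z | listing_to_csv "$(date +%s)"
        sleep "$INTERVAL"
    done
}

# Constructed listing in the shape `iptables -nvx -L counted` prints after
# install_rules (not captured from a real host); exercises the parser.
SAMPLE_LISTING='Chain counted (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     812      56840 RETURN     all  --  *      *       0.0.0.0/0            255.255.255.255
     430      31250 RETURN     all  --  *      *       0.0.0.0/0            192.168.18.255
     265      27300 RETURN     all  --  *      *       0.0.0.0/0            224.0.0.0/4
      16       1344 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0'

# Usage: `sh bcast-count.sh install` once, then `sh bcast-count.sh poll >> bcast.csv`.
# With no argument it only parses the sample listing.
case "${1:-}" in
    install) install_rules ;;
    poll)    poll_loop ;;
    *)       printf '%s\n' "$SAMPLE_LISTING" | listing_to_csv 0 ;;
esac
```

Each CSV column after the totals maps to one rule in the chain, in the order install_rules appended them, so the fourth per-rule column is ICMP that was not already counted as broadcast or multicast.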
Old 06-15-2006, 02:23 PM   #13
BigglesZX
LQ Newbie
 
Registered: Mar 2004
Location: London, UK
Distribution: Debian
Posts: 14

Original Poster
Rep: Reputation: 0
Got it - and it seems to be working!

Now for some fun with rrdtool. Many thanks to both of you for your helpful replies!

Best regards,

Biggs
 
Tags
bash, iptables, linux, network, networking, packet, shell script