Incoming and out Going Broadcasted network traffic
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Incoming and out Going Broadcasted network traffic
This question is with reference to Linux OS.
Does Linux maintain any data structures or internal proc file system to store the incoming and outgoing bytes that are transmitted through broadcast method only.
I looked at /sys/class/net/<if>/.., but could not find any.
Is there any way to capture this info for every second so that , I can use them to calculate used bandwidth of any given interface.
The command ifconfig will display received and transmitted bytes and packets on each interface. Writing a simple script to poll those values will achieve what you want. There are also some tools available but I don't use them so don't have the details.
If you did a simple search for what you want you would find a lot of resources so you could choose what would work for your needs. We are not in the business of performing web searches for you.
The command ifconfig will display received and transmitted bytes and packets on each interface. Writing a simple script to poll those values will achieve what you want. There are also some tools available but I don't use them so don't have the details.
If you did a simple search for what you want you would find a lot of resources so you could choose what would work for your needs. We are not in the business of performing web searches for you.
ifconfig is not really much helpful here, it displays only the broadcast address not actual statistics.
But I have found a way using tool called ethtool to display statistics
According to this, multicast is packets.
Broadcast statistics are not standard, dependent on the device driver.
There is a suggestion here that will show packets.
True, it is a single value, not defined by time other than since the interface was last activated, but with readings taken at specified intervals (maybe in a database) it is easy to calculate the rate.
OTOH ethtool has many more features so good luck with it.
I really do not understand why you would be concerned with broadcast and multicast bits/bytes/packets since other than transmitted the machine has no control over that. Received and transmitted OTOH actually reflect the amount of data actually going over the interface.
While I don't remember the units for sure, I think it is packets. Those are packets that are generally received or transmitted when a device on the net needs to obtain an arp packet so it can send data directly to the target. Broadcast goes to all devices on the net, multicast goes to several but limited in scope.
I really do not understand why you would be concerned with broadcast and multicast bits/bytes/packets since other than transmitted the machine has no control over that. Received and transmitted OTOH actually reflect the amount of data actually going over the interface.
While I don't remember the units for sure, I think it is packets. Those are packets that are generally received or transmitted when a device on the net needs to obtain an arp packet so it can send data directly to the target. Broadcast goes to all devices on the net, multicast goes to several but limited in scope.
We are actually setting some upper limit on each interface how much it should receive, exceeding that limit has to be handled so that we can detect broadcast storm or any other activity(which can be an attack etc..)
I understand what you are asking for, but it seems that should be related to a rate rather than an absolute top value received/sent. If a user transfers a large file but does not exceed the capacity of the network or interface in the speed at which it transfers then that may be OK. A flood of smaller packets that may be a lot less data but received in a very short time may overwhelm the ability of the interface to respond. That is really what you appear to be concerned about and you may have to track the rate for packets as well as data in order to handle it properly.
This is similar to the many ways that have been devised of identifying and handling a DDOS attack.
I understand what you are asking for, but it seems that should be related to a rate rather than an absolute top value received/sent.
This is where we can read the values in certain time period (for every 5 sec or so) take the diff of previous and current bytes, then convert them to appropriate kB's/Mb's as required then match with whatever threshold value.
Is that not enough, pls comment, am really new to this.
That is what I anticipated according to your posts. There are a lot of already existing methods available. I found many with a search for "how to detect ddos attack" and "tools to detect ddos attack"
I have never played with it myself, but I think you really should set the trigger on packets and not on data (bytes) since as I mentioned earlier downloading a large file could transfer a lot of data in large packets in a short time but is in no way an attack. In fact, if the attacker is transferring a lot of data then you already have a broken system.
OTOH, most ddos attacks depend on overwhelming the ability of the system to respond to everything incoming so they use a flood of much smaller packets.
Last edited by computersavvy; 08-05-2021 at 10:55 AM.
OTOH, most ddos attacks depend on overwhelming the ability of the system to respond to everything incoming so they use a flood of much smaller packets.
The one DDoS "method" I got anywhere close to was a dos .bat file, which everybody on some irc channel ran simultaneously. It just pinged the chosen address. I forbade my kids using it.
The one DDoS "method" I got anywhere close to was a dos .bat file, which everybody on some irc channel ran simultaneously. It just pinged the chosen address. I forbade my kids using it.
I remember that, called a "ping flood". I heard about it but refused to indulge, as you did. A normal ping waits for a response, a flood does not wait but sends out as fast as possible.
That is not even close to what is used today with all the bot nets (windows machines with back doors and trojans) that do the true distributed attacks by remote control from around the world and are capable of bringing down even massive systems.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.