Here is a usage example and the corresponding output: blackbird:~$ tcpdump-stats -a -t 20 /data/capture/20200629-08/wan.pcap* - not net 188.0.0.0/24 In order to do that, tcpdump arguments must be separated from script arguments with the - marker. It is possible to pass tcpdump arguments, this allows to filter packets in the PCAP files. xz, …) as long as the corresponding cat-like tools (ex: zcat, xzcat, …) are available in $PATH. u, -unsupported Print unsupported tcpdump output to stderr. t, -top=NUMBER Top n connections, default 10. a, -all Overall stats instead of per PCAP file stats. Print traffic statistics from PCAP file(s). Here is a script, tcpdump-stats, to sum the amount of IP traffic by srcip.srcport > dstip.dstport keys and to print the top n keys. What you want is a quick tool you can run directly from your Linux based network probe, something simple and stupid. You could retrieve a PCAP file on you computer, open it in wireshark and play with statistics, or index packets metadata in some database in order to be able to aggregate counters, … but in most cases this may be overkill. Tcpdump can read from your PCAP files with the option -r, and this is great! But it won’t give any sum nor bit-rate for traffic exchanged between IP addresses.
If you play with packet captures on a regular basis, it’s likely you’ve already wondered if it’s possible to identify quickly what generates most traffic, what amount of data was transferred, etc.
0 kommentar(er)
