
HARDWARE BASED TRAFFIC Monitor  
Eth0 is behind the firewall and has a private IP; Eth1 is in promiscuous mode with no address bound, so it can monitor all traffic coming into and leaving the cable/ADSL modem.

The Linux box has libpcap and tcpdump installed, in addition to a Perl script which logs 10-minute sums of traffic.

Sample Output
(Date/Time/Source IP/Dest IP/Source Port/Dest Port/Protocol/Data Size/Packet Count)

2003-11-30 21:20:00 203.45.100.200 61.9.208.14 3553 domain udp 64 1
2003-11-30 21:20:00 61.9.208.15 203.45.100.200 domain 1548 udp 98 1
2003-11-30 21:20:00 61.9.208.15 203.45.100.200 domain 1073 udp 113 1
2003-11-30 21:20:00 203.45.100.200 61.9.208.14 3550 domain udp 71 1
2003-11-30 21:20:00 202.139.232.71 203.45.100.200 http 3573 tcp 40746 34
2003-11-30 21:20:00 202.139.232.71 203.45.100.200 http 3561 tcp 40769 34
2003-11-30 21:20:00 203.45.100.200 61.9.208.14 3532 domain udp 54 1
2003-11-30 21:20:00 203.45.100.200 61.9.208.14 3536 domain udp 48 1
2003-11-30 21:20:00 203.45.100.200 61.9.208.14 1074 domain udp 225 4
2003-11-30 21:20:00 61.9.208.13 203.45.100.200 5051 5050 udp 16 2
2003-11-30 21:20:00 61.9.208.15 203.45.100.200 domain 3531 udp 97 1
2003-11-30 21:20:00 203.45.100.200 61.9.208.14 3547 domain udp 71 1
2003-11-30 21:20:00 203.45.100.200 61.9.208.14 3533 domain udp 49 1
2003-11-30 21:20:00 194.69.203.105 203.45.100.200 na na icmp 1 1
2003-11-30 21:20:00 203.45.100.200 61.9.208.13 5050 5050 udp 84 2
2003-11-30 21:20:00 61.9.208.14 203.45.100.200 domain 3549 udp 115 1
2003-11-30 21:20:00 203.45.100.200 205.188.146.88 32776 domain udp 36 1
2003-11-30 21:20:00 61.9.208.15 203.45.100.200 domain 1545 udp 95 1
2003-11-30 21:20:00 203.45.101.79 203.45.100.200 1025 1221 tcp 0 1
2003-11-30 21:20:00 61.9.208.14 203.45.100.200 domain 3544 udp 112 1
2003-11-30 21:20:00 203.45.100.200 61.9.208.14 1547 domain udp 181 3
2003-11-30 21:20:00 218.61.78.120 203.45.100.200 na na icmp 1 1
2003-11-30 21:20:00 61.9.208.14 203.45.100.200 domain 1027 udp 319 2
2003-11-30 21:20:00 203.45.100.200 192.58.128.30 32776 domain udp 68 2
2003-11-30 21:20:00 61.9.208.14 203.45.100.200 domain 3533 udp 100 1
2003-11-30 21:20:00 61.9.208.14 203.45.100.200 domain 3552 udp 116 1
2003-11-30 21:20:00 61.9.208.15 203.45.100.200 domain 3533 udp 100 1
2003-11-30 21:20:00 61.9.208.14 203.45.100.200 domain 3553 udp 109 1
2003-11-30 21:20:00 61.9.208.14 203.45.100.200 domain 3542 udp 119 1
2003-11-30 21:20:00 61.9.208.14 203.45.100.200 domain 3535 udp 97 1
2003-11-30 21:20:00 203.45.100.200 61.9.208.15 1073 domain udp 49 1
2003-11-30 21:20:00 203.45.100.200 61.9.208.14 3551 domain udp 73 1
2003-11-30 21:20:00 61.9.208.14 203.45.100.200 domain 1546 udp 224 2
2003-11-30 21:20:00 203.45.156.57 203.45.100.200 na na icmp 1 1
2003-11-30 21:20:00 203.45.100.200 61.9.208.15 3529 domain udp 53 1
2003-11-30 21:20:00 61.9.208.15 203.45.100.200 domain 3538 udp 99 1
2003-11-30 21:20:00 61.9.208.15 203.45.100.200 domain 3539 udp 121 1
2003-11-30 21:20:00 144.135.24.13 203.45.100.200 pop3 3569 tcp 299 13
2003-11-30 21:20:00 61.9.208.14 203.45.100.200 domain 1519 udp 817 4
2003-11-30 21:20:00 61.9.208.14 203.45.100.200 domain 3536 udp 99 1
2003-11-30 21:20:00 61.9.208.15 203.45.100.200 domain 3535 udp 97 1
2003-11-30 21:20:00 61.9.208.15 203.45.100.200 domain 3530 udp 118 1
2003-11-30 21:20:00 203.45.100.200 66.187.224.4 ntp ntp udp 48 1
2003-11-30 21:20:00 203.45.100.200 61.9.208.15 1548 domain udp 46 1
2003-11-30 21:20:00 61.9.208.14 203.45.100.200 domain 3547 udp 116 1
2003-11-30 21:20:00 203.45.100.200 61.9.208.14 3540 domain udp 53 1

Perl Script Source Code

#!/usr/bin/perl
# Capture command.  The trailing '|' is what makes a two-argument open()
# treat this string as a shell pipeline and read tcpdump's stdout:
#   -tt  raw epoch timestamps   -n  no name lookups   -q  terse output
#   -l   line-buffered stdout   -i  capture interface  "not arp" filter
our $cmd = q{/usr/sbin/tcpdump -tt -n -q -l -i eth1 not arp |};
# Directory that receives one log file per ten-minute bucket.
our $dump_dir = q{/var/log/traffic};

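# Write the flow counters collected for the bucket $time to one log file and
# drop that bucket from the in-memory table.
#
# Each line of the file is "$time $index $bytes $count", where $index is the
# "srcip dstip srcport dstport proto" key built by the main loop.  Lines are
# written in sorted index order so two runs over the same data give identical
# files.  The file name is "$time.log" with spaces replaced by underscores.
#
# Arguments:
#   $time - bucket key as produced by get_time_stamp
#   $hash - reference to the table: bucket -> index -> { bytes, count }
#   $dir  - optional output directory; defaults to the global $dump_dir
#
# Returns nothing.  Does nothing (and creates no file) when $time has no
# bucket in the table.  Dies if the file cannot be opened or closed, so a
# missing directory or a full disk no longer passes silently.
sub dump_time {
    my ($time, $hash, $dir) = @_;
    $dir = $dump_dir unless defined $dir;

    # Nothing recorded for this bucket (or no bucket key at all): leave no
    # trace rather than creating an empty or misnamed file.
    return unless defined $time and exists $hash->{$time};

    (my $filename = "$dir/$time.log") =~ s/ /_/g;

    # Three-argument open with an explicit mode and a lexical handle: the
    # name can never be read as a mode or a pipe, and failure is reported.
    open my $out, '>', $filename or die "cannot open $filename: $!";
    my $bucket = $hash->{$time};
    foreach my $index (sort keys %{$bucket}) {
        my $bytes = $bucket->{$index}{bytes};
        my $count = $bucket->{$index}{count};
        print {$out} "$time $index $bytes $count\n";
    }
    # Buffered write errors only surface at close, so check it as well.
    close $out or die "cannot close $filename: $!";

    # Delete through the reference.  The previous version copied the table
    # into a local %hash and deleted from the copy, so the caller's table
    # kept every flushed bucket for the lifetime of the capture.
    delete $hash->{$time};
    return;
}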

# Turn an epoch value (as printed by tcpdump -tt) into the key of the
# ten-minute bucket it falls in, formatted "YYYY-MM-DD HH:MM:00" in local
# time.  Seconds are always reported as 00 and the minute is rounded down
# to a multiple of ten.
#
# Arguments:
#   $the_time - seconds since the epoch (fractional part is ignored)
#
# Returns the bucket key string.
sub get_time_stamp {
    my ($the_time) = @_;
    my (undef, $minute, $hour, $mday, $mon, $year) = localtime($the_time);
    # Floor to the start of the enclosing ten-minute bucket.
    my $bucket_minute = $minute - ($minute % 10);
    return sprintf '%04d-%02d-%02d %02d:%02d:00',
        $year + 1900, $mon + 1, $mday, $hour, $bucket_minute;
}

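# Main loop: read tcpdump's one-line-per-packet summaries, fold each packet
# into the flow counters of its ten-minute bucket, and write a bucket out
# as soon as the first packet of the next bucket arrives.
#
# Assumes tcpdump's output is in time order (a packet from an earlier bucket
# would re-create that bucket and its file would be overwritten on the next
# flush).

# Dotted-quad address with the dots escaped; the old pattern used bare '.'
# and would have accepted any character between the octets.
my $ipv4 = qr/\d+\.\d+\.\d+\.\d+/;

# Same command line as $cmd, as an argument list: the list-form pipe open
# starts tcpdump directly without a shell, and a failed open is reported
# instead of silently producing an empty capture.
my @tcpdump = qw(/usr/sbin/tcpdump -tt -n -q -l -i eth1 not arp);
open(my $traffic, '-|', @tcpdump) or die "cannot run @tcpdump: $!";

my %data;          # bucket -> flow index -> { bytes, count }
my $current = '';  # bucket currently being accumulated ('' before the first packet)

LINE: while (my $line = <$traffic>) {
    my ($when, $index, $size);
    if ($line =~ /(.+) ($ipv4)\.?(.*) > ($ipv4)\.?(.*):\s+(\S+)\s+(\d+)/) {
        # "src.port > dst.port: proto length" (udp/tcp lines in the sample).
        # $1 is everything before the source address; tcpdump -tt puts the
        # epoch time first, and localtime() only uses the leading number.
        my ($srcip, $srcport, $dstip, $dstport, $proto, $bytes) = ($2, $3, $4, $5, $6, $7);
        $when = $1;
        $srcport = 'na' if $srcport eq '';
        $dstport = 'na' if $dstport eq '';
        $index = "$srcip $dstip $srcport $dstport $proto";
        $size  = $bytes;
    }
    elsif ($line =~ /(.+) ($ipv4) > ($ipv4):\s+(\S+):/) {
        # "src > dst: proto:" lines carry no length (icmp in the sample);
        # each packet counts as one byte so the size column is never empty.
        my ($srcip, $dstip, $proto) = ($2, $3, $4);
        $when  = $1;
        $index = "$srcip $dstip na na $proto";
        $size  = 1;
    }
    else {
        next LINE;
    }

    my $stamp = get_time_stamp($when);
    # First packet of a new bucket: flush the finished one.
    if ($current ne '' and $current ne $stamp) {
        dump_time($current, \%data);
    }
    $current = $stamp;
    $data{$stamp}{$index}{bytes} += $size;
    $data{$stamp}{$index}{count} += 1;
}

# Flush the bucket still in memory; there is none if no line ever matched,
# which previously produced a stray "/.log"-style file with an empty name.
dump_time($current, \%data) if $current ne '';
# A false close on a pipe means tcpdump exited abnormally; say so rather
# than ending silently with a partial log.
close $traffic or warn "tcpdump ended abnormally: $! (exit status $?)\n";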


© 2006-2007 Christopher Burke