
I am looking for a tool to monitor traffic on some ports of a CentOS server. On this server, each service runs on a port from 3000 to 3050, and I would like to compare traffic consumption across these services, such as which is the main talker/listener.

/proc/net/dev only gives the global amount of bits sent and received on the network interface, and not at port level.

Every tool I have found googling provides reports at interface level (such as eth0) and none at port level, but I may not have searched enough after all.

Do you guys know any way to do such thing?

user9517
philippe
  • Thanks a lot, folks! I really appreciate the first solution, which is command-line based and lets me build scripts from it. tcpdump is interactive, so I have to use screen or put stuff into crontab to use it, and then parse the output afterwards. And iptraf, like iftop, is graphic-like. Thanks again, I have enough material to continue :) – philippe Nov 08 '11 at 22:31

3 Answers


tcpdump:

[root@bespinwerks ~] # tcpdump -i eth0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:23:39.478997 IP dw135-198-237-222.dhcpw.sest.example.com.3364 > bespinwerks.http: Flags [S], seq 388975608, win 65535, options [mss 1260,nop,wscale 1,nop,nop,sackOK], length 0
12:23:39.479043 IP bespinwerks.http > dw135-198-237-222.dhcpw.sest.example.com.3364: Flags [S.], seq 3273086762, ack 388975609, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
12:23:39.479982 IP dw135-198-237-222.dhcpw.sest.example.com.3364 > bespinwerks.http: Flags [.], ack 1, win 32768, length 0
12:23:39.480543 IP dw135-198-237-222.dhcpw.sest.example.com.3364 > bespinwerks.http: Flags [P.], seq 1:595, ack 1, win 32768, length 594
12:23:39.480564 IP bespinwerks.http > dw135-198-237-222.dhcpw.sest.example.com.3364: Flags [.], ack 595, win 110, length 0
12:23:39.542350 IP bespinwerks.http > dw135-198-237-222.dhcpw.sest.example.com.3364: Flags [.], seq 1:3781, ack 595, win 110, length 3780
12:23:39.543976 IP dw135-198-237-222.dhcpw.sest.example.com.3364 > bespinwerks.http: Flags [.], ack 2521, win 32768, length 0
12:23:39.544007 IP bespinwerks.http > dw135-198-237-222.dhcpw.sest.example.com.3364: Flags [.], seq 3781:7561, ack 595, win 110, length 3780
12:23:39.544884 IP dw135-198-237-222.dhcpw.sest.example.com.3364 > bespinwerks.http: Flags [.], ack 3781, win 32768, length 0

EDIT: After re-reading your question, iftop may be a better option:

                             12.5Kb                        25.0Kb                        37.5Kb                        50.0Kb                  62.5Kb
+----------------------------+-----------------------------+-----------------------------+-----------------------------+-----------------------------
bespinwerks:ssh                                              => dw135-198-237-222.dhcpw.sest.example.com:dj-ilm                   1.48Kb  1.88Kb  2.08Kb
                                                             <=                                                                160b    160b    177b
192.168.1.255:netbios-dgm                                    => STATION:netbios-dgm                                       0b      0b      0b
                                                             <=                                                                  0b    194b     51b
192.168.1.255:17500                                          => rm-macbook:17500                                                 0b      0b      0b
                                                             <=                                                                  0b    109b     57b
255.255.255.255:17500                                        => rm-macbook:17500                                                 0b      0b      0b
                                                             <=                                                                  0b    109b     57b
255.255.255.255:17500                                        => GACDTL05RX7322:17500                                             0b      0b      0b
                                                             <=                                                                  0b      0b    116b
bespinwerks:41307                                            => bespin:domain                                                    0b      0b     16b
                                                             <=                                                                  0b      0b     36b
bespinwerks:39407                                            => bespin:domain                                                    0b      0b     15b
                                                             <=                                                                  0b      0b     21b
bespinwerks:44091                                            => bespin:domain                                                    0b      0b     15b
                                                             <=                                                                  0b      0b     20b
bespinwerks:44738                                            => bespin:domain                                                    0b      0b     15b
                                                             <=                                                                  0b      0b     19b
bespinwerks:59540                                            => bespin:domain                                                    0b      0b     16b
                                                             <=                                                                  0b      0b     16b
bespinwerks:49364                                            => bespin:domain                                                    0b      0b     15b
                                                             <=                                                                  0b      0b     15b
192.168.1.255:17500                                          => STATION:17500                                             0b      0b      0b
                                                             <=                                                                  0b      0b     29b
Rilindo
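To turn the tcpdump approach above into something scriptable for the asker's 3000-3050 range (one bounded capture, no screen session), here is an added example that is not part of the original answer. It runs tcpdump with -nn so ports stay numeric, -c so the capture ends by itself, and a portrange filter, then reduces the lines to "port bytes_in bytes_out total top_peer", largest total first, so it also names the remote host that moved the most bytes on each service port. The function name, the eth0 default, the IPv4-only parsing and the addresses in the comments are assumptions; the "length N" figure tcpdump prints for TCP is the segment payload, so pure ACKs count as zero.

```shell
#!/bin/sh
# Sum captured TCP payload bytes per local service port and name the
# busiest remote peer for each. Added example, not code from the original
# answer. Assumes IPv4 and the default tcpdump TCP line format with -nn:
#   HH:MM:SS.us IP SRC.SPORT > DST.DPORT: Flags [..], ..., length N

FIRST=3000
LAST=3050

# Reads tcpdump output on stdin, prints "port in out total top_peer".
port_talkers() {
    awk -v first="$FIRST" -v last="$LAST" '
        $2 == "IP" && $(NF - 1) == "length" {
            len = $NF + 0
            # host and port are separated by the last dot (IPv4 only);
            # with -nn the port is numeric, a name like "http" would be 0
            n = split($3, s, "."); sport = s[n] + 0
            shost = substr($3, 1, length($3) - length(s[n]) - 1)
            d = $5; sub(/:$/, "", d)
            n = split(d, t, "."); dport = t[n] + 0
            dhost = substr(d, 1, length(d) - length(t[n]) - 1)
            if (dport >= first && dport <= last) {      # inbound to a service
                in_b[dport] += len; peer[dport, shost] += len; seen[dport] = 1
            }
            if (sport >= first && sport <= last) {      # outbound from a service
                out_b[sport] += len; peer[sport, dhost] += len; seen[sport] = 1
            }
        }
        END {
            # pick the peer with the most bytes (either direction) per port
            for (k in peer) {
                split(k, kv, SUBSEP); p = kv[1]; h = kv[2]
                if (!(p in top) || peer[k] > best[p]) { best[p] = peer[k]; top[p] = h }
            }
            for (p in seen)
                printf "%s %d %d %d %s\n", p, in_b[p] + 0, out_b[p] + 0,
                       in_b[p] + out_b[p], top[p]
        }' | sort -k4,4nr
}

# Usage from a script or cron job (no interaction needed because -c bounds
# the run):  ./port_talkers.sh capture eth0 10000
if [ "${1:-}" = "capture" ]; then
    tcpdump -i "${2:-eth0}" -nn -c "${3:-10000}" \
        "tcp portrange $FIRST-$LAST" | port_talkers
fi
```

Because tcpdump is sampling payload lengths rather than reading kernel counters, the numbers are only as complete as the capture window and the filter; widen -c or replace it with a timed run if the services are bursty.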

Or you could use targetless iptables, which is quite legal and harmless:

iptables -A INPUT -p tcp --dport 3000
iptables -A INPUT -p tcp --dport 3001
...
iptables -A INPUT -p tcp --dport 3050

and

iptables -A OUTPUT -p tcp --sport 3000
iptables -A OUTPUT -p tcp --sport 3001
...
iptables -A OUTPUT -p tcp --sport 3050

Since none of these rules has a target, none of them will change the traffic flow. But each of them will increment its packet and byte counts for each matching packet, so iptables -L -n -v should return something like

15733  933K           tcp  --  * *      0.0.0.0/0      0.0.0.0/0     tcp dpt:3000
5733   133K           tcp  --  * *      0.0.0.0/0      0.0.0.0/0     tcp dpt:3001
...

Note this assumes you aren't using any firewalling right now; if you are, these rules will need to go in the right place in the INPUT and OUTPUT chains, i.e., first.

Given the number of ports you're monitoring, you might want to delegate this to a user-defined chain to keep your iptables output sane; but that's an exercise for you!

MadHatter
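Taking up the "exercise for you" in the answer above, here is an added example (not the answerer's code) that puts the targetless rules in a user-defined chain, hooks that chain in at position 1 of INPUT and OUTPUT so the counters run before any existing firewall rule can accept or drop a packet, and reduces the counter listing to one "port bytes_in bytes_out total" line per service, largest first. The chain name PORTACCT and the port range variables are assumptions; the report reads `iptables -L PORTACCT -n -v -x`, where -x gives exact byte counts instead of the rounded 933K-style figures shown above.

```shell
#!/bin/sh
# Per-port traffic accounting with targetless iptables rules collected in a
# user-defined chain, plus a report sorted by bytes. Added example, not code
# from the original answer. The chain name PORTACCT is an assumption.

CHAIN=PORTACCT
FIRST=3000
LAST=3050

# Print the iptables commands that build the accounting chain.
# Apply with:  ./port_acct.sh rules | sudo sh
port_acct_rules() {
    echo "iptables -N $CHAIN"
    # Jump to the chain from position 1 of INPUT and OUTPUT so packets are
    # counted before any existing rule can ACCEPT or DROP them.
    echo "iptables -I INPUT 1 -p tcp -j $CHAIN"
    echo "iptables -I OUTPUT 1 -p tcp -j $CHAIN"
    p=$FIRST
    while [ "$p" -le "$LAST" ]; do
        # No -j target: the rule only counts, the verdict is left unchanged,
        # and the chain returns to the caller after its last rule.
        echo "iptables -A $CHAIN -p tcp --dport $p"   # bytes in to the service
        echo "iptables -A $CHAIN -p tcp --sport $p"   # bytes out of the service
        p=$((p + 1))
    done
}

# Turn `iptables -L PORTACCT -n -v -x` output (on stdin) into one line per
# port: "port bytes_in bytes_out total", largest total first.
port_acct_report() {
    awk '
        # counter lines start with a numeric packet count; the target column
        # is empty, so match on dpt:/spt: instead of fixed field positions
        $1 ~ /^[0-9]+$/ && match($0, /dpt:[0-9]+/) {
            p = substr($0, RSTART + 4, RLENGTH - 4); in_b[p] += $2; seen[p] = 1
        }
        $1 ~ /^[0-9]+$/ && match($0, /spt:[0-9]+/) {
            p = substr($0, RSTART + 4, RLENGTH - 4); out_b[p] += $2; seen[p] = 1
        }
        END {
            for (p in seen)
                printf "%s %d %d %d\n", p, in_b[p] + 0, out_b[p] + 0, in_b[p] + out_b[p]
        }' | sort -k4,4nr
}

case "${1:-}" in
    rules)  port_acct_rules ;;
    report) iptables -L "$CHAIN" -n -v -x | port_acct_report ;;
    zero)   iptables -Z "$CHAIN" ;;   # reset the counters for a fresh interval
esac
```

The counters are kept in the kernel and vanish on a flush or reboot; `iptables-save -c` and `iptables-restore -c` carry them across a restart if you need that. Unlike tcpdump's payload lengths, these byte counts are taken at the IP layer, so headers and bare ACKs are included.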

iptraf and iftop come to my mind, the former being very small and efficient.

Janne Pikkarainen