I'd like to count the number of incoming packets on a network interface (e.g. eth0) for a specific period of time (till 5 minutes after executing the script). How can I do it via a shell or Python script? Which one is more accurate?

I'm aware of network tools such as iptraf, but I want it to be done via a script and preferably print the counted value on screen or into a file.

msw
Sina Sh
  • I think you can use `/sys/class/net/eth0/statistics/rx_packets`. It contains only a number, so you just need to check it twice and subtract – Duffydake Dec 11 '15 at 21:07
  • @Duffydake Given the stated problem, that ought be the answer. The other answers, though valid, are certainly overkill for the request. – msw Dec 11 '15 at 22:05

3 Answers

Check out https://github.com/dugsong/pypcap. It uses libpcap and it looks like it supports Linux/Win/Mac.

```python
>>> import pcap
>>> for ts, pkt in pcap.pcap():
...     print(ts, repr(pkt))
```

Someone posted a longer example script here: http://pylibpcap.sourceforge.net

Back2Basics

If you're using a Linux shell, you can use tcpdump to get the job done. Most of the commands used in the shell are pre-installed in most Linux distributions.

```sh
#!/bin/sh
# Run this with sudo and pass your machine's IP address as the argument.
# Usage: sudo ./<nameOfTheScript> <IPofYourMachine>

# Parameters
captureTime=300

# Capture packets for $captureTime seconds; tcpdump's summary goes to stderr
tcpdump -i eth0 dst host "$1" > /dev/null 2> out &
pid=$!
sleep "$captureTime"
kill "$pid"
wait "$pid"   # let tcpdump finish writing its summary before reading it

# Extract relevant data (second-to-last line of the summary)
tail -2 out | head -1 | cut -d " " -f 1

# Cleaning up!
rm out
```

The shell runs tcpdump for 300 seconds and terminates it. tcpdump outputs the data that you require to stderr. That would be the reason to redirect that stream to a file (2> out). The second-to-last command of the shell extracts the data that we want from the full message that's thrown from tcpdump. It needs to be run with sudo! Also, don't forget to modify the listening interface as required.

If it's still not clear about why I've done what I've done, let me know!

Harsh
  • `tcpdump -i eth0` will capture outgoing packets too. You should add `ip dst $Ipaddr` or an equivalent to make sure you've got only incoming packets – Duffydake Dec 11 '15 at 21:42
  • Yes, I thought about it, but missed it while writing the script! Anyways, the edit should fix the issue. – Harsh Dec 11 '15 at 21:55
  • Thanks a lot, it works for me like a charm :-) There's only one thing: for some generated traffic it doesn't seem to work properly (e.g. 5 Gb/s or higher), I don't get any accurate value. How can I fix it? – Sina Sh Dec 12 '15 at 20:09
  • @Sina Sh Use kernel files instead of a libpcap-based tool, it's faster and more reliable for high-speed connections, see my answer. – Duffydake Dec 14 '15 at 01:01

You can use `/sys/class/net/INTERFACE/statistics/rx_packets` if you are using the Linux kernel (I don't know about BSD, ... kernels).

capture.sh interface time_in_seconds

```sh
#!/bin/sh
pcksFile="/sys/class/net/$1/statistics/rx_packets"
nbPcks=$(cat "$pcksFile")                  # counter value at the start
sleep "$2"
echo $(( $(cat "$pcksFile") - $nbPcks ))   # packets received during the interval
```

Output:

```
$ ./capture.sh eth0 2
7
```

Duffydake
  • This gives me a "permission denied" error, even though I'm root on the machine. Tried "sudo" and got "command not found" for it... chmod +x is done on the file, result still the same. – Sina Sh Dec 14 '15 at 08:55
  • FYI it's Debian 3.16.7 – Sina Sh Dec 14 '15 at 08:56
  • I tried on a Debian 3.15.9 and it works fine even with a "simple" user (root/sudo is not needed): `touch capture.sh`, `nano capture.sh`, copy/paste the script, `chmod +x capture.sh` and then `./capture.sh eth0 10`. My rx_packets file permission is `-r--r--r--` by default – Duffydake Dec 14 '15 at 15:40
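
A Python version of the counter-difference approach from the last answer, added here as an example and not code from any of the posters. It also reads `rx_dropped` and `rx_errors` from the same sysfs directory and validates the interface name before building the path; the function names and the `root` and `sleep` parameters are choices made for this example.

```python
#!/usr/bin/env python3
"""Count packets received on an interface over an interval, from sysfs counters."""
import os
import re
import sys
import time

SYSFS_NET = "/sys/class/net"
# rx_packets is the counter from the answer; the other two are standard
# files in the same directory, read to show loss during the interval.
COUNTERS = ("rx_packets", "rx_dropped", "rx_errors")
# Linux interface names: 1-15 characters, no '/' or whitespace.
IFNAME_RE = re.compile(r"[^/\s]{1,15}")


def read_counters(iface, root=SYSFS_NET):
    """Return {counter: int} for iface, rejecting names that could escape root."""
    if iface in (".", "..") or not IFNAME_RE.fullmatch(iface):
        raise ValueError("invalid interface name: %r" % iface)
    stats_dir = os.path.join(root, iface, "statistics")
    values = {}
    for name in COUNTERS:
        with open(os.path.join(stats_dir, name)) as fh:
            values[name] = int(fh.read().strip())
    return values


def count_rx(iface, seconds, root=SYSFS_NET, sleep=time.sleep):
    """Sample the counters, wait, sample again, and return the differences."""
    before = read_counters(iface, root)
    started = time.monotonic()
    sleep(seconds)
    elapsed = time.monotonic() - started
    after = read_counters(iface, root)
    delta = {name: after[name] - before[name] for name in COUNTERS}
    # A negative difference means the counter was reset (driver reload,
    # interface re-created); the interval total is then not meaningful.
    delta["counter_reset"] = any(delta[name] < 0 for name in COUNTERS)
    delta["elapsed_seconds"] = elapsed
    return delta


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s INTERFACE SECONDS" % sys.argv[0])
    result = count_rx(sys.argv[1], float(sys.argv[2]))
    for key in COUNTERS + ("counter_reset", "elapsed_seconds"):
        print("%s=%s" % (key, result[key]))
```

Run as `python3 count_rx.py eth0 300` (the file name is arbitrary); a non-zero `rx_dropped` difference means packets were lost during the interval and `rx_packets` undercounts what arrived on the wire.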