Analyzing IPtraf output
Hello everyone,

I'm trying to capture and analyze *all* traffic (not just web traffic,
which I can use Wusage for) coming to and from my server.  I've
recently been introduced to iptraf and am wondering about how I'm to
use its statistics.

I'm thinking of having it run in the background for all interfaces
(iptraf -i all -B) and capturing it a day at a time and summarizing
and storing each day's traffic in a flat file db.

Here's a sample of the data I get when I capture some traffic:

Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.233:80 to
172.16.1.180:41664; FIN sent; 7 packets, 4712 bytes, avg flow rate
0.00 kbits/s
Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.180:41664
to 172.16.1.233:80; FIN acknowleged
Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.180:41664
to 172.16.1.233:80; FIN sent; 8 packets, 864 bytes, avg flow rate 0.00
kbits/s
Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.233:80 to
172.16.1.180:41664; FIN acknowleged
Thu Jun 24 12:21:53 2004; UDP; eth0; 68 bytes; from 172.16.8.7:4135 to
255.255.255.255:7100

In the Perl script I write to analyze this data, I'm going to separate
the traffic by TCP and UDP, but I was confused about what "bytes" I'm
supposed to add and subtract.

For instance, this line is the request (I think):
Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.180:41664
to 172.16.1.233:80; FIN acknowleged

And this is the response (I think):
Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.180:41664
to 172.16.1.233:80; FIN sent; 8 packets, 864 bytes, avg flow rate 0.00
kbits/s

You'll notice that the 52 bytes is in both lines.  Should I only "add
up" the traffic on the "FIN sent" lines to avoid reporting a higher
amount of traffic that is actually coming through?

Any help is appreciated,
-- 
Kevin Old
kevinold@gmail.com
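As an added example (not Kevin's script, which is not on the page), here is a Perl parser for the record layout quoted above. It keeps the per-packet size field (the "52 bytes" every record carries, the length of the packet that triggered that log entry) apart from the per-connection totals iptraf appends to "FIN sent" records, so the two are never added into one figure. The sample records are the ones from the post, reassembled one per line as iptraf writes them.

```perl
#!/usr/bin/perl
# Added example: parse iptraf -B log records and keep two separate tallies
# per protocol, so per-packet sizes and connection totals are not mixed.
use strict;
use warnings;

# Constructed sample: the records quoted in the post, one record per line
# (the mail client had wrapped them across lines).
my @sample = (
    'Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.233:80 to 172.16.1.180:41664; FIN sent; 7 packets, 4712 bytes, avg flow rate 0.00 kbits/s',
    'Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.180:41664 to 172.16.1.233:80; FIN acknowleged',
    'Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.180:41664 to 172.16.1.233:80; FIN sent; 8 packets, 864 bytes, avg flow rate 0.00 kbits/s',
    'Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.233:80 to 172.16.1.180:41664; FIN acknowleged',
    'Thu Jun 24 12:21:53 2004; UDP; eth0; 68 bytes; from 172.16.8.7:4135 to 255.255.255.255:7100',
);

# Parse one record into a hash ref; returns undef for lines that do not match.
sub parse_line {
    my ($line) = @_;
    chomp $line;
    my @f = split /;\s*/, $line;          # fields are separated by "; "
    return undef if @f < 5;
    my %rec;
    @rec{qw(time proto iface)} = @f[0 .. 2];
    ($rec{pkt_bytes}) = $f[3] =~ /^(\d+) bytes/ or return undef;
    @rec{qw(src sport dst dport)} = $f[4] =~ /^from (\S+):(\d+) to (\S+):(\d+)/
        or return undef;
    $rec{event} = $f[5] if @f > 5;        # e.g. "FIN sent", "FIN acknowleged"
    # "FIN sent" records also carry iptraf's totals for the closed connection,
    # one record per direction; per-packet lines have no such field.
    if (@f > 6 and $f[6] =~ /^(\d+) packets, (\d+) bytes/) {
        @rec{qw(conn_packets conn_bytes)} = ($1, $2);
    }
    return \%rec;
}

# Sum per protocol: the per-packet size of every logged packet, separately
# from the per-connection totals reported on "FIN sent" records.
sub summarize {
    my %sum;
    for my $line (@_) {
        my $r = parse_line($line) or next;
        my $s = $sum{ $r->{proto} } ||= { records => 0, pkt_bytes => 0,
                                           conns => 0, conn_packets => 0, conn_bytes => 0 };
        $s->{records}++;
        $s->{pkt_bytes} += $r->{pkt_bytes};
        next unless defined $r->{conn_bytes};
        $s->{conns}++;
        $s->{conn_packets} += $r->{conn_packets};
        $s->{conn_bytes}   += $r->{conn_bytes};
    }
    return \%sum;
}

my $sum = summarize(@sample);
for my $proto (sort keys %$sum) {
    printf "%s: %d records, %d bytes in logged packets; %d closed connection halves, %d packets, %d bytes\n",
        $proto, @{ $sum->{$proto} }{qw(records pkt_bytes conns conn_packets conn_bytes)};
}
```

With the sample above, the two "FIN sent" records describe the two directions of one TCP connection (7 packets/4712 bytes one way, 8 packets/864 bytes the other), while the four "52 bytes" fields only count the four close-handshake packets iptraf logged; replace `@sample` with the lines read from the iptraf log file to run it on a real day's capture.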