Accurately measuring traffic in a network

	In my network, I have a variable number of devices connected to a 
single modem/router, both wire and wireless. I would like to monitor the 
amount of data that goes through that router, both in and out. Ideally, 
the router should do this. And it does, but in a very limited, rather 
coarse, way. 

	Are there any Linux applications that, running in a Linux system 
connected to this network, would allow me to monitor that traffic 
accurately? Notice that I mean the total traffic going through the 
router, from all devices in the network, not just the Linux system 
running the application.
0
Harold
8/7/2016 8:27:00 PM
comp.os.linux.networking
On 2016-08-07 22:27, Harold Johanssen wrote:
> 	In my network, I have a variable number of devices connected to a 
> single modem/router, both wire and wireless. I would like to monitor the 
> amount of data that goes through that router, both in and out. Ideally, 
> the router should do this. And it does, but in a very limited, rather 
> coarse, way. 
> 
> 	Are there any Linux applications that, running in a Linux system 
> connected to this network, would allow me to monitor that traffic 
> accurately? Notice that I mean the total traffic going through the 
> router, from all devices in the network, not just the Linux system 
> running the application.

It can only be done /accurately/ if the router provides the
measurements. Post processing can be done elsewhere.


-- 
Cheers, Carlos.
0
Carlos
8/8/2016 3:14:23 AM
Harold Johanssen <noemail@please.net> writes:

> 	In my network, I have a variable number of devices connected to a 
> single modem/router, both wire and wireless. I would like to monitor the 
> amount of data that goes through that router, both in and out. Ideally, 
> the router should do this. And it does, but in a very limited, rather 
> coarse, way. 
> 
> 	Are there any Linux applications that, running in a Linux system 
> connected to this network, would allow me to monitor that traffic 
> accurately? Notice that I mean the total traffic going through the 
> router, from all devices in the network, not just the Linux system 
> running the application.

There are several ways:

* ip -s link show will show you the traffic that has passed through
  each of your interfaces, in packets and in bytes.
* If you want separate figures for TCP, UDP, ICMP, or by port numbers,
  you could use a number of netfilter rules (iptables) and look at the
  number by calling iptables -vL
* I have once used tcpdump, hacked a little to account and log the
  traffic it gets from the socket via libpcap.
* Yet another option is nfcapd/nfdump to capture traffic from an
  interface and analyze/account it on the same or another host.

urs
0
Urs
9/20/2016 5:40:41 PM
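An added example, not part of the original post: a parser for the text output of `ip -s link show` that turns two samples into per-interface byte rates. The sample output is constructed and the function names are hypothetical. These counters cover only the interfaces of the machine where the command runs, so they measure the whole network only if that machine is the one forwarding the traffic.

```python
import re

# Constructed sample of `ip -s link show` output (not captured from a real host).
SAMPLE_T0 = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    5120       64       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    5120       64       0       0       0       0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    1000000    900      0       0       0       12
    TX: bytes  packets  errors  dropped carrier collsns
    250000     700      0       0       0       0
"""
# Second constructed sample, 60 s later: only the eth0 counters have advanced.
SAMPLE_T1 = (SAMPLE_T0.replace("1000000    900", "1600000    1400")
                      .replace("250000     700", "400000     1000"))

HEADER = re.compile(r"^\d+:\s+([^:@\s]+)")   # "2: eth0: <...>" -> "eth0"

def parse_ip_s_link(text):
    """Return {ifname: {rx_bytes, rx_packets, tx_bytes, tx_packets}}."""
    stats, name, pending = {}, None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                                   # start of a new interface
            name, pending = m.group(1), None
            stats[name] = {}
            continue
        fields = line.split()
        if fields and fields[0] in ("RX:", "TX:"):
            pending = fields[0][:2].lower()     # the values are on the next line
        elif pending and name and len(fields) >= 2:
            stats[name][pending + "_bytes"] = int(fields[0])
            stats[name][pending + "_packets"] = int(fields[1])
            pending = None
    return stats

def byte_rates(before, after, seconds):
    """Bytes per second per interface between two samples `seconds` apart."""
    return {ifn: {k: (after[ifn][k] - before[ifn][k]) / seconds
                  for k in ("rx_bytes", "tx_bytes")}
            for ifn in after if ifn in before}
```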
On Tue, 20 Sep 2016 19:40:41 +0200, Urs Thuermann wrote:

> Harold Johanssen <noemail@please.net> writes:
> 
>> 	In my network, I have a variable number of devices connected to a
>> single modem/router, both wire and wireless. I would like to monitor
>> the amount of data that goes through that router, both in and out.
>> Ideally, the router should do this. And it does, but in a very limited,
>> rather coarse, way.
>> 
>> 	Are there any Linux applications that, running in a Linux system
>> connected to this network, would allow me to monitor that traffic
>> accurately? Notice that I mean the total traffic going through the
>> router, from all devices in the network, not just the Linux system
>> running the application.
> 
> There are several ways:
> 
> * ip -s link show will show you the traffic that has passed through
>   each of your interfaces, in packets and in bytes.
> * If you want separate figures for TCP, UDP, ICMP, or by port numbers,
>   you could use a number of netfilter rules (iptables) and look at the
>   number by calling iptables -vL
> * I have once used tcpdump, hacked a little to account and log the
>   traffic it gets from the socket via libpcap.
> * Yet another option is nfcapd/nfdump to capture traffic from an
>   interface and analyze/account it on the same or another host.

	It would seem that, for that to work, I would have to do it in every 
device connected to my network. That would be certainly impractical, 
probably unfeasible - I have no privileged access to all those devices.
0
Harold
9/20/2016 7:53:06 PM
On 2016-09-20, Harold Johanssen <noemail@please.net> wrote:
> On Tue, 20 Sep 2016 19:40:41 +0200, Urs Thuermann wrote:
>
>> Harold Johanssen <noemail@please.net> writes:
>> 
>>> 	In my network, I have a variable number of devices connected to a
>>> single modem/router, both wire and wireless. I would like to monitor
>>> the amount of data that goes through that router, both in and out.
>>> Ideally, the router should do this. And it does, but in a very limited,
>>> rather coarse, way.
>>> 
>>> 	Are there any Linux applications that, running in a Linux system
>>> connected to this network, would allow me to monitor that traffic
>>> accurately? Notice that I mean the total traffic going through the
>>> router, from all devices in the network, not just the Linux system
>>> running the application.
>> 
>> There are several ways:
>> 
>> * ip -s link show will show you the traffic that has passed through
>>   each of your interfaces, in packets and in bytes.
>> * If you want separate figures for TCP, UDP, ICMP, or by port numbers,
>>   you could use a number of netfilter rules (iptables) and look at the
>>   number by calling iptables -vL
>> * I have once used tcpdump, hacked a little to account and log the
>>   traffic it gets from the socket via libpcap.
>> * Yet another option is nfcapd/nfdump to capture traffic from an
>>   interface and analyze/account it on the same or another host.
>
> 	It would seem that, for that to work, I would have to do it in every 
> device connected to my network. That would be certainly impractical, 
> probably unfeasible - I have no privileged access to all those devices.

Then why are you doing this? It seems pretty intrusive to me,
especially as you do not have control of the network or the systems
connected to it.
But anyway, presumably every packet has to pass by your one machine, so
that it can see if it is a packet for it or something else. For example
tcpdump can look at every packet passing by. 
0
William
9/21/2016 4:59:28 AM
William Unruh <unruh@invalid.ca> writes:
> But anyway, presumably every packet has to pass by your one machine, so
> that it can see if it is a packet for it or something else. For example
> tcpdump can look at every packet passing by. 

I’ve seen nothing in the description which indicates that every packet
goes through his ‘one machine’ - only through the router[1] which he’s
already said doesn’t do adequate monitoring.

  [1] presumably in fact a combined modem, router, switch and AP

If the router supports SNMP then traffic on each port can almost
certainly be measured with that.  Otherwise with the current hardware
the OP is probably out of luck.

The only option I can see would be to buy a separate AP and a managed
switch, each with sufficient monitoring capabilities[2], and use those
instead of the combined device.  As it happens that’s close to the
structure of my home network, although not for the same reasons.

  [2] or a combined switch/AP; but when I was looking for one I couldn’t
      find one that met my performance requirements and had to buy separate
      devices.

-- 
http://www.greenend.org.uk/rjk/
0
Richard
9/21/2016 7:59:05 AM
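An added example, not part of the original post: per-port traffic computed from two SNMP polls of the IF-MIB octet counters, assuming the router exposes them. The snmpwalk-style lines are constructed and the function names are hypothetical; port 1 shows a Counter32 that wraps past 2^32 between the polls.

```python
import re

# Constructed snmpwalk-style output for two polls of the same device, 60 s apart.
POLL_T0 = """\
IF-MIB::ifInOctets.1 = Counter32: 4294000000
IF-MIB::ifOutOctets.1 = Counter32: 500000
IF-MIB::ifInOctets.2 = Counter32: 1000
IF-MIB::ifOutOctets.2 = Counter32: 2000
"""
POLL_T1 = """\
IF-MIB::ifInOctets.1 = Counter32: 1032704
IF-MIB::ifOutOctets.1 = Counter32: 800000
IF-MIB::ifInOctets.2 = Counter32: 6000
IF-MIB::ifOutOctets.2 = Counter32: 2000
"""

# Matches the 32-bit ifInOctets/ifOutOctets and the 64-bit ifHC* variants.
LINE = re.compile(r"^IF-MIB::if(?:HC)?(In|Out)Octets\.(\d+) = Counter(32|64): (\d+)$")

def parse_poll(text):
    """Return {(ifIndex, "In"|"Out"): (value, counter_bits)}."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            direction, index, bits, value = m.groups()
            out[(int(index), direction)] = (int(value), int(bits))
    return out

def octet_deltas(before, after):
    """Octets transferred per (port, direction), correcting one counter wrap."""
    deltas = {}
    for key, (new, bits) in after.items():
        if key not in before:
            continue                       # port appeared between polls
        old, _ = before[key]
        # Counters are modulo 2**bits: a smaller new value means it wrapped.
        deltas[key] = (new - old) % (1 << bits)
    return deltas

def bits_per_second(deltas, seconds):
    """Average rate per (port, direction) over the polling interval."""
    return {key: octets * 8 / seconds for key, octets in deltas.items()}
```

The modulo correction recovers at most one wrap, so the polling interval has to be shorter than the time a Counter32 takes to wrap at line rate, and a device reboot between polls resets the counters and is indistinguishable from a wrap here.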
On 2016-09-21, Richard Kettlewell <invalid@invalid.invalid> wrote:
> William Unruh <unruh@invalid.ca> writes:
>> But anyway, presumably every packet has to pass by your one machine, so
>> that it can see if it is a packet for it or something else. For example
>> tcpdump can look at every packet passing by. 
>
> I’ve seen nothing in the description which indicates that every packet
> goes through his ‘one machine’ - only through the router[1] which he’s
> already said doesn’t do adequate monitoring.

Often it does. It does not have to, but packets tend to get dumped onto
the lan for each machine to pick out which packets are its.

>
>   [1] presumably in fact a combined modem, router, switch and AP
>
> If the router supports SNMP then traffic on each port can almost
> certainly be measured with that.  Otherwise with the current hardware
> the OP is probably out of luck.
>
> The only option I can see would be to buy a separate AP and a managed
> switch, each with sufficient monitoring capabilities[2], and use those
> instead of the combined device.  As it happens that’s close to the
> structure of my home network, although not for the same reasons.
>
>   [2] or a combined switch/AP; but when I was looking for one I couldn’t
>       find one that met my performance requirements and had to buy separate
>       devices.
>
0
William
9/21/2016 1:22:30 PM
William Unruh wrote:
> On 2016-09-21, Richard Kettlewell <invalid@invalid.invalid> wrote:
>> William Unruh <unruh@invalid.ca> writes:
>>> But anyway, presumably every packet has to pass by your one machine, so
>>> that it can see if it is a packet for it or something else. For example
>>> tcpdump can look at every packet passing by.
>>
>> I’ve seen nothing in the description which indicates that every packet
>> goes through his ‘one machine’ - only through the router[1] which he’s
>> already said doesn’t do adequate monitoring.
>
> Often it does. It does not have to, but packets tend to get dumped onto
> the lan for each machine to pick out which packets are its.

In 2016? Are you still using a hub?

0
Andy
9/21/2016 3:09:21 PM
William Unruh <unruh@invalid.ca> wrote:
> Often it does. It does not have to, but packets tend to get dumped
> onto the lan for each machine to pick out which packets are its.

I'm pretty sure that most if not virtually all home gateways have
built-in switches (aka multi-port bridges) behind their RJ45
connections, (and joining to the wireless "segment") rather than hubs,
so I don't think that is going to be doable thanks to the traffic
isolation.  And of course, there probably isn't much "ThinLAN" being
run these days :)

rick jones
-- 
portable adj, code that compiles under more than one compiler
these opinions are mine, all mine; HPE might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hpe.com but NOT BOTH...
0
Rick
9/21/2016 8:28:30 PM
On Wed, 21 Sep 2016 08:59:05 +0100, Richard Kettlewell wrote:

> William Unruh <unruh@invalid.ca> writes:
>> But anyway, presumably every packet has to pass by your one machine, so
>> that it can see if it is a packet for it or something else. For example
>> tcpdump can look at every packet passing by.
> 
> I’ve seen nothing in the description which indicates that every packet
> goes through his ‘one machine’ - only through the router[1] which he’s
> already said doesn’t do adequate monitoring.

	Correct. That's what I wanted to convey. I think I never said 
anything about all the packets going through a specific machine - other 
than the router.

>   [1] presumably in fact a combined modem, router, switch and AP

	Right.
 
> If the router supports SNMP then traffic on each port can almost
> certainly be measured with that.  Otherwise with the current hardware
> the OP is probably out of luck.

	I think I am.
 
> The only option I can see would be to buy a separate AP and a managed
> switch, each with sufficient monitoring capabilities[2], and use those
> instead of the combined device.  As it happens that’s close to the
> structure of my home network, although not for the same reasons.
> 
>   [2] or a combined switch/AP; but when I was looking for one I couldn’t
>       find one that met my performance requirements and had to buy separate
>       devices.

	Thanks for the suggestion; I will look into it.

0
Harold
9/21/2016 9:21:09 PM
William Unruh <unruh@invalid.ca> writes:
> Richard Kettlewell <invalid@invalid.invalid> wrote:
>> William Unruh <unruh@invalid.ca> writes:
>>> But anyway, presumably every packet has to pass by your one machine, so
>>> that it can see if it is a packet for it or something else. For example
>>> tcpdump can look at every packet passing by. 
>>
>> I’ve seen nothing in the description which indicates that every packet
>> goes through his “one machine” - only through the router[1] which he’s
>> already said doesn’t do adequate monitoring.
>
> Often it does. It does not have to, but packets tend to get dumped
> onto the lan for each machine to pick out which packets are its.

Not with any modern network equipment in a normal configuration...

-- 
http://www.greenend.org.uk/rjk/
0
Richard
9/21/2016 9:56:58 PM