linux 数据包检查,tcpdump – 如何检查数据包的速率？

我正在使用这个脚本实际检查传入数据包的速率,如果速率达到5mbps或更高,它就会被触发.然后将数据包记录到tcpdump文件中.

interface=eth0

dumpdir=/tmp/

while /bin/true; do

pkt_old=`grep $interface: /proc/net/dev | cut -d : -f2 | awk '{ print $2 }'`

sleep 1

pkt_new=`grep $interface: /proc/net/dev | cut -d : -f2 | awk '{ print $2 }'`

pkt=$(( $pkt_new - $pkt_old ))

echo -ne "\r$pkt packets/s\033[0K"

if [ $pkt -gt 5000 ]; then

echo -e "\n`date` Under attack, dumping packets."

tcpdump -n -s0 -c 2000 -w $dumpdir/dump.`date +"%Y%m%d-%H%M%S"`.cap

echo "`date` Packets dumped, sleeping now."

sleep 300

fi

done

输出类似于捕获的2000个数据包.过滤器收到的XXX数据包和内核丢弃的XXX-(减号)2000.

现在我想知道的是,输出文件实际上并没有告诉我攻击的速度,如果它是300mbps还是什么？那么过滤器每秒收到的XXX数据包是多少？如果没有,我该如何检查,因为我的端口有时会饱和.

更新：

我使用程序通过上面的脚本从捕获的文件中捕获统计信息.这是我得到的：

root@$:/tmp/dumps# capinfos dump.20130621-174506.cap

File name: dump.20130621-174506.cap

File type: Wireshark/tcpdump/... - libpcap

File encapsulation: Linux cooked-mode capture

Number of packets: 2000

File size: 2065933 bytes

Data size: 2033909 bytes

Capture duration: 43 seconds

Start time: Fri Jun 21 17:45:06 2013

End time: Fri Jun 21 17:45:49 2013

Data byte rate: 46968.49 bytes/sec

Data bit rate: 375747.94 bits/sec

Average packet size: 1016.95 bytes

Average packet rate: 46.19 packets/sec

我相信攻击可能只持续了15-20秒,而捕获的信息是43秒,因此这里的数据位速率可能已经从这个总时间平均得分.这里可能有用的是,如果有人可以编辑上面的原始脚本而不是捕获2000个数据包并丢弃其余部分,则捕获所有数据包,持续时间为5秒,当阈值达到时.

更新：

在改变了上面提到的脚本之后,看起来文件被损坏了,因为我在Wireshark中读到它说“捕获文件似乎在数据包中间被缩短了.”这是capinfos的输出：

capinfos: An error occurred after reading 3085 packets from `"dump.20130710-215413.cap": Less data was read than was expected.

在第二次尝试时,只有当我在脚本的控制台中按下Ctrl C时才能读取该文件：

capinfos dump.20130710-215413.cap

File name: dump.20130710-215413.cap

File type: Wireshark/tcpdump/... - libpcap

File encapsulation: Linux cooked-mode capture

Number of packets: 18136

File size: 2600821 bytes

Data size: 2310621 bytes

Capture duration: 591 seconds

Start time: Wed Jul 10 21:54:13 2013

End time: Wed Jul 10 22:04:04 2013

Data byte rate: 3909.73 bytes/sec

Data bit rate: 31277.83 bits/sec

Average packet size: 127.41 bytes

Average packet rate: 30.69 packets/sec

注意捕获持续时间为591秒.我相信’睡眠300’在这里有一些事情要做,因为我看到了控制台输出.此输出使用’-c 2000’选项：

./Log.sh

10275 packets/s

Wed Jul 10 12:41:31 MSD 2013 Under attack, dumping packets.

tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

2000 packets captured

100012 packets received by filter

98003 packets dropped by kernel

Wed Jul 10 12:42:34 MSD 2013 Packets dumped, sleeping now.

现在,这是使用’sleep 5’修改脚本后的输出：

./Log.sh

24103 packets/s

Wed Jul 10 21:54:13 MSD 2013 Under attack, dumping packets.

tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

Wed Jul 10 21:54:18 MSD 2013 Packets dumped, sleeping now.

1620 packets/sroot@nl:~# 18136 packets captured

1850288 packets received by filter

1832106 packets dropped by kernel

^C

注意我按下Ctrl C来打破睡眠功能,我想这使得文件的读取成为可能.