A very simple bandwidth monitor

From FBSD_tips


Rationale

There are a great number of bandwidth monitors in ports, most of which are capable of in-depth analysis of bandwidth utilization. This tiny hack is just designed to get a quick look at traffic passing on the interface in a few lines of shell, using only the tools found in BASE. It uses the IPFW 'count' action, which does nothing more than what it says: it increments the rule's counters and proceeds to the next rule.

Example

To track port 80 and port 22 traffic on the interface, alongside a count of all TCP traffic, put these rules early in the ruleset, ahead of any rule that denies or redirects packets, so that no packets are missed.

ipfw add 310 count tcp from any to any via dc0
ipfw add 320 count tcp from any to any 22 via dc0
ipfw add 330 count tcp from any to any 80 via dc0


Now, when you want to poll the traffic that matches these rules, it is as simple as 'ipfw show rule1 rule2 ... ruleN':

# ipfw show 310 320 330 
00310     1431      989068 count tcp from any to any via dc0
00320      517       29819 count tcp from any to any dst-port 22 via dc0
00330        5         374 count tcp from any to any dst-port 80 via dc0

The 1st column is the rule number. The 2nd column is the number of packets matched. The 3rd column is the number of bytes passed. The balance of the line is the rule body.

Watching

If you want to watch the counters 'in real time', you can get a bit fancier, as in Watching_things, and do this:

while [ 1 ]; do clear; ipfw show 310 320 330; sleep 1; done

This is kind of a "poor man's" curses-based updater.

Analysis

You can now track any rule you can think of; the limit is your need and imagination. For instance, from this group of rules you can calculate the proportion of ssh and web traffic to each other or to the total network traffic. Another use might be to track outgoing traffic vs. incoming.

Discussion

The counters are in kernel memory and will reset if the machine reboots or if the firewall rules are re-read. If you want to make them persistent, you could write them to a file.
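The proportion calculation from the Analysis section and the saved-snapshot idea above, as an added example that is not part of the original page: it parses `ipfw show` output with awk and handles a counter that has been reset between two snapshots. The function names `share_of_total` and `byte_delta` and the second snapshot are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. `ipfw show` columns:
#   $1 = rule number, $2 = packets, $3 = bytes, remainder = rule body.

# SAMPLE is the output shown on the page; SNAP2 is a constructed later
# snapshot in which rule 320's counter went backwards (ruleset reload).
SAMPLE='00310     1431      989068 count tcp from any to any via dc0
00320      517       29819 count tcp from any to any dst-port 22 via dc0
00330        5         374 count tcp from any to any dst-port 80 via dc0'
SNAP2='00310     2000     1500000 count tcp from any to any via dc0
00320       10         900 count tcp from any to any dst-port 22 via dc0
00330       40        3374 count tcp from any to any dst-port 80 via dc0'

# share_of_total TOTAL_RULE  (reads `ipfw show` output on stdin)
# Prints "rule bytes percent", percent being relative to TOTAL_RULE's bytes.
share_of_total() {
    awk -v total_rule="$1" '
        NF >= 3 { r = $1 + 0; bytes[r] = $3 + 0; order[++n] = r }
        END {
            total = bytes[total_rule + 0]
            for (i = 1; i <= n; i++) {
                r = order[i]
                pct = (total > 0) ? 100 * bytes[r] / total : 0
                # %.0f rather than %d: some awk builds limit %d to 32 bits
                printf "%05d %.0f %.2f\n", r, bytes[r], pct
            }
        }'
}

# byte_delta PREV_FILE CUR_FILE
# Prints "rule delta_bytes" between two saved snapshots. A counter that went
# backwards was reset, so the current value is reported instead of a
# negative delta; a rule missing from PREV_FILE is treated the same way.
byte_delta() {
    awk '
        FILENAME == ARGV[1] { prev[$1] = $3 + 0; next }
        NF >= 3 {
            cur = $3 + 0
            d = (($1 in prev) && cur >= prev[$1]) ? cur - prev[$1] : cur
            printf "%s %.0f\n", $1, d
        }' "$1" "$2"
}
```

On a live system, `ipfw show 310 320 330 | share_of_total 310` gives each rule's share of all TCP bytes, and redirecting `ipfw show` to a file at intervals provides the snapshots for `byte_delta`.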
