21

Can anyone recommend a Linux command-line tool to monitor the number of bytes transferred between the local server and a specified IP address/port?

The equivalent tcpdump command would be:

tcpdump -s 0 -i any -w mycapture.trc port 80 host google.com

which outputs:

46 packets captured
131 packets received by filter
0 packets dropped by kernel

I'd like something similar that outputs:

54 bytes out, 176 bytes in

I'd like it to work on RHEL and be free/open-source. It would be good if there was an existing tool which I was just missing too!

quanta
Mike

4 Answers

15

You could use iptables. If you're not already using it, you can use an open Accept configuration, but have a rule in place to do the counting.

For example, on RHEL your /etc/sysconfig/iptables file could look something like:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j INPUT
-A INPUT -s 10.10.1.1 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -d 10.10.1.1 -p tcp -m tcp --dport 80 -j ACCEPT

Where 10.10.1.1:80 is the host:port you want to count traffic to (you can't use a hostname). You can then check traffic counted with the command iptables -nvxL as root.

Example output:

Chain INPUT (policy ACCEPT 7133268 packets, 1057227727 bytes)
    pkts      bytes target     prot opt in     out     source               destination     
 7133268 1057227727 ACCEPT     tcp  --  *      *       10.10.1.1            0.0.0.0/0              tcp spt:80


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination     
       0          0 INPUT      all  --  *      *       0.0.0.0/0            0.0.0.0/0       

Chain OUTPUT (policy ACCEPT 7133268 packets, 1057227727 bytes)
    pkts      bytes target     prot opt in     out     source               destination     
 7133268 1057227727 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.10.1.1              tcp dpt:80
brent

It's also completely legal to have a rule without a target, solely for counting purposes, e.g. iptables -A INPUT -d 1.2.3.4 -p tcp --dport 3456 . It won't do anything to the traffic, as there's no "-j" argument, but each matching packet will bump the counts. – MadHatter Oct 28 '10 at 20:42
10

I was about to suggest wireshark (for its many 'conversation' features), but it is not a command-line tool. You could try tshark though, which is a command-line analyzer tool that is closest to wireshark. The output should have (somewhat) what you're looking for (example below):

tshark -R "ip.addr == 10.2.3.67" -z conv,ip -p -f "tcp port 22"

Result:

                                     |       <-      | |       ->      | |     Total     |
                                     | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
10.2.3.23           <-> 10.2.3.67        42     15341      35      4890      77     20231
l0c0b0x

I get `tshark: -R without -2 is deprecated. For single-pass filtering use -Y.` and with `-2` I received `tshark: Live captures do not support two-pass analysis.` – Rohlik Dec 02 '21 at 11:43
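Both the iptables answer and the tshark answer leave you with a counter table rather than the one-line "N bytes out, M bytes in" summary the question asks for. The POSIX shell script below is an added example, not code from either answer: it parses the output of `iptables -nvxL` (the `-x` flag matters, since without it iptables abbreviates large counters to "1057M") and of `tshark -z conv,ip` into that summary. The sample tables are constructed from the two answers' output with different in/out byte counts so the direction is visible; the tshark parser assumes, as the arrows in its header suggest, that the "<-" columns count traffic from the right-hand address to the left-hand one and "->" the reverse.

```shell
#!/bin/sh
# Added example: reduce iptables / tshark counter tables to "N bytes out, M bytes in".

# Byte counters of the two accounting rules from the iptables answer.
# $1 = remote host, $2 = remote port, stdin = output of "iptables -nvxL".
# "in"  = INPUT rule matching packets FROM host with source port $2 (spt:PORT)
# "out" = OUTPUT rule matching packets TO host with destination port $2 (dpt:PORT)
iptables_bytes() {
    awk -v host="$1" -v port="$2" '
        /^Chain /      { chain = $2; next }        # remember which chain we are in
        $1 == "pkts"   { next }                    # skip the column header line
        chain == "INPUT"  && $8 == host && $NF == ("spt:" port) { in_b  += $2 }
        chain == "OUTPUT" && $9 == host && $NF == ("dpt:" port) { out_b += $2 }
        END { printf "%d bytes out, %d bytes in\n", out_b, in_b }'
}

# Same summary from the tshark answer's "-z conv,ip" table.
# $1 = remote host, stdin = the conversation table. A data row reads
#   A <-> B  frames bytes  frames bytes  frames bytes
# where the first pair ("<-") is traffic B->A and the second ("->") is A->B.
tshark_bytes() {
    awk -v host="$1" '
        $2 == "<->" && ($1 == host || $3 == host) {
            if ($3 == host) { out_b += $7; in_b += $5 }   # remote is B: A->B leaves us
            else            { out_b += $5; in_b += $7 }   # remote is A: B->A leaves us
        }
        END { printf "%d bytes out, %d bytes in\n", out_b, in_b }'
}

# Constructed sample: the iptables answer's layout with made-up counters
# (1 packet / 54 bytes out, 3 packets / 176 bytes in).
IPTABLES_SAMPLE='Chain INPUT (policy ACCEPT 7133268 packets, 1057227727 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3        176 ACCEPT     tcp  --  *      *       10.10.1.1            0.0.0.0/0              tcp spt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 INPUT      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7133268 packets, 1057227727 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1         54 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.10.1.1              tcp dpt:80'

# Constructed sample: the tshark answer's conversation table, unchanged.
TSHARK_SAMPLE='                                     |       <-      | |       ->      | |     Total     |
                                     | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
10.2.3.23           <-> 10.2.3.67        42     15341      35      4890      77     20231'

# Demo on the constructed samples. On a real box pipe the live output in instead:
#   iptables -nvxL | iptables_bytes 10.10.1.1 80
printf '%s\n' "$IPTABLES_SAMPLE" | iptables_bytes 10.10.1.1 80   # 54 bytes out, 176 bytes in
printf '%s\n' "$TSHARK_SAMPLE"   | tshark_bytes 10.2.3.67        # 4890 bytes out, 15341 bytes in
```

Because the iptables rules are keyed on `spt:`/`dpt:` in the last column, the parser keeps working if you later add the target-less counting rules MadHatter describes, as long as the host and port are still in the usual columns.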
7

There is also a tool called 'iftop' which displays bandwidth usage on an interface by host. I think iftop can do what you described but normally its interface is something like 'top'.

So for your example, I think that you can just create a config file to provide your filter-code.

So here is my filter-code in my config file.

$ cat /tmp/conf
filter-code: port http and host google.com

Then, I ran the following to see the network traffic.

$ sudo iftop -c /tmp/conf

Not sure if this is the best option but certainly one way to achieve what you need. HTH.

istudy0

You can also specify the filter on the command line without using a config file: `iftop -f 'port 80 and host google.com'` – gioele Jul 27 '15 at 14:27

OP would like the total transferred bytes, not the bandwidth. Can `iftop` show that? – arainone Aug 09 '19 at 07:11
3

You can also try "iptraf"; it's lightweight and simple. It can filter by port and gives you high-level info, no payload data, etc.