
I am looking for a method in Linux to log the amount of data transmitted (received and sent separately) for every single IP address to which data was sent or from which it was received. These statistics would be running on the router, behind which is a private network. I am looking for statistics between the private network and the internet.

I am aware of tools like vnstat, iptraf, and also iptables capabilities, but from what I understand, none of these can do so per each IP address with which communication occurred. Port does not matter here.

Perhaps there is a smart way to parse tcpdump .pcap output? The application here would be to monitor anomalies from within a private network. I.e., if an unknown IP address seems to be receiving a large amount of data from within the network, it could mean an intrusion.
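As an added, illustrative take on the pcap idea above (this is not code from the original thread): a dependency-free Python script that walks a classic libpcap capture, parses the Ethernet/IPv4 headers, and totals bytes per external IP split into "out" (private network to that IP) and "in" (that IP to the private network), then lists the external IPs that received more than a threshold. It assumes the LAN is 192.168.1.0/24 and handles only the classic pcap format, not pcapng; the frame and pcap builders exist so the example runs offline on constructed data.

```python
import ipaddress
import struct
from collections import defaultdict

# Assumption: the private (LAN) side of the router is this subnet; adjust to taste.
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")
PCAP_MAGIC = b"\xd4\xc3\xb2\xa1"  # classic libpcap magic 0xa1b2c3d4, little-endian

def ipv4_endpoints(frame):
    """Return (src, dst, ip_total_length) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]  # IP header + payload, not the Ethernet frame
    return ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34]), total_len

def parse_pcap(data):
    """Yield raw frames from classic pcap bytes (24-byte global header, 16-byte record headers)."""
    endian = "<" if data[:4] == PCAP_MAGIC else ">"
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def account(frames, lan=PRIVATE_NET):
    """Bytes per external IP: 'out' = LAN -> IP, 'in' = IP -> LAN; LAN-internal traffic is ignored."""
    stats = defaultdict(lambda: {"in": 0, "out": 0})
    for src, dst, n in filter(None, map(ipv4_endpoints, frames)):
        if src in lan and dst not in lan:
            stats[str(dst)]["out"] += n
        elif dst in lan and src not in lan:
            stats[str(src)]["in"] += n
    return dict(stats)

def outliers(stats, threshold):
    """External IPs that received more than `threshold` bytes from the LAN, largest first."""
    return sorted((ip for ip, s in stats.items() if s["out"] > threshold), key=lambda ip: -stats[ip]["out"])

def make_frame(src, dst, payload_len):
    """Constructed frame for offline testing: Ethernet + minimal IPv4 header + zero payload."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + b"\x00" * payload_len

def make_pcap(frames):
    """Constructed classic pcap bytes wrapping the given frames (link type 1 = Ethernet)."""
    out = PCAP_MAGIC + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

For a real capture, `account(parse_pcap(open(path, "rb").read()))` does the accounting; capture on the router's LAN-facing interface, since on the WAN side of a NAT router the private addresses have already been translated away.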

2 Answers

1

Another very basic tool, with much less functionality, but solving exactly the topic question is 'darkstat'. Provides in/out bytes per IP address in addition to general data usage graphs.

0

Check out ntop. It can do what you want.

[Screenshot: ntop traffic analysis]

dmourati
This is great, thanks! For anyone else interested in the same problem as me, in the ntop config you should set "sticky hosts" ON in startup preferences and set the hosts_purge settings (there are two) to 0 in the preferences in the admin panel. – Fermion Portal Sep 07 '14 at 19:08