2

I'm trying to get the Ethernet NIC throughput rate / data transfer rate on a VPS in order to start a capture in Wireshark during DoS/DDoS attacks so I can analyze the nature of the packets.

I'm aware that I can use something called a ring buffer to limit the file size of Wireshark files and just keep Wireshark running. However, I would like to only start capturing traffic once a specific network traffic threshold is reached, as this would make it easier for me to separate the files before inspecting them.

I have looked at several command line tools such as iftop, vnstat and nload, which all do a nice job of providing output to the terminal.

However, can someone help me with a command in either one of those tools, or another nice way to simply capture the DTR, that would allow me to start a Wireshark capture? Else, is there an existing command in TShark that allows this to happen?

I'm Root James
  • 202
  • 1
  • 12

2 Answers

1

You can run TShark with these options:

tshark -i 1 -a duration:30 -q -z io,stat,0

Meaning:

-i 1 : Listen on your first interface. Adjust as needed for your desired interface. (You can use tshark -D to get a list of interfaces to choose from.)

-a duration:30 : autostop after 30 seconds

-q : Don't display the packets as they are captured; just display a summary at the end

-z io,stat,0 : Collect and display IO statistics at the end, using an interval of zero seconds. The zero interval means the statistics will be calculated over all packets.

Run the capture. It'll stop after 30 seconds (or you can end it early, typically with Ctrl+C) and you'll get a summary like this:

12645 packets captured

=====================================
| IO Statistics                     |
|                                   |
| Duration: 29.1 secs               |
| Interval: 29.1 secs               |
|                                   |
| Col 1: Frames and bytes           |
|-----------------------------------|
|                |1                 |
| Interval       | Frames |  Bytes  |
|-----------------------------------|
| 0.000 <> 29.1  |  12645 | 8694272 |
=====================================

You can then divide 8694272 bytes by 29.1 seconds to see a throughput of 298,772 bytes per second during that capture window.

To automate, run that however often you want -- maybe every five minutes -- and then parse the results with your favorite tool to pull out the duration and the total bytes. Do the division, and launch Wireshark if the throughput is over a designated threshold.

Doug Deden
  • 1,796
  • 6
  • 10
  • Thanks! However, I'm trying to script a solution that only begins capture during a high throughput rate load, and then stops when the DTR load has stabilized. I would either use the Wireshark CLI alone if it has this option to passively monitor and then capture when I want it to, or I will script a Python solution that will passively monitor DTR and then start a Wireshark capture. – I'm Root James Jul 03 '19 at 19:17
  • I modified your answer slightly by adding a duration to the tshark command: tshark -i eno1 -a duration:5 -q -z io,stat,0 (duration is in seconds). Thanks for your answer! – I'm Root James Jul 12 '19 at 00:51
  • There is another problem with the above approach. The duration returned is not the same as the duration you requested in the command. Maybe the reported duration is only the interval during which any packets are being captured. Your example above requests a 30 second capture, but the duration and interval are 29.1 seconds. When using a 10 second interval, I get results roughly between 1 second and 7 seconds. That is not going to work for what I'm doing. Unless maybe you have some insight as to why the returned duration is so far off the requested duration. – I'm Root James Jul 12 '19 at 19:03
  • My guess is that tshark runs for 30 seconds, but it takes a little while to start up and shut down the capture, so the net duration of the captured packets is a bit less than what you ask for. (But it is sometimes longer than the requested duration, so there is something else going on.) You'll have to parse the duration from the output and use it as the denominator in your calculation. My testing has always resulted in a reported duration within one second of the requested duration -- so you could also run it for 60 seconds, and you'll be off by less than 2%. – Doug Deden Jul 12 '19 at 19:11
  • I posted a solution that I will use in Python that I will use to start a capture when the threshold is above average. I will set the capture command with duration of a few minutes. – I'm Root James Jul 12 '19 at 19:52
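Putting the answer's procedure into a script (an added example, not the answerer's or the asker's code): it parses the io,stat,0 table shown above, uses the reported duration rather than the requested one as the denominator (the mismatch discussed in the comments), and builds the follow-on capture command. The interface name, output file name and threshold are assumptions.

```python
import re
import subprocess

# Sample output of `tshark -a duration:30 -q -z io,stat,0`, copied from the
# answer above so the parser can be exercised without a live capture.
SAMPLE_OUTPUT = """12645 packets captured

=====================================
| IO Statistics                     |
|                                   |
| Duration: 29.1 secs               |
| Interval: 29.1 secs               |
|                                   |
| Col 1: Frames and bytes           |
|-----------------------------------|
|                |1                 |
| Interval       | Frames |  Bytes  |
|-----------------------------------|
| 0.000 <> 29.1  |  12645 | 8694272 |
=====================================
"""

def parse_io_stat(text):
    """Return (duration_secs, total_bytes) from the io,stat,0 table."""
    # Use the duration tshark reports, not the one requested with -a:
    # the comments above show the two can differ by a second or more.
    duration = float(re.search(r"Duration:\s*([\d.]+)\s*secs", text).group(1))
    # Data row: "| 0.000 <> 29.1  |  12645 | 8694272 |"
    row = re.search(r"<>[^|]*\|\s*(\d+)\s*\|\s*(\d+)\s*\|", text)
    return duration, int(row.group(2))

def throughput_bps(text):
    """Average throughput in bytes per second over the probe window."""
    duration, total_bytes = parse_io_stat(text)
    return total_bytes / duration

def probe(interface, seconds):
    """Run the probe command from the answer and return its text output."""
    return subprocess.check_output(
        ["tshark", "-i", interface, "-a", "duration:%d" % seconds,
         "-q", "-z", "io,stat,0"], universal_newlines=True)

def capture_command(interface, seconds, out_file):
    """Command that captures for `seconds` once the threshold is crossed."""
    return ["tshark", "-i", interface, "-a", "duration:%d" % seconds,
            "-w", out_file]

def should_capture(text, threshold_bps):
    """True when the probe window's throughput exceeds threshold_bps."""
    return throughput_bps(text) > threshold_bps
```

A scheduler (cron, or a loop with time.sleep) would call probe() every few minutes and run capture_command() via subprocess when should_capture() returns True.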
0

Here is a solution in Python that will parse Linux interface data for RX (received data). It seems to closely match the output of nload; however, it sometimes reports higher than the nload max by a multiple.

import subprocess
import time

INTERFACE = "eno1"   # interface to watch
DURATION = 1         # sampling window in seconds


def read_rx_bytes(interface):
    """Return the RX byte counter of `interface` from `ip -s link`."""
    output = subprocess.check_output(
        ["ip", "-s", "link", "show", "dev", interface],
        stderr=subprocess.STDOUT, universal_newlines=True)
    lines = output.splitlines()
    # The RX counters sit on the line after the "RX: bytes ..." header;
    # locating that header is safer than assuming a fixed line index.
    for index, line in enumerate(lines):
        if line.strip().startswith("RX:"):
            return int(lines[index + 1].split()[0])
    raise ValueError("no RX counters found for %s" % interface)


while True:
    rx_bytes_1 = read_rx_bytes(INTERFACE)
    time.sleep(DURATION)
    rx_bytes_2 = read_rx_bytes(INTERFACE)
    # Bytes per second divided by 1024*1024 gives MiB/s, not megabits/s.
    rx_rate = round((rx_bytes_2 - rx_bytes_1) / (DURATION * 1024.0 * 1024.0), 4)
    print("Throughput: " + str(rx_rate) + " MiB/s.")

I'm Root James
  • 202
  • 1
  • 12