How can I monitor total transferred network traffic on a given interface

2

1

I need to monitor the amount of traffic that has passed through a given interface (mobile broadband dongle), so that I am informed when the total reaches (or nears) a given amount.

I have practically free mobile broadband up to a not very generous limit, and would like to start a script each time I want to use the dongle, and have it either warn me when it nears my limit, or tell me the total when I quit the script.

All I need help on right now is using the right command to record the total transfer in human readable values, i.e. as simple as "You have transferred 12.8Mb since monitoring started". I don't care about speed, utilisation or anything except cumulative total.

Once I have a way of calculating the total transfer, I can happily throw in some ipfw commands to firewall the interface up and prevent further transfer until I say so.

I am using Mac OS X 10.7, but want to use standard terminal commands in a bash script (netstat, tcpdump, whatever is preinstalled) and not use a downloaded tool (even if it does the job perfectly - I need it in a script so I can put my own logic around it how I want).

stuffe

Posted 2012-02-22T21:54:59.910

Reputation: 143

Answers

1

You can use the packet filter (PF) for this, which is part of OSX. First, create a rule that labels all traffic on the interface (en1 in this example - replace with your actual interface):

echo "pass on en1 label \"traffic-en1\"" | sudo pfctl -f-
sudo pfctl -E # enable PF

Now traffic is being counted and you can view the counters with sudo pfctl -sl:

traffic-en1 4701 69 13029 40 6292 29 6737

Feel free to convert them into a more human friendly formatting:

sudo pfctl -sl | awk '$1=="traffic-en1" { printf "KBytes total: %d (in: %d, out: %d)\n", $4/1024, $6/1024, $8/1024 }'

Which should give you something like KBytes total: 192 (in: 95, out: 97).

You can reset the counter with sudo pfctl -z.

Note: OS X may complain about "No ALTQ support in kernel, ALTQ related functions disabled" when invoking pfctl - this is perfectly normal and safe to ignore.

Note 2: It's not recommended to play with firewall settings remotely, but in the worst case pfctl -d will disable the whole thing (if you locked yourself out somehow).

Ingmar Hupp

Posted 2012-02-22T21:54:59.910

Reputation: 435

This is great, thanks a lot. The best I had done was pulling the length field of each packet from tcpdump and manually trying to add them all up on the fly. That meant it was hard to both make the count, and act on it. Your method is superior in every way. I presume it captures all traffic, regardless of tcp/udp, and records actual packet length not MTU etc. – stuffe – 2012-02-23T11:30:21.893

Yes, the example rule matches everything, but you can also make more specific rules. It counts actual bytes sent over the interface. The numbers output by pfctl -sl after the label specifically are: evaluations, packets total, bytes total, packets in, bytes in, packets out, bytes out – Ingmar Hupp – 2012-02-23T12:07:22.320
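
One way to wrap the `pfctl -sl` counters from the answer into the report and limit check the question asks for, using the field order given in the last comment. This is an added example, not code from either poster; the function names, the 90% warning threshold and the 14000-byte demo limit are assumptions, and the sample line is the one shown in the answer.

```bash
#!/usr/bin/env bash
# Added example: turn `pfctl -sl` label counters into a usage report.
# Fields after the label: evaluations, packets total, bytes total,
# packets in, bytes in, packets out, bytes out.

# label_bytes LABEL: read `pfctl -sl` output on stdin, print "total in out"
# in bytes. Lines sharing the label are summed; exit 1 if none match.
label_bytes() {
  awk -v label="$1" '
    $1 == label && NF >= 8 { t += $4; i += $6; o += $8; seen = 1 }
    END { if (!seen) exit 1; printf "%.0f %.0f %.0f\n", t, i, o }'
}

# human BYTES: print a byte count with a binary unit.
human() {
  awk -v b="$1" 'BEGIN {
    split("B KiB MiB GiB TiB", unit, " "); i = 1
    while (b >= 1024 && i < 5) { b /= 1024; i++ }
    fmt = (i == 1) ? "%d %s\n" : "%.1f %s\n"
    printf fmt, b, unit[i]
  }'
}

# usage_state TOTAL LIMIT [WARN_PCT]: print ok, warn (default at 90%) or over.
usage_state() {
  if [ "$1" -ge "$2" ]; then echo over
  elif [ $(( $1 * 100 )) -ge $(( $2 * ${3:-90} )) ]; then echo warn
  else echo ok
  fi
}

# report LABEL LIMIT_BYTES: one status line from `pfctl -sl` output on stdin.
report() {
  counts=$(label_bytes "$1") || { echo "label $1 not found" >&2; return 1; }
  set -- $counts "$2"   # now: total in out limit
  echo "You have transferred $(human "$1") (in: $(human "$2"), out: $(human "$3")) [$(usage_state "$1" "$4")]"
}

# Live use (assumes the labelled rule from the answer is loaded):
#   sudo pfctl -sl | report traffic-en1 $((500 * 1024 * 1024))

# Constructed demo: the counter line shown in the answer, hypothetical limit.
SAMPLE='traffic-en1 4701 69 13029 40 6292 29 6737'
printf '%s\n' "$SAMPLE" | report traffic-en1 14000
```

Calling `report` in a loop with `sleep` gives the running warning; the `over` state is the point at which a blocking rule could be loaded.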