[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] Network performance analysis / sniffing.
Jeff, One way to do this may be to run tcpdump. Have it run for a specified period of time, writing the all packets out to a file in raw form (use the -w switch). After that is done, you should be able to read the raw file back into tcpdump (-r switch) and seperate it out by ports ( i.e, port 25 for smtp, port 80 for http, etc.). Take this and run it through wc -l to count the number of packets for that particular protocol type. Then run the entire raw file through the same way to get the total number of packets. You should be able to obtain the ration of packets from this. Note that this will really not tell how many bytes of data traversed your firewall (you could get this information from tcpdump, but may have to write a awk or perl script to obtain it), but it will tell the number of packets. You will have to set your sniffer to promiscous mode. So to summerize: 1 - run tcpdump to capture all traffic tcpdump -ni <your interface> -w <your output file> 2 - after this is done, count the number of packets for each protocol tcpdump -nr <your input file> port <protocol of interest> | wc -l 3 - then get the total number of packets tcpdump -nr <your input file> | wc -l Now just take the ratio of the two by dividing the count obtained in two by the count obtained by three. Any questions, just let me know. Thanks. ----- Original Message ----- From: "Jarmoc, Jeff" <[email protected]> To: <[email protected]> Sent: Wednesday, April 10, 2002 5:03 PM Subject: [FW-1] Network performance analysis / sniffing. > I'm hoping someone can help me with something that's only partly > firewall related. At times, the external interface of firewalls I'm > responsible for will become highly utilized. In going down the path of > looking for upgrades, management invariably asks the question, "What sort of > traffic is this interface passing?" Obviously, I can tell what traffic is > allowed by looking at my firewall rulebase and logs. What's more difficult, > is to tell how much of each type of traffic is allowed. > For example, I can presume that HTTP and SMTP are two of the major > protocols in use on my network. However, I can't reliably state the HTTP > accounts for X% of total utilization while SMTP accounts for Y%. And > therein lies my question. Does anyone know of a relatively simple way to > collect these sorts of statistics? My first thoughts are to possibly i) run > a sniffer near my firewall, and analyze it's captured data in order to > generate these statistics. My second thought is that maybe the firewall > logs already contain most of the information I'm looking for. What sorts of > solutions have other people implemented to answer these sorts of questions? > > Any and all ideas are appreciated greatly. > > Jeff Jarmoc - CCSA, CCNA, MCSE > Network Analyst - Grubb & Ellis > [email protected] > > ================================================= > To set vacation, Out Of Office, or away messages, > send an email to [email protected] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [email protected] > ================================================= > ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|