Member Avatar for clife

Hi ,

I would like to monitor upload and download datas of devices connected to the router.

I am using the following iptables rules:

sudo iptables -N DMon
sudo iptables -A FORWARD
sudo iptables -A FORWARD -d 70.70.70.1/26 -j DMon
sudo iptables -A DMon -d 70.70.70.50
sudo iptables -A FORWARD -s 70.70.70.1/26 -j DMon
sudo iptables -A DMon -s 70.70.70.50

After this i am able to see the packets and bytes counters as below

sudo iptables -L DMon -n -v

Chain DMon (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 1123  886K            all  --  *      *       0.0.0.0/0            10.10.10.50         
 1160  236K            all  --  *      *       10.10.10.50          0.0.0.0/0

to parse and display only ip address and bytes i am using the below expression.

sudo iptables -L DMon -n -v -x | awk '$1 ~ /^[0-9]+$/ { printf "IP:%s DLBytes:%d \n", $8, $2 }'

to be frank i am not good at iptables and awk, i got these details from site :

http://www.catonmat.net/blog/traffic-accounting-with-iptables/

My doubt is when i use the expression ( awk '$1 ~ /^[0-9]+$/ { printf "IP:%s DLBytes:%d \n", $8, $2 }' ) which is actually converting KBytes to Bytes , but when i convert the same value using formula XKBytes = 1024 * X Bytes, i am not getting the same values.

for example:

The Download data value from iptables( sudo iptables -L DMon -n -v) : 934K
The value printed using awk expression: 934336
The actual value is : 943 * 1024 = 965632

similarly for upload:
The Upload data value from iptables: 262K
The value printed using expression: 262183
The actual value is : 262 * 1024 = 268288

First of all, I dont understand why the expression to converting KBytes to Bytes , i dont see any conversion logic in expression.
Second is it possible to change the expression to check the value in bytes field if its having K or M, then multiply the value with 1024 or 1024 * 1024 etc , if just value then its Bytes.

Please help me out to solve this problem.

Thanks

  • 2 Contributors
  • 2 Replies
  • 330 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by clife

Recommended Answers

All 2 Replies

Member Avatar for rubberman

You might want to drop iptables and use pcap to capture network traffic in "promiscuous" mode, and then wireshark to filter and analyze it. That has worked well for me in the past.

FWIW, to convert KBytes to Bytes, multiply by 1024. Also, this line "The actual value is : 943 * 1024 = 965632" should be "The actual value is : 934 * 1024 = 956416". The nice thing about math is that everyone has a different answer, unless they agree on specific terms at the beginning... Also, the 934KBytes may be (and probably is) rounded off - up or down? Perhaps the awk answer is correct. In any case, Wireshark and pcap will give you exact answers if you need.

Member Avatar for clife

Actually i am not working with real router, i configured my PC as router.I also have multiple devices connected to my PC using siwtch on different interface.

Just to start, Can you give me some references for pcap and wireshark and how to capture data for multiple devices.

Thanks.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.