Rob Miller wrote:
Hello,
We are trying to detect where bursts of traffic are coming from. We've
used Ethereal to view all traffic over a period of time and find that
there are 15 second bursts of traffic occurring sporadically from one or
more of our network stations. Unfortunately there is no way to tell
where the traffic is coming from as it is buried among thousands of
other packets.
What we need is a monitor that measures traffic per second and if the
traffic is greater than a certain threshold, it captures that second's
worth of packets and puts it into a file to be analyzed later. The
analysis would have some way of showing all the different sources of
traffic along with the total amount for each source.
Could you suggest some simplified way of analyzing our traffic from that
point of view?
Dunno about simple, but if you've got Linux this is possible with
scripting. Personally, I'd write a bash script to run once a minute. Use
grep, sed and/or awk to grab the traffic load from /proc/net/dev and
compare it to the load you saw at the last run... if greater than your
threshold, then run tcpdump -w [file] -c [500 or so] -i [interface] and
mail yourself the resulting pcap file.
--
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!
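The once-a-minute script Jack sketches, written out as an added example (not code from either poster): it reads the interface's byte counters from /proc/net/dev, compares them with the value saved on the previous run, and on a burst captures a short pcap and mails a per-source packet summary, which is the analysis Rob asked for. Interface name, threshold, file paths, mail address and the 15 second capture limit are assumptions; the functions are separated out so the counter parsing and the threshold logic can be checked against sample input without root.

```shell
#!/bin/bash
# Added example (not Jack's or Rob's code): once-a-minute cron job that reads the byte
# counters of one interface from /proc/net/dev, compares them with the last saved value
# and, on a burst, captures a short pcap and mails a per-source summary. Assumed defaults:
set -u
IFACE="${IFACE:-eth0}"
THRESHOLD_BYTES="${THRESHOLD_BYTES:-52428800}"   # 50 MiB per minute
STATE_FILE="${STATE_FILE:-/var/tmp/netload.${IFACE}.last}"
CAPTURE_DIR="${CAPTURE_DIR:-/var/tmp/bursts}"
MAILTO="${MAILTO:-root}"

# Print rx_bytes + tx_bytes of interface $1 from /proc/net/dev text on stdin. After the
# colon come 8 receive fields then 8 transmit fields, so tx_bytes is f[9]; the name may
# be glued to the colon ("eth0:123"), hence splitting on ":" first. Exit 1 if not found.
total_bytes() {
    awk -v want="$1" -F':' 'NR > 2 {
            name = $1; gsub(/ /, "", name)
            if (name == want) { split($2, f, " "); print f[1] + f[9]; found = 1 }
        } END { if (!found) exit 1 }'
}

# True when the delta since the last run exceeds the threshold. A counter that went
# backwards (interface reset, wraparound) is "no burst", not a giant negative delta.
exceeds_threshold() {   # args: previous_bytes current_bytes threshold_bytes
    [ "$2" -ge "$1" ] && [ $(($2 - $1)) -gt "$3" ]
}

# Packets per IPv4 source from "tcpdump -n -q" lines on stdin, busiest first. Field 3 is
# "a.b.c.d.port" for TCP/UDP and "a.b.c.d" for ICMP; strip the port only when present.
per_source_counts() {
    awk '$2 == "IP" { s = $3; if (gsub(/\./, ".", s) == 4) sub(/\.[^.]+$/, "", s); n[s]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# One cron run: save the current counter and capture if the last minute was a burst.
monitor_once() {
    local cur prev pcap
    cur="$(total_bytes "$IFACE" < /proc/net/dev)" || { echo "no interface $IFACE" >&2; return 2; }
    prev="$(cat "$STATE_FILE" 2>/dev/null || echo "$cur")"
    echo "$cur" > "$STATE_FILE"
    exceeds_threshold "$prev" "$cur" "$THRESHOLD_BYTES" || return 0
    mkdir -p "$CAPTURE_DIR"
    pcap="$CAPTURE_DIR/burst-$(date +%Y%m%d-%H%M%S).pcap"
    # 500 packets or 15 s, whichever comes first, so a burst that ends early cannot hang us
    timeout 15 tcpdump -n -i "$IFACE" -c 500 -w "$pcap"
    { echo "burst on $IFACE: $((cur - prev)) bytes in the last minute, pcap saved as $pcap"
      tcpdump -n -q -r "$pcap" 2>/dev/null | per_source_counts
    } | mail -s "traffic burst on $IFACE" "$MAILTO"
}
if [ "${1:-}" = "run" ]; then monitor_once; fi   # cron: * * * * * /usr/local/sbin/burstwatch.sh run
```

The pcap stays on disk and only its path goes in the mail, because the attachment flag differs between mail(1) implementations; the mail body carries the per-source packet counts for the captured second(s).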