Difference between revisions of "Network/Visualize pcap file data"

From braindump
(Created page with "{{DISPLAYTITLE: Visualize pcap file data}} One nice day I given orders to produce network usage statistics to find eventual burst in the stream. However I was faced with two ...")

Revision as of 23:01, 16 July 2012

One nice day I was given orders to produce network usage statistics to find eventual bursts in the stream. However, I was faced with two problems. The network monitoring software was graphing the network flow every minute, which was too coarse, and the interface was connected to a switch where I had no control, so a mirror port was out of the question. The assignment was to collect data for a week and then look at the numbers.

I was unsure how to go about it, so I ran a tcpdump on the hosts in question every day for the time period required for monitoring. At that point in time I had no idea how to process the pcap dump data and I had not the faintest clue how to present it at the end of the week. After a lot of searching I finally came across a nifty feature in tshark that allowed me to aggregate bandwidth on a per-second basis. Below is a short recipe on how to create the graphs.

Prerequisites

  • A capture file the Wireshark suite understands, e.g. pcap or Solaris snoop, among others.
  • tshark
  • ruby
  • R

Howto

Aggregate traffic with tshark

To properly graph the data, tshark needs to generate statistics on a per-second basis. The command below achieves this.

tshark -q -z 'io,stat,1' -r <PcapFile> > <StatisticsFile>

The output is looking something like the excerpt below.

<<<<<<< <StatisticsFile>
=======
Time            |frames|  bytes  
000.000-001.000      62      5578 
001.000-002.000      62      5386 
002.000-003.000      62      5692 
003.000-004.000      62      5968 
004.000-005.000      62      5428 
005.000-006.000      62      5838 
006.000-007.000      62      5912 

The only problem with the output above is that the time is relative to the start of the pcap file. Before passing the data to R it has to be properly massaged.

Convert the time with ruby

My data captures are usually automated with a script that writes the start date and time into the filename to make it unique. The ruby script below assumes the file names being passed to it are in the form of <String>-YYYY-MM-DD_hh-mm.stats.
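The conversion the two sections above describe, written out as an added example (this is not the wiki author's script, which is not reproduced here): the capture start is taken from a <String>-YYYY-MM-DD_hh-mm.stats filename, each relative tshark interval is shifted to an absolute timestamp, and the result is emitted as CSV for R. The sample statistics text, the CSV column names and the assumption that the filename time is UTC are all mine.

```ruby
# Added example, not the page author's script. Turns the relative
# intervals of a "tshark -q -z 'io,stat,1'" statistics file into
# absolute timestamps using the capture start encoded in the filename.

# Extract the capture start from "<String>-YYYY-MM-DD_hh-mm.stats".
# Assumption: the naming script writes UTC; adjust for local time if not.
def capture_start(filename)
  m = File.basename(filename)
          .match(/-(\d{4})-(\d{2})-(\d{2})_(\d{2})-(\d{2})\.stats\z/)
  raise ArgumentError, "unexpected filename: #{filename}" unless m
  Time.utc(*m.captures.map(&:to_i))
end

# One tshark data row: "000.000-001.000      62      5578". The header,
# separator and any "IO Statistics" banner lines do not match and are skipped.
ROW = /\A\s*(\d+\.\d+)-(\d+\.\d+)\s+(\d+)\s+(\d+)\s*\z/

# Returns [absolute_time, frames, bytes] for every data row in the text.
def absolute_rows(start, text)
  text.each_line.filter_map do |line|
    next unless (m = line.match(ROW))
    offset, _interval_end, frames, bytes = m.captures
    [start + offset.to_f, frames.to_i, bytes.to_i]
  end
end

# CSV that R can load with read.csv(); the column names are an assumption.
def to_csv(filename, text)
  lines = ["time,frames,bytes"]
  absolute_rows(capture_start(filename), text).each do |t, frames, bytes|
    lines << "#{t.strftime('%Y-%m-%d %H:%M:%S')},#{frames},#{bytes}"
  end
  lines.join("\n")
end

# Constructed sample in the shape of the tshark excerpt above.
SAMPLE = <<~STATS
  Time            |frames|  bytes
  000.000-001.000      62      5578
  001.000-002.000      62      5386
  002.000-003.000      62      5692
STATS

puts to_csv("host1-2012-07-16_23-01.stats", SAMPLE) if $PROGRAM_NAME == __FILE__
```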