Wireshark mailing list archives

Want to monitor a port, count bytes transferred, record who transferred, nothing else


From: wireshark () timares com (Brian Excarnate)
Date: Fri, 20 Apr 2012 10:45:25 -0500

Hi,

I went through the man pages, searched Google, searched the FAQ, searched the Wiki, searched the mail list archives, and if I missed what I'm looking for, just point me at it and perhaps suggest a useful search string.

I have several Linux servers, each serving several users their own database, each database has its own port. I have root.

What I want to do is see who (which IP address) connects when, how much is transferred (in and out), and when they disconnect. Maybe more based on what things look like initially, but that's the core of what I want.

I don't want to capture packets (for various reasons including load), which is where I have trouble figuring out how to get Wireshark to work.

So my first question is: Is there some other tool that is a better choice, and if so which?

Assuming Wireshark can do what I want (can it?):  How?

I'm not looking for fancy, in fact I prefer simple, and naturally something with minimal load on the box. A file with lines something like this:

10.11.12.13     1334933001      11534336        698351616       1334934052
10.11.12.14     1334934053      1572864         1572864         1334935001
10.11.12.15     1334933000      76546048        456150656       1334937017

That is: IP, date +%s start time, bytes to server, bytes from server, date +%s end time. Presumably written as each connection closes. I'm OK with counting in memory, but don't require it!

I'm OK with, but don't prefer, a file similar to:

OPEN    10.11.12.15     1334933000
OPEN    10.11.12.13     1334933001
CLOSE   10.11.12.13     1334934052      11534336        698351616
OPEN    10.11.12.14     1334934053
CLOSE   10.11.12.14     1334935001      1572864         1572864
CLOSE   10.11.12.15     1334937017      76546048        456150656

I found a program that sounded like it was written to do this, but when it failed to compile for me I asked a programmer friend about it, and he said something along the lines of "since he did foo, then it is bar, and you shouldn't use it even if you could get it to compile".


Brian
--
As you read my email, keep in mind what Ryan North posits:
"Every day each of us says the dumbest thing we are going to say that day."
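The in-memory per-connection accounting the post asks for, as an added example that is not part of the original message: a Python script that reads one tab-separated summary line per packet (epoch time, source IP, destination IP, source port, destination port, TCP payload length, FIN flag, the layout `tshark -T fields` produces for those fields) and emits the one-line-per-connection format shown above once both sides have sent FIN. The sample lines, the server port 5432 and the addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample input (values made up), one packet per line, tab-separated:
# frame.time_epoch, ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.len, tcp.flags.fin
# Server 10.0.0.1 listens on 5432; client 10.11.12.13 sends 120 bytes, gets 2000 back.
SAMPLE = """\
1334933001.1\t10.11.12.13\t10.0.0.1\t51000\t5432\t0\t0
1334933001.2\t10.0.0.1\t10.11.12.13\t5432\t51000\t0\t0
1334933001.3\t10.11.12.13\t10.0.0.1\t51000\t5432\t120\t0
1334933002.0\t10.0.0.1\t10.11.12.13\t5432\t51000\t1400\t0
1334933002.5\t10.0.0.1\t10.11.12.13\t5432\t51000\t600\t0
1334934052.0\t10.11.12.13\t10.0.0.1\t51000\t5432\t0\t1
1334934052.1\t10.0.0.1\t10.11.12.13\t5432\t51000\t0\t1
"""

@dataclass
class Conn:
    client_ip: str
    start: int            # epoch seconds of first packet seen
    to_server: int = 0    # TCP payload bytes client -> server
    from_server: int = 0  # TCP payload bytes server -> client
    fin_seen: set = field(default_factory=set)  # directions that sent FIN

def account(lines, server_port):
    """Yield (client_ip, start, bytes_to_server, bytes_from_server, end)
    for every connection to server_port once both sides have sent FIN."""
    open_conns = {}  # (client_ip, client_port) -> Conn; only open flows are kept
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, sport, dport, tlen, fin = line.rstrip("\n").split("\t")
        ts, tlen = int(float(ts)), int(tlen or 0)
        fin = fin.strip().lower() in ("1", "true")  # tshark prints 1/0 or True/False
        if int(dport) == server_port:
            key, direction = (src, sport), "to"
        elif int(sport) == server_port:
            key, direction = (dst, dport), "from"
        else:
            continue  # traffic on some other port: ignore
        conn = open_conns.setdefault(key, Conn(key[0], ts))
        if direction == "to":
            conn.to_server += tlen
        else:
            conn.from_server += tlen
        if fin:
            conn.fin_seen.add(direction)
            if conn.fin_seen == {"to", "from"}:  # both sides closed: record and forget
                del open_conns[key]
                yield (conn.client_ip, conn.start, conn.to_server, conn.from_server, ts)

def format_record(rec):
    return "\t".join(str(x) for x in rec)

if __name__ == "__main__":
    for rec in account(SAMPLE.splitlines(), 5432):
        print(format_record(rec))
```

Note that `tcp.len` counts payload only, not headers, and a connection torn down by RST instead of FIN never leaves `open_conns` here, so a real deployment would also watch `tcp.flags.reset` and age out idle entries.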
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe