
Network Packet Monitoring With Awk

icmp-monitor is an awk script I knocked up to help a network administrator who wanted to analyse the output from a router SPAN port (Switched Port ANalyser) and keep track of any active ICMP echo (ping) sessions. It can also be useful on regular hosts, especially where the interface can 'see' other hosts' traffic (for example a router, or a PC attached to a hub).

Example:

sudo tcpdump -i wlan0 -n -l -O icmp | awk -v debug=1 -f icmp-monitor.awk
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
Adding session # 1 @ 10.254.251.51 > 10.254.251.49
Adding session # 2 @ 10.254.251.1 > 10.254.251.51
Adding session # 3 @ 10.254.251.49 > 10.254.251.51
08:41:22.095465 session #1 (10.254.251.51 > 10.254.251.49) requests=7 reqst-ID=85 reply-ID=-1 dropped=1 [dropped]
08:41:23.095460 session #1 (10.254.251.51 > 10.254.251.49) requests=8 reqst-ID=86 reply-ID=-1 dropped=2 [dropped]
08:41:24.095453 session #1 (10.254.251.51 > 10.254.251.49) requests=9 reqst-ID=87 reply-ID=-1 dropped=3 [dropped]
08:41:25.095456 session #1 (10.254.251.51 > 10.254.251.49) requests=10 reqst-ID=88 reply-ID=-1 dropped=4 [dropped]
08:41:26.095454 session #1 (10.254.251.51 > 10.254.251.49) requests=11 reqst-ID=89 reply-ID=-1 dropped=5 [dropped]
08:41:27.095453 session #1 (10.254.251.51 > 10.254.251.49) requests=12 reqst-ID=90 reply-ID=-1 dropped=6 [dropped]
08:41:28.095455 session #1 (10.254.251.51 > 10.254.251.49) requests=13 reqst-ID=91 reply-ID=-1 dropped=7 [dropped]
119 packets captured
119 packets received by filter
0 packets dropped by kernel
Session #1 (10.254.251.51 > 10.254.251.49) requests 24 dropped 29.1667%
Session #2 (10.254.251.1 > 10.254.251.51) requests 24 dropped 0%
Session #3 (10.254.251.49 > 10.254.251.51) requests 15 dropped 0%

Usage:

INTERFACE=eth0
DEBUG=1
sudo tcpdump -i $INTERFACE -n -l -O icmp | awk -v debug=$DEBUG -f icmp-monitor.awk

When setting a debug level, the recognised values are: 0-4

  • 0 = no debug output
  • 1 = new sessions
  • 2 = + function names
  • 3 = + summary for every packet
  • 4 = + raw tcpdump output

To stop the monitor cleanly, send SIGINT to the tcpdump process only. Pressing Ctrl+C at the terminal delivers SIGINT to the whole foreground process group, so it also interrupts awk, which then never reaches its END block and prints no final summary statistics.
e.g.

sudo kill -s INT $(pidof tcpdump)
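The page does not include icmp-monitor.awk itself, so the following is an added example, not the wiki's script: a small POSIX awk session tracker wrapped in a shell function that can be fed either by tcpdump or by a captured file. It assumes the `tcpdump -n` IPv4 line format `<time> IP <src> > <dst>: ICMP echo request, id <id>, seq <seq>, length <n>` (the field positions are an assumption about that format), keys sessions on `src > dst` of the echo requests as the page's output does, and counts a request as dropped when the next request of the same session arrives before a reply with the same seq has been seen. The sample capture is constructed, and the function names `icmp_monitor` and `sample_run` are mine.

```shell
#!/bin/sh
# Added example, not the wiki's icmp-monitor.awk.
# Tracks ICMP echo sessions from "tcpdump -n -l icmp" output (stdin).
# $1 = debug level: 0 = summary only, 1 = also announce new sessions.

icmp_monitor() {
    awk -v debug="${1:-0}" '
    # Assumed field layout of a tcpdump -n line:
    # $1 time, $2 "IP", $3 src, $4 ">", $5 "dst:", $7 "echo", $8 "request,"|"reply,", $12 "<seq>,"
    /ICMP echo (request|reply)/ {
        src = $3; dst = $5; sub(/:$/, "", dst)
        seq = $12; sub(/,$/, "", seq)
        if ($8 ~ /^request/) {
            key = src " > " dst
            if (!(key in nreq)) {            # first request from this pair: new session
                nsess++; sid[key] = nsess; skey[nsess] = key
                if (debug >= 1) printf "Adding session # %d @ %s\n", nsess, key
            }
            # previous request of this session still unanswered when the next one
            # is sent: count it as dropped
            if (pending[key] != "" && !answered[key, pending[key]]) ndrop[key]++
            nreq[key]++; pending[key] = seq
        } else {
            key = dst " > " src              # a reply flows back towards the requester
            answered[key, seq] = 1
        }
    }
    END {
        # runs when tcpdump closes the pipe (EOF), e.g. after SIGINT to tcpdump;
        # sessions are reported in the order they were first seen
        for (i = 1; i <= nsess; i++) {
            key = skey[i]
            printf "Session #%d (%s) requests %d dropped %g%%\n",
                   sid[key], key, nreq[key], 100 * ndrop[key] / nreq[key]
        }
    }'
}

# Constructed sample capture: 10.254.251.51 pings .49 four times and the
# reply to seq 86 never arrives; .49 pings .51 twice and both are answered.
SAMPLE='08:41:21.095465 IP 10.254.251.51 > 10.254.251.49: ICMP echo request, id 30769, seq 85, length 64
08:41:21.096010 IP 10.254.251.49 > 10.254.251.51: ICMP echo reply, id 30769, seq 85, length 64
08:41:21.500000 IP 10.254.251.49 > 10.254.251.51: ICMP echo request, id 4112, seq 1, length 64
08:41:21.500400 IP 10.254.251.51 > 10.254.251.49: ICMP echo reply, id 4112, seq 1, length 64
08:41:22.095465 IP 10.254.251.51 > 10.254.251.49: ICMP echo request, id 30769, seq 86, length 64
08:41:22.500000 IP 10.254.251.49 > 10.254.251.51: ICMP echo request, id 4112, seq 2, length 64
08:41:22.500400 IP 10.254.251.51 > 10.254.251.49: ICMP echo reply, id 4112, seq 2, length 64
08:41:23.095465 IP 10.254.251.51 > 10.254.251.49: ICMP echo request, id 30769, seq 87, length 64
08:41:23.096010 IP 10.254.251.49 > 10.254.251.51: ICMP echo reply, id 30769, seq 87, length 64
08:41:24.095465 IP 10.254.251.51 > 10.254.251.49: ICMP echo request, id 30769, seq 88, length 64
08:41:24.096010 IP 10.254.251.49 > 10.254.251.51: ICMP echo reply, id 30769, seq 88, length 64'

# Replay the constructed capture through the monitor; $1 = debug level.
sample_run() {
    printf '%s\n' "$SAMPLE" | icmp_monitor "${1:-0}"
}

# Live use (same pipeline as the wiki's usage section):
#   sudo tcpdump -i eth0 -n -l -O icmp | icmp_monitor 1
```

Because the drop decision is made when the next request arrives, a reply that turns up after that point is still counted as dropped; for the usual one-second ping interval that is the behaviour you want, and it mirrors why the wiki's summary for session #1 above reports 7 of 24 requests (29.1667%) as dropped. The last request of each session is never judged, since the capture may end before its reply could arrive.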

Updates

2008-10-11 Added (source > destination) IP address report to summary statistics
