Network Packet Monitoring With Awk
icmp-monitor is an awk script I knocked up to help a network administrator who wanted to analyse the output from a router SPAN port (Switched Port ANalyser), monitoring any active ICMP echo (ping) sessions. It can be useful on regular hosts too, especially if their interfaces are able to 'see' network traffic (such as a router, or PC attached to a hub).
```
sudo tcpdump -i wlan0 -n -l -O icmp | awk -v debug=1 -f icmp-monitor.awk
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
Adding session # 1 @ 10.254.251.51 > 10.254.251.49
Adding session # 2 @ 10.254.251.1 > 10.254.251.51
Adding session # 3 @ 10.254.251.49 > 10.254.251.51
08:41:22.095465 session #1 (10.254.251.51 > 10.254.251.49) requests=7 reqst-ID=85 reply-ID=-1 dropped=1 [dropped]
08:41:23.095460 session #1 (10.254.251.51 > 10.254.251.49) requests=8 reqst-ID=86 reply-ID=-1 dropped=2 [dropped]
08:41:24.095453 session #1 (10.254.251.51 > 10.254.251.49) requests=9 reqst-ID=87 reply-ID=-1 dropped=3 [dropped]
08:41:25.095456 session #1 (10.254.251.51 > 10.254.251.49) requests=10 reqst-ID=88 reply-ID=-1 dropped=4 [dropped]
08:41:26.095454 session #1 (10.254.251.51 > 10.254.251.49) requests=11 reqst-ID=89 reply-ID=-1 dropped=5 [dropped]
08:41:27.095453 session #1 (10.254.251.51 > 10.254.251.49) requests=12 reqst-ID=90 reply-ID=-1 dropped=6 [dropped]
08:41:28.095455 session #1 (10.254.251.51 > 10.254.251.49) requests=13 reqst-ID=91 reply-ID=-1 dropped=7 [dropped]
119 packets captured
119 packets received by filter
0 packets dropped by kernel
Session #1 (10.254.251.51 > 10.254.251.49) requests 24 dropped 29.1667%
Session #2 (10.254.251.1 > 10.254.251.51) requests 24 dropped 0%
Session #3 (10.254.251.49 > 10.254.251.51) requests 15 dropped 0%
```
Set the interface and debug level first, then run the pipeline (putting the assignments on the same line as `sudo` does not work, because `$INTERFACE` and `$DEBUG` are expanded by the calling shell before those temporary assignments take effect):

```
INTERFACE=eth0
DEBUG=1
sudo tcpdump -i $INTERFACE -n -l -O icmp | awk -v debug=$DEBUG -f icmp-monitor.awk
```
The recognised debug levels are 0-4:
- 0 = no debug output
- 1 = new sessions
- 2 = + function names
- 3 = + summary for every packet
- 4 = + raw tcpdump output
To stop the monitor cleanly, send SIGINT to the tcpdump process. If you use Ctrl+C at the terminal it will also interrupt awk, which will prevent it printing the final summary statistics.
```
sudo kill -s INT $(pidof tcpdump)
```
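As an added illustration of the session-tracking idea behind the summary lines above (this is my own minimal reimplementation, not the icmp-monitor.awk script itself), the following POSIX sh/awk snippet keys each session on the request's `source > destination` pair, matches echo replies back to the outstanding request by ICMP id and sequence number, and reports the percentage of unanswered requests at end of input. The field positions assume the modern `tcpdump -n` ICMP line format (`... IP SRC > DST: ICMP echo request, id N, seq M, length L`), and the capture lines in `sample_capture` are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not the original icmp-monitor.awk: a minimal ICMP session
# tracker in POSIX awk. Input format assumed: "tcpdump -n -l icmp" lines such as
#   08:41:22.095465 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 4242, seq 1, length 64

icmp_summary() {
  # Reads tcpdump ICMP lines on stdin; prints one summary line per session.
  awk '
    # $2="IP" $3=SRC $4=">" $5="DST:" $6="ICMP" $7="echo" $8="request,"|"reply,"
    # $9="id" $10="N," $11="seq" $12="M,"
    $2 == "IP" && $6 == "ICMP" && $7 == "echo" {
      src = $3; dst = $5; sub(/:$/, "", dst)      # drop the colon after DST
      id  = $10; sub(/,$/, "", id)               # drop trailing comma
      seq = $12; sub(/,$/, "", seq)
      if ($8 == "request,") {
        key = src " > " dst                      # session = requester > target
        if (!(key in requests)) { order[++n] = key }
        requests[key]++
        pending[key, id, seq] = 1                # awaiting a reply
      } else if ($8 == "reply,") {
        key = dst " > " src                      # reply flows back to requester
        if ((key, id, seq) in pending) {
          delete pending[key, id, seq]
          replies[key]++
        }
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        key = order[i]
        dropped = requests[key] - replies[key]   # requests never answered
        printf "Session #%d (%s) requests %d dropped %.4f%%\n",
               i, key, requests[key], 100 * dropped / requests[key]
      }
    }'
}

sample_capture() {
  # Constructed capture: session A sends 3 requests and gets 2 replies,
  # session B sends 2 requests and gets both replies.
  cat <<'EOF'
08:41:22.000001 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 4242, seq 1, length 64
08:41:22.000500 IP 10.0.0.1 > 10.0.0.5: ICMP echo reply, id 4242, seq 1, length 64
08:41:22.100001 IP 10.0.0.7 > 10.0.0.1: ICMP echo request, id 7777, seq 1, length 64
08:41:22.100400 IP 10.0.0.1 > 10.0.0.7: ICMP echo reply, id 7777, seq 1, length 64
08:41:23.000001 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 4242, seq 2, length 64
08:41:23.100001 IP 10.0.0.7 > 10.0.0.1: ICMP echo request, id 7777, seq 2, length 64
08:41:23.100400 IP 10.0.0.1 > 10.0.0.7: ICMP echo reply, id 7777, seq 2, length 64
08:41:24.000001 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 4242, seq 3, length 64
08:41:24.000500 IP 10.0.0.1 > 10.0.0.5: ICMP echo reply, id 4242, seq 3, length 64
EOF
}

# Usage: sample_capture | icmp_summary
# or live: sudo tcpdump -i eth0 -n -l icmp | icmp_summary
```

Because the summary is produced in awk's `END` block, the same caveat as for icmp-monitor.awk applies: stop the pipeline by signalling tcpdump rather than pressing Ctrl+C, so awk sees end of input and prints the totals.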
2008-10-11 Added (source > destination) IP address report to summary statistics