wiki:Linux/NetworkPacketMonitoringWithAwk

Version 6 (modified by tj, 9 years ago)


Network Packet Monitoring With Awk

icmp-monitor is an awk script I knocked up to help a network administrator who wanted to analyse the output from a router SPAN port (Switched Port ANalyser) and monitor any active ICMP echo (ping) sessions. It can be useful on regular hosts too, especially if their interfaces are able to 'see' other hosts' network traffic (such as a router, or a PC attached to a hub).

Usage:

INTERFACE=eth0
DEBUG=1
sudo tcpdump -i $INTERFACE -n -l -O icmp | awk -v debug=$DEBUG -f icmp-monitor.awk

The recognised debug levels are 0-4; each level adds to the output of the one below it:

  • 0 = no debug output
  • 1 = new sessions
  • 2 = + function names
  • 3 = + summary for every packet
  • 4 = + raw tcpdump output

To stop the monitor cleanly, send SIGINT to the tcpdump process only. Ctrl+C at the terminal sends SIGINT to the whole foreground process group, so it will also interrupt awk and prevent it printing the final summary statistics; signalling tcpdump alone makes it close its output, awk then sees end-of-file and runs its END block normally.
e.g.

sudo kill -s INT $(pidof tcpdump)
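The following is an added example and not the icmp-monitor.awk script attached to this page. It shows the same idea in miniature: an awk program, driven by the same `-v debug=` levels, that groups tcpdump's ICMP echo lines into ping sessions (keyed on source, destination and ICMP id) and prints a per-session request/reply count in its END block. It assumes the line format tcpdump prints for IPv4 ICMP echo with `-n` (`... IP A > B: ICMP echo request, id N, seq M, length L`); the packet lines in `SAMPLE_TCPDUMP` are constructed, not captured, and the `icmp_sessions` function name is this example's own.

```shell
#!/bin/sh
# Added example: a minimal awk session tracker for tcpdump ICMP output.
# Not the wiki's icmp-monitor.awk. Sample lines below are constructed.

SAMPLE_TCPDUMP='12:00:00.000100 IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 4242, seq 1, length 64
12:00:00.000400 IP 192.168.1.1 > 192.168.1.10: ICMP echo reply, id 4242, seq 1, length 64
12:00:01.000100 IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 4242, seq 2, length 64
12:00:01.000400 IP 192.168.1.1 > 192.168.1.10: ICMP echo reply, id 4242, seq 2, length 64
12:00:02.000100 IP 10.0.0.5 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64
12:00:02.000100 IP 10.0.0.5 > 192.168.1.1: ICMP echo request, id 7, seq 2, length 64
12:00:03.000000 IP 192.168.1.1 > 192.168.1.10: ICMP time exceeded in-transit, length 36'

# icmp_sessions DEBUG  - reads tcpdump lines on stdin, prints a sorted summary
# on stdout; debug levels 1-4 mirror the wiki page and go to stderr so they
# never mix with the summary.
icmp_sessions() {
    awk -v debug="${1:-0}" '
    # tcpdump leaves trailing ":" on the destination and "," on id/seq values
    function clean(s) { sub(/[,:]$/, "", s); return s }

    $6 == "ICMP" && $7 == "echo" {
        if (debug >= 2) print "FUNC echo_packet" > "/dev/stderr"
        src = clean($3); dst = clean($5); kind = clean($8)
        id = ""; seq = ""
        for (i = 9; i <= NF; i++) {
            if ($i == "id")  id  = clean($(i + 1))
            if ($i == "seq") seq = clean($(i + 1))
        }
        # A session is "pinging host -> target, id"; a reply travels the
        # other way, so swap the addresses to land on the same key.
        if (kind == "request") key = src " -> " dst " id " id
        else                   key = dst " -> " src " id " id
        if (!(key in requests) && !(key in replies)) {
            started[key] = $1
            if (debug >= 1) print "NEW SESSION " key " at " $1 > "/dev/stderr"
        }
        if (kind == "request") requests[key]++; else replies[key]++
        if (debug >= 3) print "  " kind " " key " seq " seq > "/dev/stderr"
        next
    }

    # Anything else ICMP (time exceeded, unreachable, ...) is only counted
    {
        if (debug >= 4) print "RAW " $0 > "/dev/stderr"
        other++
    }

    END {
        for (key in requests)
            printf "%s requests=%d replies=%d lost=%d\n",
                   key, requests[key], replies[key] + 0,
                   requests[key] - replies[key]
        printf "other_icmp=%d\n", other + 0
    }' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample; DEBUG works as on the wiki page.
printf '%s\n' "$SAMPLE_TCPDUMP" | icmp_sessions "${DEBUG:-0}"
```

To use it on live traffic, replace the `printf` with the wiki's `sudo tcpdump -i $INTERFACE -n -l -O icmp` pipeline; `-l` matters because without line buffering awk would see nothing until tcpdump's buffer fills, and the same SIGINT-to-tcpdump rule applies so that the END block gets to print the summary.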
