Tracking per TCP flow network traffic load

Riccardo Manfrin

Dec 22, 2009, 5:23:09 AM
Hi NG,
I need to track each TCP link traffic load (rate). I already have the
information regarding all opened TCP links, but I don't know what the
best way could be to retrieve traffic information to associate to those.

To do the job what I need is basically
a) to bind a packet to the correct flow, hence knowing the tuple:
[src_ip, src_port, dst_ip, dst_port, transport]
b) to know the packet size (optionally the timestamp would help too,
but I can generate that independently).

This having been said, what could the best way to accomplish the task
be? I was planning on using a tcpdump-based sniffer, but it looks pretty
inefficient to export all packets to userspace, while the data is
probably there to be grasped in some /proc subfolders or kernel structures.
I just need you to point me towards a non-100%-load-CPU solution.

Thanks in advance and Merry Xmas,
R

Rainer Weikusat

Dec 23, 2009, 7:56:44 AM
Riccardo Manfrin <names...@guesswhat.guesswhat> writes:
> I need to track each TCP link traffic load (rate). I already have the
> information regarding all opened TCP links, but I don't know what the
> best way could be to retrieve traffic information to associate to
> those.
>
> To do the job what I need is basically
> a) to bind a packet to the correct flow, hence knowing the tuple:
> [src_ip, src_port, dst_ip, dst_port, transport]
> b) to know the packet size (optionally the timestamp would help too,
> but I can generate that independently).

The netfilter-code supports flow accounting in the conntrack table.
Provided 'connection tracking' is active (conntrack modules are
loaded), this can be enabled/disabled by using the

/proc/sys/net/netfilter/nf_conntrack_acct

file, e.g.

printf 1 >/proc/sys/net/netfilter/nf_conntrack_acct

to enable. The data can be 'viewed' by looking at the content of

/proc/net/ip_conntrack


Somewhat dated but maybe useful:

http://www.free-it.org/archiv/talks_2005/paper-11076/paper-11076.html
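
The following is an added example, not part of the original thread: it turns two snapshots of the conntrack table, taken with accounting enabled as described in the reply above, into per-flow byte rates without capturing any packets. The line layout, the sample lines and the names parse_conntrack and flow_rates are assumptions made for illustration.

```python
import re

# Constructed snapshots, 10 s apart, in the layout /proc/net/ip_conntrack
# usually has once accounting is on (addresses and counters are made up).
SNAP_T0 = (
    "tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40000 "
    "dport=443 packets=10 bytes=1500 src=198.51.100.5 dst=192.0.2.10 sport=443 "
    "dport=40000 packets=8 bytes=9000 [ASSURED] mark=0 use=2\n"
    "udp      17 25 src=192.0.2.10 dst=192.0.2.1 sport=5353 dport=53 packets=1 "
    "bytes=70 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=5353 packets=1 "
    "bytes=120 mark=0 use=2\n"
)
SNAP_T1 = SNAP_T0.replace("bytes=1500", "bytes=6500").replace("bytes=9000", "bytes=109000")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_conntrack(text, proto="tcp"):
    """Map (src, sport, dst, dport, proto) -> (original_bytes, reply_bytes)."""
    flows = {}
    for line in text.splitlines():
        tokens = line.split()
        # The newer /proc/net/nf_conntrack puts "ipv4 2" before the protocol name.
        if proto not in tokens[:3]:
            continue
        pairs = FIELD.findall(line)
        first = {}
        for k, v in pairs:
            first.setdefault(k, v)  # first occurrence = original direction
        counters = [int(v) for k, v in pairs if k == "bytes"]
        if len(counters) < 2 or not first.keys() >= {"src", "sport", "dst", "dport"}:
            continue  # accounting disabled, or entry without ports
        key = (first["src"], int(first["sport"]),
               first["dst"], int(first["dport"]), proto)
        flows[key] = (counters[0], counters[1])
    return flows

def flow_rates(before, after, interval_s):
    """Bytes per second for each flow as (original, reply) between snapshots."""
    rates = {}
    for key, (o1, r1) in after.items():
        o0, r0 = before.get(key, (0, 0))
        if o1 < o0 or r1 < r0:  # same tuple reused by a new connection
            o0, r0 = 0, 0
        rates[key] = ((o1 - o0) / interval_s, (r1 - r0) / interval_s)
    return rates

if __name__ == "__main__":
    print(flow_rates(parse_conntrack(SNAP_T0), parse_conntrack(SNAP_T1), 10))
```

On a live system the two snapshots would come from reading the proc file twice, with the interval measured between the reads.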
