Monday, February 15, 2010

Display top sources using tcpdump

If you need a quick view of which source addresses are sending the most packets on an interface, you can run the following pipeline. It is not a live display: the results appear once tcpdump has captured the requested number of packets.

tcpdump -tnn -c 20000 -i eth0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '


Replace eth0 with the name of the interface you are working on, and raise 20000 if you want a larger sample. What each stage does: -t drops the timestamp, -nn stops tcpdump from resolving addresses and ports (resolving would be slow and would send a DNS query for every host seen in the capture), -c 20000 ends the capture after that many packets, the first awk keeps the first four dot-separated fields of each line, which is the source address because tcpdump prints source before destination, sort | uniq -c | sort -nr counts and ranks the addresses, and the final awk keeps only sources seen in more than 100 packets.

A few things to keep in mind: capturing needs root or CAP_NET_RAW; on current tcpdump versions the first field also carries the "IP " prefix, so expect lines like "363 IP 204.1.1.1"; the counts are packets, not bytes; the split assumes a dotted-quad IPv4 address, so ARP or IPv6 lines turn into junk entries (adding the capture filter ip, i.e. tcpdump -tnn -c 20000 -i eth0 ip, avoids that); and if you are logged in over the same interface, your own session is counted too.


Sample output:
tcpdump: listening on eth3c0
363 I 204.1.1.1
287 O 212.1.1.1
161 I 204.1.1.1
152 O 204.1.1.1
137 I 204.1.1.1
122 I 204.1.1.1
105 O 203.1.1.1
89 O 10.1.1.1
56 O 10.1.1.1
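The same count done with a parser that keys on tcpdump's "src > dst" layout instead of splitting every line on dots, as an added example that is not part of the original post. It puts the post's own one-liner beside a version that skips ARP and IPv6 lines, strips the source port, and applies the threshold inside awk; the input lines are constructed to match what tcpdump -tnn prints and are not from a real capture, and the function and option names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): counting source addresses in
# "tcpdump -tnn" output read from stdin.

# The one-liner from the post, as a function, for comparison. It splits
# every line on "." whether or not the line holds a dotted quad.
naive_top_sources() {
    awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr
}

# Robust version: only "IP" lines, source port stripped, optional threshold.
# $1: minimum packet count to report (default 1).
top_sources() {
    min=${1:-1}
    awk -v min="$min" '
        $1 == "IP" {                      # skip ARP, IP6, STP, ... lines
            src = $2                      # "a.b.c.d.port", or "a.b.c.d" for ICMP
            n = split(src, o, ".")
            if (n == 5)
                src = o[1] "." o[2] "." o[3] "." o[4]   # drop the port
            else if (n != 4)
                next                      # not a dotted quad, ignore it
            count[src]++
        }
        END {
            for (s in count)
                if (count[s] >= min) printf "%d %s\n", count[s], s
        }' | sort -k1,1nr -k2,2
}

# Constructed sample in the layout "tcpdump -tnn" prints; not a real capture.
sample_capture() {
    cat <<'EOF'
IP 204.1.1.1.40001 > 10.0.0.5.80: Flags [S], seq 1, win 65535, length 0
IP 204.1.1.1.40002 > 10.0.0.5.80: Flags [S], seq 2, win 65535, length 0
IP 204.1.1.1.40003 > 10.0.0.5.443: Flags [S], seq 3, win 65535, length 0
IP 212.1.1.1 > 10.0.0.5: ICMP echo request, id 7, seq 1, length 64
IP 212.1.1.1 > 10.0.0.5: ICMP echo request, id 7, seq 2, length 64
IP 10.0.0.5.80 > 204.1.1.1.40001: Flags [S.], seq 9, ack 2, win 29200, length 0
ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
EOF
}

# Live use (needs root or CAP_NET_RAW); the "ip" capture filter keeps
# non-IPv4 frames out before they reach awk. Hypothetical helper, e.g.:
#   top_sources_live eth0 20000 100
top_sources_live() {
    tcpdump -tnn -c "$2" -i "$1" ip | top_sources "$3"
}

# Run the parser over the constructed sample, reporting sources seen twice or more.
sample_capture | top_sources 2
```

On the sample, the robust parser reports 204.1.1.1 three times and 212.1.1.1 twice and ignores the ARP and IP6 lines, while the post's one-liner turns the ARP line into an entry of its own because the split on "." finds dots in the middle of it.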

4 comments:

  1. Great job, but still I am not sure what the sample output explains.
  2. I apologize for the confusion. I accidentally omitted the last 2 octets of the IPs because they were in production environments. I hope my recent edit clarifies things.
  3. From the command prompt we have to run this command???