Tuesday, October 6, 2015

Analyze Your Network Traffic By Source IP Address : The Network Analyzer Version 2

In my last article (Detect Sudden Increase In Your Network Traffic), I showed how to create a simple tool that alerts us when the system sees a sudden increase in network traffic.

In this article, I will show how, once a system is receiving abnormal network traffic, we can analyze that traffic further to see whether it is coming from a few particular IP addresses.

So, let's start.

Analyzing network traffic by source IP addresses

This time we need something more than a simple shell script; we will take the help of a more powerful scripting language.

Let's first discuss the idea we will use to analyze the traffic. Then we can decide which scripting language fits the job.

How to solve the problem

Our job is a simple one. We need to capture the system's network traffic for fixed intervals, and at the end of each interval report how many packets came from each source IP address.

To do this, we need a utility that lists the source IP address of every packet it captures. We redirect that list to an output file. The next module takes the file as input and reports how much traffic has come from each IP.

The tools and scripting language

There are a couple of tools that can list the source IP addresses of captured packets. tcpdump and tshark (the command-line front end of Wireshark) are two of them.

For our purpose, we would be using tshark.

On a Debian-based Linux system (Debian, Ubuntu), you can install the utility easily:

# sudo apt-get install tshark

If you type the following command in the terminal, tshark will capture on eth1 for 15 seconds and print the source IP address of every captured packet, one address per line. Note that this is one line per packet, not a list of unique addresses, so an address repeats as many times as packets arrived from it. A packet with no IPv4 header (an ARP frame, for example) has no ip.src field and prints as an empty line, so the file may contain blank lines.

# sudo tshark -i eth1 -T fields -e ip.src -a duration:15

As I said earlier, we would be redirecting it to a file. And the next module can take the file as input and report how many network packets have come from each IP address.

Now, we should be deciding on the scripting language.

Doing this in shell script alone is going to be cumbersome. Instead we can use Python. Python has a simple and handy data structure called a dictionary (a hash map of keys to values), and that is exactly what a per-address counter needs.

With that, our job looks much simpler. Using Python, we open the output file, read each line, and use the IP address on that line as a key in the dictionary. If an IP address appears multiple times, we simply increase its count.

The script

We drive everything from a short shell script, saved as ip_analyzer.sh, which runs tshark and then invokes the Python code:

#!/bin/bash
while :
do
    sudo tshark -i eth1 -T fields -e ip.src -a duration:15 > ipfile
    python ip.py
done

This is really short and simple. It loops forever: each pass runs tshark for 15 seconds, redirects its output to ipfile, and then calls the Python program ip.py to summarise that file. (The original post omitted the do/done that the while loop needs; they are required.)

The Python code ip.py is given below :

from __future__ import print_function   # so the same file runs under Python 2 and 3

# Count how many captured packets carried each source IP address.
counts = {}
with open("ipfile", "r") as f:
    for line in f:
        ip = line.rstrip()          # drop the trailing newline
        if not ip:                  # packets with no IPv4 header leave the field empty
            continue
        counts[ip] = counts.get(ip, 0) + 1

for ip in counts:
    print('IP : ', ip, '\tcount : ', counts[ip])

The Python code opens the file ipfile, reads each line, strips the newline character at the end of the line to get the IP address, and skips the empty lines that non-IPv4 packets leave behind. It then uses the IP address as a key in the dictionary, increasing the count each time the same address is seen again. (The original listing used the name dict for the dictionary, which shadows Python's built-in dict type; it is renamed counts here.)
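A fuller version of the same counter, added here as an example and not the post's own ip.py, written for Python 3. It assumes tshark was started with two fields, -e ip.src -e frame.len, so that each line carries the source address and the frame length separated by a tab (tshark's default field separator). Compared with the listing above it reports bytes as well as packets, counts packets that have no IPv4 header instead of silently skipping blank lines, sorts the sources largest first, and flags any single source that accounts for more than half of the captured bytes, which is the kind of source you want to look at after a "sudden increase" alert. The capture lines inside the block are constructed for the example, not taken from a real interface.

```python
"""Per-source traffic report from tshark field output (Python 3).

Added example, not the original post's ip.py. Assumes tshark was run as:

    tshark -i eth1 -T fields -e ip.src -e frame.len -a duration:15 > ipfile

so every line is "<ip.src>\\t<frame.len>". A packet without an IPv4 header
(ARP, IPv6, ...) has an empty ip.src field, so its line starts with a tab.
"""
from collections import defaultdict


def parse_tshark_fields(lines):
    """Return ({ip: (packets, bytes)}, non_ipv4_packets).

    `lines` are tab-separated 'ip.src<TAB>frame.len' records as tshark prints them.
    """
    stats = defaultdict(lambda: [0, 0])   # ip -> [packet count, byte count]
    non_ipv4 = 0
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue                      # completely empty line: nothing to count
        fields = line.split("\t")
        src = fields[0].strip()
        length = 0
        if len(fields) > 1 and fields[1].strip().isdigit():
            length = int(fields[1])
        if not src:
            non_ipv4 += 1                 # packet had no IPv4 header
            continue
        # An encapsulated packet (e.g. IP-in-IP) carries two IPv4 headers and
        # tshark joins both values with a comma; attribute it to the outer one.
        src = src.split(",")[0]
        stats[src][0] += 1
        stats[src][1] += length
    return {ip: tuple(v) for ip, v in stats.items()}, non_ipv4


def rank_sources(stats, key="bytes"):
    """Sources sorted largest first, by 'bytes' (default) or 'packets'."""
    idx = 1 if key == "bytes" else 0
    return sorted(stats.items(), key=lambda kv: kv[1][idx], reverse=True)


def dominant_sources(stats, min_share=0.5):
    """IPs that alone account for at least min_share of all captured bytes."""
    total = sum(nbytes for _, nbytes in stats.values())
    if total == 0:
        return []
    return [ip for ip, (_, nbytes) in stats.items() if nbytes / total >= min_share]


# Constructed sample capture standing in for the contents of ipfile.
# Lines beginning with a tab are packets that had no IPv4 header.
SAMPLE = """\
192.168.1.10\t1514
192.168.1.10\t1514
10.0.0.5\t74
\t60
192.168.1.10\t1514
10.0.0.7\t66
\t42
203.0.113.9\t590
10.0.0.5\t74
"""

if __name__ == "__main__":
    stats, other = parse_tshark_fields(SAMPLE.splitlines(keepends=True))
    for ip, (pkts, nbytes) in rank_sources(stats):
        print("IP : %-15s\tpackets : %4d\tbytes : %6d" % (ip, pkts, nbytes))
    print("packets without IPv4 header :", other)
    print("dominant sources :", dominant_sources(stats))
```

To use it against a live capture, replace SAMPLE with open("ipfile") and keep the two-field tshark invocation from the docstring; everything else stays the same. Ranking by bytes rather than packets matters because a flood of small packets and a bulk transfer look very different in a packet-only count.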

Running the script

If we run the script, it prints a report of how many packets arrived from each source IP address during the interval.

Here is a sample output (tshark's own "Capturing on ..." and "... packets captured" messages go to stderr and appear alongside the report):

# ./ip_analyzer.sh

Capturing on eth1
91 packets captured
IP : count : 5
IP : count : 3
IP : count : 42
IP : count : 29
IP : count : 2
IP : count : 1
IP : count : 1
IP : count : 3

The script prints a fresh report at the end of every 15 second interval.

So, hope you have enjoyed reading about this small experiment.

Please feel free to share your comments and suggestions.
