Monitoring and Analyzing Network Packet Rates with tcpdump: A Practical Guide for Detecting High-Traffic Attacks

When dealing with network security, one common challenge is detecting sudden spikes in traffic that might indicate a DDoS attack or port saturation. The original script below takes a simple approach: it reads the receive-packet counter for one interface from /proc/net/dev twice, one second apart, and treats the difference as the packet rate.

interface=eth0
dumpdir=/tmp/

while /bin/true; do
  # second field after "eth0:" in /proc/net/dev is the receive packet counter
  pkt_old=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
  sleep 1
  pkt_new=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')

  pkt=$(( pkt_new - pkt_old ))
  echo -ne "\r$pkt packets/s\033[0K"

  if [ "$pkt" -gt 5000 ]; then
    echo -e "\n$(date) Under attack, dumping packets."
    # capture stops after a fixed count of 2000 packets, however long the burst lasts
    tcpdump -n -s0 -c 2000 -w "$dumpdir/dump.$(date +"%Y%m%d-%H%M%S").cap"
    echo "$(date) Packets dumped, sleeping now."
    sleep 300
  fi
done

The main issue with this approach is that it captures a fixed number of packets (2000) regardless of how long the attack actually lasts: the length of the capture is dictated by the packet count, not by the attack window. As the capinfos output below shows, this leads to inaccurate rate calculations when the attack duration is shorter than the capture time.

Here's a modified version that captures traffic for a fixed duration (5 seconds) when the threshold is exceeded:

interface=eth0
dumpdir=/tmp/
threshold=5000
capture_duration=5

while /bin/true; do
  pkt_old=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
  sleep 1
  pkt_new=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')

  pkt=$(( pkt_new - pkt_old ))
  echo -ne "\r$pkt packets/s\033[0K"

  if [ "$pkt" -gt "$threshold" ]; then
    echo -e "\n$(date) Under attack, capturing packets for $capture_duration seconds"
    # timeout sends SIGTERM after the interval; tcpdump flushes and closes the file on it
    timeout "$capture_duration" tcpdump -n -s0 -w "$dumpdir/dump.$(date +"%Y%m%d-%H%M%S").cap"
    echo "$(date) Packets dumped, sleeping now."
    sleep 300
  fi
done

  • Uses timeout instead of -c to limit the capture by duration rather than by packet count
  • More accurate rate calculation, as the capture covers a known time window
  • Configurable threshold and capture duration
  • Terminates cleanly: on the SIGTERM from timeout, tcpdump flushes and closes the capture file
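As an added example (not the original script or its author's code), the same check factored into shell functions that take the /proc/net/dev text as an argument, so the parsing and threshold logic can be tested on constructed snapshots before the loop is pointed at the live file; the interface names, counters and snapshot text are constructed for illustration:

```shell
#!/bin/sh
# Added example, not code from the original post: the /proc/net/dev rate check
# factored into functions that take the counter text as an argument, so parsing
# and thresholding can be tested on constructed snapshots (all values below are
# constructed) before the loop is pointed at the live file.

# rx_packets IFACE TEXT: receive-packets counter for IFACE from /proc/net/dev
# text. Matches the name exactly ("eth0" does not match "veth0") and copes
# with a large byte counter abutting the colon ("eth0:123456789 ...").
rx_packets() {
    printf '%s\n' "$2" | awk -v ifc="$1" '{
        sub(/^[ \t]+/, "")                                 # strip padding
        if (substr($0, 1, length(ifc) + 1) == ifc ":") {
            sub(/^[^:]*:/, "")                             # keep counters only
            print $2; exit                                 # RX: bytes packets ...
        }
    }'
}

# pkt_rate OLD NEW SECONDS: packets per second between two readings. A counter
# that went backwards (interface reset or wrap) yields 0, not a negative value.
pkt_rate() {
    if [ "$2" -lt "$1" ]; then echo 0; else echo $(( ($2 - $1) / $3 )); fi
}

# over_threshold RATE THRESHOLD: succeeds when RATE exceeds THRESHOLD.
over_threshold() { [ "$1" -gt "$2" ]; }
# Constructed snapshots one second apart: eth0 received 7500 packets.
SNAP_OLD='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0:123456789 100000    0    0    0     0          0         0   500000    2000    0    0    0     0       0          0
 veth0:    5000      50    0    0    0     0          0         0     6000      60    0    0    0     0       0          0'
SNAP_NEW=$(printf '%s\n' "$SNAP_OLD" | sed 's/eth0:123456789 100000/eth0:133456789 107500/')

# monitor IFACE THRESHOLD SECONDS DUMPDIR: the live loop from the script above,
# e.g. `monitor eth0 5000 5 /tmp` as root.
monitor() {
    while :; do
        old=$(rx_packets "$1" "$(cat /proc/net/dev)"); sleep 1
        new=$(rx_packets "$1" "$(cat /proc/net/dev)")
        rate=$(pkt_rate "$old" "$new" 1)
        printf '\r%s packets/s\033[0K' "$rate"
        if over_threshold "$rate" "$2"; then
            printf '\n%s %s pkt/s > %s, capturing for %ss\n' "$(date)" "$rate" "$2" "$3"
            timeout "$3" tcpdump -n -s0 -i "$1" -w "$4/dump.$(date +%Y%m%d-%H%M%S).cap"
            sleep 300
        fi
    done
}
```

Running `rx_packets eth0 "$SNAP_OLD"` and `rx_packets eth0 "$SNAP_NEW"` through pkt_rate gives 7500 packets/s, which over_threshold flags against the 5000 threshold; a counter that went backwards yields 0 instead of a negative rate.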

After capturing, use capinfos to get precise statistics:

capinfos dump.20230101-120000.cap
File name:           dump.20230101-120000.cap
File encapsulation:  Ethernet
Number of packets:   12345
Capture duration:    5 seconds
Data bit rate:       12.34 Mbps

For more sophisticated monitoring, consider using iftop or ntopng for real-time traffic analysis. Here's a simple iftop command to monitor bandwidth:

iftop -i eth0 -n -B -t -s 5

This provides a real-time display of bandwidth usage per connection, which can be more effective for identifying specific attack patterns.

For high-volume networks, consider using ring buffer captures:

tcpdump -n -s0 -G 300 -W 10 -w $dumpdir/dump-%Y%m%d-%H%M%S.cap

This rotates to a new capture file every 300 seconds, with the timestamp pattern expanded by strftime. Note that when -W is combined with -G it caps the total number of rotated files: tcpdump exits once 10 files have been written rather than overwriting the oldest. A true ring buffer that keeps only the last N files needs size-based rotation (-C together with -W).


When dealing with network security, monitoring packet rates is crucial for detecting potential DDoS attacks or traffic spikes. The original script checks incoming packet rates by comparing /proc/net/dev values read at a 1-second interval:

interface=eth0
dumpdir=/tmp/

while /bin/true; do
  pkt_old=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
  sleep 1
  pkt_new=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
  pkt=$(( pkt_new - pkt_old ))

The key improvement is capturing packets for a fixed duration rather than a fixed count. This provides better rate analysis:

if [ "$pkt" -gt 5000 ]; then
    echo -e "\n$(date) Under attack, dumping packets."
    # capture for 5 seconds regardless of packet count
    timeout 5 tcpdump -n -s0 -w "$dumpdir/dump.$(date +"%Y%m%d-%H%M%S").cap"
    echo "$(date) Packets dumped, sleeping now."
    sleep 300
fi

Use capinfos to get precise timing and rate information from the pcap file:

$ capinfos dump.20230101-120000.cap
Capture duration:    5 seconds
Data bit rate:       375747.94 bits/sec
Average packet rate: 46.19 packets/sec

For high-speed networks, consider these optimizations:

# Larger capture buffer (-B, in KiB) and a short snapshot length (-s 96 keeps
# the headers but truncates payload, which cuts the volume written to disk)
timeout 5 tcpdump -B 4096 -s 96 -w capture.pcap

# Filter to the traffic of interest so the kernel drops the rest before it reaches tcpdump
timeout 5 tcpdump -n "tcp and port 80" -w http_traffic.pcap

To estimate the instantaneous packet rate while capturing, print epoch timestamps (-tt, which awk can subtract directly; the -tttt date-and-time form cannot be subtracted as a number) and compute the gap between consecutive packets:

tcpdump -n -l -tt -i eth0 | awk '{
  # $1 is a Unix timestamp with microseconds, e.g. 1672574400.123456
  if (last && $1 > last) {
    delay = $1 - last
    total += delay
    count++
    print 1/delay " packets/sec"
  }
  last = $1
}
END { if (count) print "average: " count/total " packets/sec" }'

If capture files come out truncated or corrupted (typically because tcpdump was killed before its output was flushed):

  • Use tcpdump -W 5 -C 100 to rotate through five files of 100 million bytes each instead of one ever-growing file
  • Add the -U flag so output is packet-buffered, i.e. each packet is flushed to the file as it is written
  • Check the kernel receive buffer limit with sysctl net.core.rmem_max