Set out tonight to find a way to log “network traffic” through the interfaces on my solaris box. What I was wanting was the actually amount of traffic going through the interfaces. First thought was to use netstat. But that only shows “packets” and the packets could be differing sizes. So I ended up using kstat. I wrote this simple little script to grab the interface names, and then use kstat to get the data out of the network module for each card:<\/p>\n
\r\n#!\/bin\/ksh\r\n#Get list of Ethernet Cards in machine:\r\nMyHOST="`hostname`"\r\nOS="`uname -r`"\r\nif [ ${OS} == "5.10" ] ; then\r\n MyETHERS="`\/usr\/sbin\/dladm show-dev | awk '{print $1}'`"\r\nelse\r\n MyETHERS="`\/usr\/sbin\/ifconfig -a | awk '{print $1}' | grep \\":\\" | awk -F':' '{print $1}' | sort -u | grep -v \\"^lo0\\"`"\r\nfi\r\nCOUNT=0\r\nwhile [ $COUNT -lt 800 ]; \r\n do\r\n for i in `echo $MyETHERS`\r\n do\r\n OBYTES="`\/usr\/bin\/kstat -p -c net -n $i -s obytes64 | awk '{print $2}'`"\r\n RBYTES="`\/usr\/bin\/kstat -p -c net -n $i -s rbytes64 | awk '{print $2}'`"\r\n SNAPTIME="`perl -e \\"print(time());\\"`"\r\n echo "${MyHOST},${i},${SNAPTIME},${OBYTES},${RBYTES}"\r\n OBYTES=\r\n RBYTES= \r\n SNAPTIME=\r\n done\r\n sleep 10\r\n COUNT="`expr $COUNT + 1`"\r\ndone\r\n<\/pre>\nYou have to be root to run this, but that is only because of the dladm command I am using on Solaris 10. If you don’t want to run it as root, then comment out the if statement and just leave the line that uses ifconfig. When you run it, it will produce an output like this:<\/p>\n
\ngonzo,elxl0,1252806095,37255837,715035
\ngonzo,rge0,1252806096,605012664015,863919572622
\ngonzo,elxl0,1252806106,37255837,715035
\ngonzo,rge0,1252806107,605012664377,863919573090\n<\/p><\/blockquote>\n
The output is formated as hostname, ethernet, time of the run, sending bytes, and receiving bytes. (The time is the epoch time.) The above script will only run 800 times, pausing 10 seconds between each run of the kstat. You can change how long it runs by changing the line:<\/p>\n
\r\nwhile [ $COUNT -lt 800 ]; \r\n<\/pre>\nJust change the 800 to some other number. The second item to change is the “interval” time and that is controled by the :<\/p>\n
\r\nsleep 10\r\n<\/pre>\nYou probably don’t want to run this every second. Every 10 is about right, as it will allow me to get the traffic with out much overhead.<\/p>\n
The second script I did, was a little php script (but can be done in probably any language, but I use php for just about everything. This script takes output from the file you created above (just run the above script, redirect it to a file) and gives you a human readable output.<\/p>\n
Note if you have more than one ethernet card active in your system, currently you will need to
\n“grep” out each card to it’s own file. If you have a bunch of machines, you should probably import the data from above in to a mysql db, and then modify this script to pull the info from it.<\/p>\n
Here is the script to just parse one network card:<\/p>\n
\r\n< ?php\r\ndate_default_timezone_set("EST");\r\n$fp=fopen("Netstat.csv",r);\r\nif ($fp) {\r\n $i=0;\r\n while (!feof($fp)) {\r\n $buffer=fgets($fp);\r\n if ($buffer) { \r\n list($hostname[$i],$ethernet[$i],$time[$i],$sending[$i],$receiving[$i]) = explode(",",$buffer);\r\n $newtime=date('r',$time[$i]);\r\n if ($i != 0 ) {\r\n $TDIFF=($time[$i]-$time[$i-1]);\r\n $SDIFF=($sending[$i]-$sending[$i-1])\/$TDIFF\/1024\/1024;\r\n $RDIFF=($receiving[$i]-$receiving[$i-1])\/$TDIFF\/1024\/1024;\r\n printf("%s|%s|%s|%3.3f|%3.3f\\n",$hostname[$i],$ethernet[$i],$newtime,$SDIFF,$RDIFF);\r\n $SDIFF="";\r\n $RDIFF="";\r\n $TDIFF="";\r\n }\r\n $i++;\r\n }\r\n }\r\n}\r\nfclose($fp);\r\n?>\r\n<\/pre>\nIn the above, I named my redirected output to be Netstat.csv. What the above script outputs will look like this:<\/p>\n
\ngonzo|rge0|Sat, 12 Sep 2009 15:44:38 -0500|0.000|0.000
\ngonzo|rge0|Sat, 12 Sep 2009 15:44:49 -0500|0.000|0.007
\ngonzo|rge0|Sat, 12 Sep 2009 15:45:04 -0500|6.677|0.065
\ngonzo|rge0|Sat, 12 Sep 2009 15:45:18 -0500|3.148|0.027
\ngonzo|rge0|Sat, 12 Sep 2009 15:45:41 -0500|5.377|0.076
\ngonzo|rge0|Sat, 12 Sep 2009 15:45:55 -0500|8.678|0.111
\ngonzo|rge0|Sat, 12 Sep 2009 15:46:16 -0500|9.499|0.117
\ngonzo|rge0|Sat, 12 Sep 2009 15:46:30 -0500|8.861|0.117
\ngonzo|rge0|Sat, 12 Sep 2009 15:46:46 -0500|9.183|0.120
\ngonzo|rge0|Sat, 12 Sep 2009 15:47:02 -0500|10.783|0.139
\ngonzo|rge0|Sat, 12 Sep 2009 15:47:15 -0500|7.103|0.093
\ngonzo|rge0|Sat, 12 Sep 2009 15:47:29 -0500|7.165|0.100
\ngonzo|rge0|Sat, 12 Sep 2009 15:47:44 -0500|6.995|0.095
\ngonzo|rge0|Sat, 12 Sep 2009 15:48:01 -0500|6.986|0.099
\ngonzo|rge0|Sat, 12 Sep 2009 15:48:15 -0500|5.678|0.069
\ngonzo|rge0|Sat, 12 Sep 2009 15:48:28 -0500|6.530|0.090
\ngonzo|rge0|Sat, 12 Sep 2009 15:48:53 -0500|3.477|0.046
\ngonzo|rge0|Sat, 12 Sep 2009 15:49:14 -0500|6.459|0.083
\ngonzo|rge0|Sat, 12 Sep 2009 15:49:31 -0500|7.754|0.105
\ngonzo|rge0|Sat, 12 Sep 2009 15:49:58 -0500|9.416|0.121
\ngonzo|rge0|Sat, 12 Sep 2009 15:50:10 -0500|10.854|0.139
\ngonzo|rge0|Sat, 12 Sep 2009 15:50:21 -0500|11.922|0.152
\ngonzo|rge0|Sat, 12 Sep 2009 15:50:31 -0500|12.556|0.165
\ngonzo|rge0|Sat, 12 Sep 2009 15:50:43 -0500|12.813|0.170
\ngonzo|rge0|Sat, 12 Sep 2009 15:50:54 -0500|14.783|0.188
\ngonzo|rge0|Sat, 12 Sep 2009 15:51:05 -0500|12.729|0.168
\ngonzo|rge0|Sat, 12 Sep 2009 15:51:16 -0500|12.018|0.148
\ngonzo|rge0|Sat, 12 Sep 2009 15:51:27 -0500|10.786|0.141
\ngonzo|rge0|Sat, 12 Sep 2009 15:51:38 -0500|13.566|0.167
\ngonzo|rge0|Sat, 12 Sep 2009 15:51:49 -0500|11.234|0.144
\ngonzo|rge0|Sat, 12 Sep 2009 15:52:01 -0500|12.914|0.165\n<\/p><\/blockquote>\n
The output is : hostname, ethernet, time of query,sending speed in Mbps, receiving speed in Mbps. As you can see from the above, I was copying some large amounts of data. <\/p>\n","protected":false},"excerpt":{"rendered":"
Set out tonight to find a way to log “network traffic” through the interfaces on my solaris box. What I was wanting was the actually amount of traffic going through the interfaces. First thought was to use netstat. But that only shows “packets” and the packets could be differing sizes. So I ended up using … <\/p>\n