
Linux packet inspection, tcpdump – how to check the packet rate?

I am using this script to actually check the rate of incoming packets; if the rate reaches 5 Mbps or higher it is triggered, and then it logs the packets to a tcpdump file.

#!/bin/bash
# Monitor the inbound packet rate of one interface and, when it crosses the
# threshold, write a bounded tcpdump capture into dumpdir.
interface=eth0
dumpdir=/tmp

while true; do
    # In /proc/net/dev the second field after "iface:" is the receive packet counter.
    pkt_old=$(grep "^ *$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
    sleep 1
    pkt_new=$(grep "^ *$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
    pkt=$(( pkt_new - pkt_old ))
    echo -ne "\r$pkt packets/s\033[0K"

    if [ "$pkt" -gt 5000 ]; then
        echo -e "\n$(date) Under attack, dumping packets."
        # Capture 2000 packets on the monitored interface, then stop.
        tcpdump -i "$interface" -n -s0 -c 2000 -w "$dumpdir/dump.$(date +"%Y%m%d-%H%M%S").cap"
        echo "$(date) Packets dumped, sleeping now."
        sleep 300
    fi
done

The output is something like: 2000 packets captured, XXX packets received by filter, and XXX-(minus)2000 packets dropped by kernel.

Now what I want to know is this: the output file doesn't actually tell me the speed of the attack, whether it was 300 Mbps or whatever. So is the "XXX packets received by filter" figure per second? If not, how can I check it, since my port sometimes gets saturated?

Update:

I used the capinfos program to get statistics from the file captured by the script above. Here is what I got:

capinfos dump.20130621-174506.cap
File name: dump.20130621-174506.cap
File type: Wireshark/tcpdump/... - libpcap
File encapsulation: Linux cooked-mode capture
Number of packets: 2000
File size: 2065933 bytes
Data size: 2033909 bytes
Capture duration: 43 seconds
Start time: Fri Jun 21 17:45:06 2013
End time: Fri Jun 21 17:45:49 2013
Data byte rate: 46968.49 bytes/sec
Data bit rate: 375747.94 bits/sec
Average packet size: 1016.95 bytes
Average packet rate: 46.19 packets/sec

I believe the attack may have lasted only 15-20 seconds, while the capture is 43 seconds long, so the data bit rate here has probably been averaged over that whole time. What might help here is if someone could edit the original script above so that, instead of capturing 2000 packets and dropping the rest, it captures all packets for a duration of 5 seconds once the threshold is reached.

Update:

After changing the script as mentioned above, it looks like the file is corrupted, because when I open it in Wireshark it says "The capture file appears to have been cut short in the middle of a packet." This is the capinfos output:

capinfos: An error occurred after reading 3085 packets from "dump.20130710-215413.cap": Less data was read than was expected.

On the second attempt, the file could only be read once I pressed Ctrl+C in the script's console:

capinfos dump.20130710-215413.cap
File name: dump.20130710-215413.cap
File type: Wireshark/tcpdump/... - libpcap
File encapsulation: Linux cooked-mode capture
Number of packets: 18136
File size: 2600821 bytes
Data size: 2310621 bytes
Capture duration: 591 seconds
Start time: Wed Jul 10 21:54:13 2013
End time: Wed Jul 10 22:04:04 2013
Data byte rate: 3909.73 bytes/sec
Data bit rate: 31277.83 bits/sec
Average packet size: 127.41 bytes
Average packet rate: 30.69 packets/sec

Note that the capture duration is 591 seconds. I believe 'sleep 300' has something to do with it, going by the console output I saw. This is the output with the '-c 2000' option:

./Log.sh
10275 packets/s
Wed Jul 10 12:41:31 MSD 2013 Under attack, dumping packets.
tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
2000 packets captured
100012 packets received by filter
98003 packets dropped by kernel
Wed Jul 10 12:42:34 MSD 2013 Packets dumped, sleeping now.

Now, this is the output after modifying the script with 'sleep 5':

./Log.sh
24103 packets/s
Wed Jul 10 21:54:13 MSD 2013 Under attack, dumping packets.
tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
Wed Jul 10 21:54:18 MSD 2013 Packets dumped, sleeping now.
1620 packets/s
18136 packets captured
1850288 packets received by filter
1832106 packets dropped by kernel
^C

Note that I pressed Ctrl+C to break out of the sleep, which I guess is what made the file readable.
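The second run's console output answers the question about the corrupted file: "Packets dumped, sleeping now." is printed five seconds after the capture starts, but tcpdump's own "packets captured / received by filter / dropped by kernel" summary only appears after Ctrl+C, so the 'sleep 5' variant bounded the script rather than tcpdump itself, and tcpdump kept appending to the pcap (591 seconds of it) until the interrupt flushed and closed the file. Two other points follow from the posted output: the script triggers on packets/s (the comparison is against 5000 packets), not on 5 Mbps as the text says, and the rate the interface actually saw is "packets received by filter" divided by the capture duration, not the "packets captured" figure that capinfos averages over the whole file. The script below is an added example, not the poster's Log.sh: it measures both packets/s and Mbit/s from /proc/net/dev, bounds the capture to a fixed window by sending tcpdump SIGINT through coreutils timeout (assumed installed), and converts tcpdump's closing summary into per-second rates. The two /proc/net/dev snapshots and the tcpdump summary embedded in it are constructed test inputs (the summary borrows the packet counts from the question's second run), and the interface name, thresholds, 5-second window and /tmp dump directory are assumptions.

```sh
#!/bin/sh
# Added example, not the poster's Log.sh: measure the inbound rate of one
# interface in both packets/s and Mbit/s from /proc/net/dev, and when either
# threshold is crossed, capture for a fixed number of seconds so that tcpdump
# closes the pcap cleanly and the capture duration is known. Interface name,
# thresholds, window and dump directory below are assumptions.

# Constructed /proc/net/dev snapshots taken one second apart. After "iface:" the
# receive counters come first: bytes packets errs drop fifo frame compressed multicast.
SNAP_OLD='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345      100    0    0    0     0          0         0    12345      100    0    0    0     0       0          0
  eth0:1000000    10000    0    0    0     0          0         0   500000     4000    0    0    0     0       0          0'
SNAP_NEW='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345      100    0    0    0     0          0         0    12345      100    0    0    0     0       0          0
  eth0:7250000    22000    0    0    0     0          0         0   500000     4000    0    0    0     0       0          0'

# Constructed tcpdump stderr of the kind printed when a capture ends; the packet
# figures are borrowed from the question's second run, the 5 s window is assumed.
SAMPLE_SUMMARY='tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
18136 packets captured
1850288 packets received by filter
1832106 packets dropped by kernel'

# rx_counter SNAPSHOT IFACE FIELD: print one receive-side counter (1 = bytes,
# 2 = packets). The name and first number can be glued ("eth0:1000000"), so
# strip everything up to the colon and re-split before picking the field.
rx_counter() {
    printf '%s\n' "$1" | awk -v want="$2:" -v f="$3" '
        index($1, want) == 1 { sub(/^[^:]*:/, ""); $0 = $0; print $f; exit }'
}

# per_second NEW OLD SECONDS: integer counter delta per second.
per_second() {
    echo $(( ($1 - $2) / $3 ))
}

# bytes_to_mbit BYTES_PER_SEC: Mbit/s with two decimals.
bytes_to_mbit() {
    awk -v b="$1" 'BEGIN { printf "%.2f\n", b * 8 / 1000000 }'
}

# over_threshold PPS MBIT PPS_LIMIT MBIT_LIMIT: succeed if either limit is
# exceeded, so floods of small packets and floods of large packets both trigger.
over_threshold() {
    [ "$1" -gt "$3" ] && return 0
    awk -v m="$2" -v l="$4" 'BEGIN { exit !(m > l) }'
}

# capture_for IFACE SECONDS OUTFILE: bounded capture. tcpdump flushes and closes
# the pcap on SIGINT and then prints its captured/received/dropped summary, so
# the file is readable afterwards and the elapsed time is exactly SECONDS.
# Assumes coreutils timeout and tcpdump are installed.
capture_for() {
    timeout -s INT "$2" tcpdump -i "$1" -n -s 0 -w "$3" 2>&1
}

# capture_rates TCPDUMP_OUTPUT SECONDS: turn the closing summary into
# "captured received dropped" packets/s. "received by filter" is the rate the
# interface really saw; "captured" is only what reached the file.
capture_rates() {
    printf '%s\n' "$1" | awk -v s="$2" '
        /packets captured/           { c = $1 }
        /packets received by filter/ { r = $1 }
        /packets dropped by kernel/  { d = $1 }
        END { printf "%d %d %d\n", c / s, r / s, d / s }'
}

# monitor IFACE PPS_LIMIT MBIT_LIMIT SECONDS DUMPDIR: the live loop.
monitor() {
    iface=$1 pps_limit=$2 mbit_limit=$3 seconds=$4 dumpdir=$5
    while :; do
        old=$(cat /proc/net/dev); sleep 1; new=$(cat /proc/net/dev)
        pps=$(per_second "$(rx_counter "$new" "$iface" 2)" "$(rx_counter "$old" "$iface" 2)" 1)
        bps=$(per_second "$(rx_counter "$new" "$iface" 1)" "$(rx_counter "$old" "$iface" 1)" 1)
        mbit=$(bytes_to_mbit "$bps")
        printf '\r%s packets/s, %s Mbit/s\033[0K' "$pps" "$mbit"
        if over_threshold "$pps" "$mbit" "$pps_limit" "$mbit_limit"; then
            out="$dumpdir/dump.$(date +%Y%m%d-%H%M%S).cap"
            printf '\n%s over threshold, capturing %ss to %s\n' "$(date)" "$seconds" "$out"
            summary=$(capture_for "$iface" "$seconds" "$out")
            printf '%s\n' "$summary"
            printf 'packets/s captured received dropped: %s\n' "$(capture_rates "$summary" "$seconds")"
            sleep 300   # cool-down between captures, as in the original script
        fi
    done
}

# Run the loop only when invoked as: ./ratecap.sh run eth0
if [ "${1:-}" = run ]; then
    monitor "${2:-eth0}" 5000 5 5 /tmp
fi
```

On the constructed snapshots the script reports 12000 packets/s and 50.00 Mbit/s, and the borrowed summary over a 5-second window works out to about 370057 packets/s received by filter against 3627 packets/s written to disk, which is the kind of gap the "dropped by kernel" line in the question is showing. If timeout is not available, `tcpdump -G 5 -W 1 -w file` is the tcpdump-only way to get a closed file after a fixed window; note that it only rotates (and exits) on the first packet that arrives after the window has elapsed.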