Ethereal-dev: [Ethereal-dev] Advice on how to make a protocol grapher...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "B. Loic" <50891@xxxxxx>
Date: Thu, 22 May 2003 11:38:38 +0200
Good morning,

This mail may seem strange at first, but I will come to ethereal-related
matters shortly. What I need is mostly advice and a bit of help knowing
where to start.

I need software that can capture packets on an interface, and graph,
over a long period of time (day, week, and why not, month), the amount
of data captured for a given protocol (or group of protocols). This
should allow me to answer questions like "at what times in the day is HTTP
traffic higher?" or "Are there broadcasts regularly, or do we see
peaks of broadcast traffic?". The idea would be to capture packets,
count the number of bytes transferred within, say, 5 minutes, and use it
as one plot in the graph.

I searched for such software on the internet, but failed. Ethereal and
some others give statistics like "SMTP is 38% of captured data", but
this is an average; it doesn't show you whether you have 100 bytes every
second or one big transfer of 1,3 Mb at a time and nearly no data the
rest of the time... If you know software that would meet my needs,
please tell me (no need to reinvent the wheel).

I guess I may have to develop such a tool myself. My idea was to use
tethereal to grab the packets and decode them, pipe the results to a
script of my own that would make a MRTG-compatible output from these
data, and flush it into MRTG for graphing.

My problem is that tethereal output doesn't always give the packet size
(it does only when it cannot dissect the packet deeper than TCP - I
couldn't find the option in the man page to tweak the output to meet my
needs). However, I know it somehow gets the packet size, as it is shown
in the GUI version of ethereal...

I looked in the source but I'm a bit confused about how and where I
should modify it to make something that works.
The solution I'm working on right now is modifying tethereal to write
packet statistics to a shared memory, and then access this shared memory
from another program that will produce output for MRTG. I guess I'll
have to turn off packet writing to disk and "forget" the packet after it
has been processed (otherwise, when capturing for quite a number of
hours, the disk will fill up and the machine will eventually crash - I
tested this) but I'm not sure if tethereal will still work after that.
I know I'll have to write some code like "take the packet - look at the
type - attach to shared memory - find this packet type in the array -
add packet length to the counter - detach from shared memory", but I
don't know exactly where would be the best place to put that code (in
each decoder module? Or can I put it only once, somewhere at a
higher level?).
Another solution would be to change the format of the output to make it
give the packet size every time, and then make a script like I said
before. I would still have to disable disk output, and my concern is the
same as the one above: where should I change the output code (so many
files in the ethereal source, and I'm a newbie to them...)?

I insist on the fact that I need to count bytes (packet counting is
easier to implement but less meaningful).

Any advice / ideas / help / other solutions are welcome.

Thanks a lot

Loïc

P.S.: Sorry for my English (this isn't my native language).
begin:vcard 
n:Loïc;BARDON
x-mozilla-html:TRUE
org:SNR Roulements;DOI / Ilôt ST
adr:;;;ANNECY;;74 000;FRANCE
version:2.1
email;internet:Loic.Bardon@xxxxxx
title:Stagiaire
fn:BARDON Loïc
end:vcard
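The second pipeline described in the post (tethereal printing one line per packet with its size, piped into a script that turns the data into MRTG input) can be done without touching the Ethereal source, because the frame length is available as a field. The following is an added example, not code from the original post or from the Ethereal project. It assumes the capture tool is run as the modern `tshark -T fields -e frame.time_epoch -e frame.len -e frame.protocols`, which prints a tab-separated epoch timestamp, frame length in bytes and the dissected protocol chain (for example `eth:ethertype:ip:tcp:http`); the sample lines embedded below are constructed in that shape. The script buckets byte counts (not packet counts) per protocol into 5-minute intervals and emits the four-line output MRTG expects from an external target script, using the cumulative byte total as a counter so that MRTG derives the rate itself.

```python
import sys
from collections import defaultdict

INTERVAL = 300  # seconds: the 5-minute plot interval from the post

# Constructed sample of `tshark -T fields -e frame.time_epoch -e frame.len
# -e frame.protocols` output (assumed format: epoch, bytes, protocol chain).
SAMPLE_LINES = """\
1053592800.100\t74\teth:ethertype:ip:tcp
1053592801.200\t1514\teth:ethertype:ip:tcp:http
1053592802.300\t60\teth:ethertype:arp
1053592950.000\t1514\teth:ethertype:ip:tcp:http
1053593100.500\t342\teth:ethertype:ip:udp:dns
1053593101.000\t1514\teth:ethertype:ip:tcp:http
1053593400.000\t98\teth:ethertype:ip:icmp
"""


def top_protocol(chain):
    """Highest-layer protocol in a frame.protocols chain, e.g. 'http'."""
    return chain.split(':')[-1]


def parse_line(line):
    """Return (timestamp, byte_count, protocol) or None for malformed input."""
    parts = line.rstrip('\n').split('\t')
    if len(parts) != 3:
        return None
    try:
        ts = float(parts[0])
        length = int(parts[1])
    except ValueError:
        return None
    return ts, length, top_protocol(parts[2])


def aggregate(lines, interval=INTERVAL):
    """Sum bytes per protocol into fixed-size time buckets.

    Returns {bucket_start_epoch: {protocol: bytes}}; malformed lines are skipped.
    """
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, length, proto = rec
        bucket = int(ts // interval) * interval
        buckets[bucket][proto] += length
    return {b: dict(p) for b, p in buckets.items()}


def series(buckets, protocols):
    """Per-interval byte totals for a protocol group, as sorted (bucket, bytes)."""
    return [(b, sum(p.get(name, 0) for name in protocols))
            for b, p in sorted(buckets.items())]


def mrtg_output(buckets, protocols, uptime="n/a", target=None):
    """Four lines MRTG reads from an external script: in, out, uptime, name.

    Bytes are reported as a cumulative counter on both the 'in' and 'out'
    lines; MRTG computes the rate from successive counter readings.
    """
    total = sum(bytes_ for _, bytes_ in series(buckets, protocols))
    name = target or "+".join(sorted(protocols))
    return f"{total}\n{total}\n{uptime}\n{name}\n"


if __name__ == "__main__":
    # Usage: tshark ... | python this_script.py http [ssl ...]
    group = set(sys.argv[1:]) or {"http"}
    data = aggregate(sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES.splitlines(True))
    for bucket, total in series(data, group):
        print(f"{bucket}\t{total}")
    sys.stdout.write(mrtg_output(data, group))
```

A protocol group such as `{"http", "ssl"}` answers the "group of protocols" case from the post; for the broadcast question the same aggregator can be fed a chain field that includes the link-layer destination, the only change being the key chosen in `parse_line`. Because the script never writes packets to disk, the long-running capture concern from the post does not arise in this stage of the pipeline.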