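# Top 20 flows by byte volume from a 5000-packet capture on eth1, keyed as
# "srcIP:srcPort -> dstIP:dstPort".  tcpdump -q prints one line per packet,
# which the awk program parses positionally: $3 = source address.port,
# $5 = destination address.port followed by a colon, $7 = byte count.
# IPv4 only: address and port are separated by splitting on ".", so IPv6
# lines (which use ":") produce garbage keys.
# Capture normally needs root or CAP_NET_RAW; run with the privilege your
# environment requires.
tcpdump -i eth1 -nn -q -c 5000 | \
awk '
{
  # Strip the trailing colon tcpdump appends to the destination field.
  gsub(":", "", $5)
  # split() returns the number of pieces; using that instead of
  # length(array) keeps the program on POSIX awk, not just gawk.
  n_src = split($3, a, ".")
  n_dst = split($5, b, ".")
  src_ip = a[1] "." a[2] "." a[3] "." a[4]
  src_port = (n_src >= 5) ? a[5] : "0"   # no source port (e.g. ICMP): record 0
  dst_ip = b[1] "." b[2] "." b[3] "." b[4]
  dst_port = (n_dst >= 5) ? b[5] : "0"   # no destination port: record 0
  # Use field 7 as the byte count only when it is purely numeric; any other
  # line counts as 0 bytes rather than polluting the sum.
  # NOTE(review): for non-TCP lines tcpdump -q may place the length in a
  # different field, so such flows would be under-counted — confirm against
  # the live output before relying on the totals.
  bytes_in_packet = ($7 ~ /^[0-9]+$/) ? $7 : 0
  # Accumulate per srcIP:srcPort -> dstIP:dstPort.
  key = src_ip ":" src_port " -> " dst_ip ":" dst_port
  flow[key] += bytes_in_packet
}
END {
  # Emit "bytes key" per flow; the outer sort -nr ranks by bytes.
  for (k in flow) print flow[k], k
}' | sort -nr | head -n 20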
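# Same flow aggregation as above, run under sudo, but reported in MB with
# two decimals instead of raw bytes; the top 10 flows are shown.
# tcpdump -q output is parsed positionally: $3 = source address.port,
# $5 = destination address.port followed by a colon, $7 = byte count.
# IPv4 only: the "." split does not handle IPv6 addresses.
sudo tcpdump -i eth1 -nn -q -c 5000 | \
awk '
{
  # Strip the trailing colon tcpdump appends to the destination field.
  gsub(":", "", $5)
  # split() returns the piece count; this avoids the gawk-only
  # length(array) so the program also runs on POSIX awk.
  n_src = split($3, a, ".")
  n_dst = split($5, b, ".")
  src_ip = a[1] "." a[2] "." a[3] "." a[4]
  src_port = (n_src >= 5) ? a[5] : "0"   # no source port: record 0
  dst_ip = b[1] "." b[2] "." b[3] "." b[4]
  dst_port = (n_dst >= 5) ? b[5] : "0"   # no destination port: record 0
  # Count bytes only when field 7 is purely numeric; otherwise 0.
  # NOTE(review): non-TCP lines may carry the length elsewhere under -q,
  # so those flows may be under-counted — verify against the live output.
  bytes_in_packet = ($7 ~ /^[0-9]+$/) ? $7 : 0
  key = src_ip ":" src_port " -> " dst_ip ":" dst_port
  flow[key] += bytes_in_packet
}
END {
  # "<MB>\t<key>": sort -nr reads the leading number, so ranking is by volume.
  for (k in flow) printf "%.2f MB\t%s\n", flow[k]/(1024*1024), k
}' | sort -nr | head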