On Sat, Jan 28, 2006 at 02:20:30PM -0700, Byron Clark wrote:
> On Sat, Jan 28, 2006 at 02:13:40PM -0700, Charles Curley wrote:
> > On Sat, Jan 28, 2006 at 12:35:57PM -0700, Steve wrote:
> > > Doh! Yeah, ok so I did miss the point.
> > >
> > > On 1/28/06, Byron Clark <[EMAIL PROTECTED]> wrote:
> > > > On Sat, Jan 28, 2006 at 12:22:18PM -0700, Steve wrote:
> > > > > I'm curious as to what's wrong with netstat for this purpose?
> > > > > Or am I missing the point?
> > > >
> > > > I believe the original poster wanted to find how much bandwidth was
> > > > being used by a process. While netcat will show you which ports a
> > > > process is bound to, it will not show how much data is being sent over
> > > > those ports.
> > > >
> >
> > Not necessarily. Could you write a script to crunch Ethereal data and
> > use netstat to divide the packets up by processes?
>
> Yes, as long as all the connections you care about are present in the
> netstat output when you process the pcap data. That sure sounds like a
> race to me. It may be good enough if you only care about long lived
> connections, but I don't think it's possible to get a completely
> accurate count of bandwidth usage with this method.
>

There are three things you can do about this.

You could run netstat from time to time while you collect packets with
Ethereal, and collate the results. That should get most of the
connections.

Perhaps gathering statistics with netstat over a period of time would get
you what you want. I haven't tried it.

Nothing. Ross was looking for a way to see which processes were eating
up his bandwidth. I suspect that those processes would keep their
connections open long enough to be detected.

On the other tentacle, what if the bandwidth hog is using UDP? Netstat
will detect sockets running over UDP, but I don't think it will detect
pure UDP packet operations like the time protocol. Since UDP is not a
good idea for large amounts of data (unless the program does its own
connection maintenance on top of UDP, as SMB used to do), a lot of UDP
traffic might suggest a rootkit. So maybe an Ethereal-only exercise
might be worthwhile.

-- 
Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
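
The collation discussed in this thread (periodic netstat snapshots matched against captured packets), as an added example that is not part of the original messages. The snapshot text and packet tuples are constructed sample data, and keying sockets on (protocol, local port) is an assumption made to keep the sketch short.

```python
from collections import defaultdict

# Constructed sample: `netstat -tunp`-style snapshots keyed by capture time (s).
SNAPSHOTS = {
    0: """tcp 0 0 192.168.1.5:45000 10.0.0.9:80 ESTABLISHED 2101/wget
udp 0 0 0.0.0.0:123 0.0.0.0:* 812/ntpd""",
    10: """tcp 0 0 192.168.1.5:45000 10.0.0.9:80 ESTABLISHED 2101/wget
tcp 0 0 192.168.1.5:45002 10.0.0.7:22 ESTABLISHED 2150/scp
udp 0 0 0.0.0.0:123 0.0.0.0:* 812/ntpd""",
}

# Constructed sample: (time, proto, local_port, bytes) summarised from a capture.
PACKETS = [
    (1, "tcp", 45000, 1500), (2, "tcp", 45000, 1500),
    (4, "tcp", 45001, 900),   # opened and closed between snapshots (the race)
    (5, "udp", 123, 76),
    (6, "udp", 40000, 1200),  # UDP sender absent from both snapshots
    (11, "tcp", 45002, 1400),
    (12, "tcp", 45000, 1500),
]

def parse_snapshot(text):
    """Map (proto, local_port) -> program name from netstat -tunp lines."""
    owners = {}
    for line in text.splitlines():
        fields = line.split()
        # UDP rows have no State column, so the owner is always the last field.
        if len(fields) < 6 or "/" not in fields[-1]:
            continue
        port = int(fields[3].rsplit(":", 1)[1])
        owners[(fields[0], port)] = fields[-1].split("/", 1)[1]
    return owners

def attribute(snapshots, packets):
    """Sum bytes per program, using the snapshot nearest in time to each packet."""
    parsed = {t: parse_snapshot(s) for t, s in snapshots.items()}
    usage = defaultdict(int)
    for ts, proto, port, length in packets:
        nearest = min(parsed, key=lambda t: abs(t - ts))
        owner = parsed[nearest].get((proto, port), "unattributed/" + proto)
        usage[owner] += length
    return dict(usage)

if __name__ == "__main__":
    for owner, total in sorted(attribute(SNAPSHOTS, PACKETS).items()):
        print(f"{owner:20} {total:6} bytes")
```

The size of the "unattributed" buckets relative to the total shows how much traffic the snapshot interval missed.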
