tcpdump - how do I check the packet rate?

Asa*_*een 5 tcpdump

I am using this script to actually check the rate of incoming packets; if the rate reaches 5mbps or higher it triggers and the packets are then logged to a tcpdump file.

#!/bin/sh
interface=eth0
dumpdir=/tmp

while :; do
  # /proc/net/dev line: "eth0: rx_bytes rx_packets ..."; field 2 after the colon is RX packets
  pkt_old=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
  sleep 1
  pkt_new=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')

  pkt=$(( pkt_new - pkt_old ))
  printf '\r%s packets/s\033[0K' "$pkt"

  # threshold is in packets per second (the counter above is packets, not bytes)
  if [ "$pkt" -gt 5000 ]; then
    printf '\n%s Under attack, dumping packets.\n' "$(date)"
    # -i pins the capture to the interface being measured; -c 2000 stops after 2000 packets
    tcpdump -n -s0 -i "$interface" -c 2000 -w "$dumpdir/dump.$(date +%Y%m%d-%H%M%S).cap"
    echo "$(date) Packets dumped, sleeping now."
    sleep 300
  fi
done

The output is something like: 2000 packets captured, XXX packets received by filter and XXX-(minus)2000 packets dropped by kernel.

Now what I want to know is: the output file doesn't actually tell me the speed of the attack, e.g. whether it was 300mbps or whatever? So are the XXX packets received by filter per second? If not, how can I check it, since my port sometimes gets saturated?

Update:

I used a program to get statistics from the file captured by the script above. Here is what I get:

root@$:/tmp/dumps# capinfos dump.20130621-174506.cap
File name:           dump.20130621-174506.cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Linux cooked-mode capture
Number of packets:   2000
File size:           2065933 bytes
Data size:           2033909 bytes
Capture duration:    43 seconds
Start time:          Fri Jun 21 17:45:06 2013
End time:            Fri Jun 21 17:45:49 2013
Data byte rate:      46968.49 bytes/sec
Data bit rate:       375747.94 bits/sec
Average packet size: 1016.95 bytes
Average packet rate: 46.19 packets/sec

I believe the attack probably only lasted 15-20 seconds, whereas the capture information says 43 seconds, so the data bit rate here is probably averaged over the total time. What might help here is if someone could edit the original script above so that, instead of capturing 2000 packets and dropping the rest, it captures all packets for, say, 5 seconds once the threshold is reached.

Update:

After changing the script as described above, the file appears to be corrupted when I read it in Wireshark; it says "The capture file appears to have been cut short in the middle of a packet". This is the capinfos output:

capinfos: An error occurred after reading 3085 packets from `"dump.20130710-215413.cap": Less data was read than was expected.

On a second attempt, I could only read the file after I pressed Ctrl+C in the script's console:

capinfos dump.20130710-215413.cap
File name:           dump.20130710-215413.cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Linux cooked-mode capture
Number of packets:   18136
File size:           2600821 bytes
Data size:           2310621 bytes
Capture duration:    591 seconds
Start time:          Wed Jul 10 21:54:13 2013
End time:            Wed Jul 10 22:04:04 2013
Data byte rate:      3909.73 bytes/sec
Data bit rate:       31277.83 bits/sec
Average packet size: 127.41 bytes
Average packet rate: 30.69 packets/sec

Note the capture duration of 591 seconds. I believe 'sleep 300' has something to do with it, as I can see from the console output. This output is with the "-c 2000" option:

./Log.sh
10275 packets/s
Wed Jul 10 12:41:31 MSD 2013 Under attack, dumping packets.
tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
2000 packets captured
100012 packets received by filter
98003 packets dropped by kernel
Wed Jul 10 12:42:34 MSD 2013 Packets dumped, sleeping now.

Now this is the output after modifying the script with "sleep 5":

./Log.sh
24103 packets/s
Wed Jul 10 21:54:13 MSD 2013 Under attack, dumping packets.
tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
Wed Jul 10 21:54:18 MSD 2013 Packets dumped, sleeping now.
1620 packets/sroot@nl:~# 18136 packets captured
1850288 packets received by filter
1832106 packets dropped by kernel
^C

Note that I pressed Ctrl+C to interrupt the sleep, which I guess is what made the file readable.

qua*_*nta 5

capinfos is what you are looking for:

$ capinfos ddos.cap
File name:           ddos.cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   1000000
File size:           189073212 bytes
Data size:           173073188 bytes
Capture duration:    2 seconds
Start time:          Fri Jul  5 16:35:04 2013
End time:            Fri Jul  5 16:35:07 2013
Data byte rate:      69839025.27 bytes/sec
Data bit rate:       558712202.18 bits/sec
Average packet size: 173.07 bytes
Average packet rate: 403523.08 packets/sec
SHA1:                34d758e6445061855ca4397729098f469f411fe3
RIPEMD160:           14f430231fc2962cd86ddb8edb8daf75a5d07af8
MD5:                 5893809fb02d1a20997629a9a501842b
Strict time order:   False

Note the Data bit rate.

What might help here is if someone could edit the original script above so that, instead of capturing 2000 packets and dropping the rest, it captures all packets for, say, 5 seconds once the threshold is reached.

How about this:

tcpdump -n -s0 -w "$dumpdir/dump.$(date +%Y%m%d-%H%M%S).cap" &
pid=$!
sleep 5 && kill -HUP "$pid"   # tcpdump treats SIGHUP like SIGINT: flush, print its counters, exit
wait "$pid"                   # do not go on (or sleep) until tcpdump has closed the file
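The following is an added example that puts the question's rate check and the answer's time-bounded capture together; it is not the script from the question or the answer. It goes a little beyond both: it reads bytes as well as packets from /proc/net/dev and triggers on either a packets/s or a bits/s threshold (the question compares a packet count against a "5mbps" goal), stops tcpdump with SIGHUP and waits for it to exit so the pcap is closed cleanly, and reports the average bit rate of the finished file with capinfos. It assumes the Linux /proc/net/dev layout, tcpdump and capinfos in PATH, and root for capturing; the interface name, thresholds and paths are illustrative.

```shell
#!/bin/sh
# Added example, not the script from the question or the answer: sample the
# interface's RX counters from /proc/net/dev, trigger when EITHER the packet
# rate or the bit rate crosses a threshold, then capture for a fixed number of
# seconds and stop tcpdump with SIGHUP + wait so the pcap is closed cleanly.
# Assumptions: Linux /proc/net/dev layout, tcpdump and capinfos in PATH, root
# for capturing.  Interface, thresholds and paths are illustrative values.
set -u

IFACE="${IFACE:-eth0}"
DUMPDIR="${DUMPDIR:-/tmp}"
PKT_THRESHOLD="${PKT_THRESHOLD:-5000}"      # packets/s
BIT_THRESHOLD="${BIT_THRESHOLD:-5000000}"   # bits/s (5 Mbit/s)
CAPTURE_SECONDS="${CAPTURE_SECONDS:-5}"
COOLDOWN_SECONDS="${COOLDOWN_SECONDS:-300}"

# rx_counters "<text of /proc/net/dev>" IFACE  ->  "rx_bytes rx_packets"
# Fields after "iface:" are: bytes packets errs drop fifo frame compressed multicast ...
# Exit status 1 if the interface is not listed.
rx_counters() {
    printf '%s\n' "$1" | awk -v ifc="$2:" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, ifc) != 1) next
            # tolerate both "eth0: 1234 56" and "eth0:1234 56"
            line = substr(line, length(ifc) + 1); sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t]+/)
            print f[1], f[2]; found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# rates OLD NEW SECONDS  ->  "packets_per_s bits_per_s"   (OLD/NEW are "bytes packets")
rates() {
    old_bytes=${1%% *}; old_pkts=${1##* }
    new_bytes=${2%% *}; new_pkts=${2##* }
    echo "$(( (new_pkts - old_pkts) / $3 )) $(( (new_bytes - old_bytes) * 8 / $3 ))"
}

# over_threshold PPS BPS  ->  exit status 0 when either threshold is exceeded
over_threshold() {
    [ "$1" -gt "$PKT_THRESHOLD" ] || [ "$2" -gt "$BIT_THRESHOLD" ]
}

# capture_for SECONDS: time-bounded capture on $IFACE; prints the file name.
# tcpdump handles SIGHUP like SIGINT (stop, flush, print its counters); the
# wait keeps the script from moving on while the file is still being written.
capture_for() {
    cap_file="$DUMPDIR/dump.$(date +%Y%m%d-%H%M%S).cap"
    tcpdump -n -s0 -i "$IFACE" -w "$cap_file" &
    cap_pid=$!
    sleep "$1"
    kill -HUP "$cap_pid" 2>/dev/null
    wait "$cap_pid"
    echo "$cap_file"
}

# Average bit rate of a finished capture, as reported by capinfos.
pcap_bitrate() {
    capinfos "$1" 2>/dev/null | awk -F': *' '/^Data bit rate/ { print $2 }'
}

main_loop() {
    while :; do
        old=$(rx_counters "$(cat /proc/net/dev)" "$IFACE") || { echo "no such interface: $IFACE" >&2; return 1; }
        sleep 1
        new=$(rx_counters "$(cat /proc/net/dev)" "$IFACE")
        r=$(rates "$old" "$new" 1); pps=${r%% *}; bps=${r##* }
        printf '\r%s packets/s, %s bits/s\033[0K' "$pps" "$bps"
        if over_threshold "$pps" "$bps"; then
            printf '\n%s over threshold (%s pps, %s bps), capturing for %ss\n' "$(date)" "$pps" "$bps" "$CAPTURE_SECONDS"
            f=$(capture_for "$CAPTURE_SECONDS")
            echo "$(date) wrote $f, average $(pcap_bitrate "$f")"
            sleep "$COOLDOWN_SECONDS"
        fi
    done
}

# Only start sampling when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    main_loop
fi
```

Run it as root with `./ratecap.sh --run` (name assumed). The rate shown on the console is measured over one second before the capture starts, which is the number the question was missing; the bit rate capinfos prints afterwards is still an average over the whole capture window, so keep CAPTURE_SECONDS short if you want it to reflect the burst rather than the quiet time around it.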