ipproto.d for IP Traffic Summary
This DTrace script provides a neat summary for both send and receive IP traffic, including the next level protocol:
#!/usr/sbin/dtrace -s
#pragma D option quiet
dtrace:::BEGIN
{
printf("Tracing... Hit Ctrl-C to end.\n");
}
ip:::send,
ip:::receive
{
this->protostr = args[2]->ip_ver == 4 ?
args[4]->ipv4_protostr : args[5]->ipv6_nextstr;
@num[args[2]->ip_saddr, args[2]->ip_daddr, this->protostr] = count();
}
dtrace:::END
{
printf(" %-28s %-28s %6s %8s\n", "SADDR", "DADDR", "PROTO", "COUNT");
printa(" %-28s %-28s %6s %@8d\n", @num);
}This script was run on a system with both IPv4 and IPv6 interfaces for several seconds:
# ./ipproto.d
Tracing... Hit Ctrl-C to end.
^C
SADDR DADDR PROTO COUNT
192.0.2.3/27 192.0.2.40/27 UDP 1
192.0.2.3/27 192.0.38/27 UDP 1
192.0.2.3/27 192.0.130/27 UDP 1
192.0.2.3/27 192.0.2.5/27 UDP 1
192.0.2.3/27 192.0.2.35/27 ICMP 1
192.0.2.20/27 192.0.70/27 UDP 1
192.0.2.5/27 192.0.2.3/27 UDP 1
192.0.2.35/27 192.0.2.3/27 ICMP 1
fe80::214:4fff:fe3b:76c8 ff02::1 ICMPV6 1
fe80::2e0:81ff:fe5e:8308 fe80::214:4fff:fe3b:76c8 ICMPV6 1
fe80::2e0:81ff:fe5e:8308 ff02::1:2 UDP 1
192.0.2.10/27 192.0.2.31/27 UDP 2
192.0.2.12/27 192.0.2.31/27 UDP 3
192.0.2.14/27 192.0.2.3/27 TCP 428
192.0.2.16/27 192.0.2.14/27 TCP 789The following fields are printed:
-
SADDR -
Source IP address
-
DADDR -
Destination IP address
-
PROTO -
IP next level protocol
-
COUNT -
Number of packets
The preceding output provides a quick summary of network activity with host address details; you can see that both 192.0.2.14/27 and 192.0.2.16/27 are swapping many packets via TCP.