How to automate measuring of bandwidth usage between two hosts

Question

I have an application that has a TCP client and a server. I set up the client and server on separate machines. Now I want to measure how much bandwidth is being consumed ( bytes sent and received during a single run of the application). I have discovered that wireshark is one such tool that can help me get this statistic. However, wireshark seems to be GUI dependent. What I wanted was a way to automate the measuring and reporting of this statistic. I dont care about the information about individual packets captured by wireshark. I dont need that information. Is there some way to run wireshark so that all it does is write to a file, the total bytes sent and received between two hosts while the application was running on both ends?

Also, is there a better way to capture this statistic ? Through netstat or /proc/dev/net or any other tool ?

Both my machines have ubuntu 10.04 or later running on them.

Answer 1

Bro is an appropriate tool to measure connection-oriented statistics. You can either record a trace of your application communication or analyze it in realtime:

bro -r <trace>
bro -i <interface>

Thereafter, have a look at the connection log (conn.log) in the same directory for the amount of bytes sent and received by the application. Specifically, you're interested in the TCP payload size, which conn.log exposes via the columns orig_bytes and resp_bytes. Here is an example:

bro-cut id.orig_h id.resp_h conn_state orig_bytes resp_bytes < conn.log | head 

which yields the following output:

192.168.1.102   192.168.1.1     SF      301     300
192.168.1.103   192.168.1.255   S0      350     0
192.168.1.102   192.168.1.255   S0      350     0
192.168.1.103   192.168.1.255   S0      560     0
192.168.1.102   192.168.1.255   S0      348     0
192.168.1.104   192.168.1.255   S0      350     0
192.168.1.104   192.168.1.255   S0      549     0
192.168.1.103   192.168.1.1     SF      303     300
192.168.1.102   192.168.1.255   S0      -       -
192.168.1.104   192.168.1.1     SF      311     300

Each row represents a single connection, transport-layer ports omitted. The last two columns represent the bytes sent by the originator (first column) and responder (second column). The column conn_state represents the connection status. Please refer to the documentation for all possible field values. Some important values are:

• S0: Connection attempt seen, no reply.
• S1: Connection established, not terminated.
• SF: Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.
• REJ: Connection attempt rejected.