Wireshark-users: Re: [Wireshark-users] Number of connections to host IP address?
From: "Mathew Brown" <mathewbrown@xxxxxxxxxxx>
Date: Fri, 04 Dec 2009 04:25:03 -0800
Wireshark probably isn't the solution to this problem.  You're better
off looking at capturing netflow traffic.  Argus can help you out here -
http://qosient.com/argus/  Using Argus, you can capture netflow traffic
to your server over time.  ratop can give you real-time visibility into
the traffic going to your server including the amount of data
transferred.

On Fri, 04 Dec 2009 07:08 -0500, "Sheahan, John"
<John.Sheahan@xxxxxxxxxxxxx> wrote:
> My suggestion would be to write a simple script that logs into the server
> via ssh each hour, runs the netstat command, takes the output and greps
> for established connections, counts them and logs them.
> 
> I'd be happy to put one together if you think it would help you.
> 
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
> Sent: Thursday, December 03, 2009 5:54 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Number of connections to host IP address?
> 
> Hi,
> 
> Sounds like a job for ntop maybe?
> 
> Thanks,
> Jaap
> 
> dkraut wrote:
> > I've been asked to find out if Wireshark has the ability to determine 
> > the active number of connections at a given time?  For example, if 
> > I perform a capture of all traffic to/from our DB server from 3pm to 
> > 4pm, is there any way to tell how many active connections there 
> > were to the DB IP address at 3pm, 3:15pm, 3:30pm, etc.?
> >  
> > The problem we're trying to solve here is that there appear to be far 
> > too many connections to this server at certain times during the day and 
> > the server admins believe that someone is attacking the server in 
> > some way and have asked me to investigate for any anomalies.
> >  
> > Thanks! 
> >  
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
-- 
  Mathew Brown
  mathewbrown@xxxxxxxxxxx

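The thread leaves two approaches on the table: John's hourly netstat count and the original question of reading concurrency over time out of a capture. The script below is an added example, not code from any of the posters, that does both offline. It assumes the row layout of tshark's conversation table (`tshark -r db.pcap -q -z conv,tcp`, which prints per-conversation relative start and duration) and the Linux `netstat -tn` column layout; the capture table, the netstat listing, the server address 10.0.0.10 and the capture start time are all constructed sample data. With start and duration per conversation, counting how many were open at 3:00, 3:15 and 3:30 is a simple interval test, and a per-client breakdown at the same instant answers the admins' question of whether one source is responsible. Two caveats: tshark keys conversations by the full 5-tuple, so a client port reused within the capture merges two connections into one row, and a conversation that never completes the handshake (a flood of bare SYNs) still counts, which is exactly the case you want to see when an attack is suspected.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data for this example (not from the thread).
SERVER = "10.0.0.10"
CAPTURE_START = datetime(2009, 12, 3, 15, 0)  # capture began at 3:00pm

# Assumed layout of `tshark -q -z conv,tcp` output; counters are made up.
TSHARK_CONV = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
10.0.0.5:51234      <-> 10.0.0.10:3306            12    1234       10    5678       22    6912     0.000000000       3000.0000
10.0.0.6:40001      <-> 10.0.0.10:3306             8     900        9    4100       17    5000   600.000000000       1200.0000
10.0.0.99:50001     <-> 10.0.0.10:3306             3     200        2     150        5     350   900.000000000         20.0000
10.0.0.99:50002     <-> 10.0.0.10:3306             3     200        2     150        5     350   905.000000000         20.0000
10.0.0.99:50003     <-> 10.0.0.10:3306             3     200        2     150        5     350   910.000000000         20.0000
10.0.0.10:3306      <-> 10.0.0.7:33000             4     300        4     300        8     600  1800.000000000        100.0000
10.0.0.7:33001      <-> 10.0.0.8:443               4     300        4     300        8     600  1800.000000000        100.0000
================================================================================
"""

# Assumed layout of `netstat -tn` on the DB host; entries are made up.
NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.10:3306          10.0.0.5:51234          ESTABLISHED
tcp        0      0 10.0.0.10:3306          10.0.0.99:50001         ESTABLISHED
tcp        0      0 10.0.0.10:3306          10.0.0.99:50002         TIME_WAIT
tcp        0      0 10.0.0.10:3306          10.0.0.99:50003         ESTABLISHED
tcp        0      0 10.0.0.10:22            10.0.0.2:40000          ESTABLISHED
"""


@dataclass(frozen=True)
class Conn:
    client: str   # client IP address
    start: float  # seconds since the start of the capture
    end: float    # start + duration


def parse_tshark_conv(text, server_ip):
    """Parse the table printed by `tshark -r db.pcap -q -z conv,tcp`.

    Assumed row layout: 'A:port <-> B:port <counters...> rel_start duration'.
    Only the two endpoints and the last two columns are used, so the number
    of counter columns in between does not matter.  IPv4 endpoints only.
    """
    conns = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[1] != "<->":
            continue  # header, separator or filter line
        a_ip, b_ip = tok[0].rsplit(":", 1)[0], tok[2].rsplit(":", 1)[0]
        start, duration = float(tok[-2]), float(tok[-1])
        if a_ip == server_ip:
            client = b_ip
        elif b_ip == server_ip:
            client = a_ip
        else:
            continue  # conversation does not involve the DB server
        conns.append(Conn(client, start, start + duration))
    return conns


def active_at(conns, t):
    """Connections whose lifetime covers instant t (e.g. the 3:15pm sample)."""
    return [c for c in conns if c.start <= t <= c.end]


def sample_counts(conns, step, horizon):
    """Number of active connections at t = 0, step, 2*step, ..., horizon."""
    return [(t, len(active_at(conns, t))) for t in range(0, horizon + 1, step)]


def busiest_clients(conns, t, n=3):
    """Per-client breakdown at instant t: one IP holding most of the
    connections is the first thing to check when an attack is suspected."""
    return Counter(c.client for c in active_at(conns, t)).most_common(n)


def count_established(netstat_text, server_ip, port):
    """John's hourly check: ESTABLISHED sockets on server_ip:port from
    `netstat -tn` output, counted per remote IPv4 address."""
    pat = re.compile(rf"\s{re.escape(server_ip)}:{port}\s+(\S+?):\d+\s+ESTABLISHED")
    return Counter(m.group(1) for line in netstat_text.splitlines()
                   if (m := pat.search(line)))


def clock(capture_start, t):
    """Render a capture-relative offset in seconds as wall-clock HH:MM."""
    return (capture_start + timedelta(seconds=t)).strftime("%H:%M")


if __name__ == "__main__":
    conns = parse_tshark_conv(TSHARK_CONV, SERVER)
    for t, n in sample_counts(conns, step=900, horizon=3600):
        print(f"{clock(CAPTURE_START, t)}  active={n}  top={busiest_clients(conns, t)}")
    print("netstat ESTABLISHED per remote IP:", dict(count_established(NETSTAT, SERVER, 3306)))
```

On the sample capture the 15:15 sample shows three open connections, and the per-client breakdown at that instant shows 10.0.0.99 holding three short-lived ones in a row, which is the kind of pattern the server admins were asking about; the netstat variant gives the same per-source view for a single instant without a capture.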