Intro
Sometimes you don’t have the tools you want, but you have enough to make do. Such is the case with the command line utilities in the CLI of Check Point Gaia. It’s like a basic Linux. The company I consult for is beginning to hit some bandwidth limits and I wanted to understand overall traffic flow better. In the absence of any proper bandwidth monitors I used the netstat command and some approximations. Crude though it may be, it already gave me a much better idea about my traffic than I had going into this project.
The details
I call this BASH script netstats.sh
```bash
#!/bin/bash
# for Gaia, not IPSO
c=0
sleep=2
while /bin/true; do
  v[1]=`netstat -Ieth1-01 -e|grep RX|grep TX`
  n[1]="vlan 102 "
  v[2]=`netstat -Ieth1-05 -e|grep RX|grep TX`
  n[2]="vlan 103 200.78.39 "
  v[3]=`netstat -Ieth1-02 -e|grep RX|grep TX`
  n[3]="vlan 103 10.31.42"
  v[4]=`netstat -Ieth1-03 -e|grep RX|grep TX`
  n[4]="trunk for VPN "
  # interesting line:
  # RX bytes:4785585828883 (4.3 TiB) TX bytes:7150474860130 (6.5 TiB)
  date
  for i in {1..4}; do
    RX=`echo ${v[$i]}|cut -d: -f2|awk '{print $1}'`
    TX=`echo ${v[$i]}|cut -d: -f3|awk '{print $1}'`
    # echo "vlan ${n[$i]} RX,TX: $RX, $TX"
    if [ $c -gt 0 ]; then
      RXdiff=`expr $RX - ${RXold[$i]}`
      TXdiff=`expr $TX - ${TXold[$i]}`
      # observed scaling factor: 8.1 bits/byte
      RXrate=$(($RXdiff*81/$sleep/10000000))
      TXrate=$(($TXdiff*81/$sleep/10000000))
      echo "${n[$i]} RX,TX: $RXrate, $TXrate Mbps"
    fi
    # old values
    RXold[$i]=$RX
    TXold[$i]=$TX
  done
  c=$(( $c + 1 ))
  sleep $sleep
done
```
It’s pretty self-explanatory. I would just note that in the older IPSO OS you don’t have the ability to get the bytes transferred from netstat, just the number of packets, which is an inherently cruder measure. The calibration of 8.1 bits per byte (there is overhead from the frames) is maybe a little crude but it’s what I measured over the course of a couple of minutes.
A quick glance at Red Hat or CentOS shows me that this same script, with appropriate modifications for the interface names (eth0, eth1, etc.), would also work on those OSes.
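The delta-and-scale step of the Gaia script, as an added example (not the original netstats.sh): it parses the RX/TX byte line, applies the same 8.1 bits/byte factor, and reports `reset` instead of a negative rate when a counter goes backwards, for example after a reboot or an interface reset. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/bash
# Added example, not the article's script. Sample lines below are constructed.
FACTOR_X10=81   # the article's measured 8.1 bits/byte, times 10 for integer math

# Print "RX TX" byte counters from a Gaia "netstat -I<if> -e" RX/TX line.
parse_rx_tx() {
    local line="$1" rx tx
    case "$line" in
        *"RX bytes:"*"TX bytes:"*) ;;
        *) return 1 ;;                      # not the line we expect
    esac
    rx=${line#*RX bytes:}; rx=${rx%%[!0-9]*}    # keep only the leading digits
    tx=${line#*TX bytes:}; tx=${tx%%[!0-9]*}
    [ -n "$rx" ] && [ -n "$tx" ] || return 1
    echo "$rx $tx"
}

# Mbps between two samples of one counter taken $3 seconds apart.
# Prints "reset" when the counter went backwards instead of a negative rate.
rate_mbps() {
    local old="$1" new="$2" secs="$3"
    [ "$secs" -gt 0 ] || return 1
    if [ "$new" -lt "$old" ]; then echo reset; return 0; fi
    echo $(( ($new - $old) * FACTOR_X10 / $secs / 10000000 ))
}

# One output line in the article's format from two raw netstat lines.
report() {
    local name="$1" secs="$4" prev cur rx tx
    prev=$(parse_rx_tx "$2") || return 1
    cur=$(parse_rx_tx "$3") || return 1
    rx=$(rate_mbps "${prev% *}" "${cur% *}" "$secs") || return 1
    tx=$(rate_mbps "${prev#* }" "${cur#* }" "$secs") || return 1
    echo "$name RX,TX: $rx, $tx Mbps"
}

# Constructed samples, 2 seconds apart.
s1='RX bytes:1000000000 (953.6 MiB) TX bytes:2000000000 (1.8 GiB)'
s2='RX bytes:1025000000 (977.5 MiB) TX bytes:2050000000 (1.9 GiB)'
report "vlan 102" "$s1" "$s2" 2   # vlan 102 RX,TX: 101, 202 Mbps
report "vlan 102" "$s2" "$s1" 2   # vlan 102 RX,TX: reset, reset Mbps
```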
IPSO
I really, really wanted some kind of measure for IPSO as well. So I tackled that as best I could. Here is that script:
```bash
#!/bin/bash
# for IPSO, not Gaia
c=0
while [ 1 -gt 0 ]; do
  # eth1-01: vlan 802; eth1-05: vlan 803 (144.29); eth1-02: vlan 803 (10.201.145)
  v[1]=`netstat -Ieth-s4p1|tail -1`
  n[1]="vlan 208.129.99 "
  v[2]=`netstat -Ieth-s4p2|tail -1`
  n[2]="vlan 208.156.254 "
  v[3]=`netstat -Ieth-s4p3|tail -1`
  n[3]="vlan 208.149.129 "
  v[4]=`netstat -Ieth-s4p4|tail -1`
  n[4]="trunk for Cisco and b2b"
  # interesting line:
  #Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
  #eth-s4p1 16018 <Link> 0:a0:8e:c4:ff:f4 72780201 0 56423000 0 0
  date
  for i in {1..4}; do
    RX=`echo ${v[$i]}|awk '{print $5}'`
    TX=`echo ${v[$i]}|awk '{print $7}'`
    # echo "vlan ${n[$i]} RX,TX: $RX, $TX"
    if [ $c -gt 0 ]; then
      RXdiff=$(($RX - ${RXold[$i]}))
      TXdiff=$(($TX - ${TXold[$i]}))
      # the divisor also includes the 10-second sleep interval below
      # observed: .0043 mbits/packet
      RXrate=$(($RXdiff*43/100000))
      # observed: .0056 mbits/packet
      TXrate=$(($TXdiff*56/100000))
      echo "${n[$i]} RX,TX: $RXrate, $TXrate Mbps"
    fi
    # old values
    RXold[$i]=$RX
    TXold[$i]=$TX
  done
  c=$(( $c + 1 ))
  sleep 10
done
```
The conversion to bits is probably only accurate to +/- 25%, because it depends a lot on the application, i.e., VPN concentrator versus proxy server. I just averaged all applications together because that’s the best I could do. I compared it to a Cisco router’s statistics.
Note that in Gaia cpview can also be run from the CLI. Then you can drill down to the specific interface information. I have compared my script to using cpview (which has a default update screen time of 2 seconds) and they’re pretty close. As far as I know there is no way to script cpview. And at the end of the day I suspect it is only doing the same thing my script does.
Conclusion
A script is provided which gives a measure of Mbps bandwidth usage by polling netstat periodically. It’s not exact, but even crude measures can help a network engineer.