Use iptables to monitor network usage.

Iptables is a powerful firewall/packet filtering framework inside Linux, and obviously used for firewalls on desktop, servers, and even embedded Linux devices such as most home internet routers. I was asked to write a script that could monitor and report network usage on one of our machines at work.

I took on the challenge and after searching package repositories and Google for cool Linux console apps that will report network usage, I came came across the idea of using iptables.. seeing as I love iptables, and it is installed by default on most machines it was the perfect solution for us.

The Idea
Iptables can be thought of a bunch of tables each containing some lists of rules called “chains”. There are some default chains which packets must progress through depending on the packets origin and destination. The main and default table that most people use is the ‘filter’ table, the default chains are:

  • INPUT – Packets coming to the machine from the network.
  • OUTPUT – Packets leaving your machine,
  • FORWARD – Packets passing through your machine, if your machine routes packets.

Each of these chains have a default policy, that is what should happen if there is no rules or no rules matching the packet, this is either:

  • ACCEPT – Allow the packet into the machine.
  • DROP – Drop the packet,

Now the default chains cannot be changed, the packets will work through one of those chains, we can add any rules we want to filter these packets. Netfilter/iptables tracks the amount of data running through chains. So if you want to track all your incoming network usage you can just use the INPUT chain, but if we want to track more specific traffic, we can create a custom chain, add a rule to pass the specific packets to this new chain, and thus monitor the specific traffic! Easy huh!

Before I go into the script and specific iptables configuration I’ll show you readers some useful itptables commands:

  • To see the manual page on iptables: man iptables
  • To list the rules on the default (filter) table: iptables -L
  • To list rules on other tables: iptables -t <tablename> -L

NOTE: If you add a -v you can see packet and byte counts.

Now we move onto what I did.

Network script and setup

I mentioned some iptables commands in the last section, so now I will describe the iptables command I use in the script for reporting:
iptables -L -n -x -v --line-numbers

The options mean:

  • -L = List the rules
  • -n = Do not do a DNS lookup, just show numbers
  • -x = use exact byte values, don’t convert to M or G, this is needed to ease the maths.
  • -v = verbose output, to actually show the counts
  • –line-numbers = The script inserts rules as to not disrupt other iptables rules that it doesn’t control so we need to know the rule number.

With the reporting explained let now talk about how we setup iptables, this is just the theory, the script actually sets it up for you, but as you will have different requirements you’ll need to know

In this example we will only be only worried about monitoring things going through a proxy, which we’ll call 192.168.1.10 and traffic not coming from our local network, not via the proxy (not on 192.168.1.0/24). As the we get the required byte counts from the rule on the INPUT chain, we can use 1 custom chain for both types of traffic. So the first step is to create the custom chain and then add rules to match these packets:

iptables -N DOWNLOADED

Then we add a rule for each of the traffic conditions we want to track:

# Proxy rule
iptables -I INPUT 1 -s 192.168.1.10 -j DOWNLOADED

# Not our network rule
iptables -I INPUT 1 ! -s 192.168.1.0/24 -j DOWNLOADED

The above rules break down like:

  • -I INPUT 1 = Insert into the INPUT chain at index 1 (1 based).
  • -s <ip address or network> = Source is from <ip address>, the ‘!’ means negate (read as ‘not’)
  • -j DOWNLOADED = Jump or push this packet over to the DOWNLOADED chain.

See simple huh… ok maybe not, it is quite easy once you’ve used iptables for a while. Anyway, now that we have iptables set up I can talk about the script.

When ever the machine is rebooted or the chains flushed the counts will be zero’d out again, and as the chains only store the totals we need to keep track of the previous values so we can do a calculation. So I log the entries as three values (columns) separated by tabs:

date proxy bytes non-network bytes

The report I then generate says to usage since last check and current total, but the current total since when? In stead of having to parse the file since the last flush/reboot I simply have another file storing the last run with the following structure, similar to the log but containing the date of the last reset.

date proxy bytes non-network bytes total start date

Anyway without further adieu I’ll now present my script, it contains the reporting, and I have my own function that makes the report counts human readable:

#!/usr/bin/env python

import sys
import os
import datetime
from send_email import send_email

# Global Variables
PROXY = "192.168.1.10"
NETWORK = "192.168.1.0/24"

IPTABLES_CUSTOM_CHAIN = "DOWNLOADED"
IPTABLES_CREATE_CHAIN = "iptables -N " + IPTABLES_CUSTOM_CHAIN
IPTABLES_DELETE_CHAIN = "iptables -X " + IPTABLES_CUSTOM_CHAIN 
IPTABLES_PROXY_RULE = "INPUT %s -s " + PROXY + " -j " + IPTABLES_CUSTOM_CHAIN
IPTABLES_NOT_NETWORK_RULE = "INPUT %s ! -s " + NETWORK + " -j " + IPTABLES_CUSTOM_CHAIN

IPTABLES_REPORT_CMD = "iptables -L -n -x -v --line-numbers"

# Result column indexes
TIMESTAMP_IDX = 0
PROXY_IDX = 1
NOT_NETWORK_IDX = 2
TOTAL_START_IDX = 3

# Format of the folling files: date     proxy bytes     non-network bytes
# NOTE: Seperated by tabs (\t)
LAST_RESULT = "/home/dpadmin/matt/bin/netmon.last"
RESULT_LOG = "/home/dpadmin/matt/bin/netmon.log"

# Email reporting variables
EMAIL_TO = ['email@address.goes.here']
EMAIL_FROM = 'email.from@address.goes.here'
EMAIL_SUBJECT = 'Network Usage Report - %s'
EMAIL_ATTACHMENTS = []
EMAIL_SERVER = 'localhost'
EMAIL_MSG = """Network usage between: %s and %s

Proxy Traffic:
  Usage: %s
  Current Total: %s

Non Network Traffic:
  Usage: %s
  Current Total: %s

Total since: %s
"""


def human_readable(bytes):
        if bytes < 1024:
                return str(bytes)
        for x in 'K', 'M','G':
                bytes /= 1024.0
                if bytes < 1024:
                        return "%.2f%s" % (bytes, x)
        if bytes > 1024:
                return "%.2f%s" % (bytes, 'G')

def make_human_readable(results):
        return (results[0], human_readable(results[1]), human_readable(results[2]))

def get_totals():
        timestamp = generate_timestamp()
        result = os.popen(IPTABLES_REPORT_CMD)
        proxy_bytes = 0 
        network_bytes = 0

        # Parse the output. 
        # 1. Find "Chain INPUT" that way we know we have the right chain.
        # 2. Look for 1 and 2 in the first column, as they are our rules.
        # 3. Find out which one is the proxy one.
        # 4. return totals.
        start = False
        for line in result:
                if line.startswith("Chain INPUT"):
                        start = True
                elif line.startswith("Chain"):
                        start = False
                elif start:
                        cols = line.split()
                        if len(cols) != 0:
                                if cols[0] == '1' or cols[0] == '2':
                                        # Found our rules
                                        if cols[8] == PROXY:
                                                proxy_bytes = int(cols[2])
                                        else:
                                                network_bytes = int(cols[2])

        return (timestamp, proxy_bytes, network_bytes)


def generate_timestamp():
        d = datetime.datetime.now()
        datestr = "%d/%.2d/%.2d-%.2d:%.2d:%.2d" % (d.year, d.month, d.day, d.hour, d.minute, d.second)
        return datestr

def get_last():
        if os.path.exists(LAST_RESULT):
                lstFile = file(LAST_RESULT).readlines()
                result = lstFile[0].strip().split()
                result[PROXY_IDX] = int(result[PROXY_IDX])
                result[NOT_NETWORK_IDX] = int(result[NOT_NETWORK_IDX])
                return tuple(result)
        else:
                timestamp = generate_timestamp()
                return (timestamp, 0, 0, timestamp)

def _cleanup_iptables():
        os.system("iptables -D %s" % (IPTABLES_PROXY_RULE % ("")))
        os.system("iptables -D %s" % (IPTABLES_NOT_NETWORK_RULE % ("")))
        os.system(IPTABLES_DELETE_CHAIN)

def start():
        # Incase the rules alread exist lets remove them
        _cleanup_iptables()

        # Now we can add them
        os.system(IPTABLES_CREATE_CHAIN)
        os.system("iptables -I %s" % (IPTABLES_PROXY_RULE % ("1")))
        os.system("iptables -I %s" % (IPTABLES_NOT_NETWORK_RULE % ("1")))

def stop():
        # Delete the rules TOTAL_START_IDX
        _cleanup_iptables()

def report():
        last = get_last()

        # Now we need to get the byte totals from iptables.
        new_totals = get_totals()

        reset_detected = False
        proxy_usage = 0
        not_network_usage = 0
        total_start = last[TOTAL_START_IDX]
        if last[PROXY_IDX] > new_totals[PROXY_IDX]:
                # Counters must have been reset.
                reset_detected = True
                proxy_usage = new_totals[PROXT_IDX]
                not_network_usage = new_totals[NOT_NETWORK_IDX]
                total_start = new_totals[TIMESTAMP_IDX]
        else:
                # Do the calc
                proxy_usage = new_totals[PROXY_IDX] - last[PROXY_IDX]
                not_network_usage = new_totals[NOT_NETWORK_IDX] - last[NOT_NETWORK_IDX]

        result = (new_totals[TIMESTAMP_IDX],proxy_usage, not_network_usage)
        result_str = "Timestamp: %s Proxied: %s Off Network: %s"

        # Write out the new last totals to the log and last.
        last_file = file(LAST_RESULT, 'w')
        tmp_list = []
        tmp_list.extend(new_totals)
        tmp_list.append(total_start)
        last_file.write("%s\t%d\t%d\t%s\n" % tuple(tmp_list))
        last_file.close()

        log = file(RESULT_LOG, 'a')
        log.write("%s\t%d\t%d\n" % new_totals)
        log.close()

        last = make_human_readable(last)
        new_totals = make_human_readable(new_totals)
        result = make_human_readable(result)


        print "Last Total - " + result_str % last
        print "New Total - " + result_str % new_totals
        print "New Usage - " + result_str % result

        if reset_detected:
                msg = " == RESET DETECTED! == \n"
        else:
                msg = ""

        # Send the email report
        msg += EMAIL_MSG % (last[TIMESTAMP_IDX],result[TIMESTAMP_IDX], result[PROXY_IDX], new_totals[PROXY_IDX], result[NOT_NETWORK_IDX], new_totals[NOT_NETWORK_IDX], total_start)
        send_email(EMAIL_FROM, EMAIL_TO, EMAIL_SUBJECT % (result[TIMESTAMP_IDX]), msg, EMAIL_ATTACHMENTS, EMAIL_SERVER)


def main(args):
        if len(args) == 0:
                # Run report
                report()
        elif str(args[0]).upper() == "CLEAR":
                stop()
        elif str(args[0]).upper() == "FLUSH":
                stop()
        elif str(args[0]).upper() == "STOP":
                stop()
        elif str(args[0]).upper() == "INITIATE":
                start()
        elif str(args[0]).upper() == "START":
                start()
        elif str(args[0]).upper() == "INITIALISE":
                start()
        elif str(args[0]).upper() == "REPORT":
                report()

if __name__ == "__main__":
        main(sys.argv[1:])

The send email code looks like:

import smtplib
import os
from email.MIMEMultipart import MIMEMultipart
from email.MIMEBase import MIMEBase
from email.MIMEText import MIMEText
from email.Utils import COMMASPACE, formatdate
from email import Encoders

def send_email(send_from, send_to, subject, text, files=[], server="localhost"):
  assert type(send_to)==list
  assert type(files)==list

  msg = MIMEMultipart()
  msg['From'] = send_from
  msg['To'] = COMMASPACE.join(send_to)
  msg['Date'] = formatdate(localtime=True)
  msg['Subject'] = subject

  msg.attach( MIMEText(text) )

  for f in files:
    part = MIMEBase('application', "octet-stream")
    part.set_payload( open(f,"rb").read() )
    Encoders.encode_base64(part)
    part.add_header('Content-Disposition', 'attachment; filename="%s"' % os.path.basename(f))
    msg.attach(part)

  smtp = smtplib.SMTP(server)
  smtp.sendmail(send_from, send_to, msg.as_string())
  smtp.close()

The script will setup the iptables setup by:

network_monitor.py start
network_monitor.py initiate
network_monitor.py initialise

To clean up iptables:

network_monitor.py clear
network_monitor.py flush
network_monitor.py stop

and finally to report:

network_monitor.py report
network_monitor.py

If you wish to graph the log then using higher and higher totals might not be what you want, so here is another script which parses the totals log and turns each entry into the daily usage, in MB, rather then totals:

#!/usr/bin/env python

import sys
import os

OUT_FILE = "netmon_graph.dat"

def main(netmon_log):
        if not os.path.exists(netmon_log):
                print "Error %s doesn't exist!" % (netmon_log)
                sys.exit(1)

        inFile = file(netmon_log)
        outFile = file(OUT_FILE, 'w')

        outFile.write("%s\t%s\t%s\n" % ("Date", "Proxy", "Non-Network"))

        line = inFile.readline()
        lastProxyValue = 0
        lastNetValue = 0
        while len(line) > 0:
                #process
                cols = line.strip().split()
                if len(cols) == 3:
                        date = cols[0]
                        proxy = long(cols[1])
                        net = long(cols[2])

                        if proxy < lastProxyValue or net < lastNetValue:
                                lastProxyValue = 0
                                lastNetValue = 0

                        # Calc
                        newProxy = proxy - lastProxyValue
                        newNet = net - lastNetValue

                        lastProxyValue = proxy
                        lastNetValue = net

                        # Convert to MBs 
                        newProxy = float(newProxy) / 1024.0 / 1024.0
                        newNet = float(newNet) / 1024.0 / 1024.0

                        outFile.write("%s\t%.2f\t%.2f\n" % (date, newProxy, newNet))

                line = inFile.readline()

        inFile.close()
        outFile.close()

if __name__ == "__main__":
        main(sys.argv[1])

Happy network monitoring!