Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>
# Misc tricks for GlobalOS

## trafw

trafw shows bidirectional traffic statistics.

Usage:

```
trafw interface1 "interface1 pcap filter" interface2 "interface2 pcap filter" timer
```

Example:

```
trafw ppp0 "inbound" ppp0 "outbound" 1
```

This shows inbound and outbound traffic on ppp0 every second.

## iptop

Usage:

```
iptop interface "pcap filter" packets (dst|src) [p|b]
```

Example:

```
iptop eth0 "inbound" 10000 dst
```

This shows the top 20 destination IP addresses by rate (the top consumers).

## tcpdump and accel-cmd

To check a user's traffic you need to use tcpdump and accel-cmd.
To find out the interface name of a user you can use:

```
accel-cmd show sessions
```

```
pppoe-9 ~ # accel-cmd show sessions|more
 ifname  | username        | calling-sid       | ip             | type  | comp | state  | uptime
---------+-----------------+-------------------+----------------+-------+------+--------+-------------
 ppp185  | user1           | 6c:3b:6b:73:33:11 | 172.17.16.185  | pppoe |      | active | 17.00:56:54
 ppp305  | user2           | 50:0f:f5:40:22:22 | 172.17.17.49   | pppoe |      | active | 17.00:56:53
 ppp318  | user3           | 6c:3b:6b:c4:11:33 | 172.17.17.62   | pppoe |      | active | 17.00:56:53
```

This means that user1 is connected on the ppp185 interface, user2 on ppp305 and user3 on ppp318. To check the traffic of user1, use:

```
tcpdump -ni ppp185 -vvv -c 100
```

The options mean:

- `-n`: do not resolve IP addresses (we don't need it)
- `-i ppp185`: listen on the ppp185 interface
- `-vvv`: verbose output
- `-c 100`: capture 100 packets and exit

## pcap filters

You can use various pcap filters in trafw, iptop and tcpdump. For example, if you want to see only traffic from subnet 8.8.8.0/24 with source port 53, you can use:

```
# to show total traffic for this filter
trafw ppp0 "src net 8.8.8.0/24 and src port 53" ppp0 "src net 8.8.8.0/24 and src port 53" 1
# to show top consumers of such traffic
iptop eth0 "src net 8.8.8.0/24 and src port 53" 10000 dst
# to capture such traffic and see each packet, only 100 packets
tcpdump -ni ppp185 -vvv -c 100 "src net 8.8.8.0/24 and src port 53"
```

More information is in this article:
https://iphelix.medium.com/packet-filtering-techniques-84fc3fc2ea3b

## restarting accel-pppd
If you need to restart accel-pppd you can use:

```
killall accel-pppd
```

Then wait until the process has been killed; this might take up to a few minutes on a large PPPoE server.
To check whether accel-pppd is still running you can use:

```
ps aux|grep accel-pppd
```

If you no longer see an accel-pppd process (other than the `grep` command itself), you can start it with:

```
/usr/sbin/accel-pppd -c /etc/accel-ppp.conf -p /var/run/accel-ppp.pid -d
```

## Shell tricks
For example, to filter all lines that begin with "fadi" in the users list:

```
accel-cmd show sessions username|grep "^ fadi"
```

What does it mean and how does it work?

* `accel-cmd show sessions username`: shows all sessions, but only the username field
* `|`: a pipe, which passes the output of the previous command to the next command
* `grep "^ fadi"`: keeps only lines that begin with " fadi"; the `^` symbol means beginning of line, and the space is needed to match accel-specific output (it has a space before the username)

Now, for example, to take this list and disconnect all users whose names begin with "fadi":

```
accel-cmd show sessions username|grep "^ fadi"|awk '{print $1}'|xargs -I {} accel-cmd terminate username {}
```

What does it mean and how does it work?

* `awk '{print $1}'`: prints the first field of each line, which is the username, without the leading space
* `xargs -I {}`: passes each line to the next command; `{}` is the placeholder for the line (a variable)
* `accel-cmd terminate username {}`: disconnects the user by username
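
A dry-run variant of the disconnect pipeline above, added here as an example (not code from the original page or from accel-ppp): it matches the prefix as a literal string, refuses an empty prefix, and prints the `accel-cmd terminate` commands instead of running them. The function names, the `APPLY` variable and the session table are constructed for illustration; the table is assumed to follow the `accel-cmd show sessions` column layout shown earlier.

```sh
#!/bin/sh
# Constructed sample in the column layout of `accel-cmd show sessions`.
sample_sessions() {
cat <<'EOF'
 ifname | username | calling-sid       | ip            | type  | comp | state  | uptime
--------+----------+-------------------+---------------+-------+------+--------+-------------
 ppp185 | fadi1    | 6c:3b:6b:73:33:11 | 172.17.16.185 | pppoe |      | active | 17.00:56:54
 ppp305 | user2    | 50:0f:f5:40:22:22 | 172.17.17.49  | pppoe |      | active | 17.00:56:53
 ppp318 | fadi.x   | 6c:3b:6b:c4:11:33 | 172.17.17.62  | pppoe |      | active | 17.00:56:53
 ppp319 | xfadi    | 6c:3b:6b:c4:11:34 | 172.17.17.63  | pppoe |      | active | 17.00:56:53
EOF
}

# select_users PREFIX: read a session table on stdin and print the usernames
# that start with PREFIX, compared as a literal string rather than a regex.
select_users() {
    [ -n "$1" ] || { echo "select_users: empty prefix refused" >&2; return 1; }
    PREFIX="$1" awk -F'|' '
        NF < 8 { next }                          # separator row, blank lines
        $1 ~ /^[ \t]*ifname[ \t]*$/ { next }     # header row
        {
            u = $2
            gsub(/^[ \t]+|[ \t]+$/, "", u)       # strip column padding
            if (index(u, ENVIRON["PREFIX"]) == 1) print u
        }'
}

# terminate_users: read usernames on stdin. Prints the commands (dry run)
# unless APPLY=1 is set, in which case it runs them.
terminate_users() {
    while IFS= read -r user; do
        if [ "${APPLY:-0}" = 1 ]; then
            accel-cmd terminate username "$user"
        else
            printf 'accel-cmd terminate username %s\n' "$user"
        fi
    done
}

# Dry run against the constructed sample; on a live box replace
# sample_sessions with `accel-cmd show sessions`.
sample_sessions | select_users fadi | terminate_users
```

Review the printed commands first, then rerun the last line with `APPLY=1` set to actually disconnect the listed users.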