Monitor number of bytes transferred to/from IP address on port

linux packet-analyzer tcpdump packet-capture tshark

You could use iptables. If you're not already using it, you can use an open Accept configuration, but have a rule in place to do the counting.

For example, on RHEL your /etc/sysconfig/iptables file could look something like:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j INPUT
-A INPUT -s 10.10.1.1 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -d 10.10.1.1 -p tcp -m tcp --dport 80 -j ACCEPT

Where 10.10.1.1:80 is the host:port you want to count traffic to (you can't use a hostname). You can then check traffic counted with the command iptables -nvxL as root.

Example output:

Chain INPUT (policy ACCEPT 7133268 packets, 1057227727 bytes)
    pkts      bytes target     prot opt in     out     source               destination     
 7133268 1057227727 ACCEPT     tcp  --  *      *       10.10.1.1            0.0.0.0/0              tcp spt:80


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination     
       0          0 INPUT      all  --  *      *       0.0.0.0/0            0.0.0.0/0       

Chain OUTPUT (policy ACCEPT 7133268 packets, 1057227727 bytes)
    pkts      bytes target     prot opt in     out     source               destination     
 7133268 1057227727 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.10.1.1              tcp dpt:80

I was about to suggest wireshark (for it's many 'conversation' features), but it is not a command-line tool. You could try tshark though, which is a command-line analyzer tool that is closes to wireshark. The output should have (somewhat) what you're looking for (example below):

tshark -R "ip.addr == 10.2.3.67" -z conv,ip -p -f "tcp port 22"

Result:

                                     |       <-      | |       ->      | |     Total     |
                                     | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
10.2.3.23           <-> 10.2.3.67        42     15341      35      4890      77     20231

There is also a tool called 'iftop' which displays bandwidth usage on an interface by host. I think iftop can do what you described but normally its interface is something like 'top'.

So for your example, I think that you can just create config file to provide your filter-code.

So here is my filter-code in my config file.

$ cat /tmp/conf
filter-code: port http and host google.com

Then, I ran the following to see the network traffice.

$ sudo iftop -c /tmp/conf

Not sure if this is the best option but certainly one way to achieve what you need. HTH.

Related

On Linux, how can I tell how many ephemeral ports are left available?
Best MySQL cache settings for 8gb RAM dedicated MySQL server using only InnoDB (5gb database)
Installing SSL on a Windows Server 2012 with IIS 8.0
Completely reset PostgreSQL to default?
How can I prepend to PATH while running Ansible's pip module?
Kubernetes always gives 503 Service Temporarily Unavailable with multiple TLS Ingress
What is the name of an IP prefix with prefix length 31? (i.e. contains only 2 IP addresses)
What are some good web based trouble ticket systems?
Kill all processes that are running for more than 5 minutes by a given user in linux bash script
How much swap is being used on windows?
Is there still a place for tape storage?
How do I take ownership of a folder when access is denied and the security tab is missing?