Monitor number of bytes transferred to/from IP address on port
You could use iptables. If you're not already using it, you can use an open Accept configuration, but have a rule in place to do the counting.
For example, on RHEL your /etc/sysconfig/iptables file could look something like:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j INPUT
-A INPUT -s 10.10.1.1 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -d 10.10.1.1 -p tcp -m tcp --dport 80 -j ACCEPT
Where 10.10.1.1:80 is the host:port you want to count traffic to (you can't use a hostname). You can then check traffic counted with the command iptables -nvxL as root.
Example output:
Chain INPUT (policy ACCEPT 7133268 packets, 1057227727 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 7133268 1057227727 ACCEPT     tcp  --  *      *       10.10.1.1            0.0.0.0/0            tcp spt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 INPUT      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7133268 packets, 1057227727 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 7133268 1057227727 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.10.1.1            tcp dpt:80
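To turn that listing into a single number per host:port instead of reading the table by eye, here is an added example (it is not part of the answer above) of a POSIX shell script that parses iptables -nvxL output with awk. It assumes the default chain names and the column layout shown above (with -x the byte column is an exact count, not a K/M/G figure). Both snapshots embedded in it are constructed: the first reproduces the counters from the example output, the second is an invented later reading used to show that the counters are cumulative and must be differenced to measure transfer over an interval.

```shell
#!/bin/sh
# Added example, not from the original answer: parse `iptables -nvxL` output
# and pull out the byte counters for the rules matching one host:port.
# Both snapshots are constructed. SNAP1 copies the counters from the answer's
# example output; SNAP2 is an invented later reading of the same rules.

SNAP1='Chain INPUT (policy ACCEPT 7133268 packets, 1057227727 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 7133268 1057227727 ACCEPT     tcp  --  *      *       10.10.1.1            0.0.0.0/0            tcp spt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 INPUT      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7133268 packets, 1057227727 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 7133268 1057227727 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.10.1.1            tcp dpt:80'

SNAP2='Chain INPUT (policy ACCEPT 7140000 packets, 1060000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 7140000 1060000000 ACCEPT     tcp  --  *      *       10.10.1.1            0.0.0.0/0            tcp spt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 INPUT      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7140000 packets, 1060000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 7140000 1060000000 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.10.1.1            tcp dpt:80'

# rule_bytes CHAIN HOST PORT [LISTING]
# Sum the byte counters of every rule in CHAIN whose source or destination is
# HOST and whose match ends in spt:PORT or dpt:PORT. LISTING is iptables -nvxL
# output; when it is omitted the function runs iptables itself (needs root).
rule_bytes() {
    chain=$1; host=$2; port=$3
    if [ $# -ge 4 ]; then listing=$4; else listing=$(iptables -nvxL); fi
    printf '%s\n' "$listing" | awk -v chain="$chain" -v host="$host" -v port="$port" '
        /^Chain /               { cur = $2; next }   # remember which chain we are in
        cur != chain            { next }
        NF == 0 || $1 == "pkts" { next }             # blank line or column header
        # with -x, $2 is the exact byte count; $8 and $9 are source/destination
        ($8 == host || $9 == host) && $0 ~ ("(spt|dpt):" port "( |$)") { total += $2 }
        END { printf "%d\n", total + 0 }'
}

# host_port_bytes HOST PORT [LISTING]
# Bytes received from HOST:PORT (INPUT rule) plus bytes sent to it (OUTPUT rule).
host_port_bytes() {
    inb=$(rule_bytes INPUT "$@")
    outb=$(rule_bytes OUTPUT "$@")
    echo $((inb + outb))
}

# bytes_between HOST PORT BEFORE AFTER
# Counters are cumulative since the rule was loaded (or last zeroed with
# iptables -Z), so transfer over an interval is the difference of two readings.
bytes_between() {
    host=$1; port=$2
    before=$(host_port_bytes "$host" "$port" "$3")
    after=$(host_port_bytes "$host" "$port" "$4")
    echo $((after - before))
}

host_port_bytes 10.10.1.1 80 "$SNAP1"           # 2114455454
bytes_between 10.10.1.1 80 "$SNAP1" "$SNAP2"    # 5544546
```

Call host_port_bytes with only the host and port (no listing) to read the live counters as root; for a rate, run bytes_between on two readings taken a known number of seconds apart and divide.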
I was about to suggest wireshark (for its many 'conversation' features), but it is not a command-line tool. You could try tshark though, which is a command-line analyzer tool that is closest to wireshark. The output should have (somewhat) what you're looking for (example below):
tshark -R "ip.addr == 10.2.3.67" -z conv,ip -p -f "tcp port 22"
Result:
                         |      <-       | |      ->       | |     Total     |
                         | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
10.2.3.23 <-> 10.2.3.67        42  15341        35   4890        77  20231
There is also a tool called 'iftop' which displays bandwidth usage on an interface by host. I think iftop can do what you described but normally its interface is something like 'top'.
So for your example, I think that you can just create a config file to provide your filter-code.
So here is my filter-code in my config file.
$ cat /tmp/conf
filter-code: port http and host google.com
Then, I ran the following to see the network traffic.
$ sudo iftop -c /tmp/conf
Not sure if this is the best option but certainly one way to achieve what you need. HTH.