capstats - A tool to get some NIC statistics.

capstats is a small tool to collect statistics on the current load of a network interface, using either libpcap or the native interface for Endace’s. It reports statistics per time interval and/or for the tool’s total run-time.

Download

You can find the latest capstats release for download at http://www.bro.org/download.

Capstats’s git repository is located at git://git.bro.org/capstats.git. You can browse the repository here.

This document describes capstats 0.25. See the CHANGES file for version history.

Output

Here’s an example output with output in one-second intervals until CTRL-C is hit:

>capstats -i nve0 -I 1
1186620936.890567 pkts=12747 kpps=12.6 kbytes=10807 mbps=87.5 nic_pkts=12822 nic_drops=0 u=960 t=11705 i=58 o=24 nonip=0
1186620937.901490 pkts=13558 kpps=13.4 kbytes=11329 mbps=91.8 nic_pkts=13613 nic_drops=0 u=1795 t=24339 i=119 o=52 nonip=0
1186620938.912399 pkts=14771 kpps=14.6 kbytes=13659 mbps=110.7 nic_pkts=14781 nic_drops=0 u=2626 t=38154 i=185 o=111 nonip=0
1186620939.012446 pkts=1332 kpps=13.3 kbytes=1129 mbps=92.6 nic_pkts=1367 nic_drops=0 u=2715 t=39387 i=194 o=112 nonip=0
=== Total
1186620939.012483 pkts=42408 kpps=13.5 kbytes=36925 mbps=96.5 nic_pkts=1 nic_drops=0 u=2715 t=39387 i=194 o=112 nonip=0

Each line starts with a timestamp and the other fields are:

pkts:Absolute number of packets seen by capstats during interval.
kpps:Number of thousands of packets per second.
kbytes:Absolute number of KBytes during interval.
mbps:Mbits/sec.
nic_pkts:Number of packets as reported by libpcap‘s pcap_stats() (may not match pkts)
nic_drops:Number of packet drops as reported by libpcap‘s pcap_stats().
u:Number of UDP packets.
t:Number of TCP packets.
i:Number of ICMP packets.
o:Number of IP packets with protocol other than TCP, UDP, and ICMP.
nonip:Number of non-IP packets.

Options

A list of all options:

capstats [Options] -i interface

   -i| --interface <interface>    Listen on interface
   -d| --dag                      Use native DAG API
   -f| --filter <filter>          BPF filter
   -I| --interval <secs>          Stats logging interval
   -l| --syslog                   Use syslog rather than print to stderr
   -n| --number <count>           Stop after outputting <number> intervals
   -N| --select                   Use select() for live pcap (for testing only)
   -p| --payload <n>              Verifies that packets' payloads consist
                                  entirely of bytes of the given value.
   -q| --quiet <count>            Suppress output, exit code indicates >= count
                                  packets received.
   -S| --size <size>              Verify packets to have given <size>
   -s| --snaplen <size>           Use pcap snaplen <size>
   -v| --version                  Print version and exit
   -w| --write <filename>         Write packets to file

Installation

capstats has been tested on Linux, FreeBSD, and MacOS. Please see the INSTALL file for installation instructions.

Copyright 2016, The Bro Project. Last updated on October 16, 2017. Created using Sphinx 1.5.2.