Rotating capture files using tcpdump

prafulnama · 04-06-2010, 11:43 AM

Hello,

Ideally, I would like to set up tcpdump to rotate log file every 1 hour and retain files for the lat 14 days but I don't think any combination of -C and -W would allow me to do that (Atleast I haven't been able to figure it out), so I am trying to rotate the files every X number of MB and retain the last 20 files. This seems to be fairly simple with the '-C X -W 20' option but I am having some trouble in customizing the names of the log files. I have tried '-w capture-$(date +%Y-%M-%d-%H:%M-)' thinking that each file would start with the current date and time but all files are using the date and time when the capture was started so the only difference is the number at the end (which is done by -W). I would appreciate any help in figuring out if I can customize the names of the file so that it has the date and time when the capture in started. In fact if I can do that, I dont need the numbers that '-W' appends at the end but I dont know how to get rid of them.

Any if any experts can help me figure out how to do what I originally intended to (Rotate every hour and retain 14 days worth of files), I'll be more than happy :-)

Thanks everyone!
-p

rweaver · 04-06-2010, 12:55 PM

Internally in tcpdump I don't believe there is a way to achieve what you want. I'd tend towards writing a script that stopped the running tcpdump and started a new one every hour. Maybe something like this (as a base, needs refined and error checked, tested, etc.)

Code:

#!/bin/bash
killall -9 tcpdump
/usr/sbin/tcpdump -w /var/log/tcpdump/capture_$(date +%Y-%M-%d-%H:%M:%S).log

Then add that to cron to run hourly.

paulndna · 08-13-2010, 09:12 PM

try

tcpdump -w capture_%Y-%m-%d-%H:%M:%S

konsolebox · 08-14-2010, 12:08 AM

Try this script:

Code:

#!/bin/bash

shopt -s extglob

# variables

CURRENTDATE=''
DDBLOCKSIZE=512
LOGDIR='/var/log/tcpdump'
MAINLOGFILE='main.log'
MAINLOGFILEMAXSIZE=20000000  ## in bytes
OLD=14
QUIT=false
TCPDUMP='/usr/sbin/tcpdump'
TCPDUMPCAPTUREFILEPREFIX='capture-'
TCPDUMPCAPTUREFILESUFFIX=''
TCPDUMPPID=0
TEMPDIR='/var/tmp'

# functions

function log {
	echo "[$(date '+%F %T')] $1" >> "$MAINLOGFILE"
	echo "$1"
}

function checktcpdump {
	[[ $TCPDUMPPID -ne 0 ]] && [[ -e /proc/$TCPDUMPPID ]] && kill -s 0 "$TCPDUMPPID" 2>/dev/null
}

function starttcpdump {
	log "Starting tcpdump..."

	CURRENTDATE=$(date +%F)

	"$TCPDUMP" -w "$LOGDIR/${TCPDUMPCAPTUREFILEPREFIX}${CURRENTDATE}${TCPDUMPCAPTUREFILESUFFIX}.log" &

	if [[ $? -ne 0 ]]; then
		TCPDUMPPID=0
		return 1
	fi

	TCPDUMPPID=$!

	disown "$TCPDUMPPID"

	checktcpdump
}

function starttcpdumploop {
	until starttcpdump; do
		log "Error: Failed to start tcpdump.  Waiting for 20 seconds before next attempt..."
		read -t 20 && QUIT=true
	done
}

function stoptcpdump {
	log "Stopping tcpdump..."
	kill "$TCPDUMPPID"
	checktcpdump && kill -s 9 "$TCPDUMPPID"
	TCPDUMPPID=0
	QUIT=true
}

function restarttcpdump {
	log "Restarting tcpdump..."
	checktcpdump && stoptcpdump
	starttcpdumploop
}

function catchsignals {
	log "Caught a signal..."
	QUIT=true
}

function main {
	local CAPTUREFILEPATTERN FILE MAINLOGFILEMAXBLOCKSIZE NEWDATE SIZE TEMPFILE

	CAPTUREFILEPATTERN="${TCPDUMPCAPTUREFILEPREFIX}[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]${TCPDUMPCAPTUREFILESUFFIX}.log"
	[[ $MAINLOGFILE != */* ]] && MAINLOGFILE=$LOGDIR/$MAINLOGFILE
	(( MAINLOGFILEMAXBLOCKSIZE = (MAINLOGFILEMAXSIZE / DDBLOCKSIZE) + ((MAINLOGFILEMAXSIZE % DDBLOCKSIZE) ? 0 : 1) ))

	log "Starting tcpdump manager script..."

	trap catchsignals SIGQUIT SIGINT SIGKILL SIGTERM

	mkdir -p "$LOGDIR"

	starttcpdumploop

	for (( I = 1;; I = (I + 1) % 20 )); do
		read -t 1 && break  ## we have to separate this from the next statement to ensure proper handling of signals

		[[ $QUIT = true ]] && break

		if [[ I -eq 0 ]]; then
			NEWDATE=$(date +%F)

			if [[ ! $NEWDATE = "$CURRENTDATE" ]]; then
				log "A new day has come."

				if read FILE; then
					log "Deleting $OLD-days old files..."

					while
						log "Deleting $FILE..."

						rm -f "$FILE"

						read FILE
					do
						continue
					done
				fi < <(exec find "$LOGDIR" -name "$CAPTUREFILEPATTERN" -daystart -ctime "+$OLD")   # or -mtime?

				restarttcpdump
			fi
		elif [[ I -eq 1 ]]; then
			SIZE=$(stat --printf=%s "$MAINLOGFILE")

			if [[ $SIZE == +([[:digit:]]) && $(( SIZE / DDBLOCKSIZE )) -gt MAINLOGFILEMAXBLOCKSIZE ]]; then
				echo "Reducing log data in $MAINLOGFILE..."

				TEMPFILE=$TEMPDIR/tcpdump-$RANDOM.tmp

				dd "bs=$DDBLOCKSIZE" "count=$MAINLOGFILEMAXBLOCKSIZE" "if=$MAINLOGFILE" "of=$TEMPFILE"

				cat "$TEMPFILE" > "$MAINLOGFILE"; rm -f "$TEMPFILE"  ## better than mv
			fi
		fi
	done

	checktcpdump && stoptcpdump

	log "Ending tcpdump manager script."
}

# start

main

I thought it was easy from the start but it took long. Please test it in a visible terminal before running in cron.

gagan_goku · 05-12-2011, 10:32 PM

use -G <num_seconds> -w 'trace_%Y%m%d-%H%M%S.pcap'