tcpdump script to parse "packers captured" details
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
tcpdump script to parse "packers captured" details
I want a script that would do as:-
a) gives me packet capture account for each time it runs.
b) be able to run at a particular time for specific period time duration (1 min).
c) for each time it runs it saves the time / day.
Is there a way where i can capture the details as seen in the screen shot below where is says "packets captured"
I would appreciate if i can get help over this.So far in what i tried I'm able to get packets information (raw) like in raw dump format. I;m particular interested in knowing its count.
...OTOH if you want somebody else to write something for you it helps to be polite. "Pretty please" and all that.
Quote:
Originally Posted by lazer00
gives me packet capture account for each time it runs.
It'll do that any time you kill tcpdump.
Quote:
Originally Posted by lazer00
be able to run at a particular time for specific period time duration (1 min).
tcpdump ('man tcpdump') can stop after counting n packets which helps if you have a constant volume of traffic. Else a simple cronjob could do ('man 5 crontab').
Quote:
Originally Posted by lazer00
for each time it runs it saves the time / day.
If you use a cronjob then AFAIK it'll be logged by the system anyway, else you could use 'logger' in your cronjob to log messages to syslog you can grep for later on.
...OTOH if you want somebody else to write something for you it helps to be polite. "Pretty please" and all that.
It'll do that any time you kill tcpdump.
tcpdump ('man tcpdump') can stop after counting n packets which helps if you have a constant volume of traffic. Else a simple cronjob could do ('man 5 crontab').
If you use a cronjob then AFAIK it'll be logged by the system anyway, else you could use 'logger' in your cronjob to log messages to syslog you can grep for later on.
i like to apologize for my impatient behavior.
tcpdump -i eth0 | awk 'END {print NR}'
This command gives me count of packets as per filters defined in tcpdump command. I want this command to run for specific interval can i do this in a script or a cron job
I want this command to run for specific interval can i do this in a script or a cron job
Save the script below as say "/usr/local/bin/sniffer.cron" and make it owned by root only, with octal access rights 0500:
Code:
#!/bin/sh
# Need help
__help() { echo "$0 [ stop|start ]" 1>&2; exit 1; }
# Not enough args to run properly
[ $# -ne 1 ] && __help
# See what we're called with
case "$1" in
start) # Start sniffer as root, under a different argv[0] and make it drop rights
/bin/doexec /usr/sbin/tcpdump /sniffer -n -nn -f -q -i eth0 -Z nobody -w /dev/null 2>&1 | awk '/packets.captured/ {print $1}'
;;
stop) # End run, first "friendly", then strict:
/usr/bin/pkill -15 -f /sniffer >/dev/null 2>&1|| { sleep 3s; /usr/bin/pkill -9 -f /sniffer >/dev/null 2>&1; }
;;
*) # Superfluous but show we only accept these args
__help
;;
esac
exit 0
Now in /etc/crontab or root's ('man 5 crontab') use it as '/usr/local/bin/sniffer.cron start;' and '/usr/local/bin/sniffer.cron stop;'. Other ways to run it are using 'at' ('man at') for instance: 'echo "/usr/local/bin/sniffer.cron start"|/usr/bin/at now;' or 'echo "/usr/local/bin/sniffer.cron stop"|/usr/bin/at 1am tomorrow;', HTH.
Save the script below as say "/usr/local/bin/sniffer.cron" and make it owned by root only, with octal access rights 0500:
Code:
#!/bin/sh
# Need help
__help() { echo "$0 [ stop|start ]" 1>&2; exit 1; }
# Not enough args to run properly
[ $# -ne 1 ] && __help
# See what we're called with
case "$1" in
start) # Start sniffer as root, under a different argv[0] and make it drop rights
/bin/doexec /usr/sbin/tcpdump /sniffer -n -nn -f -q -i eth0 -Z nobody -w /dev/null 2>&1 | awk '/packets.captured/ {print $1}'
;;
stop) # End run, first "friendly", then strict:
/usr/bin/pkill -15 -f /sniffer >/dev/null 2>&1|| { sleep 3s; /usr/bin/pkill -9 -f /sniffer >/dev/null 2>&1; }
;;
*) # Superfluous but show we only accept these args
__help
;;
esac
exit 0
Now in /etc/crontab or root's ('man 5 crontab') use it as '/usr/local/bin/sniffer.cron start;' and '/usr/local/bin/sniffer.cron stop;'. Other ways to run it are using 'at' ('man at') for instance: 'echo "/usr/local/bin/sniffer.cron start"|/usr/bin/at now;' or 'echo "/usr/local/bin/sniffer.cron stop"|/usr/bin/at 1am tomorrow;', HTH.
Thank you! You just made my job a whole lot easier now.
I have a few queries regarding which requires your help.
First, Im using backtrack 5 and the directories listed by you
/bin/doexec /usr/sbin/tcpdump
These are not present in exact same location. I cannot find doexec and tcpdump at the location specified in script. Though on execution i got no error but does the files names or location effect the results. Does the command doexec comes in ubuntu as then i can test the script there.?
Secondly, if i like run the script 3 times a day using cron would i be able to see the output like packets capture details somewhere or i have to redirect its to a file?
Thank you once again. I appreciate what you have done here.
I cannot find doexec and tcpdump at the location specified in script. Though on execution i got no error but does the files names or location effect the results.
If, as root, 'locate doexec' doesn't turn up then forget about that. 'locate tcpdump' should show you where it resides so change the "/path/to/" in the lines:
Secondly, if i like run the script 3 times a day using cron would i be able to see the output like packets capture details somewhere or i have to redirect its to a file?
'man tcpdump' tells you to write pcaps to file with "-w". Using something like
will store logs in /var/log/ as file name starting with "pcap" and attaching the date in YYYYMMDDhhmm format.
Quote:
Originally Posted by lazer00
Thank you once again. I appreciate what you have done here.
This isn't as much about the solution as it is about knowing where to find information. Searching LQ, reading manual pages and practicing shell scripting may take up time but may help you finish admin chores faster and more efficiently, meaning you have more time for interesting tasks...
If, as root, 'locate doexec' doesn't turn up then forget about that. 'locate tcpdump' should show you where it resides so change the "/path/to/" in the lines:
will store logs in /var/log/ as file name starting with "pcap" and attaching the date in YYYYMMDDhhmm format.
This isn't as much about the solution as it is about knowing where to find information. Searching LQ, reading manual pages and practicing shell scripting may take up time but may help you finish admin chores faster and more efficiently, meaning you have more time for interesting tasks...
You do have a lot of patience for newbie like me.
I got all of your above points and made changes accordingly. However, in previous post i failed to clarify that i meant by packets capture was not 'details' (poor explanation of term on my side) but as to grab the caption("packets captured") from output as it appears in the screen shot above. Like in short i want to have numeric value of number of packets captured in given time. Thats it. No raw details required.
in short i want to have numeric value of number of packets captured in given time.
That's what the '| awk '/packets.captured/ {print $1}';' should accomplish.
Quote:
Originally Posted by lazer00
when i test (above code) on command prompt it doesn't shows anything
See 'man tcpdump' for options. Ensure you run from the command line as root. Remove "-Z nobody" or replace nobody with another unprivileged user name, replace "-i eth0" with the right ethernet device name. The rest should work. Else post the output of running your tcpdump command (kill it after a few seconds) but without piping it through awk.
Please view the screen shot (given in link below). First is your command. Second is something that i just figured it out. I can get mine to work though it works different it just counts the number of records (NR) output to a screen. But i want yours to work cause later it would be helpful in doing "other stuff"...
OK, but then you've actually got to type what I responded with. Calling it as '| awk '/packets.captured/ {print $1}';' awk selects only lines containing the string "packets captured" and then prints the first space separated value.
OK, but then you've actually got to type what I responded with. Calling it as '| awk '/packets.captured/ {print $1}';' awk selects only lines containing the string "packets captured" and then prints the first space separated value.
Yes but when i try to use your command it gives tcpdump syntax error. Here is the screen shot I have a gut feeling em doing something terribly stupid in here http://postimage.org/image/2knwvo350/
This code runs perfectly on manual testing. But when i couple it with cron it just doesn't do anything. No output file is created.
No idea why but you changed the code and put a she bang line in twice (need only one: remove '#!/bin/sh'). Check the locations of the binaries and supply a path to the directory you're saving files in. If nothing works change the '#!/bin/bash' line to '#!/bin/bash -vx', run it via cron and check your (root?) email. Cron send email, on output and error.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
I'm missing something?
