Rotating capture files using tcpdump
Hello,
Ideally, I would like to set up tcpdump to rotate the log file every 1 hour and retain files for the last 14 days, but I don't think any combination of -C and -W would allow me to do that (at least I haven't been able to figure it out), so I am trying to rotate the files every X number of MB and retain the last 20 files. This seems to be fairly simple with the '-C X -W 20' option, but I am having some trouble customizing the names of the log files. I have tried '-w capture-$(date +%Y-%M-%d-%H:%M-)' thinking that each file would start with the current date and time, but all files are using the date and time when the capture was started, so the only difference is the number at the end (which is done by -W). I would appreciate any help in figuring out if I can customize the names of the files so that each has the date and time when the capture is started. In fact, if I can do that, I don't need the numbers that '-W' appends at the end, but I don't know how to get rid of them. And if any experts can help me figure out how to do what I originally intended (rotate every hour and retain 14 days' worth of files), I'll be more than happy :-) Thanks everyone! -p
Internally in tcpdump I don't believe there is a way to achieve what you want. I'd tend towards writing a script that stopped the running tcpdump and started a new one every hour. Maybe something like this (as a base; it needs refining, error checking, testing, etc.)
Code:
#!/bin/bash
Try:
tcpdump -w capture_%Y-%m-%d-%H:%M:%S
Try this script:
Code:
#!/bin/bash
use -G <num_seconds> -w 'trace_%Y%m%d-%H%M%S.pcap'
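As an added example (not code from any poster in this thread), here is the -G approach above combined with the retention the original poster asked for: tcpdump rotates the file every hour and expands the strftime(3) pattern itself at each rotation, which is why a shell $(date ...) in the -w argument only ever yields the start time. Retention is done with find, because -W together with -G limits the total number of files and then exits rather than keeping a ring. The interface, directory and pattern are constructed defaults, overridable through the environment.

```shell
#!/bin/sh
# Hourly rotation via tcpdump -G, 14-day retention via find.
# Assumed defaults (constructed): interface eth0, directory /var/tmp/pcap.
IFACE="${IFACE:-eth0}"
CAPDIR="${CAPDIR:-/var/tmp/pcap}"
ROTATE_SECONDS="${ROTATE_SECONDS:-3600}"                # 1 hour
RETAIN_MINUTES="${RETAIN_MINUTES:-$((14 * 24 * 60))}"   # 14 days
PATTERN='capture-%Y-%m-%d-%H%M.pcap'   # strftime pattern, expanded by tcpdump

# Print the tcpdump command line that start_capture runs. The strftime
# pattern is passed to tcpdump literally (no shell expansion), so every
# rotated file gets the time at which it was opened, not the start time.
tcpdump_cmdline() {
    printf 'tcpdump -n -i %s -G %s -w %s\n' \
        "$IFACE" "$ROTATE_SECONDS" "$CAPDIR/$PATTERN"
}

# Delete capture files in $1 older than $2 minutes; print how many went.
prune_old_captures() {
    find "$1" -maxdepth 1 -type f -name 'capture-*.pcap' \
        -mmin +"$2" -exec rm -f {} \; -print | wc -l | tr -d ' '
}

# Run tcpdump in the background and prune once per rotation interval
# for as long as it is alive (tcpdump needs capture privileges).
start_capture() {
    mkdir -p "$CAPDIR"
    tcpdump -n -i "$IFACE" -G "$ROTATE_SECONDS" -w "$CAPDIR/$PATTERN" &
    pid=$!
    while kill -0 "$pid" 2>/dev/null; do
        n=$(prune_old_captures "$CAPDIR" "$RETAIN_MINUTES")
        [ "$n" -gt 0 ] && echo "pruned $n old capture(s)"
        sleep "$ROTATE_SECONDS"
    done
}

case "${1:-}" in
    start) start_capture ;;
    show)  tcpdump_cmdline ;;
esac
```

Invoke it as `sh rotate.sh start` (or `show` to print the command line); size-based rotation is the separate -C option, and tcpdump appends a counter to the name when -C and -G are combined.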
I think this is exactly what I’m looking for but I have a question about functionality.
Quote:
It appears this script is a perfect fit for what I need... but I have a question. Q: Does this rotate the "main.log" file or the tcpdump output? I am looking for something that will rotate the output of the tcpdump file based on size. So when it reaches a max size the script will start a new tcpdump output with a new name (assuming more than one a day gets created)... as in -- if 'x.pcap' exists then add a suffix like a,b,c... * Also, it appears I'll need to add the specifics of the tcpdump arguments manually within the code "$TCPDUMP" (manually add arguments here) -w "$LOGDIR/${TCPDUMPCAPTUREFILEPREFIX}${CURRENTDATE}${TCPDUMPCAPTUREFILESUFFIX}.log" &
I added [TCPARGS="-npi eth1 -Xs 1500"] to the variables and inserted $TCPARGS after the TCPDUMP call:
"$TCPDUMP" $TCPARGS -w "$LOGDIR/${TCPDUMPCAPTUREFILEPREFIX}${CURRENTDATE}${TCPDUMPCAPTUREFILESUFFIX}.log" &
and I get:
Starting tcpdump...
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1500 bytes
so that seems to work as needed :)
* Any help in rotating the tcpdump output based on size would be great - thanks!
I have gone with a stripped down command/script for now:
tcpdump -npi eth1 -Xs 1500 -C 100 -w /tmp/dump.pcap
and a cron job:
* */1 * * * find /tmp/ -name "*.pcap*" -mmin +59 -exec rm {} \;
The problem of course is that I have to go stop the cron job and kill the pid for the tcpdump - when and if an event happens. This is just a temporary measure in order to track an inconsistent problem... but if anyone has any better options that will give file rotation, log reporting and can be managed more easily than this one (as I have this running on all 4 of the boxes involved)... please do share - thanks!
Code:
TCPDUMPARGS=("arg with space 1" "arg 2" "...")
I updated the script. This time a new filename for the logfile is used every time a new session is started. Note that tcpdump doesn't seem to allow appending of output to a logfile from previous session.
Code:
#!/bin/bash
For rotation of logfiles based on size you need to use -C of tcpdump. Also, make sure LOGDIR is writable both by the running user and by tcpdump's user, if tcpdump runs with its own user. You can do this by setting 777 on the directory, setting 770 with tcpdump (or whatever applies) as the group, or changing its ownership to tcpdump or tcpdump:tcpdump.
Thanks Konsolebox -
I have bash version 3.2.25(1). Will the readarray problem show up when starting/restarting the script? It created today's file with a '.0.log', but when I restart the script it overwrites it.
> Oct 11 11:16 capture-2012-10-11.log
> Oct 12 10:47 capture-2012-10-12.0.log
I have now modified the script. I tested this with bash 3.2 as well. Please try it again.
Code:
#!/bin/bash
And this is yet another version for it. This one's more flexible and lighter performance-wise.
Code:
#!/bin/bash
You're awesome! That did it:
- capture-2012-10-13.0.log (capture started)
- capture-2012-10-13.0.log1 (capture rolled over based on file size)
- capture-2012-10-13.1.log (capture stopped and restarted)
- capture-2012-10-13.2.log (capture stopped and restarted)
- main.log
I think I'll use a cron job to start this script '@reboot' if that works... and will continue to use a cron job to clean off logs older than x number of hours. Thanks so much for your help!!
Welcome :)
Hi,
Today I found your nice script and tried to use it on my machine, but it does not work for me and I don't understand why. When I run the script, tcpdump gets started, but after about a minute it gets stopped by the script. This is the output from the main.log file:
Code:
[2014-07-02 00:47:08] Starting tcpdump manager script...
Can you please help me with this issue?
@mbrauni Hi. On what system do you use this? It could be a tcpdump problem or perhaps something related to the date command, especially if you're on Mac. find may act differently as well.
P.S. I just found out: The newer version has a typo: Code:
CURRENTDATE=CURRENTDATE=...
Hi Konsolebox,
I have gone through your script; it was written some time back. I have a requirement of running tcpdump for 24 hours, captured into the same file for 24 hours of packets. The next day's packets have to be captured in the next date's file. Actually it's working, but the problem is tcpdump is for some reason stopping after 2 hours. Do you know why? If you could help it would be a great help. I am running the following version of Linux: Linux 2.6.18-274.el5 #1 SMP Fri Jul 8 17:36:59 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux [bash-3.2-32.el5] Thanks, Anand.
Run for 60 seconds and quit?
First off konsolebox, this script is really great. Thank you.
I've learned a bunch just from working with it and getting to understand it. I had an issue with temporary blindness finding clearly stated variables... Found what was needed just after posting (TCPDUMPCHECKINTERVALS=180).
@mbrauni, @anandpu70, @keith.evans
I reformatted the code to make it more readable. I also found some issues: (1) CURRENT_DATE should not have been set as a local variable. What happens is the date value set to it is lost after start_tcpdump() exits, which makes [[ ${NEW_DATE} != "${CURRENT_DATE}" ]] always valid. (2) stop_tcpdump() should not have been setting QUIT to true. It makes the script end quickly when stop_tcpdump() or restart_tcpdump() is called. I now have the script placed on GitHub. Please check it for all updates. https://github.com/konsolebox/script...dump-master.sh
Great newer version, thanks and some updates/enhancements
Thank you again konsolebox for this excellent script. I had some requirements that I needed to satisfy since I don't have root on production and, not managing that environment, wanted to ensure I didn't blow it up, as I can't monitor the progress and the systems are very high traffic. Below I list the changes/updates made and provide the updated code (using your newest version).
Primary additions: updated logging for no output when run from cron, min and max number of capture files, max disk space for capture files, added a make-dir function for non-root access to capture files afterwards, configurable capture file extension, and a prompt for pre-set protos with default selection. Code:
#!/bin/bash