run tcp dump in continuous loop

Red Squirrel · 03-03-2009, 08:34 PM

I want to loop tcpdump something like this:

Code:

file="aov`date +%m`.cap"

while true
do
tcpdump -c 10 -w ${file} port 2593
done

The only issue with this is it does not seem to append to the file. How would I go about making it append data?

Basically I want to run this indefinably on my server as I have lot of problems with people hacking (Game server) so I want to try and read the packets and detect what people are doing to exploit the game. Speed hacking, etc...

So what is the best way to loop this?

anomie · 03-03-2009, 08:50 PM

Why not just keep tcpdump running indefinitely, then? In other words, why are you grabbing 10 packets at a time in a loop?

Red Squirrel · 03-03-2009, 09:05 PM

Well 10 was just an example, but what I want to do is have separate log files so I can download them without stopping the process. I would probably save filenames like cap-mar0309-3.cap or something, so it would be by hour.

anomie · 03-03-2009, 10:09 PM

This isn't perfect, but one idea is to simply let this run:
# tcpdump -A -w dump-output

Then from time to time you could check it (without stopping it) using:
# tcpdump -r dump-output

---

If you really want separate dump files, then you could move something like this into your while loop:

Code:

file="aov`date +%s`.cap"

The files are likely to be unique that way (so nothing should get overwritten). See the date(1) manpages for formats if you haven't already.

Red Squirrel · 03-03-2009, 11:01 PM

I thought of doing that, though I was hoping to have them by date then unix time stamp. Though I was thinking if I forget about this I'll end up using up all the disk space, so decided to just go with a big rotation instead. Think this should go for a few days especially if I add a filter:

tcpdump -C 500 -W 25 -nn -s 0 -w logs/aovcap &