[SOLVED] Using bash script to purge rotating tcpdump files

merixon · 10-20-2010, 10:40 AM

Hi there,

I'm trying to figure out a way of writing a script that would keep the last three versions of tcpdump files.

Due to the version of tcpdump I must use -C and cannot use -G.

Using -C generates a new file after X MB's have been written and adds a .x after each new one.

The problem is that these files are filling up the disk too quickly. The main part of the script will kill tcpdump when a certain condition is met but in the meantime I need to purge and only keep say the three last iterations of the dump file.

So for example, there is dump.pcap.1, dump.pcap.2, dump.pcap.3, dump.pcap.4 and dump.pcap.5. I'd like the script to look at the datestamps and delete dump.pcap.1 and dump.pcap2 since the other three are the three newest files.

Can anyone think of a way of comparing files based on dump.pcap.*, check the dates and only keep the three 'youngest' files?

I think I've described what I'm after, but if I'm unclear - please post follow-up queries.

I'm thankful for any help.

Thanks in advance, Mike

GrapefruiTgirl · 10-20-2010, 10:57 AM

Here's a little chunk of code I use to clean all but the single newest logfile out of a certain directory. I accumulate a new logfile for every time I start my window manager, and deleting old ones manually was horrible.

You'll want to change the search path (/home/sasha/.i3) to whatever directory you have your files in.
You'll want to change the -name "argument" to match your filenames, maybe "dump\.pcap\..*" would work.
And, since you wish to save the last 3 files instead of only one, change the -1 in the `head` command, to a -3.

Code:

#!/bin/sh

case $1 in

demo)
find /home/sasha/.i3 -maxdepth 1 -name "logfile-*" -printf "%T+ %f\n" | sort | head -n -1 | awk '{print $NF}' | xargs -I {} echo rm -f {}
;;

real)
find /home/sasha/.i3 -maxdepth 1 -name "logfile-*" -printf "%T+ %f\n" | sort | head -n -1 | awk '{print $NF}' | xargs -I {} rm -vf {}
;;

*)
echo "This script clears away all but the newest i3 logfile in /home/sasha/.i3"
echo "It takes one of two arguments: 'demo' or 'real'"
echo "demo: shows what files will be deleted, but don't really delete them."
echo "real: actually deletes the files."
;;

esac

So, when you run it, give it either the "demo" option, or the "real" option.

If you have problems, post the code as you have adjusted it to suit your needs, and tell us what's not working.

Good luck!

merixon · 10-20-2010, 11:03 AM

Celine,

That worked like a charm, exactly what I was after.

You are a star, I certainly owe you one for that one!

// Mike

GrapefruiTgirl · 10-20-2010, 11:06 AM

No problem, glad it helped

For the record, here's a slightly simplified version (less code) if you're interested:

Code:

#!/bin/sh

do_it () {
find /home/sasha/.i3 -maxdepth 1 -name "logfile-*" -printf "%T+ %f\n" | sort | head -n -1 | awk '{print $NF}' | xargs -I {} $ecko rm -vf {}
}

case $1 in

demo)
ecko='echo'
do_it
;;

real)
ecko=''
do_it
;;

*)
echo "This script clears away all but the newest i3 logfile in /home/sasha/.i3"
echo "It takes one of two arguments: 'demo' or 'real'"
echo "demo: shows what files will be deleted, but don't really delete them."
echo "real: actually deletes the files."
;;

esac

So same thing, I just put the main guts of it into a function. Tested and works here.

Anyhow, whichever you use, glad it works.
If you haven't yet, you can mark this thread [SOLVED] using Thread Tools above the first post.

Have a good day!

merixon · 10-20-2010, 11:18 AM

You're glad it works? That's nothing compare to happy I am right now.

Consider this one marked as resolved now.

Thanks again, Mike

forrestt · 10-20-2010, 11:19 AM

Or a bit less code:

Code:

rm `ls -tr dump.pcap* | head -n -3`

HTH

Forrest