Thursday, February 3, 2011

How can I capture traffic with tcpdump and a sliding window or sort of "logrotate"?

Hi,

I want to capture some traffic with tcpdump for troubleshooting. The problem is, the error is not reproducible. So as not to fill up the whole disk with captures, I would like to capture the traffic with some sort of sliding window.

Let's say I write the capture to a file and when the file reaches a size of 1GB it will drop the oldest packets and write the new ones. This way I would only get the traffic for some hours but hopefully enough to have the right packets when the user calls.

I couldn't find an option for tcpdump. Does anyone have an idea how to solve this?

  • The -c option can help you with this:

       -c     Exit after receiving count packets.
    

    So this would get you a circular traffic.dmp file:

    while :
    do
        # each pass overwrites traffic.dmp, so the file never grows past one batch
        tcpdump -i eth0 -c 50000 -C 1 -w traffic.dmp
    done
    

    If you dropped it in a for loop you could get a series of files:

    for file in 1 2 3 4 5
    do
        # one batch of 50000 packets per numbered file
        tcpdump -i eth0 -c 50000 -C 1 -w traffic${file}.dmp
    done
    

    Just adjust the numbers after you figure out some number that is not too big for your disk to capture a few hours' worth of packets.

    -C also looks interesting:

       -C     Before writing a raw packet to a  savefile,  check  whether  the
              file  is  currently  larger than file_size and, if so, close the
              current savefile and open a new one.  Savefiles after the  first
              savefile  will  have the name specified with the -w flag, with a
              number after it, starting at 1 and continuing upward.  The units
              of  file_size  are  millions  of  bytes  (1,000,000  bytes,  not
              1,048,576 bytes).
    
    Christian: Thanks davey. With a larger number of small files, I should get very close to a sliding window. I hope the merge will work when I have to cancel recording while writing file x from x+20. The option '-W filecount' sounds very promising. This should get me to the sliding window. I should have read more of the man page before asking.
    From davey
  • If you insist on using tcpdump, davey's answer is the right one. However, there are other packet capture programs, producing pcap files, with more options for this sort of work. Let's mention:

    • tshark, part of the Wireshark program. Its -a ("Stop writing to a capture file after it reaches a size of value kilobytes") and -b ("When the first capture file fills up, TShark will switch writing to the next file and so on") options seem particularly interesting.

    • pcapdump, part of the pcaputils package. See the configuration options interval= (move to the next file after N seconds of capture) and filefmt= (pattern to generate the name of the capture files).

    From bortzmeyer
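The tcpdump ring buffer that davey's -C excerpt and Christian's -W remark point to, written out as an added shell example that is not part of the original thread. It assumes interface eth0, a ring of ten files of 1000 million bytes under /var/tmp/ring (hypothetical path), and Wireshark's mergecap for reassembling the window afterwards.

```shell
#!/bin/sh
# Added example, not from the original thread: a tcpdump ring buffer built
# from -C (rotate on size) and -W (cap the file count and wrap around).
# Assumptions: interface eth0, a ring of 10 files x 1000 million bytes under
# /var/tmp/ring (hypothetical path), and Wireshark's mergecap for the merge.

IFACE=${IFACE:-eth0}
RING_DIR=${RING_DIR:-/var/tmp/ring}
RING_BASE=${RING_BASE:-traffic.pcap}
FILE_MB=${FILE_MB:-1000}       # -C unit: millions of bytes, not MiB
FILE_COUNT=${FILE_COUNT:-10}   # -W: files kept before the oldest is overwritten

# Number of ring files needed to hold a window of HOURS at MB_PER_HOUR, rounded up.
# Measure MB_PER_HOUR with a short trial capture first, as davey suggests.
files_for_window() {
    hours=$1 mb_per_hour=$2
    echo $(( (hours * mb_per_hour + FILE_MB - 1) / FILE_MB ))
}

# Start the sliding-window capture. tcpdump appends a zero-padded number to the
# -w name for each file and, once FILE_COUNT files exist, overwrites the oldest.
# Extra arguments (e.g. a BPF filter) are passed through.
start_ring_capture() {
    mkdir -p "$RING_DIR"
    tcpdump -i "$IFACE" -C "$FILE_MB" -W "$FILE_COUNT" -w "$RING_DIR/$RING_BASE" "$@"
}

# List the ring files oldest first. After a wrap-around the lowest-numbered file
# is no longer the oldest, so sort by modification time, not by name.
ring_files_chronological() {
    dir=$1 base=$2
    ls -tr "$dir"/"$base"* 2>/dev/null
}

# Merge the whole window into one pcap in capture order. Run this after stopping
# tcpdump so the file currently being written is complete.
merge_ring() {
    out=$1
    # word-splitting of the file list is intended here
    mergecap -w "$out" $(ring_files_chronological "$RING_DIR" "$RING_BASE")
}
```

Capturing needs root (or CAP_NET_RAW); the helper functions themselves do not, so the file-ordering logic can be checked on a copy of the ring before touching the live capture.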
