Forum Discussion
Running a Rotating Tcpdump
10 Replies
- Hamish
Cirrocumulus
Yes, tcpdump has an option to roll files over, and keep X number of files...
If you RTFM, you'll see that
-C = specify a maximum file size to write to
-W = Maximum number of files to keep... The files are used in a rotating buffer
-G = Can be used to specify only write to a number of files then exit (With a 0 status)
-w is used to specify the file template name.
H
- hoolio
Cirrostratus
Another couple of options:
http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/ActionOnLog.html
Perl script that runs as a daemon to watch a log file (like tail in the background), and runs a command when a certain message is found. Smart enough to keep working when log files get rotated, etc. Very handy when you need to run a command to start gathering debugging data or recover from failure that is indicated by a log message.
ringdump.pl (attached)
start of config section for the script (the `#` comment markers were lost when the post was pasted; restored here, with the time-based trigger shown commented out as the alternative to the log-message trigger):
#!/usr/bin/perl
# VERSION v0.9b
use strict;
# tcpdump settings
my %SETTINGS = (
    external => { filter => "port 443" },
    internal => { filter => "port 80" },
    lo0      => { filter => "port 80" },
);
my $SNAPLEN = 4352;
# script settings
# free space checking
my $FREE_SPACE_CHECK_INTERVAL = 1;   # check free space every this number of seconds
my $MIN_FREE_SPACE = 5;              # minimum percent space left on partition
my $CAPTURE_LOCATION = $ARGV[0];
# file rotation settings
my $CAPTURES_TO_ROTATE = 4;          # tcpdump capture files to rotate
my $DESIRED_CAPTURE_SIZE = 15;       # megabytes per capture file before rotating
my $OVERLAP_DURING_ROTATE = 5;       # seconds to overlap previous capture while starting a new one
my $CAPTURE_CHECK_INTERVAL = 1;      # how often (seconds) to check the size of capture files for rotating
# trigger settings - time (run tcpdumps for x seconds); uncomment to use instead of the log-message trigger
#my $TRIGGER = "time-based";
#my $TIME_TO_CAPTURE = 300;
# trigger settings - log-message (stop tcpdump when log message is received)
my $TRIGGER = "log-message based";
my $LOG_FILE = "/var/log/messages";
my $LOG_MESSAGE = "no space in response line";
my $FOUND_MESSAGE_WAIT = 5;          # how many seconds to gather tcpdumps after we match the log message
# misc
my $IDLE_TIMER = 5;                  # if ! receiving log entries, how long before checking if log is rotated
my $MAX_ROTATED_LINES = 10000;       # max lines to read from file we're re-reading because it's been rotated
my $PID_FILE = "/var/run/ring_dump.pid";
my $DEBUG = 0;                       # 0/1
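Putting Hamish's ring-buffer options and hoolio's log-message trigger together in one small controller, as an added example that is not from the thread and not from ringdump.pl: tcpdump_ring_args() builds the -C/-W/-Z command line, LogFollower tails the log and keeps working across logrotate moves and copytruncate (the rotation handling the Perl script is described as having), and capture_until_message() stops the capture a few seconds after the message appears. Interface, BPF filter, output prefix and log path are whatever the caller passes (assumptions, not values from the thread); the capture itself needs tcpdump and root.

```python
import os
import subprocess
import time

def tcpdump_ring_args(iface, bpf, prefix, file_mb=15, file_count=4):
    """argv for a ring capture: -C megabytes per file, -W files kept (oldest overwritten)."""
    return ["tcpdump", "-n", "-i", iface, "-s", "0", "-C", str(file_mb), "-W", str(file_count),
            "-Z", "root", "-w", prefix, bpf]  # -Z root: the rotate-as-root fix from the thread

class LogFollower:
    """`tail -F` in Python: reopens the log when its inode changes (logrotate moved it)
    or it shrinks (copytruncate), so a trigger line is not missed across rotation."""

    def __init__(self, path):
        self.path = path
        self._open()
        self.fh.seek(0, os.SEEK_END)  # only lines written from now on (like tail -n 0 -F)

    def _open(self):
        self.fh = open(self.path, "rb")  # binary mode so tell()/seek() count bytes
        self.inode = os.fstat(self.fh.fileno()).st_ino

    def _drain(self, out):
        while line := self.fh.readline():
            if not line.endswith(b"\n"):  # partial write: rewind and re-read it next call
                self.fh.seek(-len(line), os.SEEK_CUR)
                return
            out.append(line.decode("utf-8", "replace").rstrip("\n"))

    def read_new_lines(self):
        out = []
        self._drain(out)
        st = os.stat(self.path) if os.path.exists(self.path) else None  # None: mid-rotation
        if st and (st.st_ino != self.inode or st.st_size < self.fh.tell()):
            self.fh.close()
            self._open()  # replacement file: read it from the beginning
            self._drain(out)
        return out

def capture_until_message(argv, log_path, needle, settle_s=5):
    """Capture until `needle` appears in the log, settle_s seconds more, then stop tcpdump."""
    proc, log, hit = subprocess.Popen(argv), LogFollower(log_path), None
    try:
        while hit is None:
            hit = next((l for l in log.read_new_lines() if needle in l), None)
            time.sleep(settle_s if hit is not None else 0.5)  # settle after a hit, else poll
    finally:
        proc.terminate()
        proc.wait()
    return hit
```

A typical call is capture_until_message(tcpdump_ring_args("eth0", "port 443", "/var/tmp/ring.pcap"), "/var/log/messages", "no space in response line"); the last four 15 MB files are what remains on disk when it returns.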
Aaron
- RobMichel_78550
Nimbostratus
If you are running the tcpdump as root (not that you SHOULD), you might need the -Z root in with the other rotating commands. I just ran into this last night.
-R
- uday_95133
Nimbostratus
Where is the attachment ringdump.pl (attached)??
- What_Lies_Bene1
Cirrostratus
I found it with a quick search here: https://devcentral.f5.com/wiki/advdesignconfig.ringdump.ashx
- gstrakl_175441
Nimbostratus
Hi guys, does anyone have the script ringdump-1-227589569.pl which is working??? I would need it (just the part with tcpdump) for reverse debugging on some customer installations.
The whole script is published here https://github.com/vincentmli/F5-iControl-Perl/blob/master/ringdump-1-227589569.pl
Thanks
- Jason_Adams
Ret. Employee
I would highly recommend using find_error.pl
It's built into most versions of BIG-IP. I have had much better success with find_error.pl in the past.
The below article provides a great explanation:
Run tcpdump regarding a match in a log file
- gstrakl_175441
Nimbostratus
OK, do you maybe have this find_error script? I would greatly appreciate it if someone could send it to me or publish it somewhere. Tnx
- Jason_Adams
Ret. Employee
It has been included with every BIG-IP installation for quite some time. /usr/share/ts/bin/find_error.pl
- nitass
Employee
I prefer Hamish's option, or iCall, to ringdump.
Run tcpdump on event by Brent Blood
https://devcentral.f5.com/wiki/iCall.Run_tcpdump_on_event.ashx
