For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mike_Maher's avatar
Mike_Maher
Icon for Nimbostratus rankNimbostratus
Jun 02, 2010

Running a Rotating Tcpdump

I am trying to track down a touch and go issue. I want to be able to setup a tcpdump on my ASM that will run continously and rotate every x minutes or as the file grows to x size. Does anyone have a...
config
design
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jun 02, 2010
Another couple of options:

http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/ActionOnLog.html

Perl script that runs as a daemon to watch a log file (like tail in the background), and runs a command when a certain message is found. Smart enough to keep working when log files get rotated, etc. Very handy when you need to run a command to start gathering debugging data or recover from failure that is indicated by a log message.

ringdump.pl (attached)

start of config section for the script:


!/usr/bin/perl
 VERSION v0.9b
use strict;
 tcpdump settings
my %SETTINGS    = (
        external => { filter => "port 443" },
        internal => { filter => "port 80" },
        lo0 => { filter => "port 80" },
);
my $SNAPLEN = 4352;
 script settings
 free space checking
my $FREE_SPACE_CHECK_INTERVAL = 1;     check free space every this number of seconds
my $MIN_FREE_SPACE            = 5;     minimum percent space left on parition
my $CAPTURE_LOCATION          = $ARGV[0];
 file rotation settings
my $CAPTURES_TO_ROTATE        = 4;     tcpdump capture files to rotate
my $DESIRED_CAPTURE_SIZE      = 15;     megabytes per capture file before rotating
my $OVERLAP_DURING_ROTATE     = 5;     seconds to overlap previous capture while starting a new one
my $CAPTURE_CHECK_INTERVAL    = 1;     how often (seconds) to check the size of capture files for rotating
 trigger settings - time (run tcpdumps for x seconds)
my $TRIGGER                  = "time-based";
my $TIME_TO_CAPTURE           = 300;
 trigger settings - log-message (stop tcpdump when log message is received)
my $TRIGGER                   = "log-message based";
my $LOG_FILE                  = "/var/log/messages";
my $LOG_MESSAGE               = "no space in response line";
my $FOUND_MESSAGE_WAIT        = 5;     how many seconds to gather tcpdumps after we match the log message
 misc
my $IDLE_TIMER                = 5;       if ! receiving log entries, how long before checking if log is rotated
my $MAX_ROTATED_LINES         = 10000;   max lines to read from file we're re-reading because it's been rotated
my $PID_FILE                  = "/var/run/ring_dump.pid";
my $DEBUG                     = 0;       0/1

Aaron