Forum Discussion
Martin_Kaiser_1
Nimbostratus
NimbostratusRunning long-living tcpdumps on BigIP
Hi guys,
I'm not quite sure if this is the right forum to post the question, but I couldn't find a more suitable one...
I often need the possibility to monitor specific client connections to virtual servers for a long time (in order to capture sporadic errors). tcpdump on the BigIp comes in very handy, although its major drawback is that you need to keep open the SSH connection to the Big IP all the time, which is not possible for me in most cases (especially when waiting for an reoccurring error many hours or even several days).
On a "normal" linux system, I would use 'screen' in order to make any program run in the background even after disconnecting from the host. Unfortunately, screen is not available on BigIP systems. Furthermore, I'm having concerns regarding performance when running tcpdump in the background for a long time.
Anybody here with a good idea how to cope with such issues? Any shared experience is appreciated. Thanks a lot in advance!
Greetings
Martin
HamishCirrocumulus
screen? Never used it.
The best (Gold plated) way would probably be to setup a service. Then you can start it with 'services xxx (start|stop|status), and use chkconfig to enable/disable the auto running of the service on boot. That may be more than you need.
If you're happy to kick off the tcpdump manually, use nohup, and kick the task off in the background (With &). e.g.
nohup tcpdump -i -s 2000 -w /var/tmp/mydumpfile -C "filter" &
That'll run a copy of tcpdump, detatched in the background, and nohup will ensure that when you logout, it won't get a hang-up signal... So it'll basically run forever. And will roll the dumpfile over to a new one when it reaches MB (That's decimal millions, not ^2).
That leaves you with one problem... Number of files... I've seen versions of tcpdump that'll let you specify a number of files to keep, but I don't think LTM's tcpdump does that. So you either want to run a small job in under cron to clean-up, or use a script to kickoff tcpdump AND cleanup files... If you don't mind losing a few packets between files, you could also run tcpdump in a loop (From a script - Or from direct typing if you're confident :), with -c , it'll exit after packets, and you can cleanup and run another copy of tcpdump...
6 of one... Half dozen of the other... There'll be a few more ways to skin the cat too... That's Unix for you :) I love it...
YMMV...
No cats were harmed in the typing of this email...
:)
H- HamishApologies... The website seems to have removed a few words... The actual command should be
nohup tcpdump -i -s 2000 -w /var/tmp/mydumpfile -C "filter" &
H - HamishSigh... And even code protected blocks don't seem to be immune...
- HamishDoh! I lie!!!
tcpdump on BigIP DOES have the limit on the number of files... Use the -W count option... Making the commandnohup tcpdump -i interface -s 2000 -w /var/tmp/mydumpfile -C size -W filecount "filter" &
(I've left out the problematic angle brackets this time... Only the ampersand is a challenge for me now 🙂
H 
RiverFishAltostratus
Is it possible to create a cron job to run that command at a specific time?
- Hamish
Sure is... Just add an entry into the crontab file for the user you want to run it. or put it in a more complex script and just call the script.
H
RiverFish_95049Unfortunately I've never created a cron job, could you break it down for me please? Let's say I wanted the tcpdump job to kick off at 10:30 PM and run until 3:00 AM.
nitassEmployee
>Unfortunately I've never created a cron job Schedule Tasks on Linux Using Crontab http://kvz.io/blog/2007/07/29/schedule-tasks-on-linux-using-crontab/ it is just tcpdump and killall commands. you are aware that W option will overwrite old file, aren't you? e.g. [root@ve11a:Active:In Sync] config crontab -l cron tab for root 1-59/10 * * * * /usr/bin/diskmonitor MAILTO="" 51 * * * * /usr/bin/copy_rrd save 27 21 * * * /usr/sbin/tcpdump -nni 0.0:nnn -s0 -C 1 -W 10 -w /var/tmp/test 30 21 * * * killall tcpdump [root@ve11a:Active:In Sync] config ls -l /shared/tmp/|grep test -rw-r--r-- 1 pcap pcap 1000011 Nov 23 21:29 test0 -rw-r--r-- 1 pcap pcap 1000028 Nov 23 21:29 test1 -rw-r--r-- 1 pcap pcap 1000171 Nov 23 21:29 test2 -rw-r--r-- 1 pcap pcap 710416 Nov 23 21:30 test3 -rw-r--r-- 1 pcap pcap 1000020 Nov 23 21:29 test4 -rw-r--r-- 1 pcap pcap 1000147 Nov 23 21:29 test5 -rw-r--r-- 1 pcap pcap 1000119 Nov 23 21:29 test6 -rw-r--r-- 1 pcap pcap 1000237 Nov 23 21:29 test7 -rw-r--r-- 1 pcap pcap 1000086 Nov 23 21:29 test8 -rw-r--r-- 1 pcap pcap 1000256 Nov 23 21:29 test9
- RiverFish
Unfortunately I've never created a cron job, could you break it down for me please? Let's say I wanted the tcpdump job to kick off at 10:30 PM and run until 3:00 AM.
- nitass>Unfortunately I've never created a cron job Schedule Tasks on Linux Using Crontab http://kvz.io/blog/2007/07/29/schedule-tasks-on-linux-using-crontab/ it is just tcpdump and killall commands. you are aware that W option will overwrite old file, aren't you? e.g. [root@ve11a:Active:In Sync] config crontab -l cron tab for root 1-59/10 * * * * /usr/bin/diskmonitor MAILTO="" 51 * * * * /usr/bin/copy_rrd save 27 21 * * * /usr/sbin/tcpdump -nni 0.0:nnn -s0 -C 1 -W 10 -w /var/tmp/test 30 21 * * * killall tcpdump [root@ve11a:Active:In Sync] config ls -l /shared/tmp/|grep test -rw-r--r-- 1 pcap pcap 1000011 Nov 23 21:29 test0 -rw-r--r-- 1 pcap pcap 1000028 Nov 23 21:29 test1 -rw-r--r-- 1 pcap pcap 1000171 Nov 23 21:29 test2 -rw-r--r-- 1 pcap pcap 710416 Nov 23 21:30 test3 -rw-r--r-- 1 pcap pcap 1000020 Nov 23 21:29 test4 -rw-r--r-- 1 pcap pcap 1000147 Nov 23 21:29 test5 -rw-r--r-- 1 pcap pcap 1000119 Nov 23 21:29 test6 -rw-r--r-- 1 pcap pcap 1000237 Nov 23 21:29 test7 -rw-r--r-- 1 pcap pcap 1000086 Nov 23 21:29 test8 -rw-r--r-- 1 pcap pcap 1000256 Nov 23 21:29 test9