Forum Discussion
TCPDUMP - How to view an existing tcpdump from a new ssh session?
I'm having a difficult time coming up with some simple verbiage to explain what the question is, so I will explain it in context...
Q1: If I were to start a tcpdump session on my LTM and leave for the evening... how do I quit the tcpdump session in the morning?
Q2: Is there a Linux command to let anyone know that there is an existing tcpdump session running on that box?
5 Replies
- shaggy_121467
Cumulonimbus
If you are running tcpdump from CLI, the following commands should help. I expect that tcpdump from the UI would also show up in either the UI or using "ps". When running tcpdump in the background, you should always limit filesystem space that the capture files will consume by using the -C (limit capture file-size) and -W (limit the number of files created to the specified number, and begin overwriting files from the beginning) flags. I also suppressed all of my standard and error output to a log file (/shared/tmp/tcpdump-errors.log).
- Start tcpdump in background and send stdout and stderr messages to log file:
[user@bigip01:Active:In Sync] shared tcpdump -ni 0.0 -w /shared/tmp/temporary.pcap -C100 -W10 &> /shared/tmp/tcpdump-errors.log &
[1] 4222
- See if tcpdump is running:
[user@bigip01:Active:In Sync] shared ps -e | grep tcpdump
4222 pts/1 S 0:01 tcpdump -ni 0.0 -w /shared/tmp/temporary.pcap -C100 -W10
4265 pts/1 S+ 0:00 grep tcpdump
- Stop tcpdump process:
[user@bigip01:Active:In Sync] shared kill 4222
[1]+ Done tcpdump -ni 0.0 -w /shared/tmp/temporary.pcap -C100 -W10 >&/shared/tmp/tcpdump-errors.log
- See if tcpdump is running:
[user@bigip01:Active:In Sync] shared ps -e | grep tcpdump
4301 pts/1 S+ 0:00 grep tcpdump
- Check messages/error log file:
[user@bigip01:Active:In Sync] shared tail /shared/tmp/tcpdump-errors.log
tcpdump: listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
20480 packets captured
20480 packets received by filter
0 packets dropped by kernel
- fubarSUSHI
Altocumulus
Awesome! Thank you so much Shaggy!
- What_Lies_Bene1
Cirrostratus
Someone correct me if I'm wrong, but this still requires that the user's terminal remains connected, doesn't it?
To avoid this, see the suggestions in the 'Running tcpdump As A Process (Unattended Captures)' section of this post: http://packetpushers.net/masterclass-tcpdump-basics/
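Added example, not part of any reply in this thread: a small shell helper that starts the capture under nohup, records its PID in a file, and lets any later SSH session check on it or stop it. The function names, the `CAP_*` variables and the PID-file path are assumptions; the tcpdump flags are the ones from shaggy's reply, and a Linux `/proc` is assumed.

```bash
#!/bin/bash
# Added example (not from the thread). CAP_* names and the PID-file path are assumptions.
CAP_BIN="${CAP_BIN:-tcpdump}"
CAP_DIR="${CAP_DIR:-/shared/tmp}"
CAP_PIDFILE="${CAP_PIDFILE:-$CAP_DIR/tcpdump.pid}"

# Print the capture PID only if the PID file names a live process that really
# is $CAP_BIN (guards against a stale file whose PID was reused).
capture_pid() {
    [ -r "$CAP_PIDFILE" ] || return 1
    pid=$(cat "$CAP_PIDFILE")
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    [ -r "/proc/$pid/comm" ] || return 1
    [ "$(cat "/proc/$pid/comm")" = "$(basename "$CAP_BIN")" ] || return 1
    echo "$pid"
}

# Start a capture detached from the login session; arguments go to tcpdump, e.g.
#   capture_start -ni 0.0 -w /shared/tmp/temporary.pcap -C100 -W10
capture_start() {
    if pid=$(capture_pid); then
        echo "capture already running as PID $pid" >&2
        return 1
    fi
    # nohup makes the process ignore SIGHUP; stdin and output no longer use the terminal.
    nohup "$CAP_BIN" "$@" </dev/null >>"$CAP_DIR/tcpdump-errors.log" 2>&1 &
    echo "$!" > "$CAP_PIDFILE"
    sleep 1              # let it exec, or fail fast on a bad interface or filter
    capture_pid >/dev/null
}

# Answer "is a capture running, and with which options?" from any session.
capture_status() {
    pid=$(capture_pid) || { echo "no capture running"; return 1; }
    echo "PID $pid: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
}

# Stop with SIGTERM so tcpdump can close the capture file before exiting.
capture_stop() {
    pid=$(capture_pid) || { echo "no capture running" >&2; return 1; }
    kill "$pid"
    wait "$pid" 2>/dev/null || true   # reaps it if this shell started it
    n=0
    while kill -0 "$pid" 2>/dev/null && [ "$n" -lt 5 ]; do
        sleep 1; n=$((n + 1))
    done
    rm -f "$CAP_PIDFILE"
    ! kill -0 "$pid" 2>/dev/null
}
```

Source the file in each session, then call `capture_status` or `capture_stop`; keeping `-C` and `-W` in the arguments still bounds the disk space an overnight capture can use.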
