ringdump
Problem this snippet solves:
loop a tcpdump until a log message is seen
Code :
# Updated: 10/16/06
#!/usr/bin/perl
## VERSION v0.9b
use strict;
################
# tcpdump settings
##########
my %SETTINGS = (
external => { filter => "port 443" },
internal => { filter => "port 80" },
lo0 => { filter => "port 80" },
);
my $SNAPLEN = 4352;
################
# script settings
######
# free space checking
my $FREE_SPACE_CHECK_INTERVAL = 1; # check free space every this number of seconds
my $MIN_FREE_SPACE = 5; # minimum percent space left on parition
my $CAPTURE_LOCATION = $ARGV[0];
# file rotation settings
my $CAPTURES_TO_ROTATE = 4; # tcpdump capture files to rotate
my $DESIRED_CAPTURE_SIZE = 15; # megabytes per capture file before rotating
my $OVERLAP_DURING_ROTATE = 5; # seconds to overlap previous capture while starting a new one
my $CAPTURE_CHECK_INTERVAL = 1; # how often (seconds) to check the size of capture files for rotating
# trigger settings - time (run tcpdumps for x seconds)
#my $TRIGGER = "time-based";
my $TIME_TO_CAPTURE = 300;
# trigger settings - log-message (stop tcpdump when log message is received)
my $TRIGGER = "log-message based";
my $LOG_FILE = "/var/log/messages";
my $LOG_MESSAGE = "no space in response line";
my $FOUND_MESSAGE_WAIT = 5; # how many seconds to gather tcpdumps after we match the log message
# misc
my $IDLE_TIMER = 5; # if ! receiving log entries, how long before checking if log is rotated
my $MAX_ROTATED_LINES = 10000; # max lines to read from file we're re-reading because it's been rotated
my $PID_FILE = "/var/run/ring_dump.pid";
my $DEBUG = 0; # 0/1
####################################################
# END OF THINGS THAT SHOULD NEED TO BE CONFIGURED
####################################################
########
# set defaults
###
$SNAPLEN ||= 4352;
$TRIGGER ||= "time";
$CAPTURE_LOCATION ||= "/var/tmp";
$TIME_TO_CAPTURE ||= 60;
$FREE_SPACE_CHECK_INTERVAL ||= 5;
$CAPTURES_TO_ROTATE ||= 3;
$DESIRED_CAPTURE_SIZE ||= 10;
$OVERLAP_DURING_ROTATE ||= 5;
$CAPTURE_CHECK_INTERVAL ||= 5;
$MIN_FREE_SPACE ||= 5;
$LOG_FILE ||= "/var/log/messages";
$LOG_MESSAGE ||= "FAILED";
$FOUND_MESSAGE_WAIT ||= 5;
$IDLE_TIMER ||= 5;
$PID_FILE ||= "/var/run/ring_dump.pid";
$DEBUG ||= 0;
unless (-d $CAPTURE_LOCATION) {
print "$CAPTURE_LOCATION isn't a directory, using /mnt instead\n\n";
$CAPTURE_LOCATION = "/mnt";
}
if (! -r $LOG_FILE) {
die "Can't read \"$LOG_FILE\", EXIT\n";
}
# insert code to find tcpdump instead of relying on path HERE:
my $tcpdump = "/usr/sbin/tcpdump";
######
# misc global variable declaration
##########
my($answer, $interface, $pid, $tail_child, $F_LOG);
my($current_size, $current_inode, $last_size, $last_inode);
my @child_pids;
my $ppid = $$;
my $min_megabytes = $CAPTURES_TO_ROTATE * $DESIRED_CAPTURE_SIZE;
$current_size = $current_inode = $last_size = $last_inode = 0;
$|++;
###########
# functions
#######
# exit function that does does necessary child handling
sub finish {
$_ = shift();
if (defined($_) && $_ ne "") {
print;
}
foreach $interface (keys( %SETTINGS )) {
push(@child_pids, $SETTINGS{$interface}{pid});
}
$DEBUG && print "INTERRUPT: sending SIGINT and SIGTERM to: ", join(" ", @child_pids), "\n";
kill(2, @child_pids);
sleep(1);
kill(15, @child_pids);
$DEBUG && print "INTERRUPT: done, unlink pidfile and exit\n";
unlink($PID_FILE);
exit(0);
}
$SIG{INT} = sub { finish(); };
# report usage on CAPTURE_LOCATION's MB free from df
sub free_megabytes {
my $partition = shift();
$partition ||= $CAPTURE_LOCATION;
my $free_megabytes;
$DEBUG && print "free_megabytes(): capture partition is $partition\n";
open(DF, "df $partition|");
# discard the first line;
$_ = ;
# parse the usage out of the second line
$_ = ;
$free_megabytes = (split)[3];
$free_megabytes = int($free_megabytes / 1024);
close(DF);
$DEBUG && print "free_megabytes(): finished reading df, output is: $free_megabytes\n";
$free_megabytes;
}
# report usage on CAPTURE_LOCATION's % usage from df
sub free_percent {
my $partition = shift();
$partition ||= $CAPTURE_LOCATION;
my $free_percent;
$DEBUG && print "free_percent(): capture partition is $partition\n";
open(DF, "df $partition|");
# discard the first line;
$_ = ;
# parse the usage out of the second line
$_ = ;
$free_percent = (split)[4];
chop($free_percent); ## chop off '%'
$free_percent = (100 - $free_percent);
close(DF);
$DEBUG && print "free_percent(): finished reading df, output is: $free_percent\n";
$free_percent;
}
# simple sub to send SIGHUP to syslogd
sub restart_syslogd () {
if (-f "/var/run/syslog.pid") {
open(PIDFILE, ";
chomp;
kill(1, ($_));
1;
}
# simple wrapper to start tcpdumps, assuming obvious globals
sub start_tcpdump {
my $interface = shift();
my $capture_file = shift();
my $filter = shift();
my @cmd = ("$tcpdump", "-s$SNAPLEN", "-i$interface", "-w$capture_file", "$filter");
$DEBUG || open(STDERR, ">/dev/null");
$DEBUG && print "start_tcpdump(): about to start: ", join(" ", @cmd), "\n";
exec($cmd[0], @cmd[1..$#cmd]) ||
print "start_tcpdump(): FAILED to start: ", join(" ", @cmd), ", command not found\n";
$DEBUG || close(STDERR);
exit(1);
}
# sub to see how much space a given capture file is using (to decide to rotate or not)
sub capture_space ($) {
my $capture_file = shift();
my $size = ( stat($capture_file) )[7];
$DEBUG && print "capture_space(): size of $capture_file is $size\n";
# return size of argument in megabytes, but don't divide by zero
if ($size == 0) {
return 0;
} else {
return ($size / 1048576);
}
}
# gives user the option to create a MFS
sub create_mfs () {
if (-d $CAPTURE_LOCATION) {
$DEBUG && print "create_mfs(): directory $CAPTURE_LOCATION exists\n";
} else {
mkdir($CAPTURE_LOCATION, oct(0755)) || die "FAILED to create $CAPTURE_LOCATION\n";
print "Capture directory ($CAPTURE_LOCATION) did not exist, so it was created\n";
}
# figure out the partition CAPTURE_LOCATION is on. This is cheap... fixme
my $partition = $CAPTURE_LOCATION;
$partition =~ s!(/[A-z0-9]*)/{0,1}.*!$1!g;
open(MOUNT, "mount|") || die "FAILED to run \"mount\": !$\n";
while () {
next unless ((split())[2] =~ /^$partition$/);
$DEBUG && print "create_mfs(): partition: $partition is already mounted, return\n";
# return 1 if it's already mounted
return 1;
}
close(MOUNT);
print "Mount a Memory File System (MFS) on ${CAPTURE_LOCATION}? [y/n]: ";
my $answer = ;
if (lc($answer) =~ "y") {
print "Enter size of MFS in blocks (200000 = 100M), or just press enter for 100M: ";
chomp (my $mfs_size = );
$mfs_size = 200000 if ($mfs_size eq "");
print "Allocating $mfs_size blocks to $CAPTURE_LOCATION for MFS\n";
system("mount_mfs -s $mfs_size $CAPTURE_LOCATION");
if (($? >> 8) != 0) {
print "an error occurring trying to mount the MFS filesystem, exit status: $?\n";
0;
} else {
print "MFS file system established\n\n";
1;
}
}
}
sub fork_to_background ($) {
my $cmd = shift();
my $pid = fork();
if ($pid == 0) {
exec($cmd) || die "exec() failed: $!\n";
} else {
return($pid);
}
}
sub popen_read ($) {
my $cmd = shift();
my $child;
$DEBUG && print "Background: \"$cmd\"\n";
pipe(READLOG, WRITELOG);
select(READLOG); $|++; select(WRITELOG); $|++; select(STDOUT);
## dup STDOUT and STDERR
open(T_STDOUT, ">&STDOUT");
open(T_STDERR, ">&STDERR");
## redir STDOUT to pipe for child
open(STDOUT, ">&WRITELOG");
open(STDERR, ">&WRITELOG");
$child = fork_to_background($cmd);
## close STDOUT, STDERR and FILE
close(STDOUT); close(STDERR);
## re-open STDOUT as normal and close dup
open(STDOUT, ">&T_STDOUT"); close(T_STDOUT);
open(STDERR, ">&T_STDERR"); close(T_STDERR);
return($child, \*READLOG);
}
sub open_log ($$) {
my $LOG_FILE = shift();
my $lines = shift();
if (defined($F_LOG) && defined(fileno($F_LOG)) ) {
$DEBUG && print "Killing child before closing LOG\n";
kill(15, $tail_child);
waitpid($tail_child, 0);
$DEBUG && print "Closing LOG\n";
close($F_LOG);
}
$DEBUG && print "Opening \"$LOG_FILE\"\n";
($tail_child, $F_LOG) = popen_read("tail -n $lines -f $LOG_FILE");
push(@child_pids, $tail_child);
1;
}
## check to see if log is rotated, returns true if rotated
sub is_rotated ($) {
my $LOG_FILE = shift();
$DEBUG && print "enter is_rotated()\n";
($current_inode, $current_size) = (stat($LOG_FILE))[1,7];
if (($last_size != 0) && ($last_size > $current_size)) {
$DEBUG && print "File is now smaller. File must have been rotated\n";
$last_size = $current_size;
$last_inode = $current_inode;
open_log($LOG_FILE, $MAX_ROTATED_LINES) || die "open_log $LOG_FILE failed: $!\n";
return(1);
} elsif (($last_inode != 0) && ($last_inode != $current_inode)) {
$DEBUG && print "Inode changed. File must have been rotated\n";
$last_inode = $current_inode;
$last_size = $current_size;
open_log($LOG_FILE, $MAX_ROTATED_LINES) || die "open_log $LOG_FILE failed: $!\n";
return(1);
}
($last_inode, $last_size) = ($current_inode, $current_size);
0;
}
###########
# MAIN
########
if (free_megabytes() < $min_megabytes) {
print "free space on $CAPTURE_LOCATION is below ${min_megabytes}MB, you must create a Memory File System or choose another location to gather tcpdumps\n";
goto MUST_MFS;
}
######### GET USER INPUT ###############
if (free_percent() < $MIN_FREE_SPACE) {
print "free space on $CAPTURE_LOCATION is below ${MIN_FREE_SPACE}%, you must create a Memory File System or choose another location to gather tcpdumps\n";
MUST_MFS:
# require the user to create a MFS if they don't have enough free space
exit(1) unless (create_mfs());
} else {
create_mfs();
}
if (free_percent() < $MIN_FREE_SPACE || free_megabytes() < $min_megabytes) {
print "it appears the Memory File System is in place, but there is still insufficient space, exiting\n";
exit(1);
}
print "capturing to $CAPTURE_LOCATION using the following interfaces and filters:\n";
foreach $interface (keys( %SETTINGS )) {
system("ifconfig $interface >/dev/null 2>&1");
if ( ($? >> 8) != 0) {
$DEBUG && print "couldn't ifconfig $interface, removing from list\n";
delete( $SETTINGS{$interface} );
} else {
print " $interface: $SETTINGS{$interface}{filter}\n";
}
}
print "does this look right? [y/n]: ";
$answer = ;
exit unless lc($answer) =~ "y";
####### DAEMONIZE #############
chdir("/");
exit unless (fork() == 0);
# kill old self, write pid file
if (-f $PID_FILE) {
open(PIDFILE, "<$PID_FILE");
kill(15, );
close(PIDFILE);
}
open(PIDFILE, ">$PID_FILE");
syswrite(PIDFILE, $$);
close(PIDFILE);
########### START PROCESSING ###############
foreach $interface (keys( %SETTINGS )) {
my $filter = $SETTINGS{$interface}{filter};
$pid = fork();
$SETTINGS{$interface}{rotate_number} = 1;
if (!defined($pid)) {
print "fork() failed! exiting\n";
exit 1;
}
if ($pid == 0) {
start_tcpdump(
$interface,
"$CAPTURE_LOCATION/${interface}.dump.$SETTINGS{$interface}{rotate_number}",
$filter
);
exit 1;
} else {
$SETTINGS{$interface}{pid} = $pid;
print "started tcpdump as pid $pid on \"$interface\" filtered as \"$filter\"\n";
}
}
######
# fork off a process to keep an eye on free space
########
$pid = fork();
if ($pid == 0) {
while (1) {
my $sleep_return = sleep($FREE_SPACE_CHECK_INTERVAL);
$DEBUG && ($sleep_return != $FREE_SPACE_CHECK_INTERVAL) && print "WARN: free_percent() loop: sleep returned $sleep_return instead of $FREE_SPACE_CHECK_INTERVAL !\n";
if (free_percent() < $MIN_FREE_SPACE) {
print "WARN: free space is below ${MIN_FREE_SPACE}%, killing main script\n";
kill(2, $ppid);
sleep(1);
kill(15, $ppid);
print "WARN: sent SIGTERM to $ppid (main script), exiting\n";
exit 1;
} else {
$DEBUG && print "free_percent(): space is fine, continue\n";
}
}
} else {
push(@child_pids, $pid);
$DEBUG && print "started free_percent watcher as: $pid\n";
}
######
# fork off a process to rotate capture files as necessary
########
$pid = fork();
if ($pid == 0) {
my $capture_file;
while (1) {
my $sleep_return = sleep($CAPTURE_CHECK_INTERVAL);
$DEBUG && ($sleep_return != $CAPTURE_CHECK_INTERVAL) && print "WARN: start_tcpdump() loop: sleep returned $sleep_return instead of $CAPTURE_CHECK_INTERVAL !\n";
foreach $interface (keys( %SETTINGS )) {
if (capture_space("$CAPTURE_LOCATION/${interface}.dump.$SETTINGS{$interface}{rotate_number}") >= $DESIRED_CAPTURE_SIZE) {
if ($SETTINGS{$interface}{rotate_number} == $CAPTURES_TO_ROTATE) {
print "reached maximum number of captures to rotate: $CAPTURES_TO_ROTATE, starting over at 1\n";
$SETTINGS{$interface}{rotate_number} = 1;
} else {
$SETTINGS{$interface}{rotate_number}++;
}
print "rotating capture file: ${interface}.dump, new extension .$SETTINGS{$interface}{rotate_number}\n";
$pid = fork();
if ($pid == 0) {
start_tcpdump(
$interface,
"$CAPTURE_LOCATION/${interface}.dump.$SETTINGS{$interface}{rotate_number}",
$SETTINGS{$interface}{filter},
);
exit 0;
}
push(@child_pids, $pid);
# get some overlap in the two files
sleep($OVERLAP_DURING_ROTATE);
# kill the old tcpdump
kill(2, $SETTINGS{$interface}{pid});
$DEBUG && print "sent SIGINT to $interface: $SETTINGS{$interface}{pid}, new pid $pid\n";
# record the new pid
$SETTINGS{$interface}{pid} = $pid;
} else {
$DEBUG && print "capture file doesn't need to be rotated yet: ${interface}.dump\n";
}
}
# Reap any zombies from old tcpdumps
$DEBUG && print "start_tcpdump() loop: \@child_pids = (", join(' ', @child_pids), ")\n";
while (1) {
use POSIX ":sys_wait_h";
my $child = waitpid(-1, WNOHANG);
if (defined $child and $child > 0) {
# remove PID from @child_pids
@child_pids = grep {$_ != $child} @child_pids;
$DEBUG && print "start_tcpdump() loop: reaped child PID $child\n";
} else {
# no one to reap
last;
}
}
}
} else {
push(@child_pids, $pid);
$DEBUG && print "started capture file watcher as: $pid\n";
}
################
# watch triggers (time or log based)
####################
$SIG{TERM} = sub { finish(); };
if (lc($TRIGGER) =~ /time/) {
print "time-based trigger, will capture for $TIME_TO_CAPTURE seconds\n";
sleep($TIME_TO_CAPTURE);
print "captured for $TIME_TO_CAPTURE seconds, stopping tcpdumps\n";
} elsif (lc($TRIGGER) =~ /log/) {
print "log-based trigger, waiting for \"$LOG_MESSAGE\" in \"$LOG_FILE\"\n";
# creates global $F_LOG filehandle of $LOG_FILE
open_log($LOG_FILE, 0) || finish("open_log $LOG_FILE failed: $!\n");
# flush syslogd's buffers (avoid never getting the message due to "last message repeated....")
restart_syslogd() || finish("Restarting syslogd failed, EXIT\n");
# tail -f the log and wait for message
while (1) {
# reap any zombies during each loop
my $return;
while (1) {
use POSIX ":sys_wait_h";
my $child = waitpid(-1, WNOHANG);
if (defined $child and $child > 0) {
$DEBUG && print "log trigger loop: reaped child PID $child\n";
} else {
# no one to reap
last;
}
}
eval {
$SIG{ALRM} = sub { die("ALRM\n"); };
alarm($IDLE_TIMER);
$_ = <$F_LOG>;
alarm(0);
};
if ($@) {
# this only occurs if we're idle for $IDLE_TIMER seconds because no new log entries are occuring
$@ = undef;
is_rotated($LOG_FILE);
next;
}
$DEBUG && print "in LOG reading loop, current line: \"$_\"\n";
if (/$LOG_MESSAGE/) {
$DEBUG && print "Current line matches: \"$LOG_MESSAGE\"\n";
last;
}
$DEBUG && print "no match, next\n";
}
print "received log message, sleeping $FOUND_MESSAGE_WAIT seconds then stopping tcpdumps\n";
sleep($FOUND_MESSAGE_WAIT);
}
# figure out current tcpdump child_pids and push them onto the list
foreach $interface (keys( %SETTINGS )) {
push(@child_pids, $SETTINGS{$interface}{pid});
}
# kill all tcpdumps + free space watcher + capture file rotator -- doesn't return
finish();
0;
Published Mar 12, 2015
Version 1.0
CodeCentral_194
Cirrostratus
CirrostratusCodeCentral_194Cirrostratus
Cirrostratus1 Comment
swo0sh_gt_13163Altostratus
Is it possible to break down the procedure to use this script to run the ringdump?