Run tcpdump on event

Problem this snippet solves:

This example shows how to trigger an iCall script using a log message as the trigger. In particular, it watches for messages about pool members failing their monitors and then runs tcpdump to capture some of the packets sent to that pool member, so the capture is available for troubleshooting later.

How to use this snippet:

Implementation Details

This iCall script requires v11.4 or higher.

Code:

1. create the following iCall script:

modify script tcpdump {
    app-service none
    definition {
        # timestamp used to give each capture file a unique name
        set date [clock format [clock seconds] -format "%Y%m%d%H%M%S"]
        # pull ip, port, count and vlan out of the context passed by "tmsh generate sys icall event"
        foreach var { ip port count vlan } {
            set $var $EVENT::context($var)
        }
        # -c $count makes tcpdump exit on its own; exec blocks the script until it does
        exec tcpdump -ni $vlan -s0 -w /var/tmp/${ip}_${port}-${date}.pcap -c $count host $ip and port $port
    }
    description none
    events none
}

2. create an event handler for it that looks like the following:

sys icall handler triggered tcpdump {
    script tcpdump
    subscriptions {
        tcpdump {
            event-name tcpdump
        }
    }
}

3. modify /config/user_alert.conf to contain entries that look like the
following:

alert local-http-10-2-80-1-80-DOWN "Pool /Common/my_pool member /Common/10.2.80.1:80 monitor status down" {
   exec command="tmsh generate sys icall event tcpdump context { { name ip value 10.2.80.1 } { name port value 80 } { name vlan value internal } { name count value 20 } }"
}

You will need one of these stanzas for each pool member that you want to monitor
in this way, or you can modify the example to act on different events and
different objects.
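Because a separate user_alert.conf stanza is needed per pool member, it is easy to make a typo in the regex or the context list. The following shell script is an added example and is not part of the original snippet: it generates the stanzas from a member list and refuses a packet count that is not a positive integer, since `tcpdump -c 0` would never exit and the iCall script would block for good. The pool name, members, VLAN name and count are constructed sample values; the alert-name prefix `local-http-` is taken from the stanza above and is only a naming convention.

```shell
#!/bin/sh
# Added example (not from the original DevCentral snippet): emit one
# /config/user_alert.conf stanza per pool member for the tcpdump iCall event.
set -eu

# Reject a packet count that is not a positive integer; "tcpdump -c 0"
# would capture forever and the iCall script would never return.
valid_count() {
    case "$1" in
        ''|*[!0-9]*|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit a user_alert.conf stanza for a single pool member.
# Arguments: pool (full partition path), member ip, member port, vlan, packet count
gen_alert_stanza() {
    pool="$1"; ip="$2"; port="$3"; vlan="$4"; count="$5"
    valid_count "$count" || return 1
    partition="${pool%/*}"                      # e.g. /Common
    name="local-http-$(printf '%s' "$ip" | tr . -)-${port}-DOWN"
    # The quoted string is a regex matched against /var/log/ltm; it must match
    # the exact text logged when the monitor marks the member down.
    printf 'alert %s "Pool %s member %s/%s:%s monitor status down" {\n' \
        "$name" "$pool" "$partition" "$ip" "$port"
    printf '   exec command="tmsh generate sys icall event tcpdump context { { name ip value %s } { name port value %s } { name vlan value %s } { name count value %s } }"\n' \
        "$ip" "$port" "$vlan" "$count"
    printf '}\n'
}

# Constructed sample member list ("ip port" per line); replace with the real pool members.
MEMBERS="10.2.80.1 80
10.2.80.2 80"

main() {
    printf '%s\n' "$MEMBERS" | while read -r ip port; do
        gen_alert_stanza /Common/my_pool "$ip" "$port" internal 20
    done
}

main "$@"
```

Run it on the BIG-IP (or anywhere with a POSIX shell) and append the output to /config/user_alert.conf; alertd picks the file up after a restart or the usual `bigstart restart alertd`, so check the resulting stanzas against an actual "monitor status down" line in /var/log/ltm before relying on them.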
Published Mar 09, 2015
Version 1.0
