메뉴 닫기

tcpdump 파일 로테이트 옵션 (-G)

tcpdump

 

시스템내 모니터링 스크립트를 작성하다  tcpdump에 재미있는 옵션이 있어서 설명해드립니다.
아실만한분들도 계시겠지만 저는 잘안쓰는 옵션이었기에 모니터링시 적절히 이용하면 좋을거 같아서 남깁니다.

MAN 페이지내에서 옵션설명
-G      초단위로 파일이 순환생성
If  specified, rotates the dump file specified with the -w option every rotate_seconds seconds.  Savefiles will have the name specified by -w which should include a time format as defined by strftime(3).  If no time format is specified, each new file will overwrite the previous.
 
-w     파일로 저장
Write the raw packets to file rather than parsing and printing them out.  They can later be printed with the -r option.  Standard output is used if file is “-”.
This  output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received.
Use the -U flag to cause packets to be written as soon as they are received.
See pcap-savefile(5) for a description of the file format.
 
-W     최대 파일갯수
Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting  files  from  the  beginning,  thus  creating  a ‘rotating’ buffer.  In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.
 
-Z   권한생성
 If  tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output, change the user ID to user and the group ID to the primary group of user.
This behavior is enabled by default (-Z tcpdump), and can be disabled by -Z root
 
-C    파일사이즈
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new  one.   Savefiles  after the  first  savefile  will  have  the  name  specified with the -w flag, with a number after it, starting at 1 and continuing upward.  The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
 
 
테스트 OS :  CentOS 6.X x86
:: test.pcap 파일명으로 5초단위로 로테이트 파일생성 (덮어쓰기)
# tcpdump -nn net 115.68 -G 5 -w test.pcap
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
tcpdump: aaa: Permission denied
 
# ls -l aaa  
-rw-r–r–   1 tcpdump tcpdump   80299 Sep 11 13:29 test.pcap
※ 원인은 생성된 파일 권한이 tcpdump 권한으로 생성되어있기 때문
 
생성된 파일을 root 유저권한으로 5초단위로 파일명 test.pcap 로 캡쳐 (5초주기로 덮어쓰기)
# tcpdump -nn net 115.68 -G 5 -w test.pcap -Z root
 
 
Example 1)
5초단위로 끈어서 시간명으로 파일생성
# tcpdump -nn net 115.68 -G 5 -w ‘trace_%Y-%m-%d_%H:%M:%S.pcap’ -Z root
 
# ls -al trace_2014-09-11*
-rw-r–r– 1 root root 130470 Sep 11 13:36 trace_2014-09-11_13:35:55.pcap
-rw-r–r– 1 root root 128020 Sep 11 13:36 trace_2014-09-11_13:36:00.pcap
-rw-r–r– 1 root root 169068 Sep 11 13:36 trace_2014-09-11_13:36:05.pcap
-rw-r–r– 1 root root 141378 Sep 11 13:36 trace_2014-09-11_13:36:10.pcap
-rw-r–r– 1 root root 111066 Sep 11 13:36 trace_2014-09-11_13:36:15.pcap
-rw-r–r– 1 root root 116596 Sep 11 13:36 trace_2014-09-11_13:36:21.pcap
-rw-r–r– 1 root root  80460 Sep 11 13:36 trace_2014-09-11_13:36:26.pcap
-rw-r–r– 1 root root  87421 Sep 11 13:36 trace_2014-09-11_13:36:31.pcap
-rw-r–r– 1 root root 169819 Sep 11 13:36 trace_2014-09-11_13:36:37.pcap
-rw-r–r– 1 root root  96685 Sep 11 13:36 trace_2014-09-11_13:36:42.pcap
-rw-r–r– 1 root root  73052 Sep 11 13:36 trace_2014-09-11_13:36:47.pcap
 
 
Example 2)
5초단위로 끈어서 시간명으로 파일생성하되 촤대 파일갯수는 5개
# tcpdump -nn net 115.68 -G 5 -w ‘trace_%Y-%m-%d_%H:%M:%S.pcap’ -Z root -W 5
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Maximum file limit reached: 5
 
# tcpdump -nn net 115.68 -G 5 -w ‘trace_%Y-%m-%d_%H:%M:%S.pcap’ -Z root
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C2918 packets captured
2918 packets received by filter
0 packets dropped by kernel
 
# ls -al trace_2014-09-11*
-rw-r–r–  1 root    root      70984 Sep 11 13:39 trace_2014-09-11_13:39:15.pcap
-rw-r–r–  1 root    root      63027 Sep 11 13:39 trace_2014-09-11_13:39:20.pcap
-rw-r–r–  1 root    root     105150 Sep 11 13:39 trace_2014-09-11_13:39:25.pcap
-rw-r–r–  1 root    root      92381 Sep 11 13:39 trace_2014-09-11_13:39:30.pcap
-rw-r–r–  1 root    root      60955 Sep 11 13:39 trace_2014-09-11_13:39:36.pcap
 
 
Example 3)
파일사이즈단위로 끈어서 저장 (1M 단위로 끈어서 저장)
# tcpdump -nn net 115.68 -C 1 -w packet.pcap -Z root
 
# ls -al packet.pcap*
-rw-r–r– 1 root root 1000986 Sep 11 13:54 packet.pcap
-rw-r–r– 1 root root 1000230 Sep 11 13:54 packet.pcap1
-rw-r–r– 1 root root 1000063 Sep 11 13:54 packet.pcap2
-rw-r–r– 1 root root 1000988 Sep 11 13:54 packet.pcap3
-rw-r–r– 1 root root 1001466 Sep 11 13:54 packet.pcap4
-rw-r–r– 1 root root 1000023 Sep 11 13:54 packet.pcap5
-rw-r–r– 1 root root 1000261 Sep 11 13:54 packet.pcap6
-rw-r–r– 1 root root 1001266 Sep 11 13:54 packet.pcap7
-rw-r–r– 1 root root 1001003 Sep 11 13:54 packet.pcap8
 
 
Example 4)
파일사이즈단위로 끈어서 저장하며 최대 파일 갯수는 3개 (파일이 3개만 생성되고 멈추는게 아니고 파일갯수만 3개로 지정되면서 계속해서 덮어쓰기)
# tcpdump -nn net 115.68 -C 1 -w packet.pcap -Z root -W 3
 
 [polldaddy rating=”7739789″]  

답글 남기기

이메일 주소는 공개되지 않습니다. 필수 항목은 *(으)로 표시합니다