How to schedule tcpdump to run for a specific period of time? - linux

Each time I run tcpdump manually, I have to press Ctrl+C to stop it. Now I want to schedule tcpdump as a cron job, and I only need it to run for an hour and a half. How can it be stopped automatically, without me pressing Ctrl+C or running the kill command? Here is the command I am testing:
tcpdump -i eth0 'port 8080' -w myfile
I can schedule another cron job to kill the tcpdump process, but that does not seem like a good idea.

You can combine -G {sec} (rotate dump files every x seconds) and -W {count} (limit the number of dump files) to get what you want:
tcpdump -G 15 -W 1 -w myfile -i eth0 'port 8080'
would run for 15 seconds and then stop. Turn 1.5 hours into seconds and it should work.

You could use timeout:
timeout 5400 tcpdump -i eth0 'port 8080' -w myfile

You could do it like this:
tcpdump -i eth0 'port 8080' -w myfile &   # start tcpdump in the background
pid=$!                                     # PID of the backgrounded tcpdump
sleep 1.5h                                 # GNU sleep accepts h/m/s suffixes
kill $pid                                  # SIGTERM: tcpdump flushes the savefile and exits

The approach that worked best for me on Ubuntu 14.04:
sudo -i
crontab -e
and then add the line:
30 17 * * * /usr/sbin/tcpdump -G 12600 -W 1 -s 3000 -w /home/ubuntu/capture-file.pcap port 5060 or portrange 10000-35000
Notes
The -G flag gives the number of seconds the dump runs; this example runs daily from 5:30 PM to 9:00 PM.
-W is the number of iterations tcpdump will execute.
The cron job will not be added until you save and exit the file.
This example is for capturing packets from an Asterisk phone server.

You can use:
watch tcpdump -i eth0 'port 8080' -w myfile
This will run every 2 seconds.

Related

Why is Crontab not starting my tcpdump bash script capture?

I have created a simple bash script to start capturing traffic from all the interfaces on my Linux machine (Ubuntu 22), but this script should stop capturing traffic 2 hours after the machine has rebooted. Below is my bash script:
#!/bin/bash
cd /home/user/
tcpdump -U -i any -s 65535 -w output.pcap &
pid=$(ps -e | pgrep tcpdump)
echo $pid
sleep 7200
kill -2 $pid
The script works fine if I run it, but I need to have it running after every reboot.
Whenever I run the script, it works without problems:
user#linux:~$ sudo ./startup.sh
[sudo] password for user:
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 65535 bytes
1202
35 packets captured
35 packets received by filter
0 packets dropped by kernel
but when I set it in the crontab as
#reboot /home/user/startup.sh
it does not start at reboot. I used ps -e | pgrep tcpdump to check whether the script is running, but there is no output; it seems that the script is not started after the reboot. I don't know if I need root permissions for that. Also, I checked the file permissions, and it has:
-rwxrwxr-x 1 user user 142 Nov 4 10:11 startup.sh
Any suggestion on why it is not starting the script at the reboot?
Suggest updating your script:
#!/bin/bash
source /home/user/.bash_profile
cd /home/user/
tcpdump -U -i any -s 65535 -w output.pcap &
pid=$(pgrep -f tcpdump)
echo $pid
sleep 7200
kill -2 $pid
Suggest inspecting the crontab execution log in /var/log/cron.
The problem here was that even though the user has root permission, if a script needs to be run by crontab at #reboot, the crontab needs to be modified by root. That was the only way I found to run the script. Since I am running tcpdump, this requires root permission, but crontab will not start it at boot if it is not modified with sudo.
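The scheduling question at the top of the page and this startup-script question want the same thing: a capture that runs unattended for a fixed window and stops cleanly. The wrapper below pulls the pieces from the answers (timeout, a duration in seconds, absolute paths for cron) into one cron-friendly script. It is an added example, not code posted by anyone on this page; the interface, filter, output path, log path and the nobody user passed to -Z are placeholders. It assumes GNU coreutils timeout and awk.

```shell
#!/bin/sh
# Added example (not from any answer on this page): a cron-friendly wrapper
# that runs a capture command for a bounded time and reports how it ended.
# Assumes GNU coreutils `timeout` and awk; paths, interface and filter are placeholders.

# to_seconds DURATION -> prints whole seconds, returns 1 if DURATION is not a number.
# Accepts plain seconds ("5400") or a number with an s/m/h suffix ("1.5h", "90m").
# tcpdump -G wants integer seconds while GNU sleep accepts "1.5h", hence the conversion.
to_seconds() {
    dur=$1
    case $dur in
        *h) num=${dur%h}; mult=3600 ;;
        *m) num=${dur%m}; mult=60 ;;
        *s) num=${dur%s}; mult=1 ;;
        *)  num=$dur;     mult=1 ;;
    esac
    case $num in
        ''|*[!0-9.]*|.|*.*.*) return 1 ;;   # empty, non-numeric, or more than one dot
    esac
    awk -v n="$num" -v m="$mult" 'BEGIN { printf "%d\n", n * m }'
}

# run_bounded DURATION CMD [ARGS...] -> runs CMD and sends SIGINT when the window
# ends (tcpdump treats that like Ctrl+C: flush the savefile, print statistics),
# escalating to SIGKILL 10 s later if CMD ignores it. Prints one status word and
# returns 0 only when CMD ran for the whole window; any other outcome means the
# capture stopped early, which is what a cron log should make visible.
run_bounded() {
    secs=$(to_seconds "$1") || { echo "bad-duration"; return 2; }
    shift
    timeout --signal=INT --kill-after=10 "$secs" "$@"
    rc=$?
    case $rc in
        124) echo "completed-window"; return 0 ;;          # timeout fired: the expected outcome
        137) echo "killed-after-ignoring-int"; return 1 ;; # needed SIGKILL
        0)   echo "exited-early-ok"; return 1 ;;           # ended before the window: unusual for tcpdump -w
        *)   echo "exited-early-rc-$rc"; return 1 ;;       # e.g. permission or filter error at start
    esac
}

# Cron entry in root's crontab (absolute paths, as the answers above require),
# e.g. daily at 17:30 for 1.5 h. Placeholder paths:
#   30 17 * * * /usr/local/sbin/capture-window.sh 1.5h >> /var/log/capture-window.log 2>&1
# where capture-window.sh is this file plus the entry point below.
# The -Z user must be able to write the output directory, since tcpdump opens
# the savefile after dropping privileges; /var/tmp is writable by nobody.
main() {
    dur=${1:-1.5h}
    out=/var/tmp/capture-$(date +%Y%m%d-%H%M%S).pcap      # placeholder path
    run_bounded "$dur" /usr/sbin/tcpdump -i eth0 -Z nobody -w "$out" 'port 8080'
}
```

Because the normal way for this job to end is the timeout firing, a status of 124 from timeout is the success case here, and the wrapper inverts it; anything else in the cron log (an early exit 0, a filter syntax error, a permission error from -Z) is a capture that did not cover its window.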

How can I conduct Syn flood attack with incremental packet size using hping3

I am conducting penetration testing. I am trying to increment the packet number without manually exiting the ping and pinging again. I tried with "sleep 5", but the ping doesn't end after 5 seconds. I have to press ^C, and then the incremental command executes. Any suggestion? My host and attacker are in separate virtual machines.
for i in {1..10000}; do sudo hping3 -c $i -d 120 -S -w 64 -p <port_number>--flood --rand-source <ip_address> --traceroute; date ; sleep 5;done
Edit: For those who are facing the same problem, use timeout.
For my case: for i in {1..1000}; do sudo timeout 60 hping3 -c $i -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.189.135 --tr-stop; date ; sleep 1;done.

How to capture tcpdump to a compress file in linux

I have a DNS server and I want to capture DNS traffic to get all the IPs which use my DNS server.
For this I started using the following tcpdump command and captured to a file:
tcpdump -n -i eth0 dst port 53 >> dns_data.log
But the file size gets large when I run this for a long time. How can I capture this to a compressed file? I tried the command below, but it's not working.
tcpdump -n -i eth0 dst port 53 | bzip2 -c >> dns_data.bz2
Try something like: tcpdump -G 3600 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -z gzip
-G N means rotate every N (3600) seconds.
-z command means run command (gzip) after each rotation.
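tcpdump runs the -z command once per rotated file, passing the finished savefile path as its only argument, so anything can stand in for gzip there. The handler below, an added example that is not the answer's code, compresses the rotated file and records a SHA-256 of the result in a manifest, so that a missing hour or an altered capture can be noticed later. It assumes gzip and sha256sum (coreutils); the manifest path and the capture filter are placeholders.

```shell
#!/bin/sh
# Added example (not from the answer above): a post-rotate handler for tcpdump -z.
# tcpdump invokes the -z command with the finished savefile as the sole argument.
# Assumes gzip and coreutils sha256sum; MANIFEST is a placeholder path.

MANIFEST=${MANIFEST:-/var/tmp/capture-manifest.sha256}   # placeholder, overridable

# compress_and_record FILE -> gzips FILE in place (producing FILE.gz), appends
# "<sha256>  <absolute path>" to $MANIFEST, and prints the .gz path.
# The path is made absolute so the manifest can be verified from any directory.
compress_and_record() {
    f=$1
    [ -f "$f" ] || { echo "no such savefile: $f" >&2; return 1; }
    case $f in /*) ;; *) f=$PWD/$f ;; esac
    gzip -9 "$f" || return 1                  # replaces FILE with FILE.gz
    sha256sum "$f.gz" >> "$MANIFEST" || return 1
    echo "$f.gz"
}

# verify_manifest -> returns 0 only if every recorded digest still matches its file.
verify_manifest() {
    [ -s "$MANIFEST" ] || return 1
    sha256sum -c --status "$MANIFEST"
}

# Usage with hourly rotation, as in the answer above (interface and filter are
# placeholders; the strftime pattern uses dashes instead of colons only because
# colons in filenames annoy some tools):
#   tcpdump -n -i eth0 -G 3600 -w 'dns_%Y-%m-%d_%H-%M-%S.pcap' \
#       -z /usr/local/sbin/post-rotate.sh 'dst port 53'
# where post-rotate.sh is this file plus the entry point:
#   compress_and_record "$1"
```

The -z command is run by the user tcpdump drops to (see -Z), so that user needs write access to the capture directory and to the manifest; a sha256sum -c against the manifest is the cheap check that the retained captures are the ones that were written.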

How to output redirect to overwrite file while command is running Linux?

I am not sure if this is even possible, but I am using this command to get network throughput:
ifstat -t -S -i wlan0
Run just like that, it updates inline on the console, but when I pipe it, it appends a new line to the file:
ifstat -t -S -i wlan0 >> /tmp/transfer.txt
Time wlan0
HH:MM:SS KB/s in KB/s out
21:33:35 4.27 201.47
21:33:36 4.20 178.88
21:33:37 4.41 190.76
21:33:38 4.32 186.61
21:33:39 5.07 177.42
21:33:40 4.15 182.87
21:33:41 5.70 180.93
21:33:42 4.21 194.71
21:33:43 3.80 181.35
21:33:44 3.86 185.57
21:33:45 3.92 189.78
21:33:46 4.08 195.29
etc...
OK, I understand that using this will overwrite the file, but only after I run it the first time, not DURING the execution of the app.
ifstat -t -S -i wlan0 >> /tmp/transfer.txt
I really do not need to keep a log of all the transfer rates; I am only interested in writing that one line on every update while the application is running. Instead of appending lines during execution, I want it to create a new file or overwrite it every second.
Technically you're not piping, but redirecting output.
Looks like you want to use > instead of >>?
For obtaining just the last line while ifstat is executing, you could extract it into a second file like this:
while true; do tail -1 /tmp/transfer.txt > /tmp/transfer2.txt; sleep .5; done
To overwrite the file each time without keeping a log:
while true; do ifstat -t -i wlan0 1 1 | tail -1 > /tmp/transfer.txt; sleep .5; done;
You can try one of the following (I do not have your version of ifstat, so I cannot verify this on my own system).
while /bin/true; do ifstat -t -i wlan0 1 > /tmp/transfer.txt; sleep 1; done
or perhaps just
ifstat -t -i wlan0 > /tmp/transfer.txt
So, don't use the -S flag, since it does not work when redirecting to a file.

How to terminate a process which is run with sudo? Ctrl+C does it, but not kill

At my company, some commands are allowed to run with sudo, such as tcpdump; others are not.
I expect to run tcpdump for a while and then stop it.
When I run tcpdump, I can abort it with Ctrl+C.
I wrote a shell script like this:
#!/bin/sh
sudo tcpdump -ieth1 -w ~/dump.bin
sleep 5
kill -2 $!
It doesn't really work. The tcpdump process runs as root, and the current user is a normal account.
My question is: is there any way to do the equivalent of Ctrl+C in a bash script?
EDIT:
PS: As per my company's security policy, I cannot run kill as root.
Try the -Z option to tcpdump. It instructs tcpdump to drop root privileges and run as the user specified in the argument.
sudo tcpdump -Z $USER -ieth1 -w ~/dump.bin
Now try killing that process.
Simply run kill through sudo as well:
sudo kill -2 $!
This way the kill process will have the privilege to send signals to a process that runs as root.
For programs that don't have special switches like -Z, and in case you can alter the sudoers file, this is a solution:
sudo myprogram &
sleep 5
sudo pkill myprogram
All I have to do is allow running pkill myprogram passwordless by using visudo and adding this line:
myuser ALL=(ALL) NOPASSWD:/bin/pkill myprogram
This is less dangerous than letting sudo kill any program.
The timeout command also terminates a program after a given time. sudo timeout 5 tcpdump -ieth1 -w ~/dump.bin should accomplish the same thing as the script.
sudo tcpdump -Z root -w ~/dump.bin -n -i eth0 -G 300 -W 1
G - timeout in seconds (after the timeout period the command gets killed automatically)
Z - drop root and run with the given user's privileges
W - number of files to be saved (as split files)
sudo tcpdump -ieth1 -w ~/dump.bin
will block your script; you need to put it into the background:
sudo tcpdump -ieth1 -w ~/dump.bin &
This and the answer from Blagovest should do it.