Automating 24-hour packet capture on Linux with tcpdump

  

Install tcpdump
The command is as follows:

# yum install tcpdump

A comment line #diy in the scripts marks that the line after it must be adapted to your own setup (interface, host filter, disk device, thresholds).

The scripts live in /home; the crontab entries are:

0 */6 * * * /bin/bash /home/monitor_dump.sh

0 */6 * * * /bin/bash /home/monitor_disk.sh

Both run at minute 0 of every sixth hour. A * in the minute field, as in * */6 * * *, would instead run the job every minute during hours 0, 6, 12 and 18; for monitor_disk.sh that means deleting a whole day of captures each minute for as long as usage stays above the threshold.

Choose the crontab interval according to the disk space available and the traffic volume: monitor_disk.sh removes at most one day's directory per run, so it has to run often enough that the disk cannot fill up between runs.

A new crontab entry only fires at its next scheduled time. To start capturing right away, run the monitor once by hand; it starts main_dump.sh if that is not already running:

nohup /bin/bash /home/monitor_dump.sh &

vi common commands

# vi /etc/crontab

i    enters insert (edit) mode

ESC  returns to command mode

:wq  saves and exits

:q   exits (use :q! to discard changes)

/etc/crontab is the system-wide crontab: cron re-reads it by itself after it is saved, and each of its lines carries an extra user field between the schedule and the command (0 */6 * * * root /bin/bash /home/monitor_dump.sh). Do not run crontab /etc/crontab afterwards: that command installs the given file as your personal crontab, where the user column is read as the start of the command. If you prefer a per-user crontab, write the entries without the user field and install them with crontab -e, which opens your editor (vi by default on most systems).

main_dump.sh (the main program for capturing packets)

An infinite loop that checks the capture once a minute keeps the program capturing packets; because a capture file that is too large cannot be opened by the analysis tool, each file is limited to about 100 MB;

when the previous file is complete, the script waits 5 seconds and starts the next round of capture;

each day's captures are placed in a directory under /data named after the date, for example /data/2010-03-08, and are stored compressed. The file name format is yyyy-mm-dd@hhmmss-hhmmss.pcap.gz, where yyyy-mm-dd is the date, the first hhmmss is the hour, minute and second at which the capture of that file started, and the second hhmmss is the hour, minute and second at which it ended.
The code is as follows:

#!/bin/bash
#script name:/home/main_dump.sh
while :
do
    STIME=`date +%F"@"%H%M%S`
    DATE_DIR=`date +%F`
    if [ ! -d /data/$DATE_DIR ];then
        mkdir -p /data/$DATE_DIR
    fi
    #diy
    #unit:byte;100MB
    MAXSIZE=100000000
    #diy
    # start this round's capture and remember its PID. $! is reliable where
    # grepping ps output is not: that can match the grep itself or a capture
    # started elsewhere whose file this loop would never measure.
    /usr/sbin/tcpdump -i eth0 host 113.105.152.180 -w /data/$DATE_DIR/$STIME.pcap -s 0 &
    DUMPPID=$!
    sleep 1
    # poll the file size once a minute until it reaches MAXSIZE;
    # ${PACKSIZE:-0} keeps the test valid while the file does not exist yet
    PACKSIZE=`ls -l /data/$DATE_DIR| grep "$STIME.pcap"| awk '{print $5}'`
    while [ "${PACKSIZE:-0}" -lt "$MAXSIZE" ];do
        kill -0 $DUMPPID 2>/dev/null || break    # tcpdump died: stop waiting
        sleep 1m
        PACKSIZE=`ls -l /data/$DATE_DIR| grep "$STIME.pcap"| awk '{print $5}'`
    done
    # SIGTERM lets tcpdump flush its buffered packets; kill -9 would lose them
    kill $DUMPPID 2>/dev/null
    wait $DUMPPID 2>/dev/null
    ETIME=`date +%H%M%S`
    mv /data/$DATE_DIR/$STIME.pcap /data/$DATE_DIR/$STIME-$ETIME.pcap
    gzip /data/$DATE_DIR/*.pcap
    sleep 5
done

monitor_dump.sh (monitoring the capture script)

To keep the main program running, monitor_dump.sh is scheduled from crontab;

it checks whether the capture's main program is running and starts it if it is not.

The code is as follows:

#!/bin/bash
#script name:/home/monitor_dump.sh
# is the capture loop still running? The pattern must match the real script
# name: the first version grepped for "maindump", which never matches
# main_dump.sh, so it started a fresh loop on every run.
MAINDUMP=`ps -elf| grep "main_dump.sh"| grep -v grep`
#check main programme status
if [ ! "$MAINDUMP" ];then
    # restart it detached from cron; it starts its own tcpdump on the next round.
    # Starting a bare tcpdump from here instead would leave a capture that
    # main_dump.sh never rotates or compresses.
    nohup /bin/bash /home/main_dump.sh >/dev/null 2>&1 &
fi

monitor_disk.sh (monitor hard disk space)

Monitors disk usage: when the used percentage of the filesystem holding /data reaches 30% (adjustable), the directory of the earliest day's captures is deleted to keep free space on the disk. Only one day is removed per run, and the directory of the current day, which the capture is still writing into, is never removed.

The code is as follows:

#!/bin/bash
#script name:/home/monitor_disk.sh
#diy
# used-space percentage of the filesystem holding /data (the first version
# grepped /dev/sda3 out of df -h, which breaks when df wraps a long device name)
USED=`df -P /data| awk 'NR==2 {print $5}'| awk -F % '{print $1}'`
# oldest date-named directory; ISO dates sort chronologically
HEADMOST=`ls -l /data| grep ^d| awk '{print $NF}'| sort| head -n 1`
TODAY=`date +%F`
#check disk usage; 30 is the percentage at which the oldest day is deleted
#diy
if [ "$USED" -ge "30" ] && [ -n "$HEADMOST" ] && [ "$HEADMOST" != "$TODAY" ];then
    rm -rf /data/"$HEADMOST"
fi
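As an added example, not one of the page's scripts, the same 24-hour capture can be built on tcpdump's own rotation (-C for size, -G for time, -z for a post-rotate hook) instead of the polling loop of main_dump.sh, with the watchdog of monitor_dump.sh and the oldest-day pruning of monitor_disk.sh folded into the same file. It keeps the page's interface and filter (eth0, host 113.105.152.180) and the one-directory-per-day layout under /data; the script path /home/capture24.sh, a /data root writable by the user tcpdump drops to, and the existence of that user (the yum package creates it on CentOS/RHEL) are assumptions to adjust.

```bash
#!/bin/bash
# capture24.sh: added example, not one of the page's scripts. 24-hour capture
# using tcpdump's own rotation (-C/-G/-z) instead of a polling loop.
# Assumptions: interface eth0 and filter host 113.105.152.180 as on the page,
# data under /data, /data writable by the user given to -Z (user tcpdump).
set -eu

IFACE="${IFACE:-eth0}"
FILTER="${FILTER:-host 113.105.152.180}"
DATA_ROOT="${DATA_ROOT:-/data}"
MAX_MB=100          # -C: close the file once it exceeds this many million bytes
ROTATE_SECS=86400   # -G: also close it once a day so every file name carries its day
PRUNE_AT=30         # delete the oldest day once filesystem usage reaches this percent

# Used-space percentage of the filesystem holding $1 (digits only, POSIX df -P).
usage_pct() {
    df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }'
}

# Print the oldest YYYY-MM-DD directory under $1, never today's (that one holds
# the live capture). Glob expansion is sorted, and ISO dates sort chronologically.
oldest_day_dir() {
    local root="$1" today d name
    today=$(date +%F)
    for d in "$root"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/; do
        [ -d "$d" ] || continue          # unmatched glob: no day directories yet
        name=$(basename "$d")
        [ "$name" = "$today" ] && continue
        echo "$name"
        return 0
    done
    return 1
}

# Delete oldest days until usage of $1 drops below $2 percent; prints each
# directory removed. Stops, rather than touching today's directory, if nothing
# older is left.
prune_until_below() {
    local root="$1" limit="$2" victim
    while [ "$(usage_pct "$root")" -ge "$limit" ]; do
        victim=$(oldest_day_dir "$root") || break
        rm -rf -- "$root/$victim"
        echo "$victim"
    done
}

# -z hook: tcpdump runs this script with the just-closed savefile as $1.
# Moves it into its day directory and gzips it there.
post_rotate() {
    local file="$1" day
    day=$(basename "$file" | cut -c1-10)   # leading YYYY-MM-DD of the file name
    mkdir -p "$DATA_ROOT/$day"
    mv -- "$file" "$DATA_ROOT/$day/"
    gzip -- "$DATA_ROOT/$day/$(basename "$file")"
}

# Foreground capture. With -G the strftime fields in -w name each file by its
# open time; when -C fires inside a -G window tcpdump appends a counter to that
# name, which post_rotate tolerates. -Z drops root once the socket is open.
start_capture() {
    mkdir -p "$DATA_ROOT"
    # $FILTER is deliberately unquoted so it splits into tcpdump's filter words
    exec tcpdump -i "$IFACE" -s 0 -n \
        -C "$MAX_MB" -G "$ROTATE_SECS" \
        -w "$DATA_ROOT/%Y-%m-%d@%H%M%S.pcap" \
        -z "$0" -Z tcpdump \
        $FILTER
}

# Suggested crontab lines (user field omitted, i.e. for crontab -e):
#   @reboot     /home/capture24.sh capture
#   */5 * * * * /home/capture24.sh watch
#   0 */6 * * * /home/capture24.sh prune
case "${1:-}" in
    capture) start_capture ;;
    watch)   # restart the capture if no tcpdump is listening on IFACE
             if ! pgrep -f "tcpdump -i $IFACE" >/dev/null; then
                 nohup "$0" capture >/dev/null 2>&1 &
             fi ;;
    prune)   prune_until_below "$DATA_ROOT" "$PRUNE_AT" ;;
    *.pcap*) post_rotate "$1" ;;          # invoked by tcpdump through -z
esac
```

Because tcpdump closes each file itself when it passes 100 million bytes or a day has elapsed, and runs the hook on every closed file, no process is ever killed to rotate. If you do stop the capture, send it SIGTERM (a plain kill, or Ctrl-C in the foreground) rather than kill -9, which discards packets tcpdump has buffered but not yet written to the file.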

Copyright © Windows knowledge All Rights Reserved