u2ucap: circular trace, stop when event detected
May 1st, 2017
This script is part of a series of scripts that perform packet capture between two endpoints. In this case the endpoints are two UNIX/Linux machines. The script was tested with a Red Hat machine as the "source endpoint" and an Ubuntu machine as the "target endpoint". A circular trace is started on each machine and stopped whenever an event is detected; here the event is the appearance of a particular string in a monitored log file.
Requirements: tcpdump on both endpoints, and ssh access to the remote endpoint as root (either by entering the root password or with ssh keys).
```bash
#!/bin/bash
# Author: Garland R. Joseph, garland.joseph@gmail.com
# Date: May 2017
#
# This script is offered as is. It is designed to
# run a circular trace using tcpdump on UNIX systems.
#
# You will either have to manually enter the password
# for the root account on the remote system or set up
# ssh keys for prompt-less access.
#
# Default capture size is 2 x 1,000,000 bytes per endpoint
# (tcpdump -C counts millions of bytes; raise -C for larger files).
#
# The traces will stop once a key string SEARCH_STRING is
# found in LOG_FILE.
#
# Note: Some UNIX systems like LINUX Fedora will
# result in permission denied when using
# tcpdump -W and -C options and writing to / or /root,
# because tcpdump drops root privileges before it opens
# the rotated files. Write to a directory the unprivileged
# tcpdump user can write to, such as /tmp.
#
# Tested on Source endpoint Redhat and Target endpoint Ubuntu.
# -----
#
# Defaults
#
USAGE="u2ucap [-v] [ -c capture_file ] [ -w secs ] -h remote_host -l log_file -s search_string"
DEBUG=false
CAPTURE_FILE="/tmp/capture"
SLEEP_TIME="5" # seconds
SEARCH_STRING=""
LOG_FILE=""
REMOTE_HOST=""

#
# Process command line arguments
#
while getopts ":vc:w:l:s:h:" opts
do
  case ${opts} in
    v) DEBUG=true ;;
    c) CAPTURE_FILE=${OPTARG} ;;
    w) SLEEP_TIME=${OPTARG} ;;
    s) SEARCH_STRING=${OPTARG} ;;
    l) LOG_FILE=${OPTARG} ;;
    h) REMOTE_HOST=${OPTARG} ;;
    ":") echo "Please specify a value for -${OPTARG}" ; exit 1 ;;
    \?) echo "-${OPTARG} is not a valid switch" ; echo "${USAGE}" ; exit 1 ;;
  esac
done

#
# Build the tcpdump command after the options have been parsed, so that
# -c capture_file actually takes effect. -C 1 rotates the file after
# 1,000,000 bytes and -W 2 keeps two files, overwriting the older one:
# a circular buffer.
#
TCPDUMPCMD="tcpdump -C 1 -W 2 -w ${CAPTURE_FILE}"

#
# Insure required values have been specified, check for existence of
# log file. getopts should handle the case of no values for -l and -s;
# this is a sanity check in the event getopts varies per unix.
#
if [[ -z ${SEARCH_STRING} || -z ${LOG_FILE} || -z ${REMOTE_HOST} ]]
then
  echo "${USAGE}"
  exit 1
fi

if ! [[ -f ${LOG_FILE} ]]
then
  echo "File ${LOG_FILE} does not exist"
  exit 1
fi

#
# Start trace on remote host. The remote shell backgrounds tcpdump and
# prints its PID, so we record exactly the process we started rather
# than whatever "ps | grep tcpdump" happens to find.
#
REMOTE_PID=$(ssh root@${REMOTE_HOST} "nohup ${TCPDUMPCMD} >/dev/null 2>&1 & echo \$!")
${DEBUG} && echo "${0}-I-REMOTE_PID, remote pid is ${REMOTE_PID}."

#
# Start trace on this host. exec in a background subshell makes $!
# the PID of tcpdump itself rather than of a wrapper shell.
#
exec ${TCPDUMPCMD} 2>/dev/null 1>/dev/null &
LOCAL_PID=$!
${DEBUG} && echo "${0}-I-LOCAL_PID, local pid is ${LOCAL_PID}."

#
# Monitor log file: poll until the number of matching lines changes.
# -F matches the search string literally, and quoting keeps a string
# containing spaces intact.
#
old_count=$(grep -cF -- "${SEARCH_STRING}" "${LOG_FILE}")
(( new_count=old_count ))
(( i = 0 ))
while (( old_count == new_count ))
do
  (( i++ ))
  ${DEBUG} && echo "${0}-F-SLEEP, sleeping ${SLEEP_TIME}, iteration ${i}."
  sleep ${SLEEP_TIME}
  new_count=$(grep -cF -- "${SEARCH_STRING}" "${LOG_FILE}")
done

#
# At this point, search string has been found, stop traces.
# SIGTERM makes tcpdump flush and close its capture file.
#
kill ${LOCAL_PID}
ssh root@${REMOTE_HOST} kill ${REMOTE_PID}

#
# Verbose only reminders
#
${DEBUG} && echo "Consult files ${CAPTURE_FILE} on local and remote host."
exit 0
```
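The monitor step in the script above (count the matches, sleep, count again) deserves a closer look, because that loop decides when both captures stop. The following is an added example, not code from the original post: the same polling logic written as two shell functions, with a literal-string grep (so a search string such as `[error]` or `10.0.0.1` is not read as a regular expression), a quoted pattern that survives spaces, an optional poll limit so the script cannot wait forever, and a baseline reset when the match count drops (a rotated or truncated log), which would otherwise end the trace without any event having occurred. The function names `count_matches` and `wait_for_new_match` and the sample log used below are my own constructions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the "monitor a file for a
# string" step as reusable functions. The names count_matches and
# wait_for_new_match are assumptions of this example, not the script's.

# Count occurrences of a fixed string in a file.
# -F treats the pattern as a literal rather than a regex, and "--" stops a
# pattern beginning with "-" from being read as a grep option.
# Prints 0 when there are no matches or the file cannot be read
# (grep -c exits 1 on no match and prints nothing on a missing file).
count_matches() {
    local n
    n=$(grep -cF -- "$2" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Poll LOG_FILE every SLEEP_TIME seconds until a new match appears.
#   $1 log file, $2 search string, $3 poll interval in seconds (default 5),
#   $4 maximum number of polls (default 0 = unlimited, as in the original).
# Returns 0 when the match count rises, 1 when the poll limit is reached
# without a new match, 2 if the log file disappears.
# A count that *drops* (log rotated or truncated) rebases the baseline
# instead of being treated as an event, so a rotation does not stop the
# capture early.
wait_for_new_match() {
    local log_file="$1" search_string="$2"
    local sleep_time="${3:-5}" max_iterations="${4:-0}"
    local old_count new_count i=0
    old_count=$(count_matches "$log_file" "$search_string")
    while :; do
        [ -f "$log_file" ] || return 2
        new_count=$(count_matches "$log_file" "$search_string")
        if [ "$new_count" -gt "$old_count" ]; then
            return 0
        elif [ "$new_count" -lt "$old_count" ]; then
            old_count=$new_count   # rotation/truncation: new baseline
        fi
        i=$((i + 1))
        if [ "$max_iterations" -gt 0 ] && [ "$i" -ge "$max_iterations" ]; then
            return 1
        fi
        sleep "$sleep_time"
    done
}

# Usage when run directly:
#   ./wait_for_new_match.sh LOG_FILE SEARCH_STRING [SLEEP_SECS] [MAX_POLLS]
# In u2ucap this call would sit between starting and killing the traces.
if [ "$#" -ge 2 ]; then
    wait_for_new_match "$1" "$2" "${3:-5}" "${4:-0}"
    exit $?
fi
```

Because the functions return a status instead of looping forever, the caller can distinguish "event seen" from "gave up" and still kill both tcpdump processes on every path, which keeps a forgotten capture from filling the circular buffer indefinitely.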