
u2ucap: circular trace, stop when event detected

May 1st, 2017

This script is part of a series of scripts that perform packet capture between two endpoints. In this case the endpoints are two UNIX/LINUX machines. The script was tested with the "source endpoint" as a Redhat machine and a "target endpoint" as an Ubuntu machine. A circular (rotating) trace is started on each machine and both traces are stopped whenever an event is detected. In this case the event is a particular string appearing in a monitored log file.

Requirements: tcpdump

#!/bin/bash
# Author: Garland R. Joseph, garland.joseph@gmail.com
#   Date: May 2017
#
# This script is offered as is.  It is designed to
# run a circular trace using tcpdump on UNIX systems.
#
# You will either have to manually enter the password
# for the root account on the remote system or set up
# ssh keys for prompt-less access.  tcpdump needs root
# on this host as well, so run the script as root.
#
# Default buffer is 2 rotating files of 1,000,000 bytes
# (the unit of tcpdump -C) per endpoint; raise -C for a
# larger buffer.
#
# The traces will stop once a key string SEARCH_STRING is
# found in LOG_FILE.
#
# Note:   Some UNIX systems like LINUX Fedora will
#         result in permission denied when using
#         tcpdump -W and -C options and writing to / or /root,
#         because tcpdump drops root privileges before it
#         opens the capture files.  Use a directory such as
#         /tmp that the unprivileged tcpdump user can write to.
#
#         Tested on Source endpoint Redhat and Target endpoint Ubuntu.
# -----

#
# Defaults
#

USAGE="u2ucap [-v]  [ -c capture_file ] [ -w secs ] -h remote_host -l log_file -s search_string"
DEBUG=false
CAPTURE_FILE="/tmp/capture"
SLEEP_TIME="5"   #seconds
SEARCH_STRING=""
LOG_FILE=""
REMOTE_HOST=""

#
# Process command line arguments
#

while getopts ":vc:w:l:s:h:" opts
do
 case ${opts} in
   v) DEBUG=true ;;
   c) CAPTURE_FILE=${OPTARG} ;;
   w) SLEEP_TIME=${OPTARG} ;;
   s) SEARCH_STRING=${OPTARG}  ;;
   l) LOG_FILE=${OPTARG} ;;
   h) REMOTE_HOST=${OPTARG} ;;
   :) echo "Please specify a value for -${OPTARG}" ; exit 1 ;;
  \?) echo "-${OPTARG} is not a valid switch" ; echo "${USAGE}" ; exit 1 ;;
 esac
done

#
# Build the tcpdump command only after the options have been read,
# otherwise a capture file given with -c is silently ignored.
# -C 1 rotates at 1,000,000 bytes, -W 2 keeps two files and overwrites
# the older one, so ${CAPTURE_FILE}0 and ${CAPTURE_FILE}1 always hold
# the most recent traffic.
#

TCPDUMPCMD="tcpdump -C 1 -W 2 -w ${CAPTURE_FILE}"

#
# Insure required values have been specified, check for existence of
# log file, getopts should handle case of no values for -l and -s.
# A sanity check in the event getopts varies per unix
#

if [[ -z ${SEARCH_STRING} || -z ${LOG_FILE} || -z ${REMOTE_HOST} ]]
then
 echo "${USAGE}"
 exit 1
fi

if ! [[ -f ${LOG_FILE} ]]
then
 echo "File ${LOG_FILE} does not exist"
 exit 1
fi

#
# Start trace on remote host.  ssh -n keeps the backgrounded session
# from reading the terminal; it stays open until the remote tcpdump exits.
# Wait briefly before looking up the pid so tcpdump has time to start.
# pgrep -x matches any process named tcpdump, so an unrelated tcpdump
# already running on the remote host would be stopped as well.
#

ssh -n root@${REMOTE_HOST} ${TCPDUMPCMD} >/dev/null 2>&1 &
sleep ${SLEEP_TIME}
REMOTE_PID=$(ssh -n root@${REMOTE_HOST} pgrep -x tcpdump)
if [[ -z ${REMOTE_PID} ]]
then
 echo "${0}-E-REMOTE_PID, tcpdump did not start on ${REMOTE_HOST}"
 exit 1
fi
${DEBUG} && echo "${0}-I-REMOTE_PID, remote pid is ${REMOTE_PID}."

#
# Start trace on this host; $! is the pid of the backgrounded tcpdump
#

${TCPDUMPCMD} >/dev/null 2>&1 &
LOCAL_PID=$!
${DEBUG} && echo "${0}-I-LOCAL_PID, local pid is ${LOCAL_PID}."

#
# Monitor log file: record how many times the string already occurs,
# then poll until the count grows.  The search string is quoted so that
# spaces in it are passed to grep intact.
#

old_count=$(grep -c -- "${SEARCH_STRING}" "${LOG_FILE}")
(( new_count = old_count ))
(( i = 0 ))
while (( old_count == new_count ))
do
   (( i++ ))
   ${DEBUG} && echo "${0}-F-SLEEP, sleeping ${SLEEP_TIME}, iteration ${i}."
   sleep ${SLEEP_TIME}
   new_count=$(grep -c -- "${SEARCH_STRING}" "${LOG_FILE}")
done

#
#  At this point, search string has been found, stop traces
#

kill ${LOCAL_PID}
ssh -n root@${REMOTE_HOST} kill ${REMOTE_PID}

#
# Verbose only reminders
#

${DEBUG} && echo "Consult files ${CAPTURE_FILE}0 and ${CAPTURE_FILE}1 on local and remote host."

exit 0
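The detection loop the script relies on, extracted here as a reusable function with a baseline count and a timeout so a trace is never left running when the string never appears. This is an added example, not part of the author's script; the function names and the sample log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example: the log-monitoring step of the circular trace as a
# function with a timeout.  Function names are my own, not the script's.

# Print how many lines of LOG ($1) match PATTERN ($2); 0 if the file is
# missing.  grep -c prints 0 and exits 1 when nothing matches.
count_matches() {
    c=$(grep -c -- "$2" "$1" 2>/dev/null)
    echo "${c:-0}"
}

# wait_for_new_match LOG PATTERN INTERVAL TIMEOUT
# Take a baseline count first so occurrences already in the log do not
# stop the trace immediately; poll every INTERVAL seconds; return 0 as
# soon as the count grows, 1 once TIMEOUT seconds have elapsed.
wait_for_new_match() {
    log=$1; pattern=$2; interval=$3; timeout=$4
    baseline=$(count_matches "$log" "$pattern")
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        sleep "$interval"
        waited=$((waited + interval))
        if [ "$(count_matches "$log" "$pattern")" -gt "$baseline" ]; then
            return 0
        fi
    done
    return 1
}

# Self-contained demo on a constructed log: one old match is already
# present, a new one is appended by a background writer a second later.
demo() {
    log=$(mktemp)
    printf 'kernel: ERROR old event, must be ignored\n' > "$log"
    ( sleep 1; printf 'kernel: ERROR new event\n' >> "$log" ) &
    wait_for_new_match "$log" "ERROR" 1 10; rc=$?
    rm -f "$log"
    return $rc
}

# In the trace script this replaces the polling while loop, e.g.
#   wait_for_new_match "$LOG_FILE" "$SEARCH_STRING" "$SLEEP_TIME" 3600 \
#       || echo "timeout, stopping traces anyway"
#   kill "$LOCAL_PID"; ssh -n root@"$REMOTE_HOST" kill "$REMOTE_PID"
```

Running `demo` returns 0 once the new line is seen; with a pattern that never appears the function returns 1 after the timeout, which is the case the original loop cannot get out of.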