
rotateSnoop

30/01/2013

I was recently asked to set up snoop so that it would create fifty 50MB capture files and keep doing so, deleting the oldest one once a new one was created. I said sure, tcpdump is your man for that job, so I logged in, ran the tcpdump command, and what would you know, Solaris doesn't have tcpdump. Now, I could go off and upload the tcpdump command, but I work in a very bureaucratic organisation and that would involve a lot of paperwork and sign-off, so I decided to use the already present snoop command and cross-breed it with the script from my post "keep an eye on that" to get something approximating the relevant tcpdump command.

Below is the text of the script I have running at the moment on two of our boxes. You can also find the code on my pastebin.com site.

#!/bin/ksh
# Author        : bonstechblog
# Filename      : rotateSnoop
# Description   : This script runs a snoop trace and outputs a new file
#                 every 210000 packets.  It also keeps check of the number
#                 of output files and deletes the oldest once over that
#                 number.
#
#
# Created       :
#       VER     DATE            ORIGINATOR      DESCRIPTION
#       1.0     23/01/2013      bonstechblog   First version
while :
do
 # One capture of up to 210000 udp packets (roughly 50MB) per loop iteration
 nice snoop -d e1000g1 -c 210000 -o /opt/`hostname`Snoop_`date +%Y%m%d%H%M%S`.cap udp > /dev/null 2>&1
 # Count the capture files written so far
 fileCount=$( ls -al /opt/`hostname`Snoop*|/bin/wc -l )
 if [ "$fileCount" -gt 50 ]
 then
  # ls -alt lists newest first, so tail -1 is the oldest capture; remove it
  rm $( ls -alt /opt/`hostname`Snoop*|tail -1|awk '{print $NF}' )
 fi
done
exit

You will need root permissions to run snoop. The script is built on the loop from my post "keep an eye on that": it continually runs the commands I've put inside the while loop. I've taken out the sleep command as I don't need it here. The snoop itself is niced to stop it from potentially hogging all the resources on the box. -d e1000g1 is the device; -c 210000 is the maximum number of packets a single snoop instance will take, which I found through trial and error gives trace files of approximately 50MB for the traffic I was tracing, but you should experiment to find the right number for your own file size. -o sets where the trace file is written, and finally udp specifies that only UDP packets are snooped, as I was only concerned with RADIUS traffic at the time; alter the snoop filter to do what you require.

When snoop reaches 210000 packets it stops. The rest of the script keeps the number of snoop files at fifty: if the count goes over, it deletes the oldest one. Finally the while loop comes round again and kicks off a new snoop command to a new output file, and it'll do this forever until you ctrl-c or kill it.

I run this script in the background, so that it keeps going after I log out, with the following:

nohup ./rotateSnoop &
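The rotation logic above, written as an added example (not the original rotateSnoop script) so that the whole backlog is drained in one pass rather than one file per snoop run, and so the oldest file is picked by the zero-padded timestamp in its name instead of by parsing `ls -alt`. The function names and arguments are this example's own; the file naming matches what rotateSnoop writes.

```sh
#!/bin/sh
# Added example, not the original rotateSnoop script: the same ring-buffer
# rotation, but it removes every file beyond the limit in one pass (the
# original removes one file per snoop run, so a backlog of 60 files would
# take ten captures to get back under 50).  Capture files are named as
# rotateSnoop names them, <hostname>Snoop_<YYYYMMDDHHMMSS>.cap; because the
# timestamp is zero-padded, sorting by name gives capture order without
# parsing `ls -alt`.  Function names and arguments are this example's own.

# List capture files for prefix $2 in directory $1, newest first.
list_captures() {
    for f in "$1"/"$2"_*.cap; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done | sort -r
}

# Remove every capture beyond the newest $3 and print how many were removed.
prune_captures() {
    dir=$1; prefix=$2; keep=$3
    total=$(list_captures "$dir" "$prefix" | wc -l | tr -d ' ')
    excess=$((total - keep))
    if [ "$excess" -le 0 ]; then
        echo 0
        return 0
    fi
    # Oldest files are at the end of the newest-first listing.
    list_captures "$dir" "$prefix" | tail -n "$excess" | while IFS= read -r f; do
        rm -f "$f"
    done
    echo "$excess"
}

# Capture loop in the shape of rotateSnoop (needs root and Solaris snoop).
# Not run by this file; call it explicitly, e.g. rotate_snoop e1000g1 /opt 50 udp
rotate_snoop() {
    dev=$1; dir=$2; keep=$3; filter=$4
    umask 077          # captures hold RADIUS traffic: keep them root-readable only
    prefix=$(hostname)Snoop
    while :; do
        nice snoop -d "$dev" -c 210000 \
            -o "$dir/${prefix}_$(date +%Y%m%d%H%M%S).cap" "$filter" >/dev/null 2>&1
        prune_captures "$dir" "$prefix" "$keep" >/dev/null
    done
}
```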

If you don't understand anything here, drop me a comment and I'll get back to you eventually, I promise, or remember Google is your friend (sorta, maybe, in limited circumstances).
