# Description
maindump.sh (main program for packet capture)
The program runs in an endless loop and checks the size of the current capture file once every minute, so packets are captured continuously. Because a single capture result could become too large for the analysis tool to open, the size of each capture file is limited to about 100 MB;
After one capture finishes, the script waits 5 seconds before starting the next round;
Each day's data packets are placed under a directory in /data named by date, such as /data/2010-03-08, and stored compressed. The file name format is yyyy-mm-dd@hhmmss-hhmmss.pcap.gz, where yyyy-mm-dd is the date, the first hhmmss is the start time (hour, minute, second) and the second hhmmss is the end time (hour, minute, second) of the capture.
monitor_dump.sh (packet capture monitoring script), monitor_disk.sh (disk space monitoring script)
To keep the main packet capture program running healthily, crond is used to schedule monitor_dump.sh;
It checks whether the main capture program is running normally and starts it if it is not;
monitor_disk.sh monitors free disk space: when disk usage is greater than or equal to 30% (configurable), the oldest day's captured packets are deleted automatically to free disk space;
Note: a "# diy" comment in a script marks that the next line needs to be customized.
All scripts are stored in the /home directory; add to crontab:
```
*/6 * * * * /bin/bash /home/monitor_dump.sh
*/6 * * * * /bin/bash /home/monitor_disk.sh
```
Choose the time interval in crontab according to the disk space and the traffic volume.
Since a newly added crontab entry only runs at its next scheduled time, to start capturing immediately you can run: nohup sh /home/monitor_dump.sh &
# End of description --------------
------------------------------------------------------------
```bash
#!/bin/bash
# Script name: /home/monitor_dump.sh
DATE_DIR=$(date +%F)
STIME=$(date +%F"@"%H%M%S)
MAINDUMP=$(ps -elf | grep maindump | grep -v grep)
# diy
DUMPPID=$(ps -ef | grep "tcpdump -i eth0" | grep pcap | grep -v grep)
# Check main programme status: start maindump.sh in the background if it is
# not running (it loops forever, so it must not block this cron job)
if [ ! "$MAINDUMP" ]; then
    /bin/bash /home/maindump.sh &
fi
# Start a capture if none is running. Note that maindump.sh also starts
# tcpdump, so if both scripts check at the same moment two captures can start.
if [ ! "$DUMPPID" ]; then
    # diy
    /usr/sbin/tcpdump -i eth0 host 113.105.152.180 -w /data/$DATE_DIR/$STIME.pcap -s 0 &
fi
```
-----------------------------------------------------------
```bash
#!/bin/bash
# Script name: /home/monitor_disk.sh
# diy
# FREEDISK is really the "Use%" column of df (percentage used) for /dev/sda3
FREEDISK=$(df -h | grep "/dev/sda3" | awk '{print $5}' | awk -F% '{print $1}')
# Oldest day directory: yyyy-mm-dd names sort chronologically
HEADMOST=$(ls -l /data | grep ^d | awk '{print $NF}' | sort | head -n1)
# Check free disk status
# diy
# Only delete when a day directory exists; otherwise "$HEADMOST" is empty
# and the rm would remove /data itself
if [ "$FREEDISK" -ge "30" ] && [ -n "$HEADMOST" ]; then
    rm -rf /data/"$HEADMOST"
fi
```
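The cleanup rule described above (delete the oldest day directory once usage reaches the threshold) has two sharp edges in a plain `rm -rf /data/"$HEADMOST"`: an empty `HEADMOST` turns it into `rm -rf /data/`, and the threshold value must really be a number. The following is an added example, not one of the scripts from this post, that keeps the same decision logic but parses the `df` usage column, picks the oldest `yyyy-mm-dd` directory by glob instead of `ls -l`, and refuses to delete anything when no day directory is found. The sample `df` line and the directory names in the comments are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original monitor_disk.sh): safer version of the
# disk-threshold cleanup. All paths and the sample df line are constructed.

# Return the "Use%" column of one df line (e.g. the /dev/sda3 line) without
# the percent sign. $1 is the df line.
used_percent() {
    # $5 is Use% in the standard six-column df layout
    printf '%s\n' "$1" | awk '{ sub("%", "", $5); print $5 }'
}

# Print the name of the oldest day directory under $1. Only yyyy-mm-dd names
# are considered, so the shell's sorted glob expansion is also a
# chronological order. Prints nothing and returns 1 if there is none.
oldest_day_dir() {
    local base="$1" d
    for d in "$base"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]; do
        [ -d "$d" ] && { basename "$d"; return 0; }
    done
    return 1
}

# Delete the oldest day directory only when usage is at or above the
# threshold and a correctly named day directory exists (never "rm -rf base/").
# $1 = base directory, $2 = used percent, $3 = threshold percent.
# Prints the deleted directory name; returns 1 when nothing was deleted,
# 2 when the usage value is not a number.
cleanup_if_needed() {
    local base="$1" used="$2" limit="$3" victim
    case "$used" in
        ''|*[!0-9]*) echo "bad usage value: '$used'" >&2; return 2 ;;
    esac
    [ "$used" -ge "$limit" ] || return 1
    victim=$(oldest_day_dir "$base") || return 1
    rm -rf -- "$base/$victim"
    echo "$victim"
}

# Live usage (assumed layout, matching the original script):
#   cleanup_if_needed /data "$(used_percent "$(df -h | grep '/dev/sda3')")" 30
```

Calling `cleanup_if_needed` once per cron run deletes at most one day per run, as the original does; loop on its exit status if usage must drop below the threshold within a single run.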
------------------------------------------------------------
```bash
#!/bin/bash
# Script name: /home/maindump.sh
while :
do
    STIME=$(date +%F"@"%H%M%S)
    DATE_DIR=$(date +%F)
    if [ ! -d /data/$DATE_DIR ]; then
        mkdir -p /data/$DATE_DIR
    fi
    # Unit: byte; 100 MB
    # diy
    MAXSIZE=100000000
    # diy
    DUMPPID=$(ps -ef | grep "tcpdump -i eth0" | grep pcap | awk '{print $2}')
    if [ ! "$DUMPPID" ]; then
        # diy
        /usr/sbin/tcpdump -i eth0 host 113.105.152.180 -w /data/$DATE_DIR/$STIME.pcap -s 0 &
    fi
    sleep 1
    # diy
    DUMPPID=$(ps -ef | grep "tcpdump -i eth0" | grep pcap | awk '{print $2}')
    # Size of the current capture file in bytes (empty until the file exists,
    # hence the :-0 default below); poll once a minute until it reaches MAXSIZE
    # or tcpdump is no longer running
    PACKSIZE=$(ls -l /data/$DATE_DIR | grep "$STIME.pcap" | awk '{print $5}')
    while [ "${PACKSIZE:-0}" -lt "$MAXSIZE" ] && kill -0 $DUMPPID 2>/dev/null; do
        PACKSIZE=$(ls -l /data/$DATE_DIR | grep "$STIME.pcap" | awk '{print $5}')
        sleep 1m
    done
    # SIGTERM (rather than -9) lets tcpdump flush its buffer and close the
    # pcap file cleanly; wait for it before renaming and compressing
    kill $DUMPPID
    wait $DUMPPID 2>/dev/null
    ETIME=$(date +%H%M%S)
    mv /data/$DATE_DIR/$STIME.pcap /data/$DATE_DIR/$STIME-$ETIME.pcap
    gzip /data/$DATE_DIR/*.pcap
    sleep 5
done
```
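The size-based rotation in maindump.sh (described at the top of the post and implemented above) polls the capture file until it reaches the limit, stops tcpdump and renames the file with the end time. Two failure modes matter in practice: the size pipeline yields an empty string while the file does not exist yet, which breaks the numeric test, and `kill -9` gives tcpdump no chance to flush its last buffer, so the final pcap can end with a truncated record. The block below is an added example, not code from the post, of the same loop written around those two cases: it reads sizes with `wc -c`, gives up waiting when the writer process is gone, and stops the writer with SIGTERM before renaming in the post's `yyyy-mm-dd@hhmmss-hhmmss.pcap` pattern. The demo uses a constructed background writer (`head -c` appending to a temp file) in place of tcpdump, so it runs without root or an interface; the size limit of 5000 bytes is likewise constructed.

```bash
#!/bin/bash
# Added example (not from the original maindump.sh): a rotation loop that
# waits until a capture file reaches a size limit or its writer exits, then
# stops the writer cleanly. Paths and the dummy writer are constructed.

# Size of a file in bytes; prints 0 while the file does not exist yet
# (the original ls|grep|awk pipeline prints nothing in that case).
file_size() {
    [ -f "$1" ] && wc -c < "$1" | tr -d ' ' || echo 0
}

# Poll until $1 reaches $2 bytes or the writer PID $3 is gone.
# $4 is the poll interval in seconds (default 60, as the original's "sleep 1m").
# Returns 0 when the size limit was reached, 1 when the writer disappeared first.
wait_until_full() {
    local file="$1" max="$2" pid="$3" interval="${4:-60}"
    while [ "$(file_size "$file")" -lt "$max" ]; do
        kill -0 "$pid" 2>/dev/null || return 1
        sleep "$interval"
    done
    return 0
}

# Stop the writer with SIGTERM so tcpdump can flush and close the pcap
# (SIGKILL, as in "kill -9", can leave a truncated last record), wait for it,
# then rename START.pcap to START-END.pcap. Prints the new file name.
rotate_capture() {
    local file="$1" pid="$2" etime
    kill "$pid" 2>/dev/null || true      # already gone: nothing to stop
    wait "$pid" 2>/dev/null || true      # only reaps when the writer is our child
    etime=$(date +%H%M%S)
    mv -- "$file" "${file%.pcap}-$etime.pcap"
    echo "${file%.pcap}-$etime.pcap"
}

# Demonstration with a constructed writer instead of tcpdump: appends
# 1000 bytes every 0.1 s to a file named like the original captures,
# under a temporary directory. Prints the rotated file name.
demo() {
    local dir file pid
    dir=$(mktemp -d)
    file="$dir/$(date +%F"@"%H%M%S).pcap"
    ( while :; do head -c 1000 /dev/zero >> "$file"; sleep 0.1; done ) &
    pid=$!
    wait_until_full "$file" 5000 "$pid" 0.2 && rotate_capture "$file" "$pid"
}
```

In maindump.sh the writer is tcpdump started by the same shell, so `wait` reaps it; when the capture was started by monitor_dump.sh instead, `wait` fails silently and only the SIGTERM applies, which is why the `|| true` is there.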