Install tcpdump
The code is as follows:
# yum install tcpdump
A line commented #diy in a script means that the line after it must be customized for your own environment.
The scripts are placed in the home directory; the crontab entries are:
* */6 * * * /bin/bash /home/monitor_dump.sh
* */6 * * * /bin/bash /home/monitor_disk.sh
Choose the time interval in the crontab according to the size of the disk and the amount of traffic.
Because the crontab entry only runs at its scheduled time, start the capture immediately with: nohup sh /home/monitor_dump.sh &
Common vi commands
# vi /etc/crontab
i enters insert (edit) mode
ESC returns to command mode
:wq saves and exits
:q exits
After editing, load the file with: crontab /etc/crontab
main_dump.sh (main capture program)
An endless loop checks every minute so that the program keeps capturing. Because a capture file that grows too large cannot be opened by the analysis tools, each packet file is limited to about 100 MB; when a file reaches the limit the capture is stopped and, after a 5-second pause, the next round of capture begins.
Each day's packet files are placed under /data in a directory named after the date, for example /data/2010-03-08, and stored compressed. The file name format is yyyy-mm-dd@hhmmss-hhmmss.pcap.gz, where yyyy-mm-dd is the date, the first hhmmss is the time (to the second) at which the capture started and the second hhmmss is the time at which it ended.
The code is as follows:
#!/bin/bash
# script name: /home/main_dump.sh
while :
do
    STIME=$(date +%F@%H%M%S)
    DATE_DIR=$(date +%F)
    if [ ! -d /data/$DATE_DIR ]; then
        mkdir -p /data/$DATE_DIR
    fi
    #diy
    # unit: byte; 100MB
    MAXSIZE=100000000
    #diy
    # PID of the running capture (column 2 of ps -ef), empty if none
    DUMPPID=$(ps -ef | grep 'tcpdump -i eth0' | grep pcap | grep -v grep | awk '{print $2}')
    if [ ! "$DUMPPID" ]; then
        #diy
        /usr/sbin/tcpdump -i eth0 host 113.105.152.180 -w /data/$DATE_DIR/$STIME.pcap -s 0 &
    fi
    sleep 1
    #diy
    DUMPPID=$(ps -ef | grep 'tcpdump -i eth0' | grep pcap | grep -v grep | awk '{print $2}')
    # size in bytes of the file being written (column 5 of ls -l); treated as 0 until the file exists
    PACKSIZE=$(ls -l /data/$DATE_DIR | grep "$STIME.pcap" | awk '{print $5}')
    while [ "${PACKSIZE:-0}" -lt "$MAXSIZE" ]; do
        PACKSIZE=$(ls -l /data/$DATE_DIR | grep "$STIME.pcap" | awk '{print $5}')
        sleep 1m
    done
    # SIGTERM lets tcpdump flush its buffer and close the file; wait for it to exit before renaming
    kill $DUMPPID
    while kill -0 $DUMPPID 2>/dev/null; do sleep 1; done
    ETIME=$(date +%H%M%S)
    mv /data/$DATE_DIR/$STIME.pcap /data/$DATE_DIR/$STIME-$ETIME.pcap
    gzip /data/$DATE_DIR/*.pcap
    sleep 5
done
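The main loop above stops tcpdump once the size limit is reached and then renames and compresses the file. If tcpdump is killed before it has flushed its buffer, the last packets are lost and the file may not open in an analyzer at all. The functions below, an added example that is not part of the original scripts, stop the capture with SIGTERM, wait for the process to exit, check that the file really starts with a pcap or pcapng header before renaming and compressing it, and verify the resulting archive. The function names, the 30-second wait and the directory layout are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original main_dump.sh): clean stop of a
# capture plus an integrity check before the file is sealed and compressed.
# Helper names, the 30-second default wait and /data paths are assumptions.

# Return 0 if FILE starts with a known capture-file magic number, 1 otherwise.
pcap_header_ok() {
    file="$1"
    magic=$(od -A n -t x1 -N 4 "$file" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4)  return 0 ;;   # classic pcap, little/big endian
        4d3cb2a1|a1b23c4d)  return 0 ;;   # pcap with nanosecond timestamps
        0a0d0d0a)           return 0 ;;   # pcapng section header block
        *)                  return 1 ;;
    esac
}

# Return 0 while PID is alive. A process that has exited but has not been
# reaped yet still answers "kill -0", so /proc is consulted for a zombie state.
is_running() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/status" ] && grep -q '^State:[[:space:]]*Z' "/proc/$1/status"; then
        return 1
    fi
    return 0
}

# Send SIGTERM to PID and wait up to TIMEOUT seconds (default 30) for it to
# exit; SIGKILL is used only if the process ignores SIGTERM.
stop_process() {
    pid="$1"; timeout="${2:-30}"
    kill "$pid" 2>/dev/null || return 0      # already gone
    i=0
    while is_running "$pid"; do
        i=$((i + 1))
        if [ "$i" -ge "$timeout" ]; then
            echo "pid $pid ignored SIGTERM, sending SIGKILL" >&2
            kill -9 "$pid" 2>/dev/null
            break
        fi
        sleep 1
    done
}

# Seal DIR/STIME.pcap: verify the header, rename to STIME-ETIME.pcap, gzip it
# and test the archive. Returns 1 and leaves the file untouched if it is not
# a readable capture, so a damaged file is never silently archived.
seal_capture() {
    dir="$1"; stime="$2"; etime="$3"
    src="$dir/$stime.pcap"
    pcap_header_ok "$src" || { echo "not a capture file, left in place: $src" >&2; return 1; }
    mv "$src" "$dir/$stime-$etime.pcap"
    gzip "$dir/$stime-$etime.pcap"
    gzip -t "$dir/$stime-$etime.pcap.gz"
}

# What the main loop would call when the size limit is reached:
# rotate_capture "$DUMPPID" "/data/$DATE_DIR" "$STIME"
rotate_capture() {
    stop_process "$1" 30
    seal_capture "$2" "$3" "$(date +%H%M%S)"
}
```

In the main loop, rotate_capture replaces the kill / mv / gzip sequence; because seal_capture refuses files without a valid header, a capture that tcpdump never managed to write (wrong interface, permission problem) stays visible as a stray .pcap instead of becoming an empty archive.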
monitor_dump.sh (capture monitoring script)
To keep the main capture program running, crontab schedules monitor_dump.sh;
it checks whether the main capture program is running and starts it if it is not.
The code is as follows:
#!/bin/bash
# script name: /home/monitor_dump.sh
DATE_DIR=$(date +%F)
STIME=$(date +%F@%H%M%S)
MAINDUMP=$(ps -elf | grep main_dump.sh | grep -v grep)
#diy
DUMPPID=$(ps -ef | grep 'tcpdump -i eth0' | grep pcap | grep -v grep)
# check main programme status; it loops forever, so it must run in the background or this cron job never finishes
if [ ! "$MAINDUMP" ]; then
    nohup /bin/bash /home/main_dump.sh >/dev/null 2>&1 &
    # main_dump.sh starts tcpdump itself, so nothing more to do here
    exit 0
fi
if [ ! "$DUMPPID" ]; then
    #diy
    mkdir -p /data/$DATE_DIR
    /usr/sbin/tcpdump -i eth0 host 113.105.152.180 -w /data/$DATE_DIR/$STIME.pcap -s 0 &
fi
monitor_disk.sh (monitor hard disk space)
Monitors the disk's free space: when disk usage reaches or exceeds 30% (configurable), the directory for the earliest day of captured packets is deleted automatically so that free disk space is preserved.
The code is as follows:
#!/bin/bash
# script name: /home/monitor_disk.sh
#diy
# usage percentage of the capture partition (the "Use%" column of df), without the % sign
FREEDISK=$(df -h | grep '/dev/sda3' | awk '{print $5}' | awk -F% '{print $1}')
# oldest date-named directory under /data (directory names sort chronologically)
HEADMOST=$(ls -l /data | grep ^d | awk '{print $NF}' | sort | head -n 1)
# check free disk status
#diy
if [ "$FREEDISK" -ge 30 ]; then
    rm -rf /data/"$HEADMOST"
fi
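The cleanup above removes exactly one directory per run, picks it by parsing ls -l, and would also pick today's directory if it happened to sort first. The functions below, an added example that is not part of the original monitor_disk.sh, implement the same policy but select only directories whose names have the yyyy-mm-dd form, never touch today's directory (tcpdump is still writing there), read the usage figure with the POSIX df -P format so the column position is stable, and keep deleting the oldest day until usage falls below the threshold. The function names, the /data path and the 30% default are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original monitor_disk.sh): threshold-driven
# pruning of date-named capture directories. Function names, /data and the
# 30% default threshold are assumptions of this example.

# Print the usage percentage (without "%") of the filesystem holding PATH.
# df -P prints one line per filesystem, so the "Use%" column is always $5.
usage_percent() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Print the oldest yyyy-mm-dd directory under DATA_DIR, skipping the one for
# today (or for the date given as $2, used by the tests); print nothing if
# there is no deletable directory. Non-date entries such as lost+found are ignored.
oldest_capture_dir() {
    base="$1"; skip="${2:-$(date +%F)}"
    for d in "$base"/*; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        case "$name" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) continue ;;
        esac
        [ "$name" = "$skip" ] && continue
        echo "$name"
    done | sort | head -n 1
}

# While the filesystem holding DATA_DIR is at or above THRESHOLD percent
# (default 30), remove the oldest day's directory. Returns 0 when usage is
# below the threshold, 1 when nothing deletable is left and usage is still high.
prune_captures() {
    data_dir="$1"; threshold="${2:-30}"
    while [ "$(usage_percent "$data_dir")" -ge "$threshold" ]; do
        victim=$(oldest_capture_dir "$data_dir")
        if [ -z "$victim" ]; then
            echo "usage still >= ${threshold}% but nothing left to prune under $data_dir" >&2
            return 1
        fi
        echo "usage >= ${threshold}%, removing $data_dir/$victim" >&2
        rm -rf -- "$data_dir/$victim"
    done
    return 0
}

# Scheduled use, matching the original script's role:
# prune_captures /data 30
```

The return value lets the cron job surface the case the original script cannot express: usage above the threshold with no old day left to delete, which means the capture filter or the size limit needs revisiting rather than more deletion.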