I was trying to track down the cause of some iptables log messages. I wanted a packet dump while the problem was occurring, but the symptom appears sporadically, with gaps of 15 minutes or so. There’s a lot of traffic flowing through the system in question, so if I left tcpdump running I’d have too much traffic to sort through. What I needed was a way to start tcpdump when the log messages appeared. Luckily for me the messages appear over 10-20 seconds, and I was pretty sure that as long as I grabbed some of them I’d get some insight, even if I missed a couple.
I realized I could just have tail follow the log and stop when a matching line appeared, so that tcpdump could then run. I had to run tcpdump with sudo, and my sudo token might expire before tcpdump was started, so I wrote a script to run under sudo:
#!/bin/sh
# Block until a new WINDOW line shows up: grep -l stops reading at the first
# match, which ends the pipeline and lets the script move on to tcpdump.
tail -n0 -f /var/log/syslog|grep -l WINDOW
# Whole packets (-s0), stop after 1000 packets (-c 1000), no promiscuous mode (-p).
# arp is a filter keyword, so it must be escaped (\\arp in an unquoted shell word
# reaches tcpdump as \arp); "not arp" is the short form of "not ether proto \arp".
tcpdump -nvv -s0 -c 1000 -w /tmp/blarg.pcap -p host 10.2.3.4 and not ether proto \\arp
The -n0 option tells tail to start with zero existing lines of the log file, so grep only sees lines written after the script starts. The earlier messages were already in the log and I didn’t want grep to match on those. I gave tcpdump -s0 so it would capture whole packets and -c 1000 so it would stop after 1000 packets.
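Here is an added example (not the script from the post) that generalizes the same trick: it loops so that every sporadic burst gets its own capture file, and it bounds each capture by a wall-clock timeout as well as a packet count, so a trigger that is followed by little matching traffic cannot leave tcpdump running forever. It assumes GNU tail and grep, tcpdump and coreutils timeout(1); the log path, pattern, interface, filter and output directory are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not the original post's script.
# Assumes GNU tail/grep, tcpdump and coreutils timeout(1).
# All defaults below are placeholders; override them via the environment.
LOG=${LOG:-/var/log/syslog}                  # log that carries the trigger message
PATTERN=${PATTERN:-WINDOW}                   # grep pattern that marks the event
IFACE=${IFACE:-eth0}                         # interface to capture on
FILTER=${FILTER:-host 10.2.3.4 and not arp}  # tcpdump filter expression
OUTDIR=${OUTDIR:-/tmp}                       # where capture files go
MAX_PKTS=${MAX_PKTS:-1000}                   # stop after this many packets ...
MAX_SECS=${MAX_SECS:-60}                     # ... or after this many seconds

# Block until PATTERN appears in a line appended to LOG after we start.
# -n0 skips lines already in the file, -F keeps following across log
# rotation, and grep -q exits on the first match, which ends the pipeline.
wait_for_match() {
    tail -n0 -F "$1" | grep -q -- "$2"
}

# Capture file name built from a timestamp, so repeated triggers never
# overwrite each other and the files sort chronologically.
capture_path() {
    printf '%s/trigger-%s.pcap' "$1" "$2"
}

# One bounded capture. The packet count alone is not enough: if the trigger
# fires but little matching traffic follows, -c is never reached, so
# timeout(1) also ends tcpdump (SIGTERM, on which it flushes the pcap file).
take_capture() {
    out=$(capture_path "$OUTDIR" "$(date +%Y%m%d-%H%M%S)")
    # $FILTER is intentionally unquoted: tcpdump wants it as separate words.
    timeout "$MAX_SECS" tcpdump -n -p -s0 -i "$IFACE" -c "$MAX_PKTS" -w "$out" $FILTER
    echo "$out"
}

# Keep going after each capture so every burst of a long-running problem
# is recorded, not just the first one.
main() {
    while wait_for_match "$LOG" "$PATTERN"; do
        out=$(take_capture)
        echo "$(date '+%F %T') captured $out" >&2
    done
}

# Run the loop only when invoked as: sudo ./trigger_capture.sh run
if [ "${1:-}" = run ]; then
    main
fi
```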