Networking :: Rotating Capture Files Using Tcpdump?
Apr 6, 2010
I would like to set up tcpdump to rotate log file every 1 hour and retain files for the lat 14 days but I don't think any combination of -C and -W would allow me to do that (Atleast I haven't been able to figure it out), so I am trying to rotate the files every X number of MB and retain the last 20 files. This seems to be fairly simple with the '-C X -W 20' option but I am having some trouble in customizing the names of the log files. I have tried '-w capture-$(date +%Y-%M-%d-%H:%M-)' thinking that each file would start with the current date and time but all files are using the date and time when the capture was started so the only difference is the number at the end (which is done by -W). if I can customize the names of the file so that it has the date and time when the capture in started. In fact if I can do that, I dont need the numbers that '-W' appends at the end but I dont know how to get rid of them.
View 4 Replies
ADVERTISEMENT
Oct 20, 2010
writing a script that would keep the last three versions of tcpdump files.Due to the version of tcpdump I must use -C and cannot use -G. Using -C generates a new file after X MB's have been written and adds a .x after each new one. The problem is that these files are filling up the disk too quickly. The main part of the script will kill tcpdump when a certain condition is met but in the meantime I need to purge and only keep say the three last iterations of the dump file. So for example, there is dump.pcap.1, dump.pcap.2, dump.pcap.3, dump.pcap.4 and dump.pcap.5. I'd like the script to look at the datestamps and delete dump.pcap.1 and dump.pcap2 since the other three are the three newest files. comparing files based on dump.pcap.*, check the dates and only keep the three 'youngest' files?
View 5 Replies
View Related
Apr 27, 2010
What is the syntax to capture packets from multiple host through tcpdumptcpdump ip host host1|host2|host3|host3
View 3 Replies
View Related
Mar 29, 2010
I can't get my apache2 log files to rotate on an Ubuntu 8.04 64-bit server install.
Does anybody know of logrotate creates an error log somewhere by default?
Here's my /etc/logrotate.d/apache2 file if someone has any insight if I am doing something wrong.
/var/log/apache2/*.log /var/log/apache2/portal/*.log {
weekly
missingok
rotate 52
nocompress
[Code].....
View 9 Replies
View Related
Oct 10, 2010
how I should go about rotating files that end with a date stamp. This is the configuration I have to rotate my Apache access files, but it is not working:
/var/log/httpd/access_log.* {
compress
daily
rotate 1
copytruncate
missingok
notifempty
}
The files are created with a date extension like the ones below:
[Code]....
View 6 Replies
View Related
Oct 25, 2010
I am trying to configure logrotate on APP/DB servers.As per my backup policy,logs will compress in daily basis and and will be moved to a Central storage device.
My tomcat generate several application logs with date extension as well as .log extension.For eg app.log,app.log.2010-10-23-14,catalina.out,catalina.2010-10-25.log etc.
Currently my tomcat logrotation /etc/logrote.d/
#cat /etc/logroate.d/tomcat/
/usr/local/tomcat/logs/*log {
[code]....
But its rotating logs only with .log extension..ie app.log.2010-10-23-14 (with date extension) is not rotating.If i put "*" instead of "*log",its rotating all files including rotated files. How can i rotate files which is having date extension.Also i dont want to keep rotated logs for more than 3 days.
View 1 Replies
View Related
Jul 3, 2011
I recently installed UBuntu 11.04 and dual booting it with WIndows 7, I really like linux and considering removing W7 and only have Ubuntu But the problem is I can only connect when using an ethernet cable, when it comes to wirelesss, I type my password, yet a ring keep rotating and it never connects. My laptop is HP-G62
View 3 Replies
View Related
Dec 7, 2010
I am trying to create a dump log using tcpdump. I want display the top 10 ip addresses sorted numerically showing how many times the ips are hitting the server. I'm getting frustrated because It's not working how I'd like it to.
View 1 Replies
View Related
Feb 16, 2011
Is there a way to do multiple interfaces in tcpdump? I have found that when using "-i any", not all packets are captured (compared to "-i eth0" on a machine with only one interface). I need to monitor traffic on some machines with as many as 6 interfaces, and get these packets that "-i any" misses. When I give the "-i" option multiple times, it seems to only use the last one.
View 3 Replies
View Related
Oct 18, 2010
I'm trying to capture packets to a file with the -w option but the file is empty yet if I use the '-w -' option to put data on stdout I see plenty of captured packets.I'm using CentOS 5.5 x86
Code:
[root@server ~]# tcpdump -v -i eth0 -w dump -s0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
[code]....
View 2 Replies
View Related
May 27, 2010
I'm running NetWare SLES 10 sp3 with OES2 sp2. I was working with the folks at Novell to resolve an iPrint Print Manager problem.
During the process they wanted to perform a packet capture using tcpdump. While logged in as the root user the error no suitable device was found, and I received no data at all. This server is running on a VMWare Center. On other SLES 10 sp3 systems (residing on that same VMWre Center), tcpdump captures packets just fine. I inherited all of these servers, so I wasn't here during the initial build, but I'd make the guess that they were configured similarly. On a Server that I built recently, tcpdump works fine. On two of my Servers it does not, and gives the mentioned error.
It's not that big a deal, otherwise the Servers are communicating and working just fine. But, I'd like to get it working just because it's supposed to work. Students are off for the summer, so I have time to play.
View 5 Replies
View Related
Jan 24, 2011
The only window that's open is the terminal running this command, no pidgin, skype, samba, torrent or anything I can think of is using the network yet there is ***** load of output from tcpdump. I was hoping to use this to check where certain applications connect to and what messages they send but when I'm doing nothing there is already more output than I can go through. Running tcpdump for less than 10 seconds gives me the following output:
Code:
16:13:22.015683 IP ns.hihkptt.net.cn.domain > desk.local.56598: 46887 1/2/2 (166)
16:13:22.016251 IP ns.hihkptt.net.cn.domain > desk.local.60099: 21168 1/2/2 (166)
16:13:22.016743 IP ns.hihkptt.net.cn.domain > desk.local.42325: 50346 1/2/2 (166)
16:13:22.034733 IP ns.hihkptt.net.cn.domain > desk.local.41441: 63658 1/2/0 (134)
16:13:22.035215 IP ns.hihkptt.net.cn.domain > desk.local.42865: 37537 1/2/0 (134)
16:13:22.036124 IP ns.hihkptt.net.cn.domain > desk.local.35006: 7520 1/2/0 (134)
16:13:22.036569 IP ns.hihkptt.net.cn.domain > desk.local.38480: 51322 1/2/0 (134)
16:13:22.066006 ARP, Reply 192.168.0.1 is-at 00:b0:0c:02:60:9c (oui Unknown), length 46 .....
View 2 Replies
View Related
Nov 21, 2010
I am trying dump some packets using tcpdump and it does not seem to be working.
System is fedora12
TCPDUMP v4.1
Libpcap v1.0
I even rolled my own,
TCPDUMP v4.1.1
libpcap v1.1.1
View 1 Replies
View Related
Feb 16, 2010
I have configured NFS Server on CentOS 5.2 with IBM Web Server,which is having AIX 5.3 The IBM Web Server can upload all data onto NFS Server. Now, Today i was having slow response on IBM Web Server & by measuring the NFS, i found below error while running "tcpdump" command on CentOS Server.
tcpdump -n -i eth1 | grep 2049
18:36:37.237451 IP 10.100.19.241.2049 > 10.100.19.88.1758143293: reply ok 1448 read [|nfs]
18:36:37.237476 IP 10.100.19.241.2049 > 10.100.19.88.539981409: reply ERR 1448
18:36:37.237481 IP 10.100.19.241.2049 > 10.100.19.88.796287348: reply ERR 1448
[code]....
I have changed Network Card in CentOS. All LAN is on Gigabit Network. Also I have changed the Network Cable(Patch Cord). But,still no response.
View 3 Replies
View Related
Mar 30, 2011
I have a linux box with two interfaces: eth0 is a builtin and eth1 is a USB-LAN.
There is an IP configured on eth1.
eth0 is up but no IP is configured. This interface is used for sniffing with tcpdump.
The problem is that eth0 frequently stops receiving packets -- my tcpdump captures are empty, and if I look at the interface stats with ifconfig, I can see that no packets are received.
If I bounce the interface (ifconfig eth0 down; ifconfig eth0 up), it starts receiving packets again.
View 1 Replies
View Related
May 20, 2010
I am running a test to determine when packet drops occur. I'm using a Spirent TestCenter through a switch (necessary to aggregate Ethernet traffic from 5 ports to one optical link) to a server using a Myricom card.While running my test, if the input rate is below a certain value, ethtool does not report any drop (except dropped_multicast_filtered which is incrementing at a very slow rate). However, tcpdump reports X number of packets "dropped by kernel". Then if I increase the input rate, ethtool reports drops but "ifconfig eth2" does not. In fact, ifconfig doesn't seem to report any packet drops at all. Do they all measure packet drops at different "levels", i.e. ethtool at the NIC level, tcpdump at the kernel level etc?nd am I right to say that in the journey of an incoming packet, the NIC level is the "so-called" first level, then the kernel, then the user application? So any packet drop is likely to happen first at the NIC, then the kernel, then the user application? So if there is no packet drop at the NIC, but packet drop at the kernel, then the bottleneck is not at the NIC?
View 1 Replies
View Related
May 6, 2010
I have a need to make a rather odd filter in tcpdump- I would like to capture only all those packages on interface eth0, that are outgoing(in other words from IP 192.168.1.1, which is IP for eth0 in this computer) and doesn't have src MAC address 11:22:33:44:55:66. However, fallowing command says, that syntax is wrong:
Code:
tcpdump -n -p -i eth0 src host 192.168.1.1 ether src not 11:22:33:44:55:66
Is this possible? If yes, then what is the correct command?
View 3 Replies
View Related
Feb 21, 2011
How to convert Tcpdump output file to a Pcap format? Is there such way?
This is what i mean:
tcpdump -i eth0 >> test.out
Now i want to convert test.out to Pcap so It's readable via Wireshark.
View 5 Replies
View Related
Jan 11, 2011
I have a WAN network that i need to do some analysis on, for the traffic flows. I did lots of googling to figure out what useful tool to collect the packet informations.I found this site [URL]..witch i made great use of to recognize the tcpdum tool. I also have a network simulator on windows platform wich is Opnet Guru, (by the way.. is there a linux version for this simulator?).
MY QUESTION IS: How can i feed the Opnet Guru with the flows data collected with the
Code:
tcpdump
with its different options?
NOTE: in the Opnet Guru invironment there is an object called the profile that is beeing used to customize and genarate data flows with the desired characteristics to simulate the real flows. So i need to feed the Opnet with the fresh data collected with the tcpdump tool (command) instead of using the built-in profile.. i hope i was clear enough..
View 3 Replies
View Related
May 19, 2010
I have a question regarding packet drops. I am running a test to determine when packet drops occur. I'm using a Spirent TestCenter through a switch (necessary to aggregate Ethernet traffic from 5 ports to one optical link) to a server using a Myricom card. While running my test, if the input rate is below a certain value, ethtool does not report any drop (except dropped_multicast_filtered which is incrementing at a very slow rate). However, tcpdump reports X number of packets "dropped by kernel". Then if I increase the input rate, ethtool reports drops but "ifconfig eth2" does not.
In fact, ifconfig doesn't seem to report any packet drops at all. Do they all measure packet drops at different "levels", i.e. ethtool at the NIC level, tcpdump at the kernel level etc? And am I right to say that in the journey of an incoming packet, the NIC level is the "so-called" first level, then the kernel, then the user application? So any packet drop is likely to happen first at the NIC, then the kernel, then the user application? So if there is no packet drop at the NIC, but packet drop at the kernel, then the bottleneck is not at the NIC?
View 1 Replies
View Related
Feb 19, 2010
I have set the iptables INPUT policy to DROP. As I have expected tcpdump wasn't showing any packages... for a while. Suddenly it begun to show UDP syslog packages being sent by a remote host. It is conform with the configuration of syslog, but since the INPUT policy was set to DROP, with no exceptions, it is not conform with configuration of iptables. Why after setting INPUT policy to DROP, with no exceptions most of the packets recieved before are being dropped and some not, as tcpdump shows?
View 7 Replies
View Related
Jan 15, 2011
I have a WAN network that i need to do some analysis on, for the traffic flows. I did lots of googling to figure out what useful tool to collect the packet informations.I found this site http://scrutin.wordpress.com/2007/04...-tcpdump/witch i made great use of to recognize the tcpdum tool.
I also have a network simulator on windows platform wich is Opnet Guru, (by the way.. is there a linux version for this simulator?).
MY QUESTION IS::
How can i feed the Opnet Guru with the flows data collected with the
Code:
tcpdumpwith its different options?
NOTE: in the Opnet Guru invironment there is an object called the profile that is being used to customize and genarate data flows with the desired characteristics to simulate the real flows. So i need to feed the Opnet with the fresh data collected with the tcpdump tool (command) instead of using the built-in profile.
View 1 Replies
View Related
Aug 13, 2010
What is the best analogue capture program please to capture Austar.
View 1 Replies
View Related
Jun 11, 2009
I have a network like
Node A to Vlan Switch
Node B to Vlan Switch
Node C to Vlan Switch
Node B is set up to be a middle man between A and C.
All nodes have 1 NIC.
They are all linux boxes. Node B can ping Node C. When I try to ping Node C from Node A, the ping just hangs forever.
When I use Wireshark to sniff What's going on with Node B during a ping from Node A to Node C, I can see an ICMP request with src = Node A and dest = Node C. I'd like to know if that ICMP packet was received by B from A or if it is going out. If it's going out, that makes no sense since B knows how to send to C. If B is only getting the requests but not forwarding them, then I know there is something wrong with B's configuration.
So I'd like to be able to sniff incoming packets only, or outgoing packets only. Is there a way to do this?
View 1 Replies
View Related
Jul 23, 2010
I have a USB 500 GiB Disk, but when I connect it to my computer it start spinning at full speed without me trying to access it, is it normal?
View 3 Replies
View Related
Jan 6, 2009
Got a Ubuntu system. Have a device on my LAN that can send Syslog messages.
I would like to:
1. Capture these specific syslog messages.
2. Keep them separate from any other syslog activity on the Ubuntu system.
3. View these syslog messages later.
View 1 Replies
View Related
Jan 17, 2010
Fedora 12 64-bit
Asus mobo M4A78-E
Samsung 2494HM display
The captioned display support 90 deg rotation. Which software do I need to install? Tried editing /etc/X11/xorg.conf as;
Code:
Section "Device"
Identifier "Videocard0"
Driver "radeon"
Option "Rotate" "90"
Restart X and rotate the display 90 deg. It doesn't work.
View 3 Replies
View Related
Aug 1, 2011
In GIMP, can I rotate an image by only a few degrees? It's a scanned image of a crooked xerox copy, and I want to straighten it. I see options only for rotating by 90 or 180 degrees.
View 6 Replies
View Related
May 29, 2010
Does ubuntu have anything similar to window's program Cain & Abel for wireless packet capture?
View 1 Replies
View Related
Dec 9, 2010
I'm using tcpdump and tcptrace to track all incoming and outgoing data packets through my network interfaces. But I fail to monitor the voip data for skype that way, although it works well with http port 80, for example.
I want to track the ip address of the data packets for skype, i.e. know the ip address of the other one speaking at the other end of skype. How can I achieve this?
I've checked the port setting in my skype and I'm sure I'm listening on the right port. But nothing is showing up while I'm in connection with skype.
View 2 Replies
View Related
