Alexander Kolomyts, 2018-07-07 18:16:12
CentOS

How to organize tcpdump's logrotate .pcap files?

Hello. Please tell me how to rotate pcap files properly. It seems I have already tried every option in the config files, but it doesn't work out the way I want.
And I want this:
1) tcpdump writes logs for days on end, it is advisable to split it hourly, so that it is more convenient to analyze the current incident
2) you can not archive .pcap files for today and yesterday
3) and the number of archives is needed for the last 7 days
Points 1 and 2 worked out fine: tcpdump -G 3600 -w /file.pcap plus logrotate with daily and compress did a great job.
But for some reason logrotate failed at point 3, and I couldn't understand why :(
Centos7x64

/etc/systemd/system/tcpdumpd.service
[Unit]
After=network.target

[Service]
Restart=always
RestartSec=30
Environment="TCPDUMP_FORMAT=%%Y-%%m-%%d__%%H-%%M"
ExecStartPre=/bin/mkdir -p /var/log/tcpdumpd/
ExecStart=/sbin/tcpdump -nqU -s 0 -A -i eth0 port 5060 or port 5160 -G 3600 -w '/var/log/tcpdumpd/sipdump_${TCPDUMP_FORMAT}.pcap'
ExecStop=/bin/kill -s QUIT $MAINPID

[Install]
WantedBy=multi-user.target

/etc/logrotate.d/tcpdumpd
/var/log/tcpdumpd/*.pcap {
        daily
        missingok
        rotate 48
        compress
        ifempty
        nocreate
}

With this configuration, the file list came out like this:
(about 800 .gz files here, i.e. not a single file was deleted during rotation)
-rw-r--r-- 1 tcpdump tcpdump  268692 Jul  4 20:00 sipdump_2018-07-04__19-00.pcap-20180706.gz
-rw-r--r-- 1 tcpdump tcpdump  269453 Jul  4 21:00 sipdump_2018-07-04__20-00.pcap-20180706.gz
-rw-r--r-- 1 tcpdump tcpdump 1824929 Jul  4 22:00 sipdump_2018-07-04__21-00.pcap-20180706.gz
-rw-r--r-- 1 tcpdump tcpdump  258716 Jul  4 23:00 sipdump_2018-07-04__22-00.pcap-20180706.gz
-rw-r--r-- 1 tcpdump tcpdump  255119 Jul  4 23:59 sipdump_2018-07-04__23-00.pcap-20180706.gz
-rw-r--r-- 1 tcpdump tcpdump  257657 Jul  5 00:59 sipdump_2018-07-05__00-00.pcap-20180706.gz
-rw-r--r-- 1 tcpdump tcpdump  259304 Jul  5 01:59 sipdump_2018-07-05__01-00.pcap-20180706.gz
-rw-r--r-- 1 tcpdump tcpdump  302674 Jul  5 03:00 sipdump_2018-07-05__02-00.pcap-20180706.gz
-rw-r--r-- 1 tcpdump tcpdump  331481 Jul  5 04:00 sipdump_2018-07-05__03-00.pcap-20180706.gz
-rw-r--r-- 1 tcpdump tcpdump 2565612 Jul  5 05:00 sipdump_2018-07-05__04-00.pcap
-rw-r--r-- 1 tcpdump tcpdump 2465601 Jul  5 06:00 sipdump_2018-07-05__05-00.pcap
-rw-r--r-- 1 tcpdump tcpdump 2429670 Jul  5 07:00 sipdump_2018-07-05__06-00.pcap
-rw-r--r-- 1 tcpdump tcpdump 2414568 Jul  5 08:00 sipdump_2018-07-05__07-00.pcap
-rw-r--r-- 1 tcpdump tcpdump 2579105 Jul  5 09:00 sipdump_2018-07-05__08-00.pcap
-rw-r--r-- 1 tcpdump tcpdump 2788131 Jul  5 10:00 sipdump_2018-07-05__09-00.pcap


I suspected that logrotate treats each sipdump_${TCPDUMP_FORMAT}.pcap file as new and accordingly creates only one .gz archive for each.
I changed /etc/systemd/system/tcpdumpd.service:
[Unit]
After=network.target

[Service]
Restart=always
RestartSec=30
ExecStartPre=/bin/mkdir -p /var/log/tcpdumpd/
ExecStart=/sbin/tcpdump -nqU -s 0 -A -i eth0 port 5060 or port 5160 -G 86400 -w '/var/log/tcpdumpd/sipdump.pcap'
ExecStop=/bin/kill -s QUIT $MAINPID

[Install]
WantedBy=multi-user.target


And I changed the logrotate options in /etc/logrotate.d/tcpdumpd:
/var/log/tcpdumpd/*.pcap {
        hourly
        start 0
        missingok
        rotate 3
        compress
        shred
        shredcycles 3
        copytruncate
        dateext
        dateformat -%Y-%m-%d__%H-00
}


Now the sipdump.pcap file itself is being written, logrotate rotates it and 3 archives remain, but when I open the rotated pcap file I get the error "Couldn't open pcap file sipdump.pcap-2018-07-07__15-00: unknown file format".
So how is this actually done properly?
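The retention described in the question (hourly files from tcpdump -G, today's and yesterday's captures left uncompressed, seven days of archives) can be done without logrotate, whose "rotate N" counts the rotated copies of one log name, so a name that appears only once is never expired. The following is an added example and not the asker's code: a POSIX shell script that expires and compresses the timestamped captures by age with find, and checks each capture's header, because a file truncated underneath tcpdump (as copytruncate does) loses the global header tcpdump writes only once at open, which is exactly what readers report as "unknown file format". The directory layout, the sipdump_ prefix and GNU find/gzip/od/touch are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original question or of tcpdump/logrotate.
# Retention for hourly captures written by
#   tcpdump -G 3600 -w '/var/log/tcpdumpd/sipdump_%Y-%m-%d__%H-%M.pcap'
# (the layout used in the question), done with find instead of logrotate.
# Assumptions: GNU find/gzip/od, and that only tcpdump writes into the directory.

# Check the pcap global header that tcpdump writes once when it opens a file.
# Prints "ok" for pcap (either byte order, micro- or nanosecond timestamps)
# or pcapng, "bad" otherwise. A capture truncated underneath tcpdump loses
# this header, and readers then report "unknown file format".
pcap_magic_ok() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) echo ok ;;
        *) echo bad ;;
    esac
}

# Print the path of every uncompressed capture in $1 that fails the header check.
find_broken_pcaps() {
    for f in "$1"/sipdump_*.pcap; do
        [ -f "$f" ] || continue
        [ "$(pcap_magic_ok "$f")" = ok ] || echo "$f"
    done
}

# Retention matching the three requirements from the question:
#  - captures are already split hourly by tcpdump -G, so nothing is copied or truncated;
#  - files modified within the last day (today's and yesterday's) stay uncompressed;
#  - older finished captures are gzipped, and anything older than a full week is removed.
# -mtime +1 never matches the hour tcpdump is currently writing, so the open file is untouched.
rotate_pcaps() {
    dir=$1
    find "$dir" -maxdepth 1 -type f \
        \( -name 'sipdump_*.pcap' -o -name 'sipdump_*.pcap.gz' \) \
        -mtime +7 -exec rm -f -- {} +
    find "$dir" -maxdepth 1 -type f -name 'sipdump_*.pcap' \
        -mtime +1 -exec gzip -f {} +
}

# Usage (e.g. from an hourly cron job): sh pcap_retention.sh /var/log/tcpdumpd
if [ $# -eq 1 ]; then
    find_broken_pcaps "$1"
    rotate_pcaps "$1"
fi
```

Because tcpdump itself starts a fresh file every hour, nothing here copies or truncates a capture that is still open, which is the step that broke the second logrotate configuration in the question. Running find_broken_pcaps from the same cron job gives an early warning if a capture ever ends up without a header.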


1 answer(s)
Alexander Kolomyts, 2018-07-07
@13Arhangel

It seems something happened with tcpdump. I reviewed the configs and restarted the services; after that the files are created as needed and open fine. :)
