
Using tcpdump

by 눈꽃산행, 2021. 5. 21.

tcpdump file rotation option (-G)

http://www.tcpdump.org/manpages/tcpdump.1.html


-G  rotate the output file every N seconds
If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous.

-w  write to a file
Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is “-”.
This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received.
Use the -U flag to cause packets to be written as soon as they are received.
See pcap-savefile(5) for a description of the file format.

-W  maximum number of files
Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a ‘rotating’ buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.

-Z  user to run as (privilege drop)
If tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output, change the user ID to user and the group ID to the primary group of user.
This behavior is enabled by default (-Z tcpdump), and can be disabled by -Z root.

-C  file size
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).


Test OS: CentOS 6.X x86
:: Create a rotating capture file named test.pcap every 5 seconds (overwriting the same file)
# tcpdump -nn net 115.68 -G 5 -w test.pcap
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
tcpdump: aaa: Permission denied

# ls -l aaa
-rw-r--r-- 1 tcpdump tcpdump 80299 Sep 11 13:29 test.pcap
※ Cause: the file was created owned by the tcpdump user, because tcpdump drops to the tcpdump user by default (-Z tcpdump) before opening the savefile.

Capture to a file named test.pcap every 5 seconds with the file owned by root (overwritten every 5 seconds)
# tcpdump -nn net 115.68 -G 5 -w test.pcap -Z root


Example 1)
Split every 5 seconds into files named by timestamp
# tcpdump -nn net 115.68 -G 5 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -Z root

# ls -al trace_2014-09-11*
-rw-r--r-- 1 root root 130470 Sep 11 13:36 trace_2014-09-11_13:35:55.pcap
-rw-r--r-- 1 root root 128020 Sep 11 13:36 trace_2014-09-11_13:36:00.pcap
-rw-r--r-- 1 root root 169068 Sep 11 13:36 trace_2014-09-11_13:36:05.pcap
-rw-r--r-- 1 root root 141378 Sep 11 13:36 trace_2014-09-11_13:36:10.pcap
-rw-r--r-- 1 root root 111066 Sep 11 13:36 trace_2014-09-11_13:36:15.pcap
-rw-r--r-- 1 root root 116596 Sep 11 13:36 trace_2014-09-11_13:36:21.pcap
-rw-r--r-- 1 root root 80460 Sep 11 13:36 trace_2014-09-11_13:36:26.pcap
-rw-r--r-- 1 root root 87421 Sep 11 13:36 trace_2014-09-11_13:36:31.pcap
-rw-r--r-- 1 root root 169819 Sep 11 13:36 trace_2014-09-11_13:36:37.pcap
-rw-r--r-- 1 root root 96685 Sep 11 13:36 trace_2014-09-11_13:36:42.pcap
-rw-r--r-- 1 root root 73052 Sep 11 13:36 trace_2014-09-11_13:36:47.pcap


Example 2)
Split every 5 seconds into timestamped files, but limit the number of files to 5 (with -G, reaching the -W limit makes tcpdump stop, as the "Maximum file limit reached" message below shows)
# tcpdump -nn net 115.68 -G 5 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -Z root -W 5
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Maximum file limit reached: 5

# tcpdump -nn net 115.68 -G 5 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -Z root
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C2918 packets captured
2918 packets received by filter
0 packets dropped by kernel

# ls -al trace_2014-09-11*
-rw-r--r-- 1 root root 70984 Sep 11 13:39 trace_2014-09-11_13:39:15.pcap
-rw-r--r-- 1 root root 63027 Sep 11 13:39 trace_2014-09-11_13:39:20.pcap
-rw-r--r-- 1 root root 105150 Sep 11 13:39 trace_2014-09-11_13:39:25.pcap
-rw-r--r-- 1 root root 92381 Sep 11 13:39 trace_2014-09-11_13:39:30.pcap
-rw-r--r-- 1 root root 60955 Sep 11 13:39 trace_2014-09-11_13:39:36.pcap


Example 3)
Split by file size (a new file every 1 MB)
# tcpdump -nn net 115.68 -C 1 -w packet.pcap -Z root

# ls -al packet.pcap*
-rw-r--r-- 1 root root 1000986 Sep 11 13:54 packet.pcap
-rw-r--r-- 1 root root 1000230 Sep 11 13:54 packet.pcap1
-rw-r--r-- 1 root root 1000063 Sep 11 13:54 packet.pcap2
-rw-r--r-- 1 root root 1000988 Sep 11 13:54 packet.pcap3
-rw-r--r-- 1 root root 1001466 Sep 11 13:54 packet.pcap4
-rw-r--r-- 1 root root 1000023 Sep 11 13:54 packet.pcap5
-rw-r--r-- 1 root root 1000261 Sep 11 13:54 packet.pcap6
-rw-r--r-- 1 root root 1001266 Sep 11 13:54 packet.pcap7
-rw-r--r-- 1 root root 1001003 Sep 11 13:54 packet.pcap8


Example 4)
Split by file size with a maximum of 3 files (tcpdump does not stop after creating 3 files; the file count is capped at 3 and it keeps overwriting them in rotation)
# tcpdump -nn net 115.68 -C 1 -w packet.pcap -Z root -W 3
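The following POSIX sh wrapper is an added example, not part of the original post and not tcpdump's own code. It ties together the -G/-W (Examples 1 and 2) and -C/-W (Examples 3 and 4) behaviour shown above and catches, before any capture starts, the two pitfalls the post ran into: a -G rotation whose -w name has no strftime conversion silently overwrites one file, and tcpdump drops to the unprivileged tcpdump user (-Z tcpdump) before opening savefiles, so the output directory must be writable by that user. Keeping -Z tcpdump and chowning the directory is the least-privilege fix instead of -Z root. The interface name eth0, the filter net 115.68, the tcpdump user name and the su invocation are assumptions taken from the post's environment.

```shell
#!/bin/sh
# Added example (not from the original post): build a tcpdump ring-buffer
# command line and check the two pitfalls before running it.
# Assumptions: interface eth0, filter "net 115.68", capture user "tcpdump".

# has_time_format TEMPLATE -> 0 if TEMPLATE contains a strftime conversion
# (%Y, %H, ...), which -G needs so that each rotation gets a new file name
has_time_format() {
    case "$1" in
        *%[A-Za-z]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# retention MODE N COUNT -> how much capture the -W file cap covers:
#   time: -G N -W COUNT -> N*COUNT seconds, after which tcpdump stops (Example 2)
#   size: -C N -W COUNT -> N*COUNT MB (units of 1,000,000 bytes), after which
#         the oldest files are overwritten in rotation (Example 4)
retention() {
    case "$1" in
        time) echo "$(( $2 * $3 ))s" ;;
        size) echo "$(( $2 * $3 ))MB" ;;
        *)    echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# build_cmd MODE N COUNT TEMPLATE [IFACE] [FILTER] -> prints the tcpdump
# command line; fails when a -G rotation would overwrite a single file
build_cmd() {
    mode=$1; n=$2; count=$3; template=$4
    iface=${5:-eth0}; filter=${6:-"net 115.68"}
    case "$mode" in
        time)
            if ! has_time_format "$template"; then
                echo "refusing: -G with no strftime format in '$template' overwrites one file" >&2
                return 1
            fi
            rot="-G $n" ;;
        size) rot="-C $n" ;;
        *)    echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # -W caps the file count; -Z tcpdump is the default, written out explicitly
    echo "tcpdump -nn -i $iface $filter $rot -W $count -Z tcpdump -w '$template'"
}

# check_outdir DIR [USER] -> 0 if DIR is writable by USER (default: tcpdump).
# Only root can test on behalf of another user; otherwise the current user is
# tested. -s /bin/sh is needed because the tcpdump user has no login shell.
check_outdir() {
    dir=$1; user=${2:-tcpdump}
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        su -s /bin/sh -c "test -w '$dir'" "$user"
    else
        test -w "$dir"
    fi
}

# Usage: ./ring.sh demo  -> prints both ring configurations and checks "."
if [ "${1:-}" = "demo" ]; then
    echo "time ring covers: $(retention time 5 5)"
    build_cmd time 5 5 'trace_%Y-%m-%d_%H:%M:%S.pcap'
    echo "size ring covers: $(retention size 1 3)"
    build_cmd size 1 3 packet.pcap
    if check_outdir .; then
        echo "output dir writable by capture user"
    else
        echo "output dir not writable: chown it to the capture user instead of using -Z root"
    fi
fi
```

Run it with `demo` as the only argument; `build_cmd time 5 5 test.pcap` is rejected, which is exactly the overwrite the post's first attempt produced, while the size-based ring accepts a plain name because -C appends its own numeric suffix.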

https://idchowto.com/?p=2227 
