I capture traffic on a server interface remotely by sending commands over ssh to a shell script that controls tcpdump.
#!/bin/bash
# Script to start/stop tcpdump
# Usage: ./ControlTCPdump.sh start|stop [filename]
CONSOLE_OUTPUT="tcpdump$(date +%m%d).console"
HOST_NAME=$(hostname)
# Default filename:
if [ -z "$2" ]; then
    FILENAME="traffic.dmp"
else
    FILENAME="$2"
fi

# Start tcpdump detached from this (ssh) session. Its stdout and stderr, which
# carry the packet counters tcpdump prints on exit, are appended to the console log.
start_tcpdump() {
    nohup tcpdump -s 96 -w "$FILENAME" -i em2 -n tcp >> "$CONSOLE_OUTPUT" 2>&1 &
    echo "[$HOST_NAME] TCPdump is started!"
}

# tcpdump_running: succeeds when at least one tcpdump process exists.
tcpdump_running() {
    pidof tcpdump > /dev/null
}

case "$1" in
start)
    echo "$(date) $FILENAME" >> "$CONSOLE_OUTPUT"
    if ! tcpdump_running; then
        start_tcpdump
    else
        echo "[$HOST_NAME] There is a running process. Kill all!"
        killall -q tcpdump   # quiet, don't talk
        sleep 1
        if ! tcpdump_running; then
            echo "[$HOST_NAME] Restarting TCPdump..."
            start_tcpdump
        else
            echo "[$HOST_NAME] Error! Cannot kill them!"
            exit 1   # non-zero so the remote ssh caller can see the failure
        fi
    fi
    ;;
stop)
    # SIGTERM makes tcpdump flush and close the capture file before it exits.
    # killall handles several tcpdump processes; kill "$(pidof tcpdump)" would not.
    if tcpdump_running; then
        killall -q tcpdump
    fi
    sleep 1
    if ! tcpdump_running; then
        echo "[$HOST_NAME] TCPdump is stopped!"
    else
        echo "[$HOST_NAME] Error! Cannot kill them!"
        exit 1
    fi
    ;;
*)
    echo "[$HOST_NAME] Syntax error!" >&2
    exit 1
    ;;
esac
The report says it has captured thousands of packets. But when I look at the tcpdump cap file, it is empty and there are problems reading it with tcptrace.
...
Mon Mar 25 23:25:48 CET 2013 CapturedTraffic201303252230/Traffic30.dmp
tcpdump: listening on em2, link-type EN10MB (Ethernet), capture size 96 bytes
1403831 packets captured
1403831 packets received by filter
0 packets dropped by kernel
Mon Mar 25 23:27:28 CET 2013 CapturedTraffic201303252230/Traffic31.dmp
tcpdump: listening on em2, link-type EN10MB (Ethernet), capture size 96 bytes
1378692 packets captured
1378692 packets received by filter
0 packets dropped by kernel
...
The symptom looks like this (I use "ls -l" to see the file sizes):
...
-rw-r--r--. 1 root root 105206180 Mar 25 16:37 Traffic05.dmp
-rw-r--r--. 1 root root 117855276 Mar 25 16:39 Traffic06.dmp
-rw-r--r--. 1 root root 109911288 Mar 25 16:40 Traffic07.dmp
-rw-r--r--. 1 root root 121505444 Mar 25 16:42 Traffic08.dmp
-rw-r--r--. 1 root root 110303300 Mar 25 16:43 Traffic09.dmp
-rw-r--r--. 1 root root 120444026 Mar 25 16:45 Traffic10.dmp
-rw-r--r--. 1 root root 98545664 Mar 25 16:46 Traffic11.dmp
-rw-r--r--. 1 root root 0 Mar 25 16:48 Traffic12.dmp
-rw-r--r--. 1 root root 0 Mar 25 16:50 Traffic13.dmp
-rw-r--r--. 1 root root 0 Mar 25 16:51 Traffic14.dmp
-rw-r--r--. 1 root root 0 Mar 25 16:53 Traffic15.dmp
-rw-r--r--. 1 root root 0 Mar 25 16:54 Traffic16.dmp
...
Sometimes it works, sometimes it doesn't. Has anyone run into this kind of problem before? Thank you very much for helping me.
Answer 0 (score: -1)
I tried your script; a few points (unrelated to your problem).
You set HOSTNAME (which, by the way, is already set by default), but you always use HOST_NAME. Maybe you wanted to set HOST_NAME?
The last else of the script should be fi.
That said, the file is written to disk once it reaches a certain amount (i.e. the buffer). You can force it with sync. For example:
[root@pc-elisiano /home/elisiano/Projects/ctcpd ]# ls -al
total 16
drwxr-xr-x 2 root root 4096 Mar 26 10:51 .
drwxr-xr-x 5 elisiano users 4096 Mar 26 10:43 ..
-rwxr-xr-x 1 elisiano users 1327 Mar 26 10:49 ControlTCPdump.sh
-rw-r--r-- 1 root root 119 Mar 26 10:51 tcpdump0326.console
-rw-r--r-- 1 root root 0 Mar 26 10:51 traffic.dmp
# sync
# ls -al
total 24
drwxr-xr-x 2 root root 4096 Mar 26 10:51 .
drwxr-xr-x 5 elisiano xbmc 4096 Mar 26 10:43 ..
-rwxr-xr-x 1 elisiano users 1327 Mar 26 10:49 ControlTCPdump.sh
-rw-r--r-- 1 root root 119 Mar 26 10:51 tcpdump0326.console
-rw-r--r-- 1 root root 8192 Mar 26 10:51 traffic.dmp
Could you paste the console output from a run where it did not work?
Also, are you hitting a file-system limit on file size?
To debug this, you could launch your tcpdump in a terminal multiplexer (e.g. screen or tmux) and let it run there (even if you detach your session). That way (when you reattach the session) you can see any other output.
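The asker's start/stop script and the answer's point about buffered writes both come down to the same missing check: before a start or stop reports success, confirm that tcpdump really exited and that the file it left behind is a real, non-empty capture. The shell helper below is an added example, not the asker's script or the answer's code. It assumes tcpdump is in PATH, the caller has capture privileges, the interface is passed as an argument (em2 on the asker's host), and a pidfile under /tmp; the function names (capture_start, capture_stop, capture_check, capture_stats) and the pidfile path are hypothetical. It uses tcpdump's -U (--packet-buffered) option so each packet is written to the file as it is captured instead of sitting in a stdio buffer, validates the pcap header and size after the stop, and reads tcpdump's exit counters from the log so a non-zero "packets dropped by kernel" is flagged.

```shell
#!/bin/sh
# Added example (not the asker's script): tcpdump capture control with a
# post-stop validity check. Assumptions: tcpdump in PATH, capture privileges,
# interface given by the caller; PIDFILE path and function names are hypothetical.

PIDFILE="${PIDFILE:-/tmp/capture-tcpdump.pid}"

# pcap_magic FILE: first four bytes of FILE as lowercase hex without spaces.
pcap_magic() {
    od -A n -t x1 -N 4 "$1" | tr -d ' \n'
}

# capture_check FILE: return 0 if FILE is a non-empty capture with a recognised
# pcap/pcapng header, 1 if it is missing, empty, truncated or not a capture.
capture_check() {
    f="$1"
    [ -f "$f" ] || { echo "capture_check: missing $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    # 24 bytes is the pcap global header; a complete file with no packets is exactly 24.
    if [ "$size" -lt 24 ]; then
        echo "capture_check: $f is $size bytes (empty or truncated)" >&2
        return 1
    fi
    case "$(pcap_magic "$f")" in
        d4c3b2a1|a1b2c3d4) ;;        # pcap, little/big endian, microsecond timestamps
        4d3cb2a1|a1b23c4d) ;;        # pcap with nanosecond timestamps
        0a0d0d0a) ;;                 # pcapng section header block
        *) echo "capture_check: $f has no pcap header" >&2; return 1 ;;
    esac
    return 0
}

# capture_stats LOG: summarise the three counters tcpdump prints on exit,
# e.g. "captured=1403831 received=1403831 dropped=0". The unquoted $(...)
# deliberately word-splits so the three lines are joined with single spaces.
capture_stats() {
    echo $(sed -n \
        -e 's/^\([0-9][0-9]*\) packets captured$/captured=\1/p' \
        -e 's/^\([0-9][0-9]*\) packets received by filter$/received=\1/p' \
        -e 's/^\([0-9][0-9]*\) packets dropped by kernel$/dropped=\1/p' "$1")
}

# capture_start IFACE FILE: run tcpdump detached with packet-buffered writes (-U),
# record its pid, and fail if it died within a second (bad interface, no permission).
capture_start() {
    iface="$1"; out="$2"
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "capture already running, pid $(cat "$PIDFILE")" >&2
        return 1
    fi
    nohup tcpdump -U -s 96 -n -i "$iface" -w "$out" tcp > "$out.log" 2>&1 &
    echo $! > "$PIDFILE"
    sleep 1
    if ! kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        cat "$out.log" >&2
        rm -f "$PIDFILE"
        return 1
    fi
}

# capture_stop FILE: SIGTERM tcpdump (it flushes and closes FILE on exit), wait
# for it to go away, then validate FILE and report the exit counters from the log.
capture_stop() {
    out="$1"
    pid=$(cat "$PIDFILE" 2>/dev/null) || { echo "no capture running" >&2; return 1; }
    kill "$pid" 2>/dev/null || true
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
    done
    rm -f "$PIDFILE"
    capture_check "$out" || return 1
    stats=$(capture_stats "$out.log")
    echo "$stats"
    case "$stats" in
        *dropped=0) ;;
        *) echo "warning: kernel dropped packets, capture is incomplete" >&2 ;;
    esac
}

# Command dispatch; skipped when this file is sourced as a library.
if [ $# -gt 0 ]; then
    case "$1" in
        start) capture_start "$2" "$3" ;;
        stop)  capture_stop "$2" ;;
        check) capture_check "$2" ;;
        *) echo "usage: $0 start IFACE FILE | stop FILE | check FILE" >&2; exit 2 ;;
    esac
fi
```

Driven over ssh this looks like `ssh host ./capture.sh start em2 /var/tmp/Traffic30.dmp` and later `ssh host ./capture.sh stop /var/tmp/Traffic30.dmp`; the stop command's exit status tells the caller whether the file passed the check, which the original script's `exit 0` on every error never did. Note that `sync` only pushes pages the kernel already holds to disk; it does nothing for data tcpdump still keeps in its own user-space buffer, which is why -U and waiting for the process to exit matter more than a sync.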