Logging tcpdump output all the time creates a huge amount of data. That is a problem in two ways: it eats disk space, and it is tiring to analyze. Instead you can run a script in a screen session that checks the number of packets transferred per second and starts a tcpdump only when the packet rate exceeds a fixed threshold.
#!/usr/bin/env bash
interface=eth0
dumpdir=/tmp
packet_threshold=5000   # packets/s that trigger a capture
log_packets=100000      # packets to capture per dump

# Read the received-packet counter of $interface from /proc/net/dev
# (field 2 after the colon is rx_packets; only inbound traffic is counted).
rx_packets() {
  grep "^ *$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }'
}

while true; do
  pkt_old=$(rx_packets)
  sleep 1
  pkt_new=$(rx_packets)
  pkt=$(( pkt_new - pkt_old ))
  echo -ne "\r$pkt packets/s\033[0K"
  if [ "$pkt" -gt "$packet_threshold" ]; then
    echo -e "\n$(date) high traffic, starting a tcpdump"
    # Capture on the interface we are monitoring, not on tcpdump's default one.
    tcpdump -i "$interface" -n -s0 -c "$log_packets" -w "$dumpdir/dump.$(date +"%Y%m%d-%H%M%S").cap"
    echo "$(date) Packets dumped, sleeping now."
    sleep 300
  fi
done
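The script above only counts received packets and reads the counter with grep/cut/awk, which breaks when a wide counter is glued to the interface name (/proc/net/dev prints "eth0:987654321" once the byte count grows). The following is an added example, not code from the original card: it parses two /proc/net/dev snapshots, computes inbound and outbound packets per second, and applies the threshold decision, so the rate logic can be tested offline on constructed sample data. The snapshots, the function names (packet_counters, packet_rate, above_threshold, monitor) and the RUN_MONITOR switch are assumptions made for this example; the column layout of /proc/net/dev (iface: rx_bytes rx_packets ... tx_bytes tx_packets ...) is the kernel's documented format.

```shell
#!/usr/bin/env bash
# Added example (not part of the original card): rate computation for a
# traffic-triggered tcpdump, written so it can be tested on sample snapshots.
# Assumed /proc/net/dev layout: "<iface>: rx_bytes rx_packets errs drop fifo
# frame compressed multicast tx_bytes tx_packets ...".

# Constructed sample snapshots, taken one second apart (not real captures).
# SNAP_NEW deliberately glues the rx byte counter to the interface name.
SNAP_OLD='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  eth0:  9876543   50000    0    0    0     0          0         0  1234567   20000    0    0    0     0       0          0'
SNAP_NEW='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  eth0:987654321   56000    0    0    0     0          0         0  1334567   21000    0    0    0     0       0          0'

# packet_counters SNAPSHOT IFACE -> prints "<rx_packets> <tx_packets>" (nothing if absent)
packet_counters() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    index($0, ifc ":") {
      sub(/:/, " ")               # separate the name from a glued counter; awk re-splits $0
      if ($1 == ifc) print $3, $11
    }'
}

# packet_rate OLD_SNAPSHOT NEW_SNAPSHOT IFACE INTERVAL_SECONDS -> prints "<rx/s> <tx/s>"
packet_rate() {
  local old new
  old=$(packet_counters "$1" "$3")
  new=$(packet_counters "$2" "$3")
  [ -n "$old" ] && [ -n "$new" ] || { echo "interface $3 not found in /proc/net/dev" >&2; return 1; }
  set -- $old $new "$4"         # $1 $2 = old rx tx, $3 $4 = new rx tx, $5 = interval
  echo "$(( ($3 - $1) / $5 )) $(( ($4 - $2) / $5 ))"
}

# above_threshold RX_RATE TX_RATE THRESHOLD -> succeeds if either direction exceeds it
above_threshold() {
  [ "$1" -gt "$3" ] || [ "$2" -gt "$3" ]
}

# Live loop: same idea as the card's script, but watching both directions and
# capturing on the monitored interface. Arguments: iface threshold dumpdir count.
monitor() {
  local iface=${1:-eth0} threshold=${2:-5000} dumpdir=${3:-/tmp} count=${4:-100000}
  local before after rates
  while true; do
    before=$(cat /proc/net/dev); sleep 1; after=$(cat /proc/net/dev)
    rates=$(packet_rate "$before" "$after" "$iface" 1) || return 1
    printf '\r%s packets/s (rx tx)\033[0K' "$rates"
    if above_threshold $rates "$threshold"; then
      printf '\n%s high traffic, starting tcpdump\n' "$(date)"
      tcpdump -i "$iface" -n -s0 -c "$count" -w "$dumpdir/dump.$(date +%Y%m%d-%H%M%S).cap"
      sleep 300
    fi
  done
}

# Start the live monitor only when explicitly asked (RUN_MONITOR=1 ./script eth0 5000),
# so the file can also be sourced to exercise the rate functions on sample data.
if [ "${RUN_MONITOR:-0}" = 1 ]; then
  monitor "$@"
fi
```

Counters in /proc/net/dev are cumulative since boot, so a negative rate after a reboot or a 32-bit counter wrap would be reported as-is; the threshold check treats it as "below threshold", which is the safe side for a trigger that only starts captures.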
Posted by Claus-Theodor Riegg to makandra dev (2015-11-25 10:13)