
start tcpdump log on high traffic

Claus-Theodor Riegg
November 25, 2015
Software engineer at makandra GmbH

Logging tcpdump output all the time creates a huge amount of data: it fills up the disk and is tiring to analyze. Instead, you can run a script in a screen session that reads the packet counter of an interface from /proc/net/dev once per second and starts a tcpdump only when the packets per second exceed a fixed threshold. The script below counts received packets only. It has to run as root (tcpdump needs raw socket access), so prefer a dump directory that only root can write to over a world-writable one like /tmp on a shared host.

#!/usr/bin/env bash

interface=eth0
dumpdir=/tmp
packet_threshold=5000   # received packets/s that trigger a dump
log_packets=100000      # packets captured per dump

# Received-packets counter of $interface: 2nd field after the colon in /proc/net/dev.
# The anchored pattern keeps "eth0:" from also matching "veth0:".
rx_packets() {
  grep "^ *$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }'
}

while true; do
  pkt_old=$(rx_packets)
  sleep 1
  pkt_new=$(rx_packets)

  pkt=$(( pkt_new - pkt_old ))
  echo -ne "\r$pkt packets/s\033[0K"

  if [ "$pkt" -gt "$packet_threshold" ]; then
    echo -e "\n$(date) high traffic, starting a tcpdump"
    # -i: capture on the interface we measured, not on tcpdump's default interface
    tcpdump -n -s0 -i "$interface" -c "$log_packets" -w "$dumpdir/dump.$(date +%Y%m%d-%H%M%S).cap"
    echo "$(date) Packets dumped, sleeping now."
    sleep 300
  fi
done
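The rate check from the script above, as an added example that is not part of the original post: the counter parsing and the threshold decision are split into functions so they can be run (and tested) against two constructed /proc/net/dev snapshots instead of a live interface. It goes a bit beyond the script by counting received and transmitted packets, anchoring the interface match, and coping with the kernel format where a large counter is glued to the colon. The interface names, counters, file name and the `--run` flag are made up for the example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: the rate check from the
# script above, split into functions so it can be run against two
# constructed /proc/net/dev snapshots instead of a live interface.
# Differences from the script: counts received AND transmitted packets,
# anchors the interface match (eth0 must not match veth0), and copes with
# the kernel format where a large counter is glued to the colon
# ("eth0:123456789 ..."). Names and sample counters are made up.

# Print "rx_packets tx_packets" for one interface from a /proc/net/dev
# snapshot on stdin. After the colon the fields are: rx bytes, rx packets,
# ... (8 receive fields), then tx bytes, tx packets, ... (8 transmit fields).
iface_packets() {
  awk -v iface="$1" '
    {
      sub(/^[ \t]+/, "")                    # drop leading whitespace
      if (index($0, iface ":") != 1) next   # exact "eth0:" at line start
      rest = substr($0, length(iface) + 2)  # everything after "eth0:"
      sub(/^[ \t]+/, "", rest)
      n = split(rest, f, /[ \t]+/)
      if (n >= 10) print f[2], f[10]
      exit
    }'
}

# packets/s on $1 between snapshot $2 and snapshot $3 taken $4 seconds apart
# (default 1). Fails if the interface is missing from either snapshot.
packet_rate() {
  local iface="$1" before="$2" after="$3" interval="${4:-1}" old new
  old=$(printf '%s\n' "$before" | iface_packets "$iface")
  new=$(printf '%s\n' "$after"  | iface_packets "$iface")
  if [ -z "$old" ] || [ -z "$new" ]; then
    echo "packet_rate: no counters for $iface" >&2
    return 1
  fi
  set -- $old $new            # rx0 tx0 rx1 tx1
  echo $(( (($3 - $1) + ($4 - $2)) / interval ))
}

# True when the measured rate $1 is above threshold $2.
should_dump() {
  [ "$1" -gt "$2" ]
}

# Constructed snapshots one second apart: eth0 received 4000 and sent
# 3000 packets in between, veth0 200 + 100.
SNAP_BEFORE=$(cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  102400    1000    0    0    0     0          0         0   102400    1000    0    0    0     0       0          0
  eth0:123456789 2000000    0    0    0     0          0         0 987654321 1500000    0    0    0     0       0          0
 veth0:   51200     500    0    0    0     0          0         0    51200     500    0    0    0     0       0          0
EOF
)
SNAP_AFTER=$(cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  102400    1000    0    0    0     0          0         0   102400    1000    0    0    0     0       0          0
  eth0:126456789 2004000    0    0    0     0          0         0 989654321 1503000    0    0    0     0       0          0
 veth0:   71680     700    0    0    0     0          0         0    61440     600    0    0    0     0       0          0
EOF
)

# Live mode, mirroring the loop of the script above (hypothetical file name):
#   sudo ./ratecheck.sh --run eth0 5000 /var/tmp/dumps
if [ "${1:-}" = "--run" ]; then
  iface="${2:-eth0}" threshold="${3:-5000}" dumpdir="${4:-/var/tmp}"
  while true; do
    before=$(cat /proc/net/dev); sleep 1; after=$(cat /proc/net/dev)
    rate=$(packet_rate "$iface" "$before" "$after") || exit 1
    printf '\r%s packets/s\033[0K' "$rate"
    if should_dump "$rate" "$threshold"; then
      printf '\n%s high traffic, starting tcpdump\n' "$(date)"
      tcpdump -n -s0 -i "$iface" -c 100000 -w "$dumpdir/dump.$(date +%Y%m%d-%H%M%S).pcap"
      sleep 300
    fi
  done
fi
```

Counting both directions matters when the traffic spike you want to catch is outbound (a compromised host flooding someone else) rather than inbound. If the capture runs as root, tcpdump's `-Z user` option drops to an unprivileged user after the interface and the output file are opened, which limits the damage a malformed packet can do to the dissector.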
Posted by Claus-Theodor Riegg to makandra dev (2015-11-25 11:13)