I. Writing the scripts
Adapted, with changes, from the CSDN post "linux tcpdump脚本实现24小时自动抓包_tcpdump设置终止时间" (a tcpdump script for 24-hour automatic capture on Linux, with a capture stop time).
Basic idea
auto_cap.sh (capture control script)
Run the script with start, stop or status as its argument to start, stop or query the capture:
./auto_cap.sh [ start | stop | status ]
#!/bin/bash
# auto_cap.sh: start / stop / status for the capture service. Run as root:
# tcpdump needs raw-socket access, and the cron jobs are installed in the
# invoking user's crontab.
if [ -z "$1" ]; then
    echo "You should use command like this:"
    echo "./auto_cap.sh [start|stop|status]"
    exit 1
fi
CAP_SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
if [ ! -f "$CAP_SCRIPT_DIR/config/auto_cap.config" ]; then
    echo "Config file does not exist, please check! Script exit!"
    exit 1
fi
source "$CAP_SCRIPT_DIR/config/auto_cap.config"

# Process lookups. pgrep -f matches the full command line and never matches
# itself, so no "grep -v grep" is needed. The tcpdump pattern leaves out
# $CAP_CONDITION: that value starts with a space, so the original
# "tcpdump -i $NET_IF $CAP_CONDITION" pattern never matched the running process.
find_dump() { pgrep -f "tcpdump -i $NET_IF .*\.pcap"; }
find_main() { pgrep -f "main_dump.sh"; }

# crontab helpers. "crontab -l" exits non-zero when the user has no crontab
# yet, which made the original "crontab -l > cron.conf && ..." chain stop
# before adding anything on a fresh host.
cron_add() {
    if crontab -l 2>/dev/null | grep -qF "$1"; then
        echo "$(basename "$1") crontab line already exists"
    else
        { crontab -l 2>/dev/null; echo "*/15 * * * * $1"; } | crontab -
    fi
}
cron_del() {
    crontab -l 2>/dev/null | grep -vF "$1" | crontab -
}

# Stop the main loop first so it cannot restart tcpdump, then tcpdump.
# SIGTERM (plain kill) lets tcpdump flush its buffer and close the pcap
# cleanly; the original kill -9 could drop the last buffered packets.
stop_procs() {
    local pid
    for pid in $(find_main); do
        echo "main_dump.sh (pid $pid) will be killed"
        kill "$pid"
    done
    for pid in $(find_dump); do
        echo "tcpdump (pid $pid) will be killed"
        kill "$pid"
    done
}

case $1 in
start)
    cron_add "$CAP_SCRIPT_DIR/monitor_scripts/monitor_dump.sh"
    cron_add "$CAP_SCRIPT_DIR/monitor_scripts/monitor_disk.sh"
    if [ -n "$(find_main)" ] || [ -n "$(find_dump)" ]; then
        echo "Dump already started, will be restarted"
        stop_procs
        sleep 1
    fi
    # Only main_dump.sh is launched here: it starts and rotates tcpdump
    # itself. The original also started a tcpdump directly, which left
    # main_dump.sh polling a file name that tcpdump never wrote to.
    nohup bash "$CAP_SCRIPT_DIR/main_dump.sh" >/dev/null 2>&1 &
    sleep 2
    echo "Cap is started"
    echo "MAINPID is $(find_main)"
    echo "TcpdumpPID is $(find_dump)"
    ;;
stop)
    cron_del "$CAP_SCRIPT_DIR/monitor_scripts/monitor_dump.sh"
    cron_del "$CAP_SCRIPT_DIR/monitor_scripts/monitor_disk.sh"
    if [ -z "$(find_main)" ] && [ -z "$(find_dump)" ]; then
        echo "No capture process is running, do nothing"
    else
        stop_procs
    fi
    echo "Cap is stopped"
    ;;
status)
    MAINPID=$(find_main)
    DUMPPID=$(find_dump)
    if [ -z "$MAINPID" ]; then
        echo "MAINPID is null, main_dump.sh stopped"
    else
        echo "MAINPID is $MAINPID, main_dump.sh is running"
    fi
    if [ -z "$DUMPPID" ]; then
        echo "DUMPPID is null, tcpdump stopped"
    else
        echo "TcpdumpPID is $DUMPPID, tcpdump is running"
    fi
    ;;
*)
    echo "You should use command like this:"
    echo "./auto_cap.sh [start|stop|status]"
    exit 1
    ;;
esac
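The control script above finds its processes by pattern-matching command lines (ps | grep in the original, pgrep -f in the corrected version). Any process whose command line contains the pattern is taken for the capture: another administrator's tcpdump on the same interface, or an editor opened on main_dump.sh. The following is an added example, not code from the original post, of pidfile-based supervision that auto_cap.sh, main_dump.sh and monitor_dump.sh could share. PIDFILE_DIR and the function names are assumptions; the command-name check uses ps -o comm=, which Linux truncates to 15 characters.

```bash
#!/bin/bash
# Pidfile-based supervision for the capture processes (added example, not part
# of the original scripts). Each managed process records its PID in
# $PIDFILE_DIR/<name>.pid; liveness is checked with kill -0 and the command
# name is compared, so a stale pidfile whose PID was reused by another program
# is not mistaken for a running capture.

PIDFILE_DIR="${PIDFILE_DIR:-/var/run/autocap}"   # assumption: root-writable run dir

# pid_running <name> <comm>: print the PID and return 0 if <name>.pid points at
# a live process whose command name is <comm> (tcpdump, bash, ...); otherwise
# delete the stale pidfile and return 1.
pid_running() {
    local pf="$PIDFILE_DIR/$1.pid" pid
    [ -r "$pf" ] || return 1
    pid=$(cat "$pf")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null \
       && [ "$(ps -o comm= -p "$pid")" = "$2" ]; then
        echo "$pid"
        return 0
    fi
    rm -f "$pf"
    return 1
}

# start_supervised <name> <comm> <command...>: start the command in the
# background once; a second call while it runs is a no-op, not a duplicate.
start_supervised() {
    local name="$1" comm="$2" pid
    shift 2
    if pid=$(pid_running "$name" "$comm"); then
        echo "$name already running (pid $pid)"
        return 0
    fi
    mkdir -p "$PIDFILE_DIR"
    "$@" >/dev/null 2>&1 &
    echo $! > "$PIDFILE_DIR/$name.pid"
    echo "$name started (pid $!)"
}

# stop_supervised <name> <comm>: SIGTERM first so tcpdump can flush its write
# buffer and close the pcap; SIGKILL only if the process is still alive after
# five seconds. SIGKILL straight away (kill -9) can truncate the capture file.
stop_supervised() {
    local name="$1" comm="$2" pid i
    pid=$(pid_running "$name" "$comm") || { echo "$name not running"; return 0; }
    kill -TERM "$pid" 2>/dev/null
    for i in 1 2 3 4 5; do
        kill -0 "$pid" 2>/dev/null || break
        sleep 1
    done
    kill -0 "$pid" 2>/dev/null && kill -KILL "$pid"
    rm -f "$PIDFILE_DIR/$name.pid"
    echo "$name stopped (pid $pid)"
}

# Typical use from auto_cap.sh (assumed names; tcpdump needs root):
#   start_supervised tcpdump tcpdump /usr/sbin/tcpdump -i eth0 -w /cloud/autocap/capdata/x.pcap
#   start_supervised main_dump bash bash /cloud/autocap/main_dump.sh
#   stop_supervised  tcpdump tcpdump
```

The comm argument is the short command name as the kernel reports it: tcpdump for the capture, bash for main_dump.sh started as bash main_dump.sh. Keeping pidfiles in a root-only directory also means a non-root user cannot point stop_supervised at an arbitrary PID.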
main_dump.sh (the capture main program)
An endless loop runs one tcpdump at a time and polls the output file once a minute; when the file reaches MAXSIZE the capture is stopped, renamed and compressed, and after a short pause (2 s in the script) the next round starts. The interface and filter on the tcpdump line come from auto_cap.config. (tcpdump can also rotate by size itself with -C, in units of 1,000,000 bytes, and run a command such as gzip on each finished file with -z; the shell loop below does the same job while putting start and end times in the file names.)
/cloud/autocap/capdata (directory holding the automatic capture files)
Each day's packets go in a directory under /cloud/autocap/capdata named by date, e.g. /cloud/autocap/capdata/2022-09-08, and are stored compressed. File names have the form yyyy-mm-dd@hhmmss-hhmmss.pcap.gz, where yyyy-mm-dd is the date, the first hhmmss is the time the capture started and the second hhmmss the time it ended.
#!/bin/bash
# main_dump.sh: capture loop. Runs one tcpdump at a time, rotates when the
# file reaches MAXSIZE MB, renames it to yyyy-mm-dd@hhmmss-hhmmss.pcap and
# gzips it. Started by auto_cap.sh and re-launched by monitor_dump.sh.
# (The original shebang "#/bin/bash/" was not a valid interpreter line.)
CAP_SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
if [ ! -e "$CAP_SCRIPT_DIR/config/auto_cap.config" ]; then
    echo "Config file does not exist, please check! Script exit!"
    exit 1
fi
source "$CAP_SCRIPT_DIR/config/auto_cap.config"
# MAXSIZE is in MB; ls/stat report bytes (the original called this MAXSIZE_KB).
MAXSIZE_BYTES=$((MAXSIZE * 1024 * 1024))

find_dump() { pgrep -f "tcpdump -i $NET_IF .*\.pcap"; }
# 0 for a missing file; an empty string here gave the original loop an
# "integer expression expected" error and ended the capture early.
file_size() { stat -c %s "$1" 2>/dev/null || echo 0; }

while :; do
    STIME=$(date +%F"@"%H%M%S)
    DATE_DIR=$(date +%F)
    # Captures hold whatever crosses the wire, credentials included: keep the
    # directories readable by root only.
    mkdir -p "$CAP_FILE_DIR/$DATE_DIR"
    chmod 700 "$CAP_FILE_DIR" "$CAP_FILE_DIR/$DATE_DIR"
    OUTFILE="$CAP_FILE_DIR/$DATE_DIR/$STIME.pcap"
    # A tcpdump left over from a previous run writes to a file this loop does
    # not know about and would never be rotated; stop it first.
    for pid in $(find_dump); do kill "$pid"; done
    # $CAP_CONDITION is deliberately unquoted: it is a BPF expression that
    # must be split into separate arguments.
    nohup /usr/sbin/tcpdump -i "$NET_IF" $CAP_CONDITION -w "$OUTFILE" -s 0 >/dev/null 2>&1 &
    DUMPPID=$!
    sleep 1
    # Poll once a minute until the file reaches MAXSIZE. If tcpdump has died
    # (interface down, permission error) leave the loop so a new one starts.
    while [ "$(file_size "$OUTFILE")" -lt "$MAXSIZE_BYTES" ]; do
        kill -0 "$DUMPPID" 2>/dev/null || break
        sleep 1m
    done
    # SIGTERM: tcpdump flushes and closes the file. The original kill -9
    # could drop the buffered tail of the capture.
    kill "$DUMPPID" 2>/dev/null
    wait "$DUMPPID" 2>/dev/null
    ETIME=$(date +%H%M%S)
    if [ -f "$OUTFILE" ]; then
        mv "$OUTFILE" "$CAP_FILE_DIR/$DATE_DIR/$STIME-$ETIME.pcap"
        gzip "$CAP_FILE_DIR/$DATE_DIR/$STIME-$ETIME.pcap"
    fi
    sleep 2
done
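main_dump.sh only renames and compresses the file it is tracking, so after a crash, OOM kill or reboot the day directory keeps yyyy-mm-dd@hhmmss.pcap files with no end time and no compression; monitor_dump.sh restarts the loop but nothing rotates those files. The following is an added example, not code from the original post, that recovers them: a capture tcpdump is still writing keeps changing, so a file untouched for longer than IDLE_MINUTES is treated as abandoned, given the time of its last write as the end time, and gzipped. IDLE_MINUTES and the function names are assumptions, and date -r FILE is GNU coreutils syntax.

```bash
#!/bin/bash
# Recovery of capture files abandoned by a crash or reboot (added example, not
# from the original scripts). Finished captures are named
# yyyy-mm-dd@hhmmss-hhmmss.pcap.gz; an unfinished one is yyyy-mm-dd@hhmmss.pcap
# (six digits after "@", no end time, no .gz). Assumes GNU coreutils.

CAP_FILE_DIR="${CAP_FILE_DIR:-/cloud/autocap/capdata}"
IDLE_MINUTES="${IDLE_MINUTES:-5}"   # assumption: longer than any plausible tcpdump flush interval

# end_time_from_mtime <file>: hhmmss of the file's last modification, the best
# available estimate of when the interrupted capture stopped.
end_time_from_mtime() {
    date -r "$1" +%H%M%S
}

# recover_orphans: find unfinished captures not written for IDLE_MINUTES, give
# them an end time and compress them. Prints the .gz path of each one.
recover_orphans() {
    local f etime dest
    find "$CAP_FILE_DIR" -type f -name '*@??????.pcap' -mmin +"$IDLE_MINUTES" |
    while read -r f; do
        etime=$(end_time_from_mtime "$f")
        dest="${f%.pcap}-$etime.pcap"
        # mv then gzip (not gzip -c) so a failed compression leaves the renamed
        # pcap intact; -n keeps the original name and timestamp out of the header.
        mv "$f" "$dest" && gzip -n "$dest" && echo "$dest.gz"
    done
}
```

This can run from the same cron schedule as monitor_disk.sh, or once from monitor_dump.sh before it relaunches main_dump.sh. The -mmin guard is what keeps it from touching the file the live tcpdump is writing.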
In the monitor_scripts directory:
monitor_dump.sh (capture watchdog)
Checks that the capture main process exists, so that main_dump.sh is brought back up if it stops unexpectedly.
To keep the capture main program healthy, monitor_dump.sh is scheduled by crond: it checks whether the main program is running and starts it if not.
#!/bin/bash
# monitor_dump.sh: run from cron every 15 minutes; relaunches main_dump.sh if
# it is not running (killed, OOM, reboot). Cron runs it as the user who ran
# "auto_cap.sh start", which must be root for tcpdump to work.
CAP_SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd ../ && pwd )"
if [ ! -f "$CAP_SCRIPT_DIR/config/auto_cap.config" ]; then
    echo "Config file does not exist, please check! Script exit!"
    exit 1
fi
source "$CAP_SCRIPT_DIR/config/auto_cap.config"
MAINPID=$(pgrep -f "main_dump.sh")
# Only the main loop is checked: it restarts tcpdump itself, and a tcpdump
# started here would write to a file main_dump.sh knows nothing about.
if [ -z "$MAINPID" ]; then
    nohup bash "$CAP_SCRIPT_DIR/main_dump.sh" >/dev/null 2>&1 &
fi
monitor_disk.sh (disk space monitor)
Monitors free space on the capture partition: when usage reaches 70% (configurable), it deletes the oldest day's capture directory to free space.
Both monitor scripts are added to crontab automatically when capture is started, running every 15 minutes by default; adjust the interval to suit.
#!/bin/bash
# monitor_disk.sh: run from cron every 15 minutes; when the filesystem holding
# DISK_PATH is at or above 70% used, delete the oldest day's capture directory.
# (The original shebang "#/bin/bash/" was not a valid interpreter line.)
CAP_SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd ../ && pwd )"
if [ ! -f "$CAP_SCRIPT_DIR/config/auto_cap.config" ]; then
    echo "Config file does not exist, please check! Script exit!"
    exit 1
fi
source "$CAP_SCRIPT_DIR/config/auto_cap.config"
# Used percentage of the filesystem that contains DISK_PATH. The original
# parsed "df -h | grep /cloud$", which finds nothing when DISK_PATH is not a
# mount point; "df -P <path>" reports the right filesystem for any path.
# (The original variable was named FREEDISK although it holds used percent.)
USEDPCT=$(df -P "$DISK_PATH" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }')
# Oldest dated directory. Today's is excluded: tcpdump is writing into it, and
# on a host with one day of data it would be the only candidate.
TODAY=$(date +%F)
HEADMOST=$(ls -1 "$CAP_FILE_DIR" | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | grep -v "^$TODAY$" | sort | head -n 1)
# check disk usage; ${VAR:?} aborts instead of expanding to "/" if unset
if [ "$USEDPCT" -ge 70 ] && [ -n "$HEADMOST" ]; then
    rm -rf "${CAP_FILE_DIR:?}/$HEADMOST"
fi
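monitor_disk.sh removes at most one directory per cron run, so after a burst of traffic the partition can stay above the threshold for several 15-minute cycles. The following is an added example, not code from the original post, of a cleanup routine that skips today's directory and keeps deleting older days, oldest first, until usage is under the threshold, logging each removal. The function names, USAGE_THRESHOLD and the logger call are assumptions.

```bash
#!/bin/bash
# Threshold-based pruning of dated capture directories (added example, not
# from the original scripts). Compared with monitor_disk.sh: today's directory
# is never removed, deletion continues until usage is under the threshold
# instead of stopping after one directory, and each removal is printed and
# sent to syslog so the cron job leaves a trail.

CAP_FILE_DIR="${CAP_FILE_DIR:-/cloud/autocap/capdata}"
DISK_PATH="${DISK_PATH:-/cloud}"
USAGE_THRESHOLD="${USAGE_THRESHOLD:-70}"   # percent used; assumption, mirrors the 70 in monitor_disk.sh

# disk_usage_pct <path>: integer percent used on the filesystem holding <path>.
# df -P gives POSIX output with that filesystem on line 2, whether or not
# <path> is itself a mount point.
disk_usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# capture_days_oldest_first <dir>: yyyy-mm-dd subdirectories of <dir>, oldest
# first, excluding today's directory (tcpdump is still writing into it).
capture_days_oldest_first() {
    local today d
    today=$(date +%F)
    for d in "$1"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]; do
        [ -d "$d" ] || continue          # an unmatched glob stays literal
        d=${d##*/}
        [ "$d" = "$today" ] || echo "$d"
    done | sort
}

# prune_captures: delete old day directories until usage is below the
# threshold. Prints each removed path; returns 1 if the threshold could not be
# met (only today's data is left), which cron reports by mail.
prune_captures() {
    local day
    for day in $(capture_days_oldest_first "$CAP_FILE_DIR"); do
        [ "$(disk_usage_pct "$DISK_PATH")" -ge "$USAGE_THRESHOLD" ] || return 0
        # ${VAR:?} aborts instead of expanding to "/" if the variable is unset
        rm -rf "${CAP_FILE_DIR:?}/$day"
        echo "removed $CAP_FILE_DIR/$day"
        logger -t monitor_disk "removed $CAP_FILE_DIR/$day" 2>/dev/null || true
    done
    [ "$(disk_usage_pct "$DISK_PATH")" -lt "$USAGE_THRESHOLD" ]
}
```

Deleting whole days at a time is coarse; if the threshold is reached with only today's directory present, the sensible response is a smaller MAXSIZE or a larger partition rather than deleting the live capture.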
II. Deploying the scripts
1. Upload autocap.tar.gz to /cloud (another directory works too; a directory on its own partition with plenty of space is recommended, because captures fill disks).
2. Extract with tar -zxvf autocap_2.1.tar.gz
ll shows the script directory layout.
Script directory and parameters
auto_cap.config holds the parameters of the automatic capture scripts:
# Directory where capture files are saved (defaults to a subdirectory of the script directory; no need to change)
CAP_FILE_DIR=$CAP_SCRIPT_DIR/capdata
# Config directory (defaults to the script directory; no need to change)
CAP_CONFIG=$CAP_SCRIPT_DIR/config
# Interface to capture on, i.e. the argument of -i (for tcpdump -i eth0 host 10.56.19.106 and port 8314 -w 123.pcap it is eth0)
NET_IF=eth0
# Size at which a capture file is rotated, in MB (default about 100M per file; adjust to the site)
MAXSIZE=100
# Capture filter, i.e. the BPF expression between the interface and -w (for tcpdump -i eth0 host 192.168.13.1 and port 80 -w 123.pcap it is "host 192.168.13.1 and port 80"); an empty string captures all traffic
CAP_CONDITION=" host 192.168.13.1 and port 80"
# Partition to monitor (the filesystem holding the capture directory, so captures cannot fill it)
DISK_PATH=/cloud
Starting and stopping capture
After editing auto_cap.config, run the following as root (tcpdump needs raw-socket access, and the cron entries go into the invoking user's crontab):
./auto_cap.sh start  starts capture and adds the cron monitoring jobs
./auto_cap.sh stop   stops capture and removes the cron monitoring jobs
./auto_cap.sh status shows the state of the capture processes
crontab -l should then list the two monitoring jobs.
Two points to check on deployment: the config file is sourced as shell code and its values end up on a root tcpdump command line, so config/ and the scripts must be writable by root only; and capdata holds raw traffic, including any credentials sent in the clear, so keep it readable by root only as well.
Generated capture files: (screenshot omitted from this page; names follow yyyy-mm-dd@hhmmss-hhmmss.pcap.gz)
Script attachment
Link: https://pan.baidu.com/s/1uEKCuI9rh2Yl8utYSUe5dQ  extraction code: fman