#!/bin/bash
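# Positional arguments:
#   $1 - network interface to capture on
#   $2 - existing directory that receives the rotated .pcap files
#   $3 - optional user name handed to tcpdump -Z
interface=$1
output_dir=$2
user=$3
rotate_interval=60 # handed to tcpdump -G below

# Require an exact match on the name column of /proc/net/dev. A plain grep
# treats the argument as a pattern: an empty string or a partial name such as
# "eth" matches as well, and that value is later handed to a tcpdump started
# through sudo.
if [[ -z "${interface}" ]] ||
  ! awk -v ifc="${interface}" -F: '
      { name = $1; gsub(/^[ \t]+/, "", name) }
      NF > 1 && name == ifc { found = 1 }
      END { exit !found }
    ' /proc/net/dev; then
  echo "The interface is NOT found!" >&2
  exit 255
fi

if [[ ! -d "${output_dir}" ]]; then
  echo "The output directory does NOT exist!" >&2
  exit 255
fi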
# Clean
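#######################################
# Convert the capture files still present in the output directory, then
# delete them. Installed as the INT/TERM/EXIT handler.
# Globals:   output_dir (read), post_rotate_command (read)
# Outputs:   progress messages on stdout, conversion failures on stderr
# Returns:   does not return; ends the script with status 0
#######################################
cleanup() {
  # The exit at the end would otherwise fire the EXIT trap and run this
  # handler a second time after an INT or TERM.
  trap - INT TERM EXIT

  echo "=== Capturer is being cancled ==="
  echo "=== Wait the converter finished for 3 seconds..."
  sleep 3
  echo
  echo "=== Convert left PCAP files if any"
  local f
  # NUL-delimited names on fd 3: no word splitting or globbing on file names,
  # and the converter keeps the script's own stdin.
  while IFS= read -r -d '' -u 3 f; do
    echo "=== $f is left"
    # Skip the call when the handler fires before the converter path is set.
    if [[ -n "${post_rotate_command:-}" ]]; then
      "${post_rotate_command}" "$f" ||
        echo "=== Conversion of $f failed" >&2
    fi
  done 3< <(find "${output_dir}" -type f -name "*.pcap" -print0)
  echo "=== Clean stuff up"
  # NOTE(review): captures are deleted even when their conversion failed.
  # ${output_dir:?} refuses to expand to "/*.pcap" if the variable is empty.
  rm -f -- "${output_dir:?}"/*.pcap
  echo
  exit 0
}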
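#output_file=${output_dir}/$(date +'%Y-%m-%d-%H:%M:%S.pcap')
# strftime pattern; tcpdump expands it for each file it opens under -G.
output_file_format=${output_dir}/'%Y-%m-%d-%H:%M:%S.pcap'

# Keep the tcpdump arguments in an array. The user name comes from the command
# line; expanded unquoted from a string, a value containing whitespace would
# be split into extra arguments for a tcpdump that is started through sudo.
options=(-n -nn -N -s 0)
if [[ -n "${user}" ]]; then
  # -Z: tcpdump drops privileges to this user.
  # NOTE(review): without it the privileges of the -z converter depend on the
  # local tcpdump build's default - confirm it does not run as root.
  options+=(-Z "${user}") #$(id -nu 1000)
fi

# tcpdump itself launches the post-rotation script (-z). Where tcpdump is
# confined by AppArmor, its profile has to allow that:
# $ sudo vi /etc/apparmor.d/usr.sbin.tcpdump
# The original instructions add the line:
# /**/* ixr,
# then
# $ sudo service apparmor restart
# NOTE(review): that rule grants the tcpdump profile read and execute access
# to essentially any file, which removes most of the confinement from a
# process that parses untrusted network traffic. Prefer rules scoped to
# convert_pcap_csv.sh and to the programs it has to run.
#
script_dir="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)" || {
  # An empty script_dir would make the -z command resolve to /convert_pcap_csv.sh.
  echo "Cannot resolve the script directory!" >&2
  exit 255
}
post_rotate_command="${script_dir}"/convert_pcap_csv.sh # On the same directory.

# Install the handler only once post_rotate_command is set, so cleanup never
# runs with an empty converter path and then deletes unconverted captures.
trap 'cleanup' INT TERM EXIT

sudo tcpdump "${options[@]}" -z "${post_rotate_command}" -i "${interface}" -G "${rotate_interval}" -w "${output_file_format}"
#sudo chown 1000:1000 "${output_dir}"/*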