Solution 1:

Instead of logging all traffic, I would suggest the following: Monitor the number of packets sent to your server. If it exceeds a certain threshold, log a couple of thousand packets, then wait for a longer time.

That packet trace should contain plenty of information which can be used for analysis. Also, it will not impose too much additional load on your server while everything is fine. You could use the following hacked-together bash code as a starting point (it could be started in screen, for example):

#!/bin/bash
# Watch the receive packet rate on $interface; once it exceeds $threshold
# packets/s, capture $count packets into $dumpdir, then back off for
# $cooldown seconds so a sustained flood does not fill the disk.
interface=eth0
dumpdir=/tmp
threshold=5000   # packets/s that counts as "under attack"
count=2000       # packets to capture per incident
cooldown=300     # seconds to wait after a capture

# RX packet counter for $interface from /proc/net/dev
# (second field after the colon: bytes, packets, errs, ...).
rx_packets() {
  grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }'
}

while true; do
  pkt_old=$(rx_packets)
  sleep 1
  pkt_new=$(rx_packets)

  pkt=$(( pkt_new - pkt_old ))
  echo -ne "\r$pkt packets/s\033[0K"

  if [ "$pkt" -gt "$threshold" ]; then
    echo -e "\n$(date) Under attack, dumping packets."
    # -i: the interface we are counting on, -n: no name lookups,
    # -s0: full packets, -c: stop after $count packets
    tcpdump -i "$interface" -n -s0 -c "$count" -w "$dumpdir/dump.$(date +%Y%m%d-%H%M%S).cap"
    echo "$(date) Packets dumped, sleeping now."
    sleep "$cooldown"
  fi
done

Feel free to adapt it to your needs.

Solution 2:

It's right there in the man pages, tcpdump has -G,

If specified, rotates the dump file specified with the -w option every
rotate_seconds seconds. Savefiles will have the name specified by -w
which should include a time format as defined by strftime(3). If no
time format is specified, each new file will overwrite the previous.

So, tcpdump -i eth0 -s 65535 -G 86400 -w /var/log/caps/%F.pcap will write to /var/log/caps/%F.pcap (where %F will be 2012-05-10, 2012-05-11, 2012-05-12, etc). Keep in mind it will rotate 24hrs from the time you start the cap, so it's not technically per-day unless you run it at midnight.

I'm not saying what you're planning on doing is a good idea, just that this is the solution you're asking for.

Solution 3:

You can certainly get that data from tcpdump, but it's not entirely straightforward.

First, tcpdump writes to a special file format which isn't a log file, so you would need either another instance of tcpdump or Wireshark to analyze the logfiles. But here's a basic suggestion:

  • write a script that kills any running tcpdump and starts a new one which writes to a log file with the day's date in its name
  • run that script from cron every midnight
  • have a cron entry that clears files older than 3 days in the directory in which you store the log files

Be warned that tcpdump gives a lot of output, so you'll need a fair amount of free disk space!
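Putting those three steps into one script, as an added example that is not part of the answer above: the capture directory /var/log/caps, the pidfile /var/run/tcpdump-daily.pid, the interface eth0 and the three-day retention are all assumptions. It tracks the running capture by pidfile rather than killing every tcpdump on the box, so an unrelated capture is not taken down with it, and it only invokes tcpdump when run with the rotate argument.

```shell
#!/bin/sh
# Added example implementing the kill-and-restart rotation described above
# (not part of the original answer). Assumed names: captures in /var/log/caps,
# the running tcpdump's PID in /var/run/tcpdump-daily.pid, interface eth0,
# three days of retention. tcpdump is only started via: rotate-tcpdump.sh rotate
set -e

CAPDIR="${CAPDIR:-/var/log/caps}"
PIDFILE="${PIDFILE:-/var/run/tcpdump-daily.pid}"
IFACE="${IFACE:-eth0}"
KEEP_DAYS="${KEEP_DAYS:-3}"

# Path of the capture file for one calendar day.
# $1 = directory, $2 = day as YYYY-MM-DD (defaults to today).
capture_path() {
    printf '%s/%s.pcap\n' "$1" "${2:-$(date +%F)}"
}

# Stop the capture whose PID is recorded in $1, if it is still running, and
# remove the pidfile. A missing, empty or stale pidfile is not an error, so
# the nightly rotation still goes on to start a new capture.
stop_previous() {
    pidfile=$1
    [ -f "$pidfile" ] || return 0
    pid=$(cat "$pidfile")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        # SIGTERM makes tcpdump flush and close its savefile cleanly.
        kill -TERM "$pid"
    fi
    rm -f "$pidfile"
}

# Delete *.pcap files in directory $1 last modified more than $2 full days
# ago. Only *.pcap is matched, so other files in the directory are untouched.
prune_old() {
    find "$1" -maxdepth 1 -type f -name '*.pcap' -mtime +"$2" -delete
}

# Start a new full-size capture (-s 0) into today's file, without name
# resolution (-n), detached from the shell, and record its PID.
start_capture() {
    out=$(capture_path "$CAPDIR")
    mkdir -p "$CAPDIR"
    tcpdump -i "$IFACE" -n -s 0 -w "$out" >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

# Suggested root crontab entries: rotate at midnight, prune shortly after.
#   0 0 * * * /usr/local/sbin/rotate-tcpdump.sh rotate
#   5 0 * * * /usr/local/sbin/rotate-tcpdump.sh prune
case "${1:-}" in
    rotate) stop_previous "$PIDFILE"; start_capture ;;
    prune)  prune_old "$CAPDIR" "$KEEP_DAYS" ;;
esac
```

Note that find's -mtime +3 means "more than three full days old", so a file written on Monday disappears on Friday's run, not Thursday's; adjust KEEP_DAYS if you want the stricter reading. The resulting files are still pcap, so read them back with tcpdump -r or Wireshark rather than less.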

Solution 4:

If you are on Linux you could use logrotate.

Something like

   # /etc/logrotate.d/tcpdump
   /var/log/dump.pcap {
       rotate 3
       daily
       # don't fail on the first day, before any capture file exists
       missingok
       postrotate
           # tcpdump keeps writing to the renamed .1 file until it exits,
           # so stop it first, then start a fresh capture in the background;
           # a foreground tcpdump here would block logrotate forever.
           # 'options' stands for your capture flags (interface, snaplen, ...).
           /usr/bin/killall tcpdump
           /usr/sbin/tcpdump options -w /var/log/dump.pcap >/dev/null 2>&1 &
       endscript
   }

This logrotate configuration would go into e.g. /etc/logrotate.d/tcpdump.

You probably have either a line in /etc/crontab or, like me, a script /etc/cron.daily/logrotate that calls logrotate.

When logrotate processes this file it will rename /var/log/dump.pcap.1 to /var/log/dump.pcap.2, /var/log/dump.pcap to /var/log/dump.pcap.1, and so on. Once all those files have been renamed and the oldest ones removed (in this example /var/log/dump.pcap.2 would be removed before .1 is renamed to .2), it will execute the commands in postrotate. Unfortunately tcpdump does not survive the kill -HUP that is used on other daemons like httpd, so this recipe kills it and then starts a new capture.

Note that the first day you may want to start the tcpdump manually.

This is untested but should do the trick.