
I'm tired of trying to find an answer to this. I have 2 scripts that are in crontab -e.

START_TCPDUMP.sh

#!/bin/bash
tcpdump -i any port 3306 -s 65535 -x -nn -q -tttt> /etc/openvpn/logs/tcpdump_3306_"$(date +"%Y_%m_%d_%I_%M_%p")".out

STOP_TCPDUMP.sh

PID=$(/usr/bin/ps -ef | grep tcpdump | grep -v grep | grep -v ".sh" | awk '{print $2}')
/usr/bin/kill -9 $PID

CRONTAB -E

*/1 * * * * /etc/openvpn/script/STOP_TCPDUMP.sh
*/1 * * * * /etc/openvpn/script/START_TCPDUMP.sh

I already tried to change it and put start on the first line, but it's all the same.

My output in the directory every 1 min is:

/etc/openvpn/logs/tcpdump_3306_2020_01_29_12_22_PM.out (empty: 0kb)

The problem is that the files are empty. I already tried so many things and it's always empty. How can I figure this out?

Also, if I run: ps -e | grep tcpdump I get 0 results. But if I run: grep | tcpdump I see the command running and showing me all the tracked packets.

I just want it to run like 3h and then stop, save the file and then start a new one.

The once per minute schedule is merely for debugging.

  • How do you expect it to produce any output when you have another job which is killing it pretty much instantly? A much better approach would be to use `pkill` anyway, you have the usual 5-6 bugs in your reimplementation. – tripleee Jan 29 '20 at 12:58
  • How should it be then? Can you do that for me? – Henrique Mota Jan 29 '20 at 13:53
  • It's not really clear what you want to accomplish. Why are you killing the job immediately? Do you not have the `pkill` utility, or at least `pgrep`? – tripleee Jan 29 '20 at 14:33
  • I just want it to run like 3h and then stop, save the file and then start a new one – Henrique Mota Jan 29 '20 at 14:36
  • If you want it to run for one minute, you can use `fuser -k` on the file from the previous minute. If you have GNU `date` it should be easy to get the previous minute with `-d "1 minute ago"`; if not, this is slightly more challenging (try Awk, Perl, or Python, maybe). – tripleee Jan 29 '20 at 14:37
  • If you want 3 hours, why do you run it every minute? – tripleee Jan 29 '20 at 14:38
  • That was just for a test, to try to figure it out. – Henrique Mota Jan 29 '20 at 14:49
  • Does this answer your question? [How to schedule tcpdump to run for a specific time of period?](https://stackoverflow.com/questions/25731643/how-to-schedule-tcpdump-to-run-for-a-specific-time-of-period) – lojza Jan 29 '20 at 15:53

2 Answers


The code to kill every running tcpdump process on the system is deeply problematic. You want to kill only the ones started by your cron job. Never use kill -9 routinely; it should be used only in extreme circumstances.

The multiple useless greps are also a bad smell, and seem extremely brittle. But let's simply get rid of that code.

My suggestion would be to have a single script which kills any previous instance and starts a new one.

#!/bin/sh
logdir=/etc/openvpn/logs
# Send everything this job prints to a log file instead of cron mail
exec >> "$logdir/cron.log" 2>&1

fmt="%Y_%m_%d_%I_%M_%p"
old=$(date -d "3 hours ago" +"$fmt")
new=$(date +"$fmt")

# Terminate (SIGTERM) only the process still writing the previous capture file
fuser -s -k -15 "$logdir/tcpdump_3306_$old.out"

tcpdump -i any port 3306 -s 65535 -x -nn -q -tttt >"$logdir/tcpdump_3306_$new.out"

This takes care to redirect all messages to a separate log file (otherwise cron will send you mail with the output) and to only kill processes which are attached to the previous instance of the tcpdump output file. (For testing maybe specify "$logdir"/tcpdump*.out or even "$logdir"/* to be really sure you get a clean slate.) The default signal of fuser is -9; if you really need that, just take out the -15.

fuser should be reasonably portable; date is more finicky, and won't have a -d option on many non-Linux platforms. You can always install GNU Coreutils, or switch to a simple Perl or Python script for the timestamp calculation.

tripleee
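As an added example (not code from either answer) of the idea in the answer above, stopping only the capture you started rather than every tcpdump on the host: one cron-driven script that records the PID of the tcpdump it launches and, on the next run, terminates exactly that process after checking its command name, then starts the next file. The paths, the pidfile name and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from either answer: rotate a capture by remembering the
# PID this script started, so the next run stops exactly that process instead of
# every tcpdump on the host. LOGDIR/PIDFILE values are placeholders.
LOGDIR="${LOGDIR:-/etc/openvpn/logs}"
PIDFILE="$LOGDIR/tcpdump_3306.pid"

# stop_previous PIDFILE NAME: SIGTERM the PID recorded in PIDFILE, but only if it
# is still alive and its command name is NAME (guards against PID reuse after a
# crash or reboot). SIGTERM lets tcpdump flush its buffer and close the file;
# SIGKILL would drop whatever was still buffered.
stop_previous() {
    pidfile=$1 name=$2
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    case $pid in ''|*[!0-9]*) rm -f "$pidfile"; return 1 ;; esac
    actual=$(ps -o comm= -p "$pid" 2>/dev/null || true)
    if [ "$actual" != "$name" ]; then
        rm -f "$pidfile"            # stale or reused PID: do not signal it
        return 1
    fi
    kill -TERM "$pid" && rm -f "$pidfile"
}

# start_capture PIDFILE OUTFILE CMD...: run CMD in the background with stdout to
# OUTFILE and record its PID for the next rotation.
start_capture() {
    pidfile=$1 outfile=$2
    shift 2
    "$@" > "$outfile" &
    echo $! > "$pidfile"
}

# Crontab line (every 3 hours):  0 */3 * * * /path/to/rotate_capture.sh run
# The "run" argument keeps the functions above sourceable without starting tcpdump.
case ${1-} in
run)
    exec >> "$LOGDIR/cron.log" 2>&1    # keep cron from mailing tcpdump's stderr
    stamp=$(date +"%Y_%m_%d_%I_%M_%p")
    stop_previous "$PIDFILE" tcpdump || echo "no previous capture to stop"
    start_capture "$PIDFILE" "$LOGDIR/tcpdump_3306_$stamp.out" \
        tcpdump -i any port 3306 -s 65535 -x -nn -q -tttt
    ;;
esac
```

On the first run there is no pidfile, so `stop_previous` simply returns 1 and the script goes straight to starting the capture.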

I just figured it out!

I changed my method. I create a screen in crontab and it will run 24 hours a day, 7 days a week. Then I just enter the file, save the info, then clear the file, and it will run automatically.

crontab -e

@reboot screen -dmS bTCP; sleep 5; screen -S bTCP -X stuff 'tcpdump -i any port 22 -s 65535 -x -nn -q -tttt> /path/to/logs/NAME.out\n'
*/2 * * * * /path/to/logs/24-pt-query.sh

The 24-pt-query file is a Python script that takes the information, saves it in a new file and then truncates it.

And it will repeat every 2 minutes (debugging).

Henrique Mota