
I have to write a script where I take a tcpdump on my machine and on a remote machine "simultaneously". That is, the beginning of the capture (0th second) should be simultaneous, so that I can compare the two tcpdumps in my analysis.

Is there a way I can achieve this?

dreamer13134

2 Answers


If you just need approximate time (e.g. with a margin of error in the range of, say, 200 ms), then just make sure both machines have the same time (e.g. via NTP) and then use e.g. cron to run both commands at the same time.

If you want this to be more often, you might want to use the at command instead of cron. You can do some simple date arithmetic, e.g. see this:

or sleep until the specified time:

in both scripts (i.e. local and remote), then run the local command and run the command on the remote machine using ssh.

If you are OK to use e.g. Python, you can make use of the datetime module, e.g. see this:

The idea is pretty much this:

  • Take current time
  • Calculate target time - add some cushion seconds (e.g. 10 seconds)
  • Run both scripts with that time as the parameter (one locally, one remotely with ssh)
  • Sleep until that time in both scripts - if you cannot ssh in 10 seconds or, even worse, if it takes more than 10 seconds to run the local script, you have more serious problems than this one :)
  • Run tcpdump in both scripts - they should be pretty much synced up (with some tolerance, but I don't think it will ever go over 50ms on any recent system)

Hope this helps.

icyrock.com
200 ms is probably as close as you can get. Also, if possible, use a format in tcpdump that includes timestamps to the ms level (I don't use tcpdump, maybe it's there by default). Good luck. – shellter Feb 14 '12 at 00:53

Here's something I wrote just now to synchronise multiple test clients:

#!/usr/bin/env python3
import time
import sys

# Round the current time up to the next multiple of the interval given as
# argv[1] (e.g. 10 -> the next :00, :10, :20 ... second boundary).
now = time.time()
mod = float(sys.argv[1])
until = now - now % mod + mod
print("sleeping until", until)

# Sleep half of the remaining time per iteration so a coarse or drifting
# timer cannot overshoot the target.
while True:
    delta = until - time.time()
    if delta <= 0:
        print("done sleeping", time.time())
        break
    time.sleep(delta / 2)

This script sleeps until the next "rounded" or "sharp" time.

A simple use case is to run ./sleep.py 10; ./test_client1.py in one terminal and ./sleep.py 10; ./test_client2.py in another.

You want to make sure the clocks on your machines are synchronised.

Alternatively, use one of these tcpdump options; use something that gives you a full timestamp.

-t      Don't print a timestamp on each dump line.
-tt     Print an unformatted timestamp on each dump line.
-ttt    Print a delta (micro-second resolution) between current and previous line on each dump line.
-tttt   Print a timestamp in default format preceded by date on each dump line.
-ttttt  Print a delta (micro-second resolution) between current and first line on each dump line.

Finally, you could run something like execnet to start commands on multiple machines at (almost) the same time.

Dima Tisnek
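Putting the two answers together (a target epoch time passed as a parameter, the halving sleep loop, and tcpdump launched locally and over ssh from the same script), here is an added example that is not code from either answer. It assumes NTP-synced clocks, that the script sits at the same path on both hosts and is executable, and that the user may run tcpdump with capture privileges; the hypothetical name sync_capture.py is mine.

```python
#!/usr/bin/env python3
"""Start tcpdump locally and on a remote host at the same epoch second.
Usage: ./sync_capture.py start REMOTE_HOST IFACE OUT.pcap  (orchestrator)
       ./sync_capture.py run   UNTIL       IFACE OUT.pcap  (worker; also via ssh)"""
import os
import subprocess
import sys
import time

CUSHION = 10.0  # head-room for ssh set-up, as the answers suggest (assumed value)

def target_time(now, cushion=CUSHION):
    """Start instant for both captures: now + cushion, rounded up to a whole
    second so it is easy to pass on a command line and to compare later."""
    return float(int(now + cushion) + 1)

def sleep_until(until, clock=time.time, sleeper=time.sleep):
    """Block until epoch time `until`, halving the remaining delta each step so
    a coarse timer cannot overshoot. Returns how late we woke (seconds >= 0)."""
    while True:
        delta = until - clock()
        if delta <= 0:
            return -delta
        sleeper(delta / 2)

def worker_argv(until, iface, outfile, script=None):
    """Worker command: sleep, then run tcpdump writing a pcap file (pcap stores
    absolute microsecond timestamps; show them with `tcpdump -tttt -r FILE`)."""
    script = script or os.path.abspath(__file__)  # assumed same path on both hosts
    return [script, "run", "%.0f" % until, iface, outfile]

def remote_argv(host, until, iface, outfile, script=None):
    """The same worker command, wrapped in ssh for the remote host."""
    return ["ssh", host] + worker_argv(until, iface, outfile, script)

def main(argv):
    if argv[1] == "start":
        host, iface, outfile = argv[2:5]
        until = target_time(time.time())
        remote = subprocess.Popen(remote_argv(host, until, iface, outfile))
        local = subprocess.Popen(worker_argv(until, iface, outfile))
        return max(local.wait(), remote.wait())
    until, iface, outfile = float(argv[2]), argv[3], argv[4]
    late = sleep_until(until)
    print("tcpdump starting %.3f s after target" % late, file=sys.stderr)
    os.execvp("tcpdump", ["tcpdump", "-i", iface, "-w", outfile])

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The lateness printed on each side tells you how far apart the two capture starts actually were, before you compare the pcap files.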