Capture network packets for a specific duration without supervision
The other day I was working on a problem where I had to capture network traffic at a specific time and for a specific duration. Of course the specific time was right in the middle of the night, at 45 minutes past midnight.
Not being 20 years old anymore, I did not feel like staying awake (or waking up) at that time to start the capture, wait the 30 minutes for the traffic to be captured and then stop the process, so I started investigating possible ways of doing it.
Even though I have been working with Linux for over 20 years, there are still rarely used commands that I learn from time to time, and in this case it was the timeout command:
$ timeout --help
Usage: timeout [OPTION] DURATION COMMAND [ARG]...
or: timeout [OPTION]
Start COMMAND, and kill it if still running after DURATION.
Mandatory arguments to long options are mandatory for short options too.
--preserve-status
exit with the same status as COMMAND, even when the
command times out
--foreground
when not running timeout directly from a shell prompt,
allow COMMAND to read from the TTY and get TTY signals;
in this mode, children of COMMAND will not be timed out
-k, --kill-after=DURATION
also send a KILL signal if COMMAND is still running
this long after the initial signal was sent
-s, --signal=SIGNAL
specify the signal to be sent on timeout;
SIGNAL may be a name like 'HUP' or a number;
see 'kill -l' for a list of signals
--help display this help and exit
--version output version information and exit
DURATION is a floating point number with an optional suffix:
's' for seconds (the default), 'm' for minutes, 'h' for hours or 'd' for days.
If the command times out, and --preserve-status is not set, then exit with
status 124. Otherwise, exit with the status of COMMAND. If no signal
is specified, send the TERM signal upon timeout. The TERM signal kills
any process that does not block or catch that signal. It may be necessary
to use the KILL (9) signal, since this signal cannot be caught, in which
case the exit status is 128+9 rather than 124.
GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'timeout invocation'
Basically, timeout starts a command or script and kills it if it is still running after a set duration. Here is a quick example:
$ date; timeout 5 sleep 15; date
Thu Apr 30 08:17:00 EDT 2020
Thu Apr 30 08:17:05 EDT 2020
As you can see, sleep 15 should have lasted 15 seconds, but with timeout 5 in front of it it was cut short after 5 seconds: timeout sent it SIGTERM, and timeout's own exit status in that case is 124, as the help text above describes.
So this, combined with a cron job, was my ticket out of being awake in the early hours of the morning. I simply added a cron job in /etc/cron.d/nightly_packet_capture with the following:
45 00 * * * root /usr/bin/timeout 1800 /usr/sbin/tcpdump -i eth0 -s 0 -w /tmp/nightly_packet_capture_$$.pcap
And bingo: the next night I had a nice capture file in /tmp/nightly_packet_capture_27030.pcap containing the eth0 network traffic that occurred between 00:45 and 01:15, without having spent the night in front of my computer.
I used this technique for capturing packets using tcpdump, but I am sure the same technique can be used for other purposes.
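As an added example that is not part of the original post, here is a small POSIX sh wrapper (my own code, not the author's) that runs any capture tool inside a timeout window the way the cron line above runs tcpdump, with the hardening touches a practitioner would want around it. It assumes Linux, GNU coreutils timeout, and a capture tool that exits cleanly on SIGTERM as tcpdump does; the /usr/local/bin/capture-window.sh path and /var/tmp/captures directory in the comments are hypothetical. It names the file by timestamp instead of $$ (the 27030 in the author's file name is the PID of the /bin/sh that cron spawned, since cron hands the line to sh -c), writes into a 0700 directory instead of world-writable /tmp where another user could pre-create or symlink the predictable name, escalates to SIGKILL with -k if the tool ignores SIGTERM, and maps timeout's exit status: 124 is the normal end of the window, while 128+9 = 137 (on current coreutils) means the tool had to be killed and the pcap may be truncated.

```shell
#!/bin/sh
# Added example, not code from the original post: run a capture tool for a
# fixed window under GNU coreutils "timeout", suitable for calling from cron.
#
# Usage: run_capture_window DURATION OUTDIR CMD [ARG]...
#   The output file path is appended as the last argument, so a tcpdump
#   command line ends with "-w". Hypothetical cron entry using this script:
#   45 00 * * * root /usr/local/bin/capture-window.sh 1800 /var/tmp/captures /usr/sbin/tcpdump -i eth0 -w
#
# Assumptions (mine, not the post's): Linux, GNU coreutils timeout, and a
# capture tool that flushes its file and exits cleanly on SIGTERM like tcpdump.

run_capture_window() {
    duration=$1
    outdir=$2
    shift 2

    # A private 0700 directory instead of world-writable /tmp: no other user
    # can pre-create, replace or symlink the (predictable) capture file name.
    mkdir -p "$outdir" && chmod 700 "$outdir" || return 2

    # Timestamp instead of $$, so the name says when the window started; it is
    # computed here in the script, so no cron "%" escaping is needed.
    CAPTURE_FILE="$outdir/capture_$(date +%Y%m%d_%H%M%S).pcap"

    # TERM ends the window cleanly; -k 10 sends KILL if the tool is still
    # running 10 s after that. "&& rc=0 || rc=$?" keeps a caller's set -e from
    # aborting on the expected non-zero status.
    timeout -k 10 "$duration" "$@" "$CAPTURE_FILE" && rc=0 || rc=$?

    case $rc in
        124) return 0 ;;   # window elapsed and the tool stopped on TERM: normal
        137) echo "capture ignored TERM and was KILLed; $CAPTURE_FILE may be truncated" >&2
             return 1 ;;
        0)   echo "capture tool exited before the window ended" >&2
             return 1 ;;
        *)   echo "capture tool failed with status $rc" >&2
             return "$rc" ;;
    esac
}

# Command-line entry point (cron passes DURATION OUTDIR CMD...); does nothing
# when the file is only sourced for its function.
if [ $# -ge 3 ]; then
    run_capture_window "$@"
fi
```

tcpdump closes the pcap on SIGTERM, so status 124 from timeout is the healthy outcome and the wrapper turns it into 0; anything else is reported on stderr, which cron mails to the owner of the job. The -s 0 in the original line is harmless but only matters on old tcpdump releases whose default snaplen truncated packets; current releases already capture whole packets by default. If you compute the timestamp in the crontab itself rather than in a script, remember that cron treats % as a newline and the format must be written as date +\%Y\%m\%d.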