Forum Discussion

Mike_Maher
Jun 02, 2010

Running a Rotating Tcpdump

I am trying to track down a touch-and-go issue. I want to be able to set up a tcpdump on my ASM that will run continuously and rotate every x minutes or as the file grows to x size. Does anyone have a simple way to do this?


10 Replies

  • Hamish
    Yes, tcpdump has an option to roll files over, and keep X number of files...
    If you RTFM, you'll see that
    -C = specify a maximum file size to write to
    -W = maximum number of files to keep... the files are used in a rotating buffer
    -G = can be used to specify only write to a number of files then exit (with a 0 status)
    -w is used to specify the file template name.
    H
  • Another couple of options:

    http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/ActionOnLog.html

    Perl script that runs as a daemon to watch a log file (like tail in the background), and runs a command when a certain message is found. Smart enough to keep working when log files get rotated, etc. Very handy when you need to run a command to start gathering debugging data or recover from failure that is indicated by a log message.

    ringdump.pl (attached)

    start of config section for the script:

    
    #!/usr/bin/perl
    # VERSION v0.9b
    use strict;
    # tcpdump settings: one entry per interface to capture on, with its BPF filter
    my %SETTINGS    = (
            external => { filter => "port 443" },
            internal => { filter => "port 80" },
            lo0 => { filter => "port 80" },
    );
    my $SNAPLEN = 4352;
    # script settings
    # free space checking
    my $FREE_SPACE_CHECK_INTERVAL = 1;     # check free space every this number of seconds
    my $MIN_FREE_SPACE            = 5;     # minimum percent space left on partition
    my $CAPTURE_LOCATION          = $ARGV[0];
    # file rotation settings
    my $CAPTURES_TO_ROTATE        = 4;     # tcpdump capture files to rotate
    my $DESIRED_CAPTURE_SIZE      = 15;    # megabytes per capture file before rotating
    my $OVERLAP_DURING_ROTATE     = 5;     # seconds to overlap previous capture while starting a new one
    my $CAPTURE_CHECK_INTERVAL    = 1;     # how often (seconds) to check the size of capture files for rotating
    # trigger settings - time (run tcpdumps for x seconds)
    # only one $TRIGGER may be declared; uncomment this one (and comment out the
    # log-message one below) to stop after $TIME_TO_CAPTURE seconds instead
    # my $TRIGGER                 = "time-based";
    my $TIME_TO_CAPTURE           = 300;
    # trigger settings - log-message (stop tcpdump when log message is received)
    my $TRIGGER                   = "log-message based";
    my $LOG_FILE                  = "/var/log/messages";
    my $LOG_MESSAGE               = "no space in response line";
    my $FOUND_MESSAGE_WAIT        = 5;     # how many seconds to gather tcpdumps after we match the log message
    # misc
    my $IDLE_TIMER                = 5;       # if not receiving log entries, how long before checking if log is rotated
    my $MAX_ROTATED_LINES         = 10000;   # max lines to read from file we're re-reading because it's been rotated
    my $PID_FILE                  = "/var/run/ring_dump.pid";
    my $DEBUG                     = 0;       # 0/1

    Aaron

  • If you are running the tcpdump as root (not that you SHOULD) you might need the -Z root in with the other rotating commands. I just ran into this last night.
    -R
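Putting the -C/-W/-G/-w options from Hamish's reply and the -Z root point above into one script, as an added example that is not code from this thread or from ringdump.pl; CAPTURE_DIR and RUN_AS are variables invented for this script, and the sample interface, filter, 15 MB size and 4-file count are borrowed from the ringdump.pl config section above.

```shell
#!/bin/sh
# Added example: build and run a rotating tcpdump in the two ways the
# thread describes. Assumes tcpdump is on PATH; CAPTURE_DIR and RUN_AS
# are variables invented for this script, not tcpdump options.
: "${CAPTURE_DIR:=/var/tmp/captures}"   # where capture files land
: "${RUN_AS:=}"                          # RUN_AS=root adds "-Z root" (the post above)

# True only for a non-empty string of digits (validates sizes and counts).
is_uint() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# size_ring_cmd IFACE SIZE_MB COUNT [FILTER]
# -C rotates when a file reaches SIZE_MB million bytes; -W keeps COUNT
# numbered files and overwrites the oldest, so disk use stays bounded by
# about SIZE_MB * COUNT. This is the "rotate as the file grows" case.
size_ring_cmd() {
    is_uint "$2" && is_uint "$3" || return 1
    printf 'tcpdump%s -i %s -C %s -W %s -w %s/%s.pcap%s\n' \
        "${RUN_AS:+ -Z $RUN_AS}" "$1" "$2" "$3" "$CAPTURE_DIR" "$1" "${4:+ $4}"
}

# time_rotate_cmd IFACE SECONDS COUNT [FILTER]
# -G rotates every SECONDS seconds into a strftime-named file. Combined
# with -G, -W is a cap: tcpdump exits 0 after COUNT files, so loop over
# this command (or prune old files) if the capture must run open-ended.
time_rotate_cmd() {
    is_uint "$2" && is_uint "$3" || return 1
    printf 'tcpdump%s -i %s -G %s -W %s -w %s/%s-%%Y%%m%%d-%%H%%M%%S.pcap%s\n' \
        "${RUN_AS:+ -Z $RUN_AS}" "$1" "$2" "$3" "$CAPTURE_DIR" "$1" "${4:+ $4}"
}

# run_capture size|time IFACE N COUNT [FILTER]: create the capture
# directory and start tcpdump in the foreground (stop with Ctrl-C or kill).
run_capture() {
    mode=$1; shift
    case $mode in
        size) cmd=$(size_ring_cmd "$@") ;;
        time) cmd=$(time_rotate_cmd "$@") ;;
        *) echo "usage: run_capture size|time IFACE N COUNT [FILTER]" >&2; return 2 ;;
    esac || return 1
    mkdir -p "$CAPTURE_DIR" && eval "$cmd"
}

# Start a capture only when invoked as: ./ringcap.sh run size external 15 4 "port 443"
if [ "${1:-}" = run ]; then shift; run_capture "$@"; fi
```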
  • I found it with a quick search here: https://devcentral.f5.com/wiki/advdesignconfig.ringdump.ashx
  • Hi guys, does anyone have the script ringdump-1-227589569.pl which is working? I would need it (just the part with tcpdump) for reverse debugging on some customer installations.
    The whole script is published here https://github.com/vincentmli/F5-iControl-Perl/blob/master/ringdump-1-227589569.pl
    Thanks
    • Jason_Adams

      I would highly recommend using find_error.pl

      It's built into most versions of BIG-IP. I have had much better success with find_error.pl in the past.

      The below article provides a great explanation:

      Run tcpdump regarding a match in a log file

    • gstrakl_175441
      OK, do you maybe have this find_error script? I would greatly appreciate it if someone could send it to me or publish it somewhere. Tnx
    • Jason_Adams
      It has been included with every BIG-IP installation for quite some time. /usr/share/ts/bin/find_error.pl