tcpdump monitor that rotates pcaps upon low disk space.
- python3
- python-systemd [lib]
- python-psutil [lib] - (optional, but strongly recommended)
# mkdir -p /etc/dumper
# cp config.json /etc/dumper/
# chmod 440 /etc/dumper/*
# cp dumper.py /usr/bin/dumper.py
# chmod 440 /usr/bin/dumper.py
# chmod +x /usr/bin/dumper.py
# cp systemd/* /etc/systemd/system/
# systemctl enable dumper@eno1.service
# systemctl start dumper@eno1.service
Or simply via any command line:
# python dumper.py --output=./capture_eno1_%Y-%m-%d_%H:%M:%S.pcap --interface=eno1 --partition=/ --reserved=10 --flushlimit=5 --config=/etc/config.json
Most tcpdump-related configuration (filters, parameters, etc.) is done in config.json.
But dumper also takes parameters from the command line or service scripts. For instance, a per-interface service script can be found under systemd/, which uses the default config and passes in an interface to dump on.
Any settings changed in config.json after startup will override any command-line arguments.
But command-line arguments will override config.json at launch.
--interface=<name> - Which NIC to get network traffic from
--output=<filename> - Outputs all traffic capture to this filename
--config=<filename> - Load a config file and monitor for changes, reloads automatically.
--monitor_config=True - Monitor for configuration changes or not (Default True/Yes)
--partition=/ - Monitor for free space, pauses capture when we go below --reserved
--reserved=10 - Will pause capture when disk-space is below 10% (default)
--flushlimit=5 - Will delete old pcaps when disk space is below 5% (default)
--profile=<profile name> - Which profile to run in the config
(This option overrides "profile" in the config)
--instances=1 - How many threads should we run? (Default is 1)
- Reloads config.json at runtime upon changes to it. (Useful for swapping capturing profile)
- Multiple tcpdump instances can be managed
- Monitors disk usage, pauses all packet captures at --reserved space left.
- Rotates .pcap files when disk space falls below --flushlimit
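
The two thresholds described above (`--reserved` pauses capture, `--flushlimit` deletes old captures), sketched as an added example that is not dumper's own code. The names `free_percent`, `decide`, `oldest_first` and `flush` are hypothetical, and the sketch assumes all captures sit in one directory and that age is judged by modification time.

```python
import os
import shutil

def free_percent(partition="/"):
    """Free space on the partition, as a percentage of its total size."""
    usage = shutil.disk_usage(partition)
    return usage.free / usage.total * 100

def decide(free_pct, reserved=10, flushlimit=5):
    """Map free space to an action using the README's default thresholds."""
    if free_pct < flushlimit:
        return "flush"      # capture stays paused and old pcaps are deleted
    if free_pct < reserved:
        return "pause"      # stop writing, keep the existing captures
    return "capture"

def oldest_first(directory, suffix=".pcap"):
    """Regular capture files in directory, oldest modification time first."""
    entries = [e for e in os.scandir(directory)
               if e.name.endswith(suffix) and e.is_file(follow_symlinks=False)]
    entries.sort(key=lambda e: e.stat(follow_symlinks=False).st_mtime)
    return [e.path for e in entries]

def flush(directory, still_low, keep=()):
    """Delete oldest captures until still_low() is False; skip paths in keep."""
    removed = []
    for path in oldest_first(directory):
        if not still_low():
            break
        if path in keep:    # e.g. the file tcpdump is currently writing
            continue
        os.remove(path)     # symlinks were filtered out above, so only real files go
        removed.append(path)
    return removed

if __name__ == "__main__":
    pct = free_percent("/")
    print(f"{pct:.1f}% free on / -> {decide(pct)}")
```

In a monitoring loop, `still_low` would be something like `lambda: free_percent(partition) < flushlimit`, so deletion stops as soon as enough space has been reclaimed.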