#!/bin/bash
# Send TCP dumps to S3
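#######################################
# Print a fatal message to stderr and exit.
# Arguments: $1 - exit status (integer). If $1 is not an integer the whole
#                 argument list is treated as the message and the status
#                 defaults to 1 (the IMDS calls in this file pass only a
#                 message, which previously made `exit` fail with
#                 "numeric argument required").
#            $@ - message words, joined with spaces
# Outputs:   "FATAL: <message>" on stderr (was stdout, which mixed the
#            diagnostic into captured output)
# Returns:   does not return. NOTE: when invoked inside `$(...)` or
#            backticks, `exit` only terminates that subshell, not the script.
#######################################
die() {
  local status=1
  if [[ ${1-} =~ ^[0-9]+$ ]]; then
    status=$1
    shift
  fi
  printf 'FATAL: %s\n' "$*" >&2
  exit "$status"
}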
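# Ensure that apparmor does not block tcpdump.
# NOTE: `-R` unloads the tcpdump profile for the whole host (not just this
# script), so tcpdump runs unconfined until the profile is reloaded. A
# failure here (e.g. the profile is not currently loaded) is deliberately
# non-fatal, as in the original; it is only reported.
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump \
  || printf 'WARN: apparmor_parser -R failed with status %s\n' "$?" >&2
# Replace with actual bucket name
BUCKET_NAME="aduggal-storage/tcpdump/stage"
# Get instance id for imdsv1
#INSTANCE_ID="`wget -q -O - http://169.254.169.254/latest/meta-data/instance-id || die \"wget instance-id has failed: $?\"`"
# Get instance ID for imdsv2.
# -sSf: quiet, but report errors and fail on HTTP >= 400, so a rejected
# token request (IMDSv2 disabled, hop limit, ...) does not leave an HTML
# error body in TOKEN that is then sent as a header. The `|| die` is placed
# outside the command substitution: inside it, `exit` would only have ended
# the subshell and the script would have carried on with an empty value.
TOKEN=$(curl -sSf -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") \
  || die 1 "IMDSv2 token request has failed: $?"
INSTANCE_ID=$(curl -sSf -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/instance-id) \
  || die 1 "instance-id lookup has failed: $?"
# An empty id would silently produce keys like s3://bucket//2024/... below.
[[ -n "$INSTANCE_ID" ]] || die 1 "instance-id lookup returned an empty id"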
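# Init temp file (fixed name in the current directory, unchanged from the
# original so the sudo'd tcpdump keeps writing to the same place).
touch temp.pcap
# `while true :` ran `true` with a stray ':' argument; plain `true` is meant.
while true; do
  # Capture 5k packets. A tcpdump failure (bad interface, no permission) is
  # fatal: previously it was ignored and the loop spun, uploading the empty
  # temp.pcap once a second forever.
  sudo tcpdump -i ens5 -w temp.pcap -c 5000 port 80 \
    || die 1 "tcpdump exited with status $?"
  # Build filename from ONE date call so year/month/day/hour/minute cannot
  # straddle a boundary between separate invocations.
  STAMP=$(date +%Y/%m/%d/%H:%M)
  S3_KEY="s3://${BUCKET_NAME}/${INSTANCE_ID}/${STAMP}-${INSTANCE_ID}.pcap"
  # Upload file to bucket with date
  printf 'Writing temp.pcap to %s\n' "$S3_KEY"
  # On upload failure stop and leave temp.pcap on disk for recovery instead
  # of deleting the only copy of the capture on the next line.
  aws s3 cp --quiet temp.pcap "$S3_KEY" \
    || die 1 "upload to ${S3_KEY} failed with status $?"
  # Clear temp pcap
  rm -f -- temp.pcap
done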