This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how set time for tcpdump

0

Hi I want to capture traffic with tcpdump and I want to have a script that get as input a time and start capturing traffic with tcpdump and after the time stop the capturing.

can you help that how set for tcpdump or for a shellscript???

asked 08 Jun '14, 08:21

mosa's gravatar image

mosa
11446
accept rate: 0%

One Answer:

0

You don't need any script, if the following simple method is good enough for you.

The first command will schedule tcpdump at 15:30, using the command at (should be available on any Unix like system).

echo "/usr/sbin/tcpdump -ni eth0 -s0 -w /var/tmp/capture_eth0.pcap host 1.2.3.4 and port 80" | at 15:30

The second command will schedule the 'end' of tcpdump, by simply killing all running tcpdump processes 5 minutes later (15:35).

echo "killall tcpdump; killall tcpdump" | at 15:35

atq will show the jobs

atq
4 Thu Jun 12 15:35:00 2014 a surfer
3 Thu Jun 12 15:30:00 2014 a surfer

And at -c [jobid] will show the content of the jobs

at -c 3 | tail -1
tcpdump -ni eth0 -s0 -w /var/tmp/capture_eth0.pcap host 1.2.3.4 and port 80

at -c 4 | tail -1
killall tcpdump; killall tcpdump

If you need a solution for a more complex environment, you'll have to write a shell script that gets started with the at command (or by cron) and that kills only the tcpdump instance that was started by the script after some time (hint: SIGALRM). However, that's plain shell scripting and this is certainly the wrong place to ask for shell scripting tips ;-)

Regards
Kurt

answered 12 Jun '14, 06:31

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 12 Jun '14, 06:47