¿ù°£ Àα⠰Խù°

°Ô½Ã¹° 111°Ç
   
tcpdump with rotating capture-files (-G ¿É¼Ç)
±Û¾´ÀÌ : ÃÖ°í°ü¸®ÀÚ ³¯Â¥ : 2014-09-11 (¸ñ) 13:03 Á¶È¸ : 5535
±ÛÁÖ¼Ò :
                             

-G      ÃÊ´ÜÀ§·Î ÆÄÀÏÀÌ ¼øȯ»ý¼º
If  specified, rotates the dump file specified with the -w option every rotate_seconds seconds.  Savefiles will have the name specified by -w which should include a time format as defined by strftime(3).  If no time format is specified, each new file will overwrite the previous.

-w     ÆÄÀÏ·Î ÀúÀå
Write the raw packets to file rather than parsing and printing them out.  They can later be printed with the -r option.  Standard output is used if file is ``-''.
This  output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received.
Use the -U flag to cause packets to be written as soon as they are received.
See pcap-savefile(5) for a description of the file format.

-W     ÃÖ´ë ÆÄÀÏ°¹¼ö
Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting  files  from  the  beginning,  thus  creating  a 'rotating' buffer.  In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.

-Z   ±ÇÇÑ»ý¼º
 If  tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output, change the user ID to user and the group ID to the primary group of user.
         This behavior is enabled by default (-Z tcpdump), and can be disabled by -Z root

-C    ÆÄÀÏ»çÀÌÁî
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new  one.   Savefiles  after the  first  savefile  will  have  the  name  specified with the -w flag, with a number after it, starting at 1 and continuing upward.  The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).


# tcpdump -nn net 115.68 -G 5 -w test.pcap
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
tcpdump: aaa: Permission denied

# ls -l aaa  
-rw-r--r--   1 tcpdump tcpdump   80299 Sep 11 13:29 test.pcap
¡Ø ¿øÀÎÀº »ý¼ºµÈ ÆÄÀÏ ±ÇÇÑÀÌ tcpdump ±ÇÇÑÀ¸·Î »ý¼ºµÇ¾îÀֱ⠶§¹®

»ý¼ºµÈ ÆÄÀÏÀ» root À¯Àú±ÇÇÑÀ¸·Î 5ÃÊ´ÜÀ§·Î ÆÄÀϸí test.pcap ·Î ĸÃÄ (5ÃÊÁÖ±â·Î µ¤¾î¾²±â)
# tcpdump -nn net 115.68 -G 5 -w test.pcap -Z root


Example 1)
5ÃÊ´ÜÀ§·Î ²ö¾î¼­ ½Ã°£¸íÀ¸·Î ÆÄÀÏ»ý¼º
# tcpdump -nn net 115.68 -G 5 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -Z root

# ls -al trace_2014-09-11*
-rw-r--r-- 1 root root 130470 Sep 11 13:36 trace_2014-09-11_13:35:55.pcap
-rw-r--r-- 1 root root 128020 Sep 11 13:36 trace_2014-09-11_13:36:00.pcap
-rw-r--r-- 1 root root 169068 Sep 11 13:36 trace_2014-09-11_13:36:05.pcap
-rw-r--r-- 1 root root 141378 Sep 11 13:36 trace_2014-09-11_13:36:10.pcap
-rw-r--r-- 1 root root 111066 Sep 11 13:36 trace_2014-09-11_13:36:15.pcap
-rw-r--r-- 1 root root 116596 Sep 11 13:36 trace_2014-09-11_13:36:21.pcap
-rw-r--r-- 1 root root  80460 Sep 11 13:36 trace_2014-09-11_13:36:26.pcap
-rw-r--r-- 1 root root  87421 Sep 11 13:36 trace_2014-09-11_13:36:31.pcap
-rw-r--r-- 1 root root 169819 Sep 11 13:36 trace_2014-09-11_13:36:37.pcap
-rw-r--r-- 1 root root  96685 Sep 11 13:36 trace_2014-09-11_13:36:42.pcap
-rw-r--r-- 1 root root  73052 Sep 11 13:36 trace_2014-09-11_13:36:47.pcap


Example 2)
5ÃÊ´ÜÀ§·Î ²ö¾î¼­ ½Ã°£¸íÀ¸·Î ÆÄÀÏ»ý¼ºÇ쵂 ÃÒ´ë ÆÄÀÏ°¹¼ö´Â 5°³
# tcpdump -nn net 115.68 -G 5 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -Z root -W 5
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Maximum file limit reached: 5

# tcpdump -nn net 115.68 -G 5 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -Z root
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C2918 packets captured
2918 packets received by filter
0 packets dropped by kernel

# ls -al trace_2014-09-11*
-rw-r--r--  1 root    root      70984 Sep 11 13:39 trace_2014-09-11_13:39:15.pcap
-rw-r--r--  1 root    root      63027 Sep 11 13:39 trace_2014-09-11_13:39:20.pcap
-rw-r--r--  1 root    root     105150 Sep 11 13:39 trace_2014-09-11_13:39:25.pcap
-rw-r--r--  1 root    root      92381 Sep 11 13:39 trace_2014-09-11_13:39:30.pcap
-rw-r--r--  1 root    root      60955 Sep 11 13:39 trace_2014-09-11_13:39:36.pcap


Example 3)
ÆÄÀÏ»çÀÌÁî´ÜÀ§·Î ²ö¾î¼­ ÀúÀå (1M ´ÜÀ§·Î ²ö¾î¼­ ÀúÀå)
# tcpdump -nn net 115.68 -C 1 -w packet.pcap -Z root

# ls -al packet.pcap*
-rw-r--r-- 1 root root 1000986 Sep 11 13:54 packet.pcap
-rw-r--r-- 1 root root 1000230 Sep 11 13:54 packet.pcap1
-rw-r--r-- 1 root root 1000063 Sep 11 13:54 packet.pcap2
-rw-r--r-- 1 root root 1000988 Sep 11 13:54 packet.pcap3
-rw-r--r-- 1 root root 1001466 Sep 11 13:54 packet.pcap4
-rw-r--r-- 1 root root 1000023 Sep 11 13:54 packet.pcap5
-rw-r--r-- 1 root root 1000261 Sep 11 13:54 packet.pcap6
-rw-r--r-- 1 root root 1001266 Sep 11 13:54 packet.pcap7
-rw-r--r-- 1 root root 1001003 Sep 11 13:54 packet.pcap8


Example 4)
ÆÄÀÏ»çÀÌÁî´ÜÀ§·Î ²ö¾î¼­ ÀúÀåÇϸç ÃÖ´ë ÆÄÀÏ °¹¼ö´Â 3°³ (ÆÄÀÏÀÌ 3°³¸¸ »ý¼ºµÇ°í ¸ØÃß´Â°Ô ¾Æ´Ï°í ÆÄÀÏ°¹¼ö¸¸ 3°³·Î ÁöÁ¤µÇ¸é¼­ °è¼ÓÇؼ­ µ¤¾î¾²±â)
# tcpdump -nn net 115.68 -C 1 -w packet.pcap -Z root -W 3

À̸§ Æнº¿öµå
ºñ¹Ð±Û (üũÇÏ¸é ±Û¾´À̸¸ ³»¿ëÀ» È®ÀÎÇÒ ¼ö ÀÖ½À´Ï´Ù.)
¿ÞÂÊÀÇ ±ÛÀÚ¸¦ ÀÔ·ÂÇϼ¼¿ä.
   

 



 
»çÀÌÆ®¸í : ¸ðÁö¸®³× | ´ëÇ¥ : ÀÌ°æÇö | °³ÀÎÄ¿¹Â´ÏƼ : ·©Å°´åÄÄ ¿î¿µÃ¼Á¦(OS) | °æ±âµµ ¼º³²½Ã ºÐ´ç±¸ | ÀüÀÚ¿ìÆí : mojily°ñ¹ðÀÌchonnom.com Copyright ¨Ï www.chonnom.com www.kyunghyun.net www.mojily.net. All rights reserved.