
I’m looking to stand up a full packet capture solution on an Ubuntu server. Our maximum bandwidth is < 60Mb/s and the server has 10K hard drives.

Ideally, I’d like to be able to log everything directly to a pcap file that rotates to a new file daily. Having the ability to remove pcap files that have exceeded a given time period or space threshold (i.e. over 30 days old or exceeding 90% of the maximum storage space) would also be incredibly advantageous.

I’ve looked into OpenFPC, but development seems to have come to a complete halt. No new editions have been released in well over 2 years; otherwise, that would fit the bill just fine.

SANS has an in-depth tutorial on how to set up tcpdump for this, but the system doesn’t really allow for a way to remove old files.

What is the best solution for running full packet captures on a Linux server for an enterprise network?

Ryan Foley
  • What about using logrotate to clean old pcaps? – xeon Dec 11 '13 at 20:59
  • Why not just use tcpdump for packet capture, then use logrotate for old files? – krisFR Dec 11 '13 at 20:59
  • BTW, at 60 Mb/s you really are going to need to rotate at 60 minutes instead of per day or something. A single capture that is for a full day will be huge and very painful to work with. – Zoredache Dec 11 '13 at 21:10
  • @Zoredache I agree, at a sustained 60 Mb/s that would be a huge file; so large, I doubt I have enough space for full packet logging. I wanted to give a more realistic bandwidth expectation, but I honestly have no idea. During business hours, I would expect bandwidth usage to be closer to 5-10 Mb/s, while morning/lunch/closing might spike to 30 Mb/s, and the occasional monthly large update push might max it out. Perhaps tshark/tcpdump/logrotate offer a combination of size and time rotation? – Ryan Foley Dec 11 '13 at 21:37

2 Answers


You might want to be using tshark for this instead of tcpdump. Tshark uses the same pcap format but it has much better options for continuous logging.

One option is the tshark ring-buffer mode.

-b Cause TShark to run in "multiple files" mode. In "multiple files" mode, TShark will write to several capture files. When the first capture file fills up, TShark will switch writing to the next file and so on.

The created filenames are based on the filename given with the -w option, the number of the file and on the creation date and time, e.g. outfile_00001_20050604120117.pcap, outfile_00002_20050604120523.pcap, ...

Zoredache
  • We should probably add "...and if you just want to capture data, use dumpcap instead." to the man page. TShark calls dumpcap under the hood, so running it directly should be more efficient. – Gerald Combs Dec 11 '13 at 21:14
  • Is there an easy way to remove files past a certain age? Logrotate seems like the community standard, but how do you integrate multiple filenames into its functionality? – Ryan Foley Dec 12 '13 at 08:18

I believe tcpdump can accomplish this by using the -W, -C and -G options. See the man page for details.

-W

Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly. Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit. If used with -C as well, the behavior will result in cyclical files per timeslice.

skohrs
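As an added example (my own script, not code from either answer or from the tcpdump project), here is one way to combine the hourly -G rotation recommended in the comments with the retention policy asked for in the question: delete captures older than 30 days, then delete the oldest files while the disk is more than 90% full, without involving logrotate. The interface eth0, the directory /var/pcap and the cap_ filename prefix are assumptions.

```shell
#!/bin/sh
# Hourly time-sliced capture (tcpdump -G, as quoted from the man page above)
# plus a retention job: age limit first, then free space. Run prune_pcaps from cron.

IFACE="${IFACE:-eth0}"            # assumed interface name
PCAP_DIR="${PCAP_DIR:-/var/pcap}" # assumed capture directory

# -G 3600 starts a new file every hour; the strftime pattern in -w gives
# each file a timestamp name that sorts chronologically. -W is left out:
# retention is handled by prune_pcaps below instead of a fixed file count.
start_capture() {
    tcpdump -i "$IFACE" -s 0 -n \
        -G 3600 -w "$PCAP_DIR/cap_%Y%m%d_%H%M%S.pcap"
}

# Integer percentage of the filesystem holding $1 that is in use.
usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Delete the oldest capture in $1. Because the names embed the start time,
# the first glob match is the oldest file; returns 1 when none are left.
remove_oldest() {
    set -- "$1"/*.pcap
    [ -e "$1" ] || return 1
    rm -f -- "$1"
}

# prune_pcaps DIR MAX_AGE_DAYS MAX_USAGE_PCT
# 1) remove captures older than MAX_AGE_DAYS (find rounds age down to
#    whole days, so +30 means at least 31 days old), then
# 2) remove the oldest remaining captures while the filesystem is above
#    MAX_USAGE_PCT, stopping once the directory is empty.
prune_pcaps() {
    dir="$1"; max_age="$2"; max_pct="$3"
    find "$dir" -maxdepth 1 -type f -name '*.pcap' -mtime +"$max_age" \
        -exec rm -f -- {} +
    while [ "$(usage_pct "$dir")" -gt "$max_pct" ]; do
        remove_oldest "$dir" || break
    done
}

# Number of captures left in $1 (handy in cron logs).
count_pcaps() {
    find "$1" -maxdepth 1 -type f -name '*.pcap' | wc -l | tr -d ' '
}
```

For the policy in the question, a daily cron entry would call `prune_pcaps /var/pcap 30 90`; `start_capture` itself needs root (or CAP_NET_RAW) and a running tcpdump, so it is not exercised by the checks here.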