0

I want to be able to start and stop an NGREP process from inside my python code. I really don't have experience with python on a system level.

Normally I run NGREP from the command line, but I would like to be able to run it from a script every hour and capture the trace and then process the results.

Can anyone point me in the direction of how to achieve this?

By the way, I really just need to be able to do a packet capture, perhaps Python has builtin capabilities for this, maybe tcpdump?

Thanks.

Dave

3 Answers

2

I am not an expert but I would do this:

import subprocess
import time

keep_running = 1 # Loop flag
wait_hours = 12  # Stop for 12 hours and then run again
run_hours = 1    # We will run ngrep for an hour. The nth run will be dumped to net_log_n.txt
f_num = 0
hours_so_far = 0
run_time_limit = 100    # Suppose you only want to take a log for 100 hours while you are away.
while keep_running:
    # shell=True is needed here for the output redirection and the trailing '&'
    ngrep_cmd = "sudo ngrep -ixW > net_log_" + str(f_num) + ".txt &"
    subprocess.call(ngrep_cmd, shell=True)
    time.sleep(run_hours*3600)
    subprocess.call(["sudo", "killall", "ngrep"])  # stop the background ngrep
    time.sleep(wait_hours*3600)
    f_num += 1
    hours_so_far += run_hours
    if hours_so_far >= run_time_limit:
        keep_running = 0

You will have to run it as root or with sudo.

I hope it helps!

Vandalay
  • No need to define `keep_running` if you never change it, just use `while True:`. Your `os.system(sudo killall ngrep)` line is missing quotes, and you should *really* be using `subprocess.call` instead. – Martijn Pieters Oct 29 '12 at 08:50
  • Hello Martijn, sorry I was clumsy with the syntax and thanks for correcting! I put 'keep_running' there to give the idea of an optional line 'if run_hours > 100: keep_running=0', to Dave. I am on a Mac Os 10.4.11 and I have Python 2.3.5, so I do not think I have access to subprocess module. – Vandalay Oct 29 '12 at 09:19
  • I wish I could get 2.6 at least. :) – Vandalay Oct 29 '12 at 09:23
  • 1
    No need to pass in a list if you set `shell=True`, and in the second `subprocess.call`, there is no need to use `shell=True` since you are not redirecting the output. – Martijn Pieters Oct 31 '12 at 10:16
0

Look up threading.Timer and pexpect. If you don't want to install pexpect, you can use subprocess.Popen instead.

EDIT: In response to the comment:

import os
from signal import SIGTERM, SIGKILL

# pid is the process id of the running ngrep (e.g. proc.pid on the subprocess.Popen object)
try:
    os.kill(pid, SIGTERM)  # you can also send SIGKILL instead of SIGTERM
except OSError:
    pass  # the process has already exited (or is not ours to signal)
# Only available on *NIX

EDIT2: If you want to hand-roll the packet capture, use pypcap. This should almost certainly do what you want, since tcpdump uses libpcap itself.

Chinmay Kanchi
  • I'm not sure why a threading.Timer would be useful in this case. – nosklo Feb 25 '10 at 16:49
  • Because he wants to run it every hour... So, create a `threading.Timer(3600, runNgrep, args, kwargs)` to run the program and create another `threading.Timer` when the program finishes... Where `runNgrep` is a function taking `args` and `kwargs` as arguments, obviously. – Chinmay Kanchi Feb 25 '10 at 17:25
  • These are good suggestions. Any idea how to kill the process though? I see the docs. It seems like send_signal(), terminate() and exit() methods are only available in python 2.6. I am running python 2.5. Following your suggestion, I use subprocess.Popen then get the process id and then run subprocess.Popen with a kill pid to end the process. Not so elegant, perhaps there is a better way to terminate the process? – Dave Feb 25 '10 at 20:33
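The start-for-a-window, stop-with-a-signal, then-process pattern that Vandalay's loop and Chinmay's os.kill snippet each show half of, as one added example (Python 3, not code from either answer). It assumes ngrep is installed and the script runs as root; the ngrep flags in NGREP_CMD are an assumed invocation, not the poster's, and STAND_IN_CMD is a constructed substitute so the logic can be exercised without ngrep or root.

```python
import os
import re
import signal
import subprocess
import sys
import tempfile
import time

# Assumed ngrep invocation (not the poster's exact command): quiet mode, all
# interfaces, BPF filter for port 80.  Needs root (or sudo) like ngrep itself.
NGREP_CMD = ["ngrep", "-q", "-d", "any", "port", "80"]
# Constructed stand-in so the start/stop/process logic runs without ngrep or root.
STAND_IN_CMD = [sys.executable, "-c", "print('GET /index.html HTTP/1.1')"]

def run_capture(cmd, output_path, seconds, grace=5):
    """Start cmd with stdout redirected to output_path, let it run for
    `seconds`, then stop it (SIGTERM first, SIGKILL if it ignores that).
    Returns the exit status: a negative signal number if killed by a signal."""
    with open(output_path, "wb") as out:
        proc = subprocess.Popen(cmd, stdout=out, stderr=subprocess.STDOUT)
        try:
            proc.wait(timeout=seconds)  # exited on its own inside the window
        except subprocess.TimeoutExpired:
            os.kill(proc.pid, signal.SIGTERM)  # same as proc.terminate()
            try:
                proc.wait(timeout=grace)
            except subprocess.TimeoutExpired:
                os.kill(proc.pid, signal.SIGKILL)
                proc.wait()
    return proc.returncode

def count_matches(path, pattern):
    """Post-process a finished capture: count output lines matching a regex."""
    regex = re.compile(pattern)
    with open(path, errors="replace") as f:
        return sum(1 for line in f if regex.search(line))

def capture_and_count(cmd, seconds, pattern):
    """One scheduled run: capture into a fresh net_log_*.txt file, then count
    the output lines matching pattern.  Returns (exit status, matches, path)."""
    fd, path = tempfile.mkstemp(prefix="net_log_", suffix=".txt")
    os.close(fd)
    status = run_capture(cmd, path, seconds)
    return status, count_matches(path, pattern), path

if __name__ == "__main__":
    while True:  # capture for an hour, process, then wait for the next hour
        print(capture_and_count(NGREP_CMD, 3600, r"^(GET|POST) "))
        time.sleep(3600)
```

A process stopped by SIGTERM reports status -15, so the caller can tell a capture that was cut off at the end of its window from one that died early on its own.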
0

It's not built in, but you can try the Packet Capture and Injection Library

ghostdog74