Wireshark: massive capture

wireshark capturing

 [root@unix /usr/local/etc/rc.d]# ls -laF TS-*
 -rwxr-xr-x  1 root  wheel  530 Apr 19 13:50 TS-INTERNET.sh*

eg.

 [root@unix /usr/local/etc/rc.d]# cat TS-INTERNET.sh
 #!/bin/sh

 case $1 in

    'start')
        if [ -x $DAEMONPATH ]
        then
            mkdir -p /capture/INTERNET &&
            cd /capture/INTERNET &&
            ifconfig bce2 up monitor &&
            nice --15 tshark  -q -n -t ad -B 8 -i bce2 -w INTERNET -b filesize:256000 -b files:1500 &
            /bin/echo " capturing INTERNET\c"
        fi
        ;;

    'stop')
        /usr/bin/pkill -f -u 0 "tshark .* INTERNET"
        ;;

    *)
        /bin/echo "Usage: $0 [start|stop]"
        exit 1
        ;;
 esac



the stop function actually works so you can use the scripts to kill off a particular capture as well


and i have also set up a crontab that will find the oldest capture file in each directory and remove it


 [root@unix /usr/local/etc/rc.d]# crontab -l
 #---------------------------------------------------------------
 #
 1 * * * * /capture/clean-me.sh > /capture/clean-me.log 2>&1
 #
 #---------------------------------------------------------------



 [root@unix /usr/local/etc/rc.d]# cat /capture/clean-me.sh
 #!/bin/sh
 CAPTURE=/capture
 CAPTURE_DIRS="INTERNET"



 CAPTURE_PERCENT=`/bin/df -k $CAPTURE|/usr/bin/perl -ne 'print "$1" if (m!\s+(\d+)%\s+\S+!s)'`

 cd $CAPTURE || exit 39


 if [ "$CAPTURE_PERCENT" -ge 100 ]
 then
    echo -n "CLEANING $CAPTURE because disk usage is at ${CAPTURE_PERCENT}% ... "
    date

    for i in $CAPTURE_DIRS
    do
        /usr/local/bin/gfind $i -type f -printf "%T@ %p\n" |
            /usr/bin/sort -nr|
                /usr/bin/tail -1|
                    /usr/bin/awk '{print $2}'|
                        /usr/bin/xargs /bin/rm -v
    done

 else
    echo -n "NOT cleaning $CAPTURE because disk usage is only ${CAPTURE_PERCENT}% ... "
    date
 fi