Sunday, May 1, 2016

Rotating traffic captures using tcpdump

To avoid creating large traffic captures with tcpdump, there are a couple of useful switches that let you create rotating captures, compress them on the fly, and so on.

-ni : -i specifies the network interface on which to capture traffic; -n disables name resolution of addresses and ports
-s : indicates the snapshot length; -s0 captures the full size of each packet
-vvv : verbose output
-w : indicates the file name and location in which the capture will be saved
-C : indicates the size of each file; after reaching this size the file will be rotated
-W : indicates the number of files that will be kept before the oldest is overwritten
-z : a command to run on each completed file, for example gzip to compress it


For example,

tcpdump -ni eth1 -C 20 -z gzip -w /tmp/trace.pcap

This creates files named trace.pcap, trace.pcap1, ... trace.pcapX: after 20MB of data (-C 20), tcpdump starts a new file with the next suffix, and gzip compresses each capture file once tcpdump has finished writing to it.

tcpdump -pni eth0 -s0 -C 100 -W 10 -w /tmp/capture

In this example, tcpdump starts capturing into capture1 and continues until it reaches capture10 (the -p switch keeps the interface out of promiscuous mode). When capture10 has been filled with 100MB of data, it starts again, overwriting capture1. This way, your captures will never use more than 1000MB of disk space.
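The -z switch can run any command, not just gzip: tcpdump calls it with the path of the file it has just finished writing. The following added example (not from the original post) is a post-rotate hook that compresses each completed capture and records its SHA-256 digest in a manifest, so a set of rotated files kept as incident evidence can later be checked for tampering. The manifest location and the /usr/local/bin path are assumed placeholders.

```shell
#!/bin/sh
# Added example: post-rotate hook for tcpdump's -z option.
# tcpdump invokes the -z command with one argument, the completed capture file.
# The hook compresses that file and appends the digest of the result to a
# manifest, giving an integrity record for every rotated capture.
# MANIFEST defaults to an assumed placeholder path; override it in the environment.

MANIFEST="${MANIFEST:-/tmp/captures/manifest.sha256}"

# rotate_hook FILE: gzip FILE in place and record the digest of FILE.gz.
rotate_hook() {
    f="$1"
    [ -f "$f" ] || return 1
    gzip -f -- "$f"                       # writes "$f.gz" and removes "$f"
    sha256sum -- "$f.gz" >> "$MANIFEST"   # one "<digest>  <path>" line per file
}

# verify_manifest: re-hash every recorded file; non-zero status on any mismatch.
verify_manifest() {
    sha256sum -c --quiet -- "$MANIFEST"
}

# When run by tcpdump the completed file name arrives as $1.
[ "$#" -gt 0 ] && rotate_hook "$1"

# Usage (assumed install path):
#   tcpdump -ni eth1 -C 20 -z /usr/local/bin/rotate_hook.sh -w /tmp/captures/trace.pcap
#   ... later: MANIFEST=/tmp/captures/manifest.sha256 sh -c '. rotate_hook.sh; verify_manifest'
```

Because gzip renames the finished file, the hook is meant for the -C rotation shown above rather than the -W ring buffer, where tcpdump expects to reopen the original names.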

gdb all threads bt to file

Perform the following steps to collect a backtrace from a core dump for all threads.

Find the core file and the executable that created it.

Start gdb in the directory where the log file should be created.

By default, gdb creates a logfile called gdb.txt in the current working directory when logging is enabled. Optionally, specify a different logfile name with the set logging file command:

Enable logging by running the following commands:

(gdb) set height 0
(gdb) set logging file /tmp/thread_apply_all_bt.txt
(gdb) set logging on
Copying output to /tmp/thread_apply_all_bt.txt


Request a backtrace:

(gdb) thread apply all bt full


Exit gdb by running the quit command, or press Ctrl-D.
Collect the logfile.