Packet capture while looking for a chatty host

  • Fri 28 September 2018
  • misc

Been trying to track down exactly what an intermittently super noisy host is doing. Lacking netflow in this environment (and wanting an actual packet capture of the device in the act) we were thrown back on using a SPAN port and a laptop running tcpdump.

It's well known that you can use -G to make tcpdump close its capture file and start a new one every N seconds. Somewhat less well known is that the filename passed to the -w argument can contain strftime(3) format directives, which are expanded each time a new file is opened. (If the name contains no time directives, each rotation simply overwrites the previous file.)

I asked the NOC team to do this:

{% highlight bash %}
tcpdump -n -s 1500 -i en0 -G 300 -w capture-%Y%m%dT%H%M%S.pcap
{% endhighlight %}

in order to give us a nicely ordered sequence of 5-minute captures with ISO 8601 (basic format) timestamps in the filenames.

But we can run out of space on a laptop SSD fairly quickly: 100 Mbit/s works out to about 1 TB/day, in round numbers.

We only care about the captures where there is a comparatively large amount of traffic, so periodically blowing away everything but the largest fifteen 5-minute pcaps should leave us with the interesting ones.

{% highlight bash %}
# List size and name of each pcap, largest first; skip the 15 largest
# (tail starts at line 16), and drop the last (smallest) entry from the
# kill list before removing the rest.
for i in $(ls -l capture-*.pcap \
           | awk 'NF==9 { printf "%s %s\n", $5, $9 }' \
           | sort -rn \
           | tail -n +16 \
           | sed -e '$ d' \
           | awk '{ print $2 }')
do
    rm "$i"
done
{% endhighlight %}
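As an added example (not the post's own script, and not what the NOC ran), here is the same pruning written as a reusable POSIX shell function. It keeps the KEEP largest `capture-*.pcap` files in a directory and additionally spares the most recently modified file, on the assumption that this is the one tcpdump is still writing: removing that file would only unlink the name, and everything tcpdump keeps writing to the now-nameless inode is lost. The directory layout, the `capture-*.pcap` naming, the function names and the sample files built by `make_sample_dir` are all constructed for this example.

```shell
#!/bin/sh
# prune_captures DIR KEEP
#   Delete every capture-*.pcap in DIR except the KEEP largest ones and the
#   most recently modified one (assumed to be the file tcpdump is still
#   writing). Names, layout and this policy are assumptions of the example.
prune_captures() {
    dir=$1
    keep=$2
    # The newest file by mtime is left alone regardless of its size.
    newest=$(ls -t "$dir"/capture-*.pcap 2>/dev/null | head -n 1)
    # ls -S lists largest first; everything after line KEEP is a candidate.
    ls -S "$dir"/capture-*.pcap 2>/dev/null \
        | tail -n +$((keep + 1)) \
        | while IFS= read -r f; do
            if [ "$f" != "$newest" ]; then
                rm -f -- "$f"
            fi
        done
}

# count_captures DIR: number of capture-*.pcap files left in DIR.
count_captures() {
    ls "$1"/capture-*.pcap 2>/dev/null | wc -l | tr -d ' '
}

# make_sample_dir: build a scratch directory of constructed pcaps to try the
# function on: 20 finished captures of 1..20 KiB (backdated so they are old)
# plus one freshly started 100-byte capture. Prints the directory name.
make_sample_dir() {
    d=$(mktemp -d)
    i=1
    while [ "$i" -le 20 ]; do
        f=$d/capture-20180928T$(printf '%04d' "$i")00.pcap
        head -c $((i * 1024)) /dev/zero > "$f"
        touch -t 201809280000 "$f"      # backdate: a finished capture
        i=$((i + 1))
    done
    head -c 100 /dev/zero > "$d/capture-20180928T120000.pcap"   # still being written
    echo "$d"
}

# Run as a script (e.g. from cron every few minutes): prune.sh /captures 15
if [ $# -eq 2 ]; then
    prune_captures "$1" "$2"
fi
```

Unlike the `ls -l | awk` pipeline, this version does not depend on the column layout of `ls -l` or on filenames without spaces, and it picks the file to spare by modification time rather than by assuming the smallest file is the one in progress. Running it from cron is the simplest option; tcpdump's `-z postrotate-command` can also invoke a script after each rotation, but it passes the just-closed file as the argument, so a one-line wrapper that calls `prune_captures "$(dirname "$1")" 15` would be needed there.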