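#!/bin/bash
# Copyright 2002 William Stearns
# Released under the GPL
# Syncapture, v0.1
#
# Designed to capture all syn (or syn+something) packets going to port 80
# in a bpf file and rotate to a new file each night just after midnight.
#
# Each run: creates a fresh dated capture file, starts a new non-promiscuous
# tcpdump writing to it, terminates the tcpdumps recorded in the pid file by
# the previous run, and finally records the new tcpdump's pid for next time.
#
# Choose your storage location here:
CaptureDir='/root/syncapture/'
# Choose the file to hold the pids of running tcpdumps so we can cleanly
# kill them later.
PIDFile="$CaptureDir/pid-syncapture"

# This file should be stored as /root/bin/syncapture
# chmod 700 /root/bin/syncapture
# This was designed to be run from cron every night just after
# midnight. Put this line (minus leading '#') in /var/spool/cron/root :
#
#1 0 * * * /root/bin/syncapture
#
# To activate the change to the cron file, run:
# touch /var/spool/cron
# (note, /var/spool/cron, _not_ /var/spool/cron/root).
# If you ever need to rotate logs, just run "syncapture" from the
# command line.

# Not much to edit below this point

set -u

# Print a diagnostic prefixed with the script name to stderr and exit
# non-zero; under cron this is what ends up in the mail.
die() {
  printf '%s: %s\n' "$0" "$*" >&2
  exit 1
}

# Make storage directory
[ -n "$CaptureDir" ] || die "Invalid CaptureDir, exiting."
[ -n "$PIDFile" ] || die "Invalid PIDFile, exiting."

# Captures hold other people's traffic: keep the directory root-only.
if [ ! -d "$CaptureDir" ]; then
  mkdir --mode=700 -- "$CaptureDir"
fi
[ -d "$CaptureDir" ] || die "Could not create capture dir $CaptureDir, exiting."

# Create a dated temp file to hold new data. mktemp picks the suffix, so a
# pre-existing or pre-planted file of the same name cannot be clobbered.
TMPFILE=$(mktemp -q -- "$CaptureDir/syncapture.$(date +%y%m%d).XXXXXX") \
  || die "Can't create temp file in $CaptureDir, exiting..."

# Start new tcpdump to non-promiscuously capture syn (actually syn+something)
# packets. -s 200 keeps just the headers, -p avoids promiscuous mode.
nohup tcpdump -i any -s 200 -p -w "$TMPFILE" \
  'tcp and port 80 and tcp[13] & 2 = 2' >/dev/null 2>/dev/null &
NewPID="$!"

# Give tcpdump a moment to open the interface. If it has already gone away
# (bad interface, no permission, ...) do not kill the old capture, or we
# would be left capturing nothing. kill -0 is a best-effort liveness check.
sleep 1
if ! kill -0 "$NewPID" 2>/dev/null; then
  rm -f -- "$TMPFILE"
  die "tcpdump (pid $NewPID) did not start, leaving old capture running."
fi

if [ -f "$PIDFile" ]; then
  # Kill off any old tcpdumps now that the new tcpdump has started.
  # Only purely numeric entries are passed to kill: an empty file would
  # otherwise give kill no arguments, and a stray "-1" would signal every
  # process on the box.
  OldPIDs=()
  while IFS= read -r pid; do
    case "$pid" in
      '' | *[!0-9]*) ;;
      *) OldPIDs+=("$pid") ;;
    esac
  done < "$PIDFile"
  if [ "${#OldPIDs[@]}" -gt 0 ]; then
    # Stale pids (e.g. after a reboot) are expected; keep cron mail quiet.
    kill -HUP -- "${OldPIDs[@]}" 2>/dev/null
    sleep 1
    kill -TERM -- "${OldPIDs[@]}" 2>/dev/null
  fi
  # Erase the list of pids now that we've killed them all
  : > "$PIDFile"
else
  # Create the pid file; it is data, not a program, so no exec bit.
  touch -- "$PIDFile"
  chmod 600 "$PIDFile"
fi

# Save the pid of this one so we can cleanly kill it later.
printf '%s\n' "$NewPID" >> "$PIDFile"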