tales from the trenches frontline

Monday Mar 16, 2009

Saving a binary snoop file.

To save a binary snoop capture to a file (snoop has to run as root), run this command; the file is written in snoop's own capture format and can be read back later with snoop -i:

snoop -q -d <devicename> -o <outputfilename>

Rotating the snoop file:

On a busy system it does not take long for the output file to grow huge and fill up the file system it lives on, which hurts if that is a critical one such as /var. The script below runs snoop for a fixed time, stops it, rotates the capture file and starts a fresh capture, keeping only the newest few files: snoop_out.0 is the most recent completed capture, snoop_out.1 the one before it, and so on. A capture holds full packet payloads, so the files should be created with a restrictive umask and never be world-readable. Before running the script, edit the CAPTURE_DURATION, HOSTNAME and DEVICENAME variables.

#!/usr/bin/bash

# Capture files hold full packet payloads: make sure new files are not
# world-readable (snoop runs as root, so the files are root-owned anyway).
umask 077

# logrotate BASE COUNT
# Keeps BASE.0 (newest) through BASE.COUNT (oldest); anything older is dropped.
# Works on the numbered names directly, so it does not depend on ls ordering
# or on the path being free of dots.
logrotate() {
        BASE="$1"
        COUNT="$2"
        rm -f "${BASE}.${COUNT}"
        i="${COUNT}"
        while [ "$i" -gt 0 ]
        do
                prev=$((i - 1))
                [ -f "${BASE}.${prev}" ] && mv "${BASE}.${prev}" "${BASE}.${i}"
                i="${prev}"
        done
        [ -f "${BASE}" ] && mv "${BASE}" "${BASE}.0"
        return 0
}

# function ensuring we're killing the right pid: use the pid the shell
# recorded when snoop was put in the background ($!) instead of pattern
# matching on ptree output
kill_snoop() {
        kill "${SNOOP_PID}"
        # wait for snoop to exit so the file is closed before it is rotated
        wait "${SNOOP_PID}"
}

FILENAME="/var/tmp/snoop_out"

#
# Set below variables manually.
# CAPTURE_DURATION - amount of time in seconds that each snoop file will collect data for
# HOSTNAME - name of remote host to capture traffic to/from. This is not local hostname.
# DEVICENAME - name of device to capture data on (ie hme0,nge1,e1000g1, etc)
# ROTATE_COUNT - number of older capture files to keep beside the newest one
#
CAPTURE_DURATION=10
HOSTNAME="remote_hostname"
DEVICENAME="device_name"
ROTATE_COUNT=2

while true
do
        snoop -q -d "${DEVICENAME}" -o "${FILENAME}" "${HOSTNAME}" &
        SNOOP_PID=$!
        sleep "${CAPTURE_DURATION}"
        kill_snoop
        logrotate "${FILENAME}" "${ROTATE_COUNT}"
done
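The start / sleep / kill / rotate cycle can be dry-run on any box without root or snoop by swapping a stand-in writer for the snoop command. The following is an added example, not code from the original post: the writer is a small loop echoing one line per second in place of snoop -q -d DEV -o FILE HOST, and the function names rotate, capture_loop and count_rotated are chosen here. It runs the cycle a fixed number of times, kills the writer by the pid the shell recorded ($!), and lets you check afterwards that exactly the newest COUNT+1 files are left and that no unrotated file remains.

```sh
#!/bin/sh
# Dry run of the rotate-and-restart loop without snoop or root privileges.
# Added example, not from the original post. The writer below is a stand-in
# for snoop; rotate, capture_loop and count_rotated are names chosen here.

# rotate BASE COUNT: keep BASE.0 (newest) .. BASE.COUNT (oldest), drop older
rotate() {
        base="$1"
        count="$2"
        rm -f "${base}.${count}"
        i="$count"
        while [ "$i" -gt 0 ]
        do
                prev=$((i - 1))
                [ -f "${base}.${prev}" ] && mv "${base}.${prev}" "${base}.${i}"
                i="$prev"
        done
        [ -f "$base" ] && mv "$base" "${base}.0"
        return 0
}

# capture_loop BASE COUNT ITERATIONS DURATION: run the same cycle as the snoop
# script ITERATIONS times, each capture lasting DURATION seconds; the writer is
# killed by the pid recorded at start ($!), not by a name lookup in the
# process table, and waited for so the file is closed before it is rotated
capture_loop() {
        base="$1"
        count="$2"
        iterations="$3"
        duration="$4"
        n=0
        while [ "$n" -lt "$iterations" ]
        do
                # stand-in writer: snoop -q -d DEV -o "$base" HOST & would go here
                sh -c 'while :; do echo "packet"; sleep 1; done' > "$base" &
                pid=$!
                sleep "$duration"
                kill "$pid"
                wait "$pid" 2>/dev/null || true
                rotate "$base" "$count"
                n=$((n + 1))
        done
}

# count_rotated BASE: number of BASE.N files present after a run
count_rotated() {
        ls "$1".* 2>/dev/null | wc -l | tr -d ' '
}
```

Running capture_loop /tmp/snoop_out 2 4 1 leaves /tmp/snoop_out.0, .1 and .2 (three files, the newest in .0), no .3 and no plain /tmp/snoop_out, which is exactly what the real script should leave behind in /var/tmp after four rotations with ROTATE_COUNT=2.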