Solve : logging only sample data with tcpdump?

Hello,

I need to log a lot of data from tcpdump, thus I just want sample data (let's say 10 or 20 percent of the actual traffic).
I know how to filter on tcp and port-numbers, but I haven't found a way to record only sample data. All packets of a single connection should be recorded,
but not all connections.

Does anyone know how to achieve this goal?

Kind regards

Michael

http://www.tcpdump.org/tcpdump_man.html

Adding the -w flag will cause it to write info to file. You can then use this file to get the info you need.

Quote: "It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis", as at the info link above.

If you want say 20% you might be able to run it for 2 seconds out of every 10 with -w.

So you could have a program that launches the TCPdump -w to run for 2 seconds and then kills the TCPdump, and then waits 8 seconds and then runs again in a loop. I have macro software that allows for this type of launch and force killing of programs. I use Jitbit Macro Creator for stuff like this, but maybe there is a better method that isn't force killing the TCPdump over and over again. Using Linux there may be a similar macro creator or better method. Jitbit is Windows based.

* Note the only drawback to this launch and kill loop using a macro program like this is that the system you are using can not be used for anything else while this is going on, as it takes control of keyboard and mouse controls. One way you might be able to get around this issue is to have a virtual system running with the macro and minimized, in which the virtual keyboard/mouse should be confined to the virtual environment and not out to the actual physical machine.

Thanks for your help. Didn't think about starting and restarting tcpdump.
Wouldn't this approach destroy the connection context? For example, if some part of the conversation between client and server happens
in the two seconds while tcpdump is active, and the rest happens in the next 8 seconds.
I want to have access to all packets of a connection, to get things like minimum round trip time.

Kind regards

Michael

Hmm... other thing you can do then is take the output file created by the -w switch and use a script later that parses and samples some of the contents of the entirety, which would be less troublesome than killing TCPdump mid process.

Are you good with a computer scripting/programming language to make one? Python, Perl, and others work well for this kind of thing: take input from the file generated and process it ( = sample it ) and spit out a new file appended with the sample results only until it gets to the EOF of the original file.
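One way to do the post-processing sampling suggested in this reply, as an added example and not code from the thread: read a libpcap file written with `tcpdump -w`, hash each TCP connection's direction-independent 4-tuple, and copy every packet of roughly 20% of the connections to a new file, so no connection is split. `build_frame` and `build_pcap` are assumed helpers that only produce constructed test input; a real capture would be read with `open(path, "rb").read()`.

```python
# Added example: per-connection sampling of a tcpdump -w file (not thread code).
import hashlib, struct

SAMPLE_PERCENT = 20
def flow_key(src, sport, dst, dport):
    # Direction-independent 4-tuple so both halves of a conversation sample alike.
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def flow_sampled(key, percent=SAMPLE_PERCENT):
    # Hash the connection, not the packet: a connection is kept or dropped whole.
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100 < percent

def parse_ipv4_tcp(frame):
    # Ethernet II + IPv4 + TCP header fields; None for anything else.
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return src, sport, dst, dport

def sample_pcap(data, percent=SAMPLE_PERCENT):
    # Walk a libpcap file held in memory; return (new file bytes, packets kept).
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    out, off, kept = bytearray(data[:24]), 24, 0
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        record = data[off:off + 16 + incl]
        info = parse_ipv4_tcp(record[16:])
        if info and flow_sampled(flow_key(*info), percent):
            out += record
            kept += 1
        off += 16 + incl
    return bytes(out), kept

def build_frame(src, sport, dst, dport):
    # Constructed minimal Ethernet/IPv4/TCP frame (assumption: test input only).
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    # Constructed little-endian pcap: global header + one record per frame.
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return bytes(out)
```

Because the decision is a hash of the connection, every packet of a kept connection survives, including the handshake needed for round-trip measurements; for the large captures the question describes, the same loop would be run over the file record by record rather than after reading it whole into memory.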
