https://github.com/torxed/dumper

tcpdump monitor that rotates pcap's upon low disk space.
https://github.com/torxed/dumper

rotate tcpdump

Last synced: about 2 months ago
JSON representation

tcpdump monitor that rotates pcap's upon low disk space.

• Host: GitHub
• URL: https://github.com/torxed/dumper
• Owner: Torxed
• License: gpl-3.0
• Created: 2019-02-21T15:16:19.000Z (about 6 years ago)
• Default Branch: master
• Last Pushed: 2019-06-09T22:04:21.000Z (almost 6 years ago)
• Last Synced: 2025-01-25T17:16:00.362Z (4 months ago)
• Topics: rotate, tcpdump
• Language: Python
• Size: 48.8 KB
• Stars: 0
• Watchers: 2
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# dumper

`tcpdump` monitor that rotates pcap's upon low disk space.

# Installation

## Dependencies

 * python3

 * python-systemd [lib]

 * python-psutil [lib] - (optional, but strongly recommended)

## Manual installation

    # mkdir -p /etc/dumper

    # cp config.json /etc/dumper/

    # chmod 440 /etc/dumper/*

    # cp dumper.py /usr/bin/dumper.py

    # chmod 440 /usr/bin/dumper.py

    # chmod +x /usr/bin/dumper.py

    # cp systemd/* /etc/systemd/system/

# Running dumper

    # systemctl enable [email protected]

    # systemctl start [email protected]

Or simply via any command line:

    # python dumper.py --output=./capture_eno1_%Y-%m-%d_%H:%M:%S.pcap --interface=eno1 --partition=/ --reserved=10 --flushlimit=5 --config=/etc/config.json

# Configuration

Most tcpdump related configuration *(filters, parameters etc)* is done in `config.json`.


But dumper also takes parameters from the command-line/service scripts. For instance, a per-interface service script can be found under `systemd/` which uses the default config + sends in a interface to dump on.

Any settings done in `config.json` after startup **will override any command line arguments**.


But command-line arguments will override `config.json` the launch.

# Parameters

    --interface= - Which NIC to get network traffic from

    --output= - Outputs all traffic capture to this filename

    --config= - Load a config file and monitor for changes, reloads automatically.

    --monitor_config=True - Monitor for configuration changes or not (Default True/Yes)

    --partition=/ - Monitor for free space, pauses capture when we go below --reserved

    --reserved=10 - Will pause capture when disk-space is below 10% (default)

    --flushlimit=5 - Will delete old pcap's when disk space is below 5% (default)

    --profile= - Which profile to run in the config

                              (This option overrides "profile" in the config)

    --instances=1 - How many threads should we run? (Default is 1)

# Features

 * Reloads `config.json` in runtime upon changes to it. (Useful for swapping capturing profile)

 * Multiple `tcpdump` instances can be managed

 * Monitors disk usage, pauses all packet captures at `--reserved` space left.

 * Rotates `.pcap`'s when disk space falls below `--flushlimit`