
Using tshark in Ubuntu


wildweaselmi

I'm not the best at linux but I am someone who can usually figure things out.



I am running tshark (instead of tcpdump) so I get better data when analyzed with wireshark. I want to run a check to make sure that tshark continues to run and if not then start it up again and also chmod the .cap files so I can copy them down via FTP so I can analyze them.



First, let's create the script to check if the tshark service is running and, if not, launch it.



#!/bin/sh

SERVICE='tshark'

echo "`date` Validating $SERVICE is running" >> /home/hosangit/archivecap.log

if ps ax | grep -v grep | grep $SERVICE > /dev/null
then
    echo "`date` $SERVICE service running, everything is fine" >> /home/hosangit/archivecap.log
    chmod 777 /home/hosangit/captures/*.cap
else
    echo "`date` $SERVICE is not running!!!!!" >> /home/hosangit/archivecap.log
    echo "`date` Attempting to start $SERVICE now...." >> /home/hosangit/archivecap.log
    tshark -i eth0 -n -t ad -b filesize:20000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap &
    echo `ps -e|grep tshark` >> /home/hosangit/archivecap.log
fi





Let's save this file as archivecap and make it executable by typing:

sudo chmod +x /home/hosangit/archivecap





Now let's test it by running it (if you are in your home directory hosangit, then):

./archivecap





If everything works, let's make a cron job to run this every hour:

sudo crontab -e

00 * * * * /home/hosangit/archivecap
15 * * * * chmod 777 /home/hosangit/captures/*.*
30 * * * * chmod 777 /home/hosangit/captures/*.*
45 * * * * chmod 777 /home/hosangit/captures/*.*


Note: I have to chmod the capture files because I am using a sudo cron to launch tshark, which means I don't have rights to FTP the files down (I get an error "can not open file"), so I have to change the permissions on the files so I can FTP them down, which seems to work. So I set up a sudo cron to change permissions every 15 minutes.
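The check in the script above is a `ps | grep` match on the word tshark, and the rest of the thread runs into its weaknesses: it matches any command line that happens to contain the word, and it gives the script no handle on the process it started. The script below is an added example written for this page, not code from the thread. It records the PID of the process it launches and checks that PID directly, so the watchdog only ever believes its own child is alive, and it refuses to trust a pidfile whose contents are not a number. The pidfile location and the `check` argument are assumptions; the capture command and log file are the ones from the post. Invoked with no argument it only defines its functions, so it can be sourced or tested; `./watchdog check` is what the cron line would run. The post runs everything from root's crontab; on Ubuntu the usual way to avoid that is `sudo dpkg-reconfigure wireshark-common` and adding the capture account to the wireshark group, after which a non-root user can capture and the files do not need chmod 777 afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): pidfile-based watchdog for a long-running
# capture. Assumptions: PIDFILE is writable by the account running the script and
# the capture command does not daemonize itself (tshark stays in the foreground).

CAPTURE_CMD="tshark -i eth0 -n -t ad -b filesize:20000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap"
PIDFILE=/var/run/tshark-watchdog.pid      # assumed location
LOGFILE=/home/hosangit/archivecap.log     # from the thread

log() { echo "$(date) $*" >> "$LOGFILE"; }

# Returns 0 if the pidfile names a live process, 1 otherwise.
# An unreadable, empty or non-numeric pidfile counts as "not running" rather than
# being passed to kill, so a corrupted file cannot make the check signal a
# random PID.
pid_alive() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile" 2>/dev/null)
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null
}

# Starts the command string $1 in the background and records its PID in $2.
# Word-splitting the string is intended here; the command has no spaces in its
# arguments.
start_recorded() {
    cmd=$1; pidfile=$2
    $cmd &
    echo $! > "$pidfile"
}

# The watchdog: only restart when our own child is gone, and verify the restart.
ensure_running() {
    if pid_alive "$PIDFILE"; then
        log "capture is running (pid $(cat "$PIDFILE"))"
        return 0
    fi
    log "capture is not running, starting it"
    start_recorded "$CAPTURE_CMD" "$PIDFILE"
    sleep 2
    if pid_alive "$PIDFILE"; then
        log "capture started (pid $(cat "$PIDFILE"))"
        return 0
    fi
    log "failed to start capture"
    return 1
}

case "${1:-}" in
    check) ensure_running ;;
esac
```

Because the restart verdict comes from the PID that was written at launch, a script that merely has "tshark" in its own name or arguments can no longer satisfy the check, and the log records which process was judged alive.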



I am noticing that every hour this script actually restarts tshark instead of just checking to see if it is running.





Prior to the cron running I perform a



ps -e|grep tshark





and I see tshark running. Then on the hour when the cron runs, it says it isn't running and then starts it up. So it must have something to do with the check. Maybe the file doesn't exist.




Updated the script and now it seems to be working better.





#!/bin/sh

STARTTSHARK="tshark -i eth0 -n -t ad -b filesize:20000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap"
LOGFILE=/home/hosangit/archivecap.log
SERVICE='tshark'

echo "`date` Validating $SERVICE is running" >> $LOGFILE

if ps ax | grep -v grep | grep $SERVICE > /dev/null
then
    echo "`date` $SERVICE service running, everything is fine" >> $LOGFILE
    chmod 777 /home/hosangit/captures/*.cap
    echo "`date` Finished chmod *.cap files" >> $LOGFILE
else
    echo "`date` $SERVICE is not running, restarting $SERVICE" >> $LOGFILE
    checktshark=`ps ax | grep -v grep | grep -c tshark`
    if [ $checktshark -le 0 ]
    then
        $STARTTSHARK
        if ps ax | grep -v grep | grep $SERVICE > /dev/null
        then
            echo "`date` $SERVICE service is now restarted, everything is OK" >> $LOGFILE
        else
            echo "`date` Unable to start $SERVICE, suggest reboot" >> $LOGFILE
        fi
    fi
    echo "`date` Exiting archivecap" >> $LOGFILE
fi



tshark would close after about 10 (20 MB or 15 MB) files, so I changed to 12 MB files and it appeared to be running better, but after my 15-minute run of archivecap I ran ps -e|grep tshark and noticed the process ID had changed. In short, my script is restarting tshark when it was running just fine.





I believe the chmod part of my script is what is breaking tshark, because I am running chmod on an open file that tshark is using, so what I am going to try is taking that part out and seeing if tshark will continue to run even when the cron runs the check.




Okay, it appears the issue has been resolved by implementing two solutions.





SOLUTION #1



Utilize two scripts (cannot do a chmod on files that are in use or it will kill the process).



/home/hosangit/chkshrk (purpose is to check every 15 minutes and validate that tshark is running and, if not, start it up):



#!/bin/sh

STARTSHRK="tshark -i eth0 -q -l -n -t ad -b filesize:18000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap"
LOGFILEC=/home/hosangit/chkshark.log
SERVICE='tshark'

echo "`date` Validating $SERVICE is running" >> $LOGFILEC

if ps ax | grep -v grep | grep $SERVICE > /dev/null
then
    echo "`date` $SERVICE service running, everything is fine" >> $LOGFILEC
else
    echo "`date` $SERVICE is not running, restarting $SERVICE" >> $LOGFILEC
    checktshark=`ps ax | grep -v grep | grep -c tshark`
    if [ $checktshark -le 0 ]
    then
        $STARTSHRK &
        if ps ax | grep -v grep | grep $SERVICE > /dev/null
        then
            echo "`date` $SERVICE service is now restarted, everything is OK" >> $LOGFILEC
        else
            echo "`date` Unable to start $SERVICE, suggest reboot" >> $LOGFILEC
        fi
    fi
    echo "`date` Exiting chkshark" >> $LOGFILEC
fi










/home/hosangit/archivecap (purpose is to copy all capture files to the archive directory and change permissions so they can be downloaded, at 23:59):



#!/bin/sh

STOPTSHARK="pkill tshark"
MOVEFILES="mv -f /home/hosangit/captures/*.* /home/hosangit/captures/archive"
LOGFILE=/home/hosangit/archivecap.log

echo "`date` Starting Archive of Capture Files" >> $LOGFILE

echo "`date` Stopping tshark" >> $LOGFILE
$STOPTSHARK
sleep 5

echo "`date` Moving files to Archive directory" >> $LOGFILE
$MOVEFILES
sleep 5

echo "`date` Changing permissions to allow FTP download" >> $LOGFILE
chmod 777 /home/hosangit/captures/archive/*.cap
sleep 5

echo "`date` Done" >> $LOGFILE






SOLUTION #2



Alter the tshark launch script to include the -q and -l options, which helps keep tshark up and running (look at the chkshrk script above for the exact command).



Also, do not use tshark as a filename when one of the calls in your script is looking to see if anything with tshark is running and, if so, treating that as all good.







Important: set the sudo crontab:

00 * * * * /home/hosangit/chkshark
15 * * * * /home/hosangit/chkshark
30 * * * * /home/hosangit/chkshark
45 * * * * /home/hosangit/chkshark
59 23 * * * /home/hosangit/archivecap
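The final archivecap above stops tshark once a day, moves everything and makes the archive world-writable (777) so the FTP account can read it. With -b filesize:... tshark writes a numbered sequence of files and closes each one when it rotates to the next, so every file except the newest can be moved and re-permissioned while the capture keeps running; if the -b files: limit is later reached, tshark's cleanup of its oldest ring file simply finds nothing to delete. The script below is an added example for this page, not code from the thread: it moves only the closed capture files, sets them to mode 640 and hands them to a download group, so the FTP account can read them but no other account can modify or delete them. ARCHIVE_GROUP and the `run` argument are assumptions; the capture and archive paths are the thread's; capture file names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread): archive the capture files tshark has
# already rotated out of, without stopping the capture and without chmod 777.
# Assumptions: tshark was started with -b filesize:... so only the newest *.cap
# is still open; file names contain no spaces; the download account belongs to
# the group named in ARCHIVE_GROUP.

CAPTURE_DIR=/home/hosangit/captures            # from the thread
ARCHIVE_DIR=/home/hosangit/captures/archive    # from the thread
ARCHIVE_GROUP=ftpusers                         # assumed group name
LOGFILE=/home/hosangit/archivecap.log          # from the thread

log() { echo "$(date) $*" >> "$LOGFILE"; }

# Prints the path of the most recently modified *.cap file in $1 (the one the
# capture is still writing), or nothing if the directory holds no captures.
newest_capture() {
    dir=$1
    set -- "$dir"/*.cap
    [ -e "$1" ] || return 0
    ls -t "$dir"/*.cap | head -n 1
}

# Moves every closed capture file from $1 to $2, gives it to group $3 with
# mode 640 (owner read/write, group read, nothing for others) and prints the
# number of files moved.
archive_closed_captures() {
    src=$1; dst=$2; group=$3
    mkdir -p "$dst"
    keep=$(newest_capture "$src")
    moved=0
    for f in "$src"/*.cap; do
        [ -e "$f" ] || continue            # glob matched nothing
        [ "$f" = "$keep" ] && continue     # still being written by the capture
        mv -f "$f" "$dst"/ || continue
        target=$dst/$(basename "$f")
        chgrp "$group" "$target" 2>/dev/null || echo "warning: cannot chgrp $target" >&2
        chmod 640 "$target"
        moved=$((moved + 1))
    done
    echo "$moved"
}

case "${1:-}" in
    run)
        log "archiving closed capture files"
        n=$(archive_closed_captures "$CAPTURE_DIR" "$ARCHIVE_DIR" "$ARCHIVE_GROUP")
        log "archived $n file(s)"
        ;;
esac
```

Run as `./archive_captures run` from the 59 23 * * * line instead of the pkill-based script; because the open file is never touched, the chkshark watchdog never has to restart anything after an archive pass.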



1 month later...

Silly question, but how do you STOP tshark from running in Ubuntu?





I want to free up some memory for ntop so it will stop crashing every other day due to lack of memory which is being consumed by tshark.





Thanks (cron works great with your recommendations)





A few different ways you can kill a process in Linux (especially Ubuntu):









kill $(pgrep tshark)

killall -v tshark

pkill tshark

kill `ps -ef | grep tshark | grep -v grep | awk '{print $2}'`







I personally use:



#sudo killall tshark

