Using tshark in Ubuntu

I’m not the best at Linux, but I am someone who can usually figure things out. I am running tshark (instead of tcpdump) so I get better data when analyzing with Wireshark. I want to run a check to make sure that tshark continues to run and, if not, start it up again, and also chmod the .cap files so I can copy them down via FTP and analyze them.

First, let’s create the script that checks whether tshark is running and, if not, launches it.

ShellScript
#!/bin/sh
SERVICE='tshark'
echo "`date` Validating $SERVICE is running" >> /home/hosangit/archivecap.log
if ps ax | grep -v grep | grep $SERVICE > /dev/null
then
    echo "`date` $SERVICE service running, everything is fine" >> /home/hosangit/archivecap.log
    chmod 777 /home/hosangit/captures/*.cap
else
    echo "`date` $SERVICE is not running!!!!!" >> /home/hosangit/archivecap.log
    echo "`date` Attempting to start $SERVICE now...." >> /home/hosangit/archivecap.log
    tshark -i eth0 -n -t ad -b filesize:20000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap &
    echo `ps -e|grep tshark` >> /home/hosangit/archivecap.log
fi

Let’s save this file as archivecap and make it executable: sudo chmod +x /home/hosangit/archivecap

Now let’s test it by running it (from the home directory /home/hosangit): ./archivecap

If everything works, let’s make a cronjob to run this every hour:

ShellScript
sudo crontab -e 
00 * * * * /home/hosangit/archivecap 
15 * * * * chmod 777 /home/hosangit/captures/*.* 
30 * * * * chmod 777 /home/hosangit/captures/*.* 
45 * * * * chmod 777 /home/hosangit/captures/*.*

Note: I have to chmod the capture files because I am using a sudo cron so I can launch tshark, which means I don’t have rights to FTP the files down (I get the error “can not open file”), so I have to change the permissions on the files so I can FTP them down, which seems to work. So I set up a sudo cron to change permissions every 15 minutes.

I am noticing that every hour this script actually restarts tshark instead of just checking to see if it is running.

Prior to the cron running I perform a

ShellScript
ps -e|grep tshark

and I see tshark running. Then on the hour when the cron runs, it says it isn’t running and then starts it up. So it must have something to do with the check. Maybe the file doesn’t exist.

I updated the script and now it seems to be working better.

ShellScript
#!/bin/sh

STARTTSHARK="tshark -i eth0 -n -t ad -b filesize:20000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap"
LOGFILE=/home/hosangit/archivecap.log
SERVICE='tshark'

echo "`date` Validating $SERVICE is running" >> $LOGFILE
if ps ax | grep -v grep | grep $SERVICE > /dev/null
then
    echo "`date` $SERVICE service running, everything is fine" >> $LOGFILE
    chmod 777 /home/hosangit/captures/*.cap
    echo "`date` Finished chmod *.cap files" >> $LOGFILE
else
    echo "`date` $SERVICE is not running, restarting $SERVICE" >> $LOGFILE
    checktshark=`ps ax | grep -v grep | grep -c tshark`
    if [ $checktshark -le 0 ]
    then
        $STARTTSHARK
        if ps ax | grep -v grep | grep $SERVICE > /dev/null
        then
            echo "`date` $SERVICE service is now restarted, everything is OK" >> $LOGFILE
        else
            echo "`date` Unable to start $SERVICE, suggest reboot" >> $LOGFILE
        fi
    fi
    echo "`date` Exiting archivecap" >> $LOGFILE
fi

tshark would close after about 10 files (20 MB or 15 MB each), so I changed to 12 MB files and it appeared to run better, but after the 15-minute run of archivecap I ran ps -e|grep tshark and noticed the process ID had changed. In short, my script is restarting tshark when it was running just fine.

I believe the chmod part of my script is what is breaking tshark, because I am chmod-ing an open file that tshark is using, so what I am going to try is taking that part out and seeing if tshark will continue to run even when the cron runs the check.

Okay, it appears the issue has been resolved by implementing two solutions.

SOLUTION #1

Use two scripts, so that the 15-minute check never touches the files tshark has open (the chmod on in-use files was the suspected cause of the restarts).

/home/hosangit/chkshark (purpose: run every 15 minutes, validate that tshark is running and, if not, start it)

ShellScript
#!/bin/sh
STARTSHRK="tshark -i eth0 -q -l -n -t ad -b filesize:18000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap"
LOGFILEC=/home/hosangit/chkshark.log
SERVICE='tshark'

echo "`date` Validating $SERVICE is running" >> $LOGFILEC
if ps ax | grep -v grep | grep $SERVICE > /dev/null
then
    echo "`date` $SERVICE service running, everything is fine" >> $LOGFILEC
else
    echo "`date` $SERVICE is not running, restarting $SERVICE" >> $LOGFILEC
    checktshark=`ps ax | grep -v grep | grep -c tshark`
    if [ $checktshark -le 0 ]
    then
        $STARTSHRK &
        if ps ax | grep -v grep | grep $SERVICE > /dev/null
        then
            echo "`date` $SERVICE service is now restarted, everything is OK" >> $LOGFILEC
        else
            echo "`date` Unable to start $SERVICE, suggest reboot" >> $LOGFILEC
        fi
    fi
    echo "`date` Exiting chkshark" >> $LOGFILEC
fi

/home/hosangit/archivecap (purpose: at 23:59, stop tshark, move all capture files to the archive directory and change their permissions so they can be downloaded)

ShellScript
#!/bin/sh

STOPTSHARK="pkill tshark"
MOVEFILES="mv -f /home/hosangit/captures/*.* /home/hosangit/captures/archive"
LOGFILE=/home/hosangit/archivecap.log

echo "`date` Starting Archive of Capture Files" >> $LOGFILE
echo "`date` Stopping tshark" >> $LOGFILE
$STOPTSHARK
sleep 5

echo "`date` Moving files to Archive directory" >> $LOGFILE
$MOVEFILES
sleep 5

echo "`date` Changing permissions to allow FTP download" >> $LOGFILE
chmod 777 /home/hosangit/captures/archive/*.cap
sleep 5

echo "`date` Done" >> $LOGFILE

SOLUTION #2

Alter the tshark launch command to include the -q and -l options, which helps keep tshark up and running (see the chkshark script above for the exact command).

Also, do not put “tshark” in the name of the check script itself: the script’s ps | grep tshark test would then match its own process and report that tshark is running when it is not.

It is important to install these entries in the root crontab (sudo crontab -e):

ShellScript
00 * * * * /home/hosangit/chkshark
15 * * * * /home/hosangit/chkshark
30 * * * * /home/hosangit/chkshark
45 * * * * /home/hosangit/chkshark
59 23 * * * /home/hosangit/archivecap
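The same procedure (a check every 15 minutes, a stop/move/chmod pass at 23:59) written as one script with three helpers, as an added example that is not part of the original post. It differs from the page’s scripts in three ways. It records the PID of the capture it started and tests that PID with kill -0, so the check can never match the watchdog’s own name or an unrelated process, which is what ps | grep tshark risks. It starts tshark under nohup with stdout and stderr redirected to a file: under cron a job’s output is a pipe that cron reads in order to mail it, a backgrounded tshark inherits that pipe, and once the job exits and cron closes it, the next write (such as the running packet count that -q suppresses) terminates the process with SIGPIPE, so redirecting removes that failure path regardless of -q. And it stops the capture with SIGTERM, which tshark handles by closing the current file, before moving anything, then makes the archived files 0640 with a group for the download account instead of 0777. The paths, the pid file location, the script name capwatch and the group name ftpusers are assumptions; the tshark command line is the page’s own.

```shell
#!/bin/sh
# Added example, not the original post's code: watchdog + daily archive in one script.
# Assumed locations; override from the environment or edit in place.
CAPDIR=${CAPDIR:-/home/hosangit/captures}
ARCHDIR=${ARCHDIR:-/home/hosangit/captures/archive}
PIDFILE=${PIDFILE:-/var/run/tshark-capture.pid}   # assumed pid file path
LOG=${LOG:-/home/hosangit/chkshark.log}
FTPGROUP=${FTPGROUP:-ftpusers}                    # assumed group of the FTP account

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOG"; }

# True when PID $1 exists and is not a zombie (a zombie still answers kill -0).
proc_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    [ "$(ps -o stat= -p "$1" 2>/dev/null | cut -c1)" != Z ]
}

# True when the capture recorded in $PIDFILE is alive. Testing a recorded PID
# instead of grepping ps means the watchdog's own name can never match.
capture_running() {
    [ -r "$PIDFILE" ] || return 1
    proc_alive "$(cat "$PIDFILE")"
}

# Start "$@" unless the recorded capture is already alive. Output goes to a
# file rather than cron's pipe, so the process cannot die of SIGPIPE after the
# cron job that started it has exited; nohup makes it ignore SIGHUP as well.
ensure_running() {
    if capture_running; then
        log "already running, pid $(cat "$PIDFILE")"
        return 0
    fi
    log "not running, starting: $*"
    nohup "$@" >>"${LOG%.log}.out" 2>&1 &
    echo $! >"$PIDFILE"
    sleep 1
    if ! capture_running; then
        log "failed to start"
        return 1
    fi
    log "started pid $(cat "$PIDFILE")"
}

# Stop the recorded capture with SIGTERM (tshark closes the current file on
# it), wait up to 10 s, then SIGKILL as a last resort, and drop the pid file.
stop_capture() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || return 0
    if proc_alive "$pid"; then kill -TERM "$pid" 2>/dev/null || true; fi
    i=0
    while [ "$i" -lt 10 ] && proc_alive "$pid"; do
        i=$((i + 1)); sleep 1
    done
    if proc_alive "$pid"; then
        log "pid $pid ignored SIGTERM, killing"
        kill -KILL "$pid" 2>/dev/null || true
    fi
    wait "$pid" 2>/dev/null || true   # reap it when it is this shell's child
    rm -f "$PIDFILE"
}

# Move finished *.cap files into $ARCHDIR and make them readable by the
# download account with 0640 plus the FTP group (when root), not 0777.
# Prints the number of files archived. Call stop_capture first.
archive_captures() {
    mkdir -p "$ARCHDIR"
    n=0
    for f in "$CAPDIR"/*.cap; do
        [ -e "$f" ] || continue
        mv -f "$f" "$ARCHDIR"/
        chmod 0640 "$ARCHDIR/${f##*/}"
        if [ "$(id -u)" = 0 ]; then
            chgrp "$FTPGROUP" "$ARCHDIR/${f##*/}" 2>/dev/null || true
        fi
        n=$((n + 1))
    done
    log "archived $n file(s) to $ARCHDIR"
    echo "$n"
}

# The page's own capture command; left unquoted below so it word-splits.
CAPTURE_CMD="tshark -i eth0 -q -l -n -t ad -b filesize:18000 -b files:1000 -w $CAPDIR/tshark_USTRO.cap"

# Entry points for the root crontab (sudo crontab -e), assumed path /usr/local/sbin/capwatch:
#   */15 * * * * /usr/local/sbin/capwatch check
#   59 23 * * *  /usr/local/sbin/capwatch archive
case "${1:-}" in
    check)   ensure_running $CAPTURE_CMD ;;
    archive) stop_capture; archive_captures >/dev/null; ensure_running $CAPTURE_CMD ;;
esac
```

One caveat that applies to any pid-file check: after a reboot, or if the capture dies and its PID is reused by an unrelated process, kill -0 succeeds against the wrong process. Clearing the pid file at boot (a @reboot cron entry, or keeping it under /var/run, which is cleared on boot on Ubuntu) keeps the window small.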

Silly question, but how do you STOP tshark from running in Ubuntu?

I want to free up some memory for ntop so it will stop crashing every other day due to lack of memory which is being consumed by tshark.

Thanks (cron works great with your recommendations)

There are a few different ways to kill a process in Linux (Ubuntu included).

ShellScript
kill $(pgrep tshark)
killall -v tshark
pkill tshark
kill $(ps -ef | grep tshark | grep -v grep | awk '{print $2}')

I personally use

ShellScript
sudo killall tshark
