tcpdump en masse (solaris)
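#!/bin/bash
# tcpdump en masse (Solaris): start one capture per zone per interface,
# let them run for ${how_long}, then stop only the captures this script
# started. Output goes to /var/tmp/pcap/<YYYYMMDD>/<zone>-<ts>-<link>.pcap.
#
# Requires: zoneadm, dladm, nawk, tcpdump; run as root from the global zone.

# How long should we capture? (any argument sleep(1) accepts)
how_long="2h"

# We could use some interface names
declare -a ifaces
ifaces+=("net2")
ifaces+=("aggreth0")

# What systems should we target?
# If you want the global include it here
# This list limits captures per zone and
# filters captures by host(s) on ${ifaces[@]}
declare -a filter
filter+=("global")
filter+=("zone-1")
filter+=("zone-2")
filter+=("zone-3")

# Create a filter for zoneadm list to limit scope of capture to.
# Joined with '|' for egrep; like the original this is a substring match,
# so "zone-1" also selects e.g. "zone-10" — use exact names if that matters.
efilter="$(IFS='|'; printf '%s' "${filter[*]}")"

# Acquire an array of zones to capture for.
# shellcheck disable=SC2207 -- zone names contain no whitespace, splitting is safe
zones=( $(zoneadm list 2>/dev/null | egrep -i "${efilter}") )

# Create a pcap filter from ${filter[@]}: "host A or host B ...", skipping
# any entry containing "global". Kept as an array so every token reaches
# tcpdump as its own argument without relying on unquoted word-splitting.
declare -a pcap_filter
for h in "${filter[@]}"; do
  case "${h}" in
    *global*) continue ;;
  esac
  [ "${#pcap_filter[@]}" -gt 0 ] && pcap_filter+=("or")
  pcap_filter+=("host" "${h}")
done

# Setup some environment for captures and meta data for files
ts=$(date +%Y%m%d-%H%M%S)
d=/var/tmp/pcap/$(date +%Y%m%d)
# Capture files hold raw traffic: keep the directory (and, via the inherited
# umask, the pcaps tcpdump creates) readable by the owner only.
umask 077
mkdir -p -m 0700 -- "${d}" || { printf 'cannot create %s\n' "${d}" >&2; exit 1; }

# PIDs of the tcpdump processes *this* script started, so the shutdown at
# the end stops only these and not every tcpdump on the host.
declare -a pids

# Iterate ${zones[@]} and do work
for zone in "${zones[@]}"; do
  # Iterate ${ifaces[@]}
  for iface in "${ifaces[@]}"; do
    # Get the link and handle ${iface} for global in the process
    if [[ "${zone}" == *global* ]]; then
      interface="$(dladm | nawk -v i="^${iface}$" '$1 !~ /\// && $1 ~ i{print $1}')"
    else
      interface="$(dladm | nawk -v z="^${zone}" -v i="${iface}" '$1 ~ z && $5 ~ i{print $1}')"
    fi
    # Nothing matched for this zone/interface: skip rather than start a capture on "".
    [ -n "${interface}" ] || continue
    # Start capturing on ${interface}. -Z root keeps tcpdump running as root
    # (no privilege drop); -C 100 rolls the file at ~100 MB; -s 128 caps snaplen.
    tcpdump -i "${interface}" -Z root -C 100 -s 128 \
      -w "${d}/${zone}-${ts}-${interface}.pcap" "${pcap_filter[@]}" &
    pids+=("$!")
  done
done

if [ "${#pids[@]}" -eq 0 ]; then
  printf 'no zone/interface matched; nothing to capture\n' >&2
  exit 1
fi

# Go to sleep robot
sleep "${how_long}"

# Wake up and stop the captures we started: TERM lets tcpdump flush and close
# its pcap cleanly; KILL is only a fallback for anything that ignores TERM.
kill -TERM "${pids[@]}" 2>/dev/null
sleep 5
for p in "${pids[@]}"; do
  kill -0 "${p}" 2>/dev/null && kill -KILL "${p}" 2>/dev/null
done
wait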