[aklug] Re: Linux certification

From: Shane Spencer <shane@bogomip.com>
Date: Tue Dec 01 2009 - 11:45:14 AKST

Haha.. I do indeed hate it but it probably works just fine if you want
to follow something around the network. We all have our crazy
scripts.

I use ulogd-pcap, a modified logrotate config, and firewall rules to
log traffic off to pcap files without needing to set promisc on my
devices. However it requires a bit of iptables setup. It's not as
purposed as the script below.

On Tue, Dec 1, 2009 at 11:37 AM, Leif Sawyer <lsawyer@gci.com> wrote:
> Damien Hull writes:
>> Thanks for the examples. I haven't had a chance to look at
>> any bash scripting yet. I should have time this weekend.
>>
>> Umm... What's up with those expressions? I don't get them,
>> regular or otherwise. Guess I'll learn once I start reading
>> about shell scripting. In case anyone is confused it's the
>> stuff inside the brackets.
>>
>>      if [ "$TEST" = "yes" ]
>
> that's a shortcut for the 'test' (or '[') command.
>
>   test "$TEST" = "yes"    # returns either 1 or 0
>
>
> And for everybody's super fun time pleasure maki ono discuss,
> here's the startup script that I use on my distributed sniffer
> platform.  It runs on multiple types of boxes from a 2G system
> flash drive, so I like it to be generic.
> If it detects a management interface, it'll auto-skip it, otherwise
> any ethernet 'eth*' are valid.  It also auto-detects link-state
> and vlan information (only 1 vlan per IF, currently, so no trunks)
>
> There's probably going to be some line wraps, but meh.
>
> Caveat: Shane Spencer will hate this.
>
> #!/bin/bash
> # (c) 2009 Leif Sawyer
>
> # here's where we store our capturefiles
> DATAMOUNT="/data"
>
> # Nothing to see...
> ##############################################
>
> PATH=/bin:/usr/bin:/sbin:/usr/sbin
>
> # Array of system interfaces to check
> declare -a SYSIFACES
>
> # Array of real interfaces to use for sniffing (raw, vlan, etc)
> declare -a REALIFACES
>
> # will we need to load the 802.1q module?
> NEEDVLANMOD=0
>
> MTD=$(mount | grep ${DATAMOUNT})
> if [ -z "${MTD}" ]; then
>         echo "${DATAMOUNT} partition not mounted, aborting"
>         exit 1
> fi
>
> # Check for 'management' interfaces
> DEFIF=$(netstat -rn | grep '0.0.0.0.*UG')
> # keep just the 'ethN' name from the default-route line
> DEFIF="${DEFIF//*eth/eth}"
>
> # if there's no management interface, give grep a fake regexp to avoid breaky
> DEFIF="${DEFIF:-^$}"
>
> # get a count of available ports, except for management, for sizing the datafile counts.
> #  Include any existing VLANS, but exclude their parent physical interfaces.
> SYSIFACES=$(ip link show | grep "eth[0-9]" | grep UP |
>                  grep -v "${DEFIF}" | cut -f 2 -d: | cut -f 1 -d@)
> VLANPARENTS=$(ip link show | grep "@eth"| cut -f 2 -d: | cut -f 2 -d@ | sort -u )
> for i in $VLANPARENTS; do
>         SYSIFACES=$(for v in ${SYSIFACES}; do echo $v | egrep -vw "${i}\$" ; done)
> done
>
> # Make sure we only include 'up' interfaces in the list
> declare -a TEMPIFS
> for IFACE in ${SYSIFACES}; do
>         link=$(ethtool ${IFACE} | grep Link)
>         link="${link##*no*}"
>         if [ -n "${link}" ]; then
>                 # Always a pointer to the 'next' available slot in zero-based counting.
>                 IND=${#TEMPIFS[@]}
>                 TEMPIFS[IND]="${IFACE}"
>         fi
> done
> SYSIFACES=( ${TEMPIFS[@]} )
>
> # SYSIFACES is an array now, so expand every element, not just the first
> SYSIFACEC=$(echo ${SYSIFACES[@]}|wc -w)
>
> # avoid dividing by zero below when nothing usable was found
> if [ ${SYSIFACEC} -eq 0 ]; then
>         echo "no usable sniffing interfaces found!"
>         exit 1
> fi
>
> # figure out how many data files we can store without disk-full errors
> FREE=$( df -k ${DATAMOUNT} | awk '{print $4}' | tail -1 )
> COUNT=$( expr ${FREE} / 1000 / 512 / ${SYSIFACEC} )
>
> if [ ${COUNT} -lt 2 ];
> then
>         echo "not enough free space on ${DATAMOUNT}!"
>         exit 255
> fi
>
> for IFACE in ${SYSIFACES[@]}
> do
>         # Check for vlan interfaces: tcpdump -e prints 'ethertype 802.1Q' for tagged frames
>         IND=${#REALIFACES[@]}
>         USE_VLAN=$(tcpdump -i ${IFACE} -e -X -c 1 2>&1 | grep -i 802.1Q)
>         REALIFACES[$IND]="${IFACE}"
>         if [ -n "${USE_VLAN}" ];
>         then
>                 VLAN_ID=$(tcpdump -i ${IFACE} -X -c 1 2>&1 | grep vlan |
>                                     cut -f 1 -d, | awk '{print $3}' )
>                 if [ -n "${VLAN_ID}" ]; then
>                         REALIFACES[$IND]="${IFACE}.${VLAN_ID}"
>                         NEEDVLANMOD=1
>                 fi
>         fi
> done
>
> if [ $NEEDVLANMOD -eq 1 ];
> then
>         modprobe -q 8021q
> fi
>
> # taken care of by shutdown script
> # > ${DATAMOUNT}/.sniffer/pids
>
> for i in $(seq 0 $((${#REALIFACES[@]} - 1)))
> do
>         # echo "found ${REALIFACES[i]}" #DEBUG
>
>         exists=$( ip link show ${REALIFACES[i]} 2>&1 | grep UP | awk '{print $3}')
>         if [ -z "${exists}" ]; then
>                 # This interface doesn't yet exist? Probably a VLAN, so bring it up
>                 VLANID="${REALIFACES[i]##*.}"
>                 ETHIF="${REALIFACES[i]%%.*}"
>                 if [ -n "${VLANID}" ]; then
>                         vconfig add $ETHIF $VLANID
> # adding a vlan mungs the parent interface, and this -should- restore it but doesn't.
> #                       vconfig set_flag ${ETHIF}.${VLANID} REORDER_HDR 0
>                         ifconfig ${ETHIF}.${VLANID} up
>                 fi
>         fi
>
>         ethstat=$( ip link show ${REALIFACES[i]} 2>&1 | grep UP | awk '{print $3}')
>         if [ -n "${ethstat}" ]; then
>                 ifconfig ${REALIFACES[i]} promisc >/dev/null 2>&1
>                 ETH_OK=$?
>                 if [ "${ETH_OK:-255}" -eq 0 ]; then
>                         tpid=$(ps -ef | grep tshark | grep ${REALIFACES[i]} |
>                                      awk '{print $2}')
>
>                         if [ -z "${tpid}" ]; then
>                                 tshark -n -q -i ${REALIFACES[i]} -a filesize:512000 \
>                                         -b files:${COUNT} -w ${DATAMOUNT}/${REALIFACES[i]}.cap &
>                                 stat=$?
>                         fi
>                         sleep 3
>
>                         tpid=$(ps -ef | grep tshark | grep ${REALIFACES[i]} |
>                                      awk '{print $2}')
>                         if [ -n "${tpid}" ]; then
>                                 echo "${tpid}" >> ${DATAMOUNT}/.sniffer/pids
>                         fi
>
>                 fi
>         fi
> done
>
> echo "capture running on ${#REALIFACES[@]} interface(s), max ${COUNT} files per instance"
>
> exit 0
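The interface-selection and capture-file sizing steps of the quoted script, as an added example that is not code from the thread, rewritten as shell functions over a constructed `ip link show` sample so they can be checked without real NICs; the function names, the sample text and the `none` placeholder for "no management interface" are assumptions, and the ethtool link-state check is left out.

```shell
#!/bin/bash
# Added example, not Leif's script: the interface-pick and ring-buffer sizing
# steps as functions over constructed input. Function names and the sample
# `ip link show` text are assumptions; ethtool link detection is left out.

# Constructed `ip link show` sample: eth0 is the management interface, eth1 is
# up, eth2 is down, eth1.100 is a VLAN child of eth1 (so eth1 gets dropped).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN
5: eth1.100@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'

# pick_sniff_ifaces [MGMT_IF] < ip-link-text
# Prints one capture interface per line: eth* flagged UP, minus the management
# interface (matched as a whole name, so eth1 never hides eth10) and minus any
# interface that is the parent of a VLAN interface.
pick_sniff_ifaces() {
    local mgmt="${1:-none}"   # "none" is not a valid ifname, so nothing is excluded
    local input ifaces parent
    input=$(cat)
    ifaces=$(printf '%s\n' "$input" | grep 'eth[0-9]' | grep ',UP' \
             | grep -v "^[0-9]*: ${mgmt}[:.@]" | cut -f 2 -d: | cut -f 1 -d@ | tr -d ' ')
    for parent in $(printf '%s\n' "$input" | grep '@eth' | cut -f 2 -d: \
                    | cut -f 2 -d@ | tr -d ' ' | sort -u); do
        ifaces=$(printf '%s\n' $ifaces | grep -vx "$parent" || true)
    done
    [ -n "$ifaces" ] && printf '%s\n' $ifaces
    return 0
}

# ring_file_count FREE_KB NIFACES [FILESIZE_KB]
# Capture files per interface that fit in FREE_KB (df -k units), each file
# FILESIZE_KB large as given to tshark -a filesize:; refuses the
# zero-interface case that the original expr would divide by.
ring_file_count() {
    local free_kb=$1 n=$2 size_kb=${3:-512000}
    if [ "$n" -le 0 ]; then echo 0; return 1; fi
    echo $(( free_kb / size_kb / n ))
}

# Demonstration over the constructed sample with eth0 as management interface.
printf '%s\n' "$SAMPLE_IP_LINK" | pick_sniff_ifaces eth0   # prints eth1.100
ring_file_count 20480000 2                                   # prints 20
```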
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Tue Dec 1 11:45:48 2009

This archive was generated by hypermail 2.1.8 : Tue Dec 01 2009 - 11:45:48 AKST