diff --git a/triggertrace b/triggertrace
new file mode 100644
index 0000000..c12e4cc
--- /dev/null
+++ b/triggertrace
@@ -0,0 +1,147 @@
+#!/usr/bin/env bash
+
+##################################
+# Constants / global variables
+##################################
+SCRIPTNAME=`basename "$0"`
+VERSION="0.0.1"
+LOGLEVEL=INFO
+LOGFILE=/var/log/triggertrace.log
+INTERFACE=eth0 # interface to monitor
+CAPDEST=/tmp/ # capture destination path
+THRESHOLD=4000 # threshold in packets per second (pps)
+SLEEPTIME=30 # sleeptime in seconds
+HELP_TEXT="
+ $SCRIPTNAME v$VERSION
+
+ This is triggertrace, it will create tcpdump tracefiles
+ when a threshold of pps has been triggered
+
+Usage:
+ $SCRIPTNAME -l -L
+
+Options:
+ -h|--help Display this help
+ -l|--logfile Specify logfile with path (Default: /var/log/triggertrace.log)
+ -L|--loglevel Logging level needs to be DEBUG, INFO, WARN or ERROR. (Default: INFO)
+
+Command:
+ start start triggertrace (Required)
+
+Examples:
+ $SCRIPTNAME start
+ $SCRIPTNAME -l mylogfile.log -L INFO start
+
+
+"
+
+##################################
+# Functions
+##################################
+
+# Logging functions
+log_output () {
+ echo `date "+%Y/%m/%d %H:%M:%S"`" $1"
+ echo `date "+%Y/%m/%d %H:%M:%S"`" $1" >> $LOGFILE
+}
+
+log_debug () {
+ if [[ "$LOGLEVEL" =~ ^(DEBUG)$ ]]; then
+ log_output "DEBUG $1"
+ fi
+}
+
+log_info () {
+ if [[ "$LOGLEVEL" =~ ^(DEBUG|INFO)$ ]]; then
+ log_output "INFO $1"
+ fi
+}
+
+log_warn () {
+ if [[ "$LOGLEVEL" =~ ^(DEBUG|INFO|WARN)$ ]]; then
+ log_output "WARN $1"
+ fi
+}
+
+log_error () {
+ if [[ "$LOGLEVEL" =~ ^(DEBUG|INFO|WARN|ERROR)$ ]]; then
+ log_output "ERROR $1"
+ fi
+}
+
+# Help output
+usage () {
+ echo "$HELP_TEXT"
+}
+
+main () {
+ log_output "starting $0"
+
+ while /bin/true; do
+ pktbefore=`grep $INTERFACE: /proc/net/dev | cut -d : -f2 | awk '{ print $2 }'`
+ sleep 1
+ pktafter=`grep $INTERFACE: /proc/net/dev | cut -d : -f2 | awk '{ print $2 }'`
+
+ pkts=$(( $pktafter - $pktbefore ))
+ log_output "`date` $pkts packets/s"
+
+ if [ $pkts -gt $THRESHOLD ]; then
+ log_output "`date` threshold over $THRESHOLD pps, 
capturing 2000 packets." + tcpdump -n -s0 -c 2000 -w $CAPDEST/trace-"$(date +"%Y_%m_%d_%H_%M")".cap + log_output "`date` Packets captured, sleeping $SLEEPTIME seconds..." + sleep $SLEEPTIME + fi + done +} + +################################# +# Main +################################# + +# Check if a param is set to a valid value +if [[ ! "$LOGLEVEL" =~ ^(DEBUG|INFO|WARN|ERROR)$ ]]; then + log_error "Logging level needs to be DEBUG, INFO, WARN or ERROR." + usage + exit 1 +fi + +# display usage when no parameter specified +if [[ ! "$1" ]]; then + usage + exit 0 +fi + +# Get input parameters +while [[ "$1" != "" ]]; do + case "$1" in + -l | --logfile ) + shift + LOGFILE=$1 + ;; + -L | --loglevel ) + shift + LOGLEVEL=$1 + ;; + -h | --help ) + usage + exit 0 + ;; + -* ) + echo -e "Error: Unknown parameter: $1\r" >&2 + usage + exit 1 + ;; + start ) + main "$@" + ;; + * ) + echo -e "Error: Unknown command: $1\r" >&2 + usage + exit 1 + ;; + esac + shift +done + +# logic starts here +main "$@"
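Review bot: The log-level check `if [[ ! "$LOGLEVEL" =~ ^(DEBUG|INFO|WARN|ERROR)$ ]]; then` runs before the option loop, so it only ever sees the built-in default and a `-L bogus` argument is accepted silently; worse, the message inside it is sent through `log_error`, which is itself gated on a valid `$LOGLEVEL`, so the diagnostic can never be printed — move the block after `done` and report with `printf '%s\n' "Logging level needs to be DEBUG, INFO, WARN or ERROR." >&2` (also rejecting an empty value, since `-l`/`-L` as the last argument leave `$1` unset after the `shift` and `>> $LOGFILE` then fails with an ambiguous redirect). The `start` arm calls `main "$@"`, which never returns, so the following `shift`/`done` and the trailing `main "$@"` are dead on that path, while a run with only options and no `start` still falls through to the trailing `main "$@"` although the help text marks the command as required; setting a flag in the arm and testing it after the loop would make both paths match the documentation. Full-payload captures (`-s0`) are written under `CAPDEST=/tmp/` with a predictable, time-based name, which places potentially sensitive traffic in a shared, world-readable location — a dedicated capture directory with restrictive permissions (root-owned, mode 0700) is the safer default. `$LOGFILE`, `$INTERFACE`, `$CAPDEST` and `$pkts` are all expanded unquoted (e.g. `>> $LOGFILE`, `[ $pkts -gt $THRESHOLD ]`), and a missing or misnamed interface leaves `pktbefore`/`pktafter` empty so the arithmetic and the `-gt` test error on every iteration of the loop; a guard such as `[[ "$pkts" =~ ^[0-9]+$ ]] || { log_output "ERROR no counters for $INTERFACE"; exit 1; }` after the subtraction keeps that from spamming the log.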