tcpdump247.default

# tcpdump247 (bash) settings

# use ENABLED=0 or ENABLED=1
ENABLED=0

# =====================================================================
if test $ENABLED -ne 0; then # --skipping below if not enabled--

# helpers
IFACE=`/sbin/ip route get 1.2.3.4 | sed -e 's/.* dev //;s/ .*//;q'`
spooldir_exists=$(test -d /var/spool/tcpdump && echo true || echo false)
mkdir -p /var/spool/tcpdump
if ! $spooldir_exists; then
    # Try changing ownership to tcpdump if we created it.
    # On some systems, tcpdump will change to the tcpdump
    # user. Ignore any errors if no such user exists.
    chown tcpdump: /var/spool/tcpdump 2>/dev/null || true
    chmod 0700 /var/spool/tcpdump || true
fi

# a bash(1) list of argument strings. these will be expanded, so make
# sure you enclose single arguments with extra quotes. e.g.:
# "-i eth0 '(udp and port 5060)'"
# Add "-U" to "-w" if you expect little traffic. That way, tcpdump will
# not buffer before writing the pcaps. (tcpdump sadly does not have a HUP/USR1
# to force-flush.)
ARGS_LIST=(
    # SIP traffic split up on UDP and TCP
    "-i $IFACE -pnns0 -w /var/spool/tcpdump/udp5060.pcap. -W 100 -C 20 '(udp and port 5060) or (ip[6:2] & 0x1fff != 0)'"
    "-i $IFACE -pnns0 -w /var/spool/tcpdump/tcp5060.pcap. -W 100 -C 20 tcp and port 5060"
    # MySQL traffic, but only if (non-ACK) flags are set
    # Used to diagnose who disconnects when
    "-i $IFACE -pnns0 -Uw /var/spool/tcpdump/3306synfinrst.pcap. -W 10 -C 10 'tcp and port 3306 and (tcp[13] & 0x47) != 0'"
)

fi # --skipped above if not enabled--
# =====================================================================

# TCP flags mnemonic:
#   'tcp[13] & 32 != 0'  # URG "Unskilled"
#   'tcp[13] & 16 != 0'  # ACK "Attackers"
#   'tcp[13] &  8 != 0'  # PSH "Pester"
#   'tcp[13] &  4 != 0'  # RST "Real"
#   'tcp[13] &  2 != 0'  # SYN "Security"
#   'tcp[13] &  1 != 0'  # FIN "Folk"
# Or, use constants, e.g.:
#   'tcp[tcpflags]&(tcp-syn|tcp-rst)!=0'
#
# vim: set syn=sh ts=8 sw=4 sts=4 et ai: