I'm not the best at Linux, but I am someone who can usually figure things out. I am running tshark (instead of tcpdump) so I get better data when analyzed with Wireshark. I want to run a check to make sure that tshark continues to run and, if not, start it up again, and also chmod the .cap files so I can copy them down via FTP and analyze them.
First, let's create the script that checks whether the tshark service is running and, if not, launches it.
#!/bin/sh
SERVICE='tshark'
echo "`date` Validating $SERVICE is running" >> /home/hosangit/archivecap.log
# Look for any process whose ps line contains the service name
# (grep -v grep drops the grep process itself from the listing)
if ps ax | grep -v grep | grep $SERVICE > /dev/null
then
    echo "`date` $SERVICE service running, everything is fine" >> /home/hosangit/archivecap.log
    chmod 777 /home/hosangit/captures/*.cap
else
    echo "`date` $SERVICE is not running!!!!!" >> /home/hosangit/archivecap.log
    echo "`date` Attempting to start $SERVICE now...." >> /home/hosangit/archivecap.log
    # Ring-buffer capture: 20000 KB per file, at most 1000 files, run in the background
    tshark -i eth0 -n -t ad -b filesize:20000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap &
    echo `ps -e|grep tshark` >> /home/hosangit/archivecap.log
fi

Let's save this file as archivecap and make it executable by typing:

sudo chmod +x /home/hosangit/archivecap
Now let's test it by running it (if you are in your home directory, hosangit):

./archivecap
If everything works, let's make a cron job to run this every hour:
sudo crontab -e

00 * * * * /home/hosangit/archivecap
15 * * * * chmod 777 /home/hosangit/captures/*.*
30 * * * * chmod 777 /home/hosangit/captures/*.*
45 * * * * chmod 777 /home/hosangit/captures/*.*

Note: I have to chmod the capture files because I am using a sudo cron so I can launch tshark, which means I don't have rights to FTP the files down (I get an error "can not open file"), so I have to change the permissions on the files so I can FTP them down, which seems to work. So I set up a sudo cron to change permissions every 15 minutes.
I am noticing that every hour this script actually restarts tshark instead of just checking to see if it is running.
Prior to the cron running I perform a

ps -e|grep tshark

and I see tshark running. Then on the hour when the cron runs it says it isn't running and then starts it up. So it must have something to do with the check. Maybe the file doesn't exit.
Updated the script and now it seems to be working better.
#!/bin/sh
STARTTSHARK="tshark -i eth0 -n -t ad -b filesize:20000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap"
LOGFILE=/home/hosangit/archivecap.log
SERVICE='tshark'
echo "`date` Validating $SERVICE is running" >> $LOGFILE
if ps ax | grep -v grep | grep $SERVICE > /dev/null
then
    echo "`date` $SERVICE service running, everything is fine" >> $LOGFILE
    chmod 777 /home/hosangit/captures/*.cap
    echo "`date` Finished chmod *.cap files" >> $LOGFILE
else
    echo "`date` $SERVICE is not running, restarting $SERVICE" >> $LOGFILE
    # Count matching processes a second time before starting
    checktshark=`ps ax | grep -v grep | grep -c tshark`
    if [ $checktshark -le 0 ]
    then
        # Started in the foreground (no trailing &): the script waits here until
        # tshark exits. The later chkshrk version backgrounds this command.
        $STARTTSHARK
        if ps ax | grep -v grep | grep $SERVICE > /dev/null
        then
            echo "`date` $SERVICE service is now restarted, everything is OK" >> $LOGFILE
        else
            echo "`date` Unable to start $SERVICE, suggest reboot" >> $LOGFILE
        fi
    fi
    echo "`date` Exiting archivecap" >> $LOGFILE
fi

tshark would close after about 10 (20 MB or 15 MB) files, so I changed to 12 MB files and it appeared to be running better, but after my 15-minute run of archivecap I ran ps -e|grep tshark and noticed the process ID had changed. So, in short, my script is restarting tshark when it was running just fine.
I believe the chmod part of my script is what is breaking tshark, because I am running chmod on an open file that tshark is using, so what I am going to try is taking that part out and seeing if tshark will continue to run even when the cron runs the check.
Okay, it appears the issue has been resolved by implementing two solutions.
SOLUTION #1
Use two scripts (you cannot do a chmod on files that are in use or it will kill the process).
/home/hosangit/chkshrk (purpose: check every 15 minutes that tshark is running and, if not, start it up)

#!/bin/sh
# -q keeps tshark from printing the packet counter, -l flushes its output;
# 18000 KB per file, ring buffer of at most 1000 files
STARTSHRK="tshark -i eth0 -q -l -n -t ad -b filesize:18000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap"
LOGFILEC=/home/hosangit/chkshark.log
SERVICE='tshark'
echo "`date` Validating $SERVICE is running" >> $LOGFILEC
if ps ax | grep -v grep | grep $SERVICE > /dev/null
then
    echo "`date` $SERVICE service running, everything is fine" >> $LOGFILEC
else
    echo "`date` $SERVICE is not running, restarting $SERVICE" >> $LOGFILEC
    checktshark=`ps ax | grep -v grep | grep -c tshark`
    if [ $checktshark -le 0 ]
    then
        # Background the capture so the script (and cron) does not wait on it
        $STARTSHRK &
        sleep 2    # added here: give tshark a moment to start before re-checking
        if ps ax | grep -v grep | grep $SERVICE > /dev/null
        then
            echo "`date` $SERVICE service is now restarted, everything is OK" >> $LOGFILEC
        else
            echo "`date` Unable to start $SERVICE, suggest reboot" >> $LOGFILEC
        fi
    fi
    echo "`date` Exiting chkshark" >> $LOGFILEC
fi

/home/hosangit/archivecap (purpose: at 23:59, copy all capture files to the archive directory and change their permissions so they can be downloaded)
#!/bin/sh
STOPTSHARK="pkill tshark"
MOVEFILES="mv -f /home/hosangit/captures/*.* /home/hosangit/captures/archive"
LOGFILE=/home/hosangit/archivecap.log
echo "`date` Starting Archive of Capture Files" >> $LOGFILE
echo "`date` Stopping tshark" >> $LOGFILE
# Stop the capture first so no file is still open when it is moved
$STOPTSHARK
sleep 5
echo "`date` Moving files to Archive directory" >> $LOGFILE
$MOVEFILES
sleep 5
echo "`date` Changing permissions to allow FTP download" >> $LOGFILE
chmod 777 /home/hosangit/captures/archive/*.cap
sleep 5
echo "`date` Done" >> $LOGFILE
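The archive step above grants world read and write (chmod 777) on files that hold raw packet data. A narrower way to let the download account read them is to give the archived files that account's group and mode 640. The script below is an added example, not the post's archivecap, of that approach: it stops the capture by exact executable name, moves the ring-buffer files, then tightens permissions. The directory paths default to the ones used in the post; DOWNLOAD_GROUP (defaulting to hosangit), the log path under /tmp, STOP_WAIT and the "run" argument convention are assumptions made here, and pkill/pgrep are expected from procps.

```shell
#!/bin/sh
# Added example (not the post's archivecap script): stop the capture, move the
# ring-buffer files into an archive directory, and make them readable by the
# download account's group (mode 640) rather than world-writable (777).
# Assumed: DOWNLOAD_GROUP is the group of the account that fetches the files;
# the directory paths default to the ones used in the post.

CAPTURE_DIR="${CAPTURE_DIR:-/home/hosangit/captures}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/home/hosangit/captures/archive}"
DOWNLOAD_GROUP="${DOWNLOAD_GROUP:-hosangit}"   # assumption: the FTP login's group
LOGFILE="${LOGFILE:-/tmp/archivecap.log}"      # assumption: constructed log path
STOP_WAIT="${STOP_WAIT:-5}"                    # seconds to let tshark flush and exit

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOGFILE"
}

# Ask the capture process (matched by exact executable name) to exit, wait
# for it to flush and close its files, and return 0 only if none is left.
stop_capture() {
    pkill -x "$1" 2>/dev/null || true
    sleep "$STOP_WAIT"
    ! pgrep -x "$1" > /dev/null 2>&1
}

# Move every *.cap file out of CAPTURE_DIR, then restrict the archived copies
# to owner read/write and group read. Prints the number of files archived.
archive_captures() {
    mkdir -p "$ARCHIVE_DIR" || return 1
    count=0
    for f in "$CAPTURE_DIR"/*.cap; do
        [ -f "$f" ] || continue        # an unmatched glob stays literal; skip it
        mv -f "$f" "$ARCHIVE_DIR"/ || return 1
        count=$((count + 1))
    done
    if [ "$count" -gt 0 ]; then
        # Group ownership lets the download account read without 777;
        # if the group does not exist, fall back to owner-only access.
        chgrp "$DOWNLOAD_GROUP" "$ARCHIVE_DIR"/*.cap 2>/dev/null \
            && chmod 640 "$ARCHIVE_DIR"/*.cap \
            || chmod 600 "$ARCHIVE_DIR"/*.cap
    fi
    log "archived $count capture file(s) to $ARCHIVE_DIR"
    echo "$count"
}

# Permission string of a file (e.g. -rw-r-----), using only ls and cut.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Only act when invoked with "run", so sourcing the file just defines functions.
case "${1:-}" in
    run)
        log "stopping tshark before archiving"
        stop_capture tshark || log "warning: tshark still running after $STOP_WAIT s"
        archive_captures > /dev/null
        ;;
esac
```

Schedule it from the same 23:59 line as the post's version, adding the argument (59 23 * * * /home/hosangit/archivecap run). The FTP login must be a member of DOWNLOAD_GROUP for mode 640 to give it read access; nothing else on the box gains access to the captures.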
SOLUTION #2
Alter the tshark launch command to include the -q and -l options, which help keep tshark up and running (see the chkshrk script above for the exact command).
Also, do not use "tshark" in a filename when one of the calls in your script checks whether anything with "tshark" in it is running and, if so, treats everything as fine.
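The check in chkshrk greps the whole ps ax listing for the word tshark, which is what makes a file or script name containing "tshark" a problem. Below is an added example, not the post's chkshrk script, of the same watchdog written around pgrep -x (exact executable-name match), with the capture started detached from cron's output pipe. It assumes pgrep from procps is installed; the capture command, interface and paths are copied from the post, while the log path under /tmp, START_WAIT and the "run" argument convention are choices made here.

```shell
#!/bin/sh
# Added example (not the post's chkshrk script): a cron watchdog that tests
# for the exact executable name with pgrep -x instead of grepping ps ax
# output, so a log or capture file named "tshark_..." or the script's own
# command line can never satisfy the check.
# Assumed: the capture command, interface and paths below are taken from the
# post; LOGFILE defaults to a constructed path under /tmp.

SERVICE_NAME="${SERVICE_NAME:-tshark}"
LOGFILE="${LOGFILE:-/tmp/chkshark.log}"
START_CMD="${START_CMD:-tshark -i eth0 -q -l -n -t ad -b filesize:18000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOGFILE"
}

# Returns 0 if a process whose executable name is exactly $1 exists, 1 otherwise.
is_running() {
    pgrep -x "$1" > /dev/null 2>&1
}

# Start the capture detached from cron: stdin from /dev/null and all output
# to the log file, so the job never blocks on cron's output pipe (tshark's
# per-packet counter on stdout is what -q silences). Re-check after a short
# grace period instead of immediately.
start_service() {
    # shellcheck disable=SC2086  # START_CMD is intentionally word-split
    nohup $START_CMD < /dev/null >> "$LOGFILE" 2>&1 &
    sleep "${START_WAIT:-2}"
    is_running "$SERVICE_NAME"
}

# The watchdog itself: returns 0 when the service is up or was brought up.
ensure_running() {
    if is_running "$SERVICE_NAME"; then
        log "$SERVICE_NAME is running, nothing to do"
        return 0
    fi
    log "$SERVICE_NAME not running, starting it"
    if start_service; then
        log "$SERVICE_NAME started"
        return 0
    fi
    log "unable to start $SERVICE_NAME"
    return 1
}

# Only act when invoked with "run", so sourcing the file defines the functions
# without touching any process.
case "${1:-}" in
    run) ensure_running ;;
esac
```

Install it with an argument in the root crontab (*/15 * * * * /home/hosangit/chkshark run). Because the match is on the executable name, capture and log files may contain the word tshark without tripping the check, and the script cannot be fooled into skipping a restart by its own command line.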
It is important to set this up in the sudo crontab:
00 * * * * /home/hosangit/chkshark
15 * * * * /home/hosangit/chkshark
30 * * * * /home/hosangit/chkshark
45 * * * * /home/hosangit/chkshark
59 23 * * * /home/hosangit/archivecap

Silly question, but how do you STOP tshark from running in Ubuntu?
I want to free up some memory for ntop so it will stop crashing every other day due to lack of memory, which is being consumed by tshark.
Thanks (cron works great with your recommendations)
A few different ways you can kill a process in Linux (especially Ubuntu):
kill $(pgrep tshark)

killall -v tshark

pkill tshark

kill `ps -ef | grep tshark | grep -v grep | awk '{print $2}'`
I personally use
sudo killall tshark