Article

How to Set Up a Background Ring-Buffer Trace on a Linux Appliance

Objective
Set up a background ring-buffer trace on a Linux-based NetSight/XMC or NAC/Control appliance to capture the traffic leading into the problem state.
Environment
All Linux platforms.
 
Procedure
To start the trace:

1. Access the Linux CLI via SSH.
2. Execute the following command:

tcpdump -i eth0 -n -s 0 -C 10 -W 3 -w rotate.pcap &

3. Leave the SSH session open, or close it by typing "exit". Note: if you close the SSH session by simply closing PuTTY, the process will stop.

To stop the trace:
1. Access the Linux CLI via SSH.
2. List the running processes to find the running trace:
ps -aef | grep tcpdump
3. Record the Process ID (PID) of the running trace (the first number after the username root):
root      2187  2123  0 10:46 pts/0    00:00:00 tcpdump -i eth0 -n -s 0 -C 10 -W 3 -w rotate.pcap
4. Stop the running trace by killing the PID:
kill -3 <PID>
Additional notes
The tcpdump parameters needed to set this up are defined as follows:
-C <number_of_megabytes_after_which_to_rotate_file>
-W <number_of_files_through_which_to_rotate>

Using the example in the Procedure section above, -C 10 -W 3 will create (3) capture files (named "rotate.pcap0", "rotate.pcap1", and "rotate.pcap2" respectively), each no larger than (10) MB.  When "rotate.pcap2" reaches (10) MB, tcpdump goes back and begins overwriting the (3) files, starting with "rotate.pcap0".  This ensures that, no matter when you stop the trace, you will have the issue captured, plus up to (20) MB of lead-in.  These parameters can be adjusted to increase or reduce the amount of lead-in to the problem state.

Executing the tcpdump command with the trailing ampersand (&) runs the command as a background job.  This detaches the command from the SSH session (or terminal) that launched it, allowing the session to be closed (by typing "exit") without causing the trace to stop running.

Capture filters can be used with this ring-buffer trace just like a normal tcpdump command.  For example, to capture only RADIUS data as a ring-buffer trace, the command would be:
tcpdump -i eth0 -n -s 0 -C 10 -W 3 -w rotate.pcap port 1812 &
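As an added example (not the article's own commands), the following POSIX sh wrapper builds the ring-buffer command from the Procedure with validated -C/-W values, starts it under nohup so that it also survives a closed PuTTY window, and stops it with SIGTERM, which tcpdump catches so the current capture file is flushed and closed. The PID file and log file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the article; PIDFILE and LOGFILE paths are assumptions.
PIDFILE="${PIDFILE:-/var/run/ring-trace.pid}"
LOGFILE="${LOGFILE:-/var/tmp/ring-trace.log}"

# -C and -W must be positive integers; reject empty, non-numeric, zero or
# leading-zero values before they reach tcpdump.
is_posint() {
    case "$1" in ''|*[!0-9]*|0*) return 1 ;; *) return 0 ;; esac
}

# Build the command line from the article: interface, -C size in MB, -W file
# count, output prefix, and an optional capture filter such as "port 1812".
ring_trace_cmd() {
    iface=$1; size_mb=$2; nfiles=$3; prefix=$4; filter=$5
    is_posint "$size_mb" && is_posint "$nfiles" || return 1
    printf 'tcpdump -i %s -n -s 0 -C %s -W %s -w %s' "$iface" "$size_mb" "$nfiles" "$prefix"
    [ -n "$filter" ] && printf ' %s' "$filter"
    printf '\n'
}

# Disk the ring can occupy (-W files of up to -C MB each) and the lead-in that
# is guaranteed to be on disk: every file except the one currently being written.
ring_capacity_mb() { echo $(( $1 * $2 )); }
ring_leadin_mb()   { echo $(( $1 * ($2 - 1) )); }

# Start detached: nohup makes tcpdump ignore the SIGHUP a closed PuTTY window
# sends, so the trace survives it, unlike a bare trailing "&". Needs root.
start_ring_trace() {
    cmd=$(ring_trace_cmd "$@") || { echo "invalid -C or -W value" >&2; return 1; }
    nohup sh -c "exec $cmd" >/dev/null 2>"$LOGFILE" &
    echo $! > "$PIDFILE"
}

# Stop with SIGTERM, which tcpdump catches to flush and close the current
# capture file, then wait (up to 10 s) for the process to exit.
stop_ring_trace() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || return 1
    kill -TERM "$pid" 2>/dev/null || return 1
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
    rm -f "$PIDFILE"
}

# Usage: ring-trace.sh start eth0 10 3 /var/tmp/rotate.pcap 'port 1812' | ring-trace.sh stop
case "${1:-}" in
    start) shift; start_ring_trace "$@" ;;
    stop)  stop_ring_trace ;;
esac
```

With the article's values (-C 10 -W 3) ring_leadin_mb reports the same 20 MB of guaranteed lead-in that the notes above describe.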
