tcpdump output to Log file in human readable text format and Rotating the Log file using Logrotate
Sniffing the network for SIP traffic and storing it in a text file:
Here we are trying to write the output of tcpdump into one text file. I know we have the -w option, which writes the data to a PCAP file, but that is binary format, and I wanted text.
We also have many other applications which generate CDRs, but I only wanted the REGISTRATION status of all phones in my LAN. They are all connected to different servers and providers.
So the better approach is to redirect the tcpdump output to one file using the redirection operator (>) and then rotate that file every 30 seconds using the logrotate utility of the Linux system.
We are going to run one Python script which will act as a scheduler: it will rotate the log file every 30 seconds. Then we will apply our parse_register.py logic to the rotated file.
Once we get the registration data, we will write those results into SQLite3 and then remove the parsed file.
Log Rotate Option for REGISTER Monitoring :
apt install logrotate
vim /etc/logrotate.d/sip_trace.conf

# Contents of sip_trace.conf
/tmp/sip/trace {
    # rotate once the trace file exceeds 10 KB
    size 10k
    # (no effect together with copytruncate: the original file stays in place)
    create 700 root root
    # keep trace.1 ... trace.20
    rotate 20
    # copy to trace.1, then truncate trace in place, so tcpdump keeps writing to the same file
    copytruncate
}
Now rotate the log file using the following command:
logrotate -s /var/log/logstatus /etc/logrotate.d/sip_trace.conf
We need to run the above logrotate command every 30 seconds. I am thinking of using a Python scheduler instead of cron.
TCPDUMP command to write the data into a TEXT FILE:
tcpdump -n -q -tttt -s 0 -A -i eth0 port 6060 > /tmp/sip/trace
Here is my flow:
First of all, start tcpdump using the following command. Make sure to run it as a daemon.
tcpdump -n -q -tttt -s 0 -A -i eth0 port 6060 > /tmp/sip/trace
Now tcpdump will write the trace to the /tmp/sip/trace file.
After 30 seconds, our Python scheduler will call the following logrotate command
logrotate -s /var/log/logstatus /etc/logrotate.d/sip_trace.conf
which reads sip_trace.conf and, if /tmp/sip/trace has exceeded 10k in size, creates a new file named trace.1 in the same folder, copies the trace data into trace.1 and truncates the trace file.
Now we have two files, trace and trace.1, and trace.1 contains all our data.
After running logrotate, our Python script takes the trace.1 file, parses it for registrations and stores the data into SQLite3. Then it deletes the trace.1 file from that folder.
After the next 30 seconds, the Python scheduler runs logrotate again, which creates a new trace.1, and the same process repeats.
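The whole cycle above (rotate, parse trace.1 for REGISTER requests, store in SQLite3, delete trace.1) as one script. This is an added example, not the post's parse_register.py: the database path, the register_data table layout (columns taken from the post's query output), the header regexes and the sample tcpdump -tttt -A trace used by demo() are my assumptions and constructed for illustration.

```python
"""Scheduler for the flow above: every 30 seconds run logrotate, parse the rotated
trace (/tmp/sip/trace.1) for SIP REGISTER requests, store them in SQLite3 and delete
the rotated file. Added example; paths, table layout and the sample trace are assumed."""
import os
import re
import sqlite3
import subprocess
import tempfile
import time

ROTATED = "/tmp/sip/trace.1"                          # produced by logrotate (from the post)
LOGROTATE_CMD = ["logrotate", "-s", "/var/log/logstatus",
                 "/etc/logrotate.d/sip_trace.conf"]   # the command from the post
DB_PATH = "/tmp/sip/register.db"                      # assumed database location
INTERVAL = 30                                         # seconds between rotations

# tcpdump -tttt starts each packet with "YYYY-MM-DD HH:MM:SS.usec IP ..."; with -A the
# SIP request line follows the printed IP/UDP header bytes on the next line.
PKT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP6? .*$", re.M)
REQ_RE = re.compile(r"REGISTER sips?:\S+ SIP/2\.0")   # request line only; a 200 OK has REGISTER just in CSeq
TO_RE = re.compile(r"^To:.*?sips?:([^@>;\s]+)", re.M | re.I)
CONTACT_EXP_RE = re.compile(r"^Contact:.*?;expires=(\d+)", re.M | re.I)
EXPIRES_RE = re.compile(r"^Expires:\s*(\d+)", re.M | re.I)

SCHEMA = """CREATE TABLE IF NOT EXISTS register_data (
    id INTEGER PRIMARY KEY AUTOINCREMENT, user TEXT NOT NULL,
    register_time TEXT NOT NULL, expires INTEGER,
    is_processed INTEGER NOT NULL DEFAULT 0)"""

# Constructed sample of what "tcpdump -n -q -tttt -s 0 -A" writes: three REGISTER requests
# and one 200 OK response (which must not be counted). Header bytes are shown as tcpdump
# prints non-printable characters, i.e. as dots.
SAMPLE_TRACE = (
    "2017-10-09 11:28:47.512345 IP 192.0.2.10.6060 > 192.0.2.1.6060: UDP, length 312\n"
    "E..T..@.@.....REGISTER sip:pbx.example.net SIP/2.0\n"
    "From: <sip:21476D23@pbx.example.net>;tag=a1\nTo: <sip:21476D23@pbx.example.net>\n"
    "CSeq: 1 REGISTER\nContact: <sip:21476D23@192.0.2.10:6060>\nExpires: 120\n\n"
    "2017-10-09 11:28:47.600000 IP 192.0.2.1.6060 > 192.0.2.10.6060: UDP, length 280\n"
    "E..H..@.@.....SIP/2.0 200 OK\nTo: <sip:21476D23@pbx.example.net>;tag=b2\n"
    "CSeq: 1 REGISTER\nContact: <sip:21476D23@192.0.2.10:6060>;expires=120\n\n"
    "2017-10-09 11:25:25.000001 IP 192.0.2.11.6060 > 198.51.100.5.6060: UDP, length 290\n"
    "E..R..@.@.....REGISTER sip:provider.example SIP/2.0\nTo: <sip:10000@provider.example>\n"
    "CSeq: 7 REGISTER\nContact: <sip:10000@192.0.2.11:6060>;expires=600\n\n"
    "2017-10-09 11:22:24.000001 IP 192.0.2.12.6060 > 198.51.100.5.6060: UDP, length 250\n"
    "E..P..@.@.....REGISTER sip:provider.example SIP/2.0\n"
    "To: \"Desk 20000\" <sip:20000@provider.example>\nCSeq: 3 REGISTER\nContact: *\nExpires: 0\n"
)


def parse_register_trace(text):
    """Return [(user, register_time, expires)] for every REGISTER request in the trace text."""
    records = []
    parts = PKT_RE.split(text)                        # ["", ts1, packet1, ts2, packet2, ...]
    for ts, packet in zip(parts[1::2], parts[2::2]):
        if not REQ_RE.search(packet):
            continue
        to = TO_RE.search(packet)
        if not to:
            continue                                  # malformed packet, skip
        # RFC 3261: an expires= parameter on Contact wins over the Expires header; with
        # neither, the phone leaves the lifetime to the registrar, stored here as NULL.
        exp = CONTACT_EXP_RE.search(packet) or EXPIRES_RE.search(packet)
        records.append((to.group(1), ts, int(exp.group(1)) if exp else None))
    return records


def store_registrations(conn, records):
    """Insert parsed records (is_processed defaults to 0); return how many were stored."""
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO register_data (user, register_time, expires) VALUES (?, ?, ?)",
                     records)
    conn.commit()
    return len(records)


def process_rotated_file(conn, path=ROTATED):
    """One cycle of the flow: parse trace.1, store, delete. logrotate only rotates once
    trace exceeds 10k, so on a quiet cycle there may be no trace.1 at all."""
    if not os.path.exists(path):
        return 0
    with open(path, encoding="utf-8", errors="replace") as fh:   # tolerate stray binary bytes
        stored = store_registrations(conn, parse_register_trace(fh.read()))
    os.remove(path)
    return stored


def run_scheduler(conn, interval=INTERVAL):
    """Replacement for cron: rotate, then process the rotated file, every `interval` seconds."""
    while True:
        subprocess.run(LOGROTATE_CMD, check=False)
        process_rotated_file(conn)
        time.sleep(interval)


def demo():
    """Run one cycle on the constructed sample written to a temporary file, with an
    in-memory database. Returns (rows stored, whether the file still exists, table rows)."""
    conn = sqlite3.connect(":memory:")
    fd, path = tempfile.mkstemp(prefix="trace.")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_TRACE)
    stored = process_rotated_file(conn, path)
    rows = conn.execute("SELECT user, register_time, expires, is_processed "
                        "FROM register_data ORDER BY id").fetchall()
    return stored, os.path.exists(path), rows


if __name__ == "__main__":
    run_scheduler(sqlite3.connect(DB_PATH))
```

Two notes on the capture side of this setup. Because the trace is opened with `>` rather than `>>`, tcpdump's descriptor has no O_APPEND flag: after copytruncate empties the file, the next write lands at the old offset and everything before it reads back as NUL bytes, which then sit at the start of the following trace.1 and count towards the `size 10k` threshold; opening with `>>` avoids the hole. Also, tcpdump block-buffers stdout when it is not a terminal, so add `-l` (line-buffered output) if the file should be current at the moment logrotate copies it.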
Update: It’s working fine. I am able to store all registrations into SQLite3 database.
sqlite> select * from register_data;
id|user|register_time|expires|is_processed
1|21476D23|2017-10-09 11:28:47|120|0
2|10000|2017-10-09 11:25:25|600|0
3|20000|2017-10-09 11:22:24|0|0
sqlite>