Schedule TCPDUMP with CRON

Why do I need to run tcpdump with cron?

Sometimes problems happen while we are sleeping and disappear without any intervention by the morning.
Unfortunately, we are then missing the diagnostic data needed for a proper root cause analysis.

And of course, even if we pray that those problems don't come back, they will come back.
So prepare yourself to take a tcpdump during the night and collect data! You can do it with the crontab!

What is needed?

The best option is to take the tcpdump with 2 scripts which are scheduled with the crontab.

  1. First script to start the tcpdump
  2. Second script to stop the tcpdump

Scripts

To get the tcpdump running, you can use the following command in your first bash script (you can also refer to my previous article):
/usr/sbin/tcpdump -i "$SET_INTERFACE" -s0 -w "$SAVE_IN_FOLDER/$SAVE_AS_FILE"

To stop the tcpdump after a specific period of time you can use the following part in your second bash script:

# Stop tcpdump command
# Find the PID of every running tcpdump, skipping the grep itself and the .sh wrapper scripts
PID=$(/usr/bin/ps -ef | grep tcpdump | grep -v grep | grep -v '\.sh' | awk '{print $2}')
/usr/bin/kill -9 $PID

You can find all scripts also here:
https://github.com/DanielSchwartz1/tcpdump

The scripts are called: tcpdump_getdata.sh & tcpdump_stop.sh

Crontab

This is the crontab for an example tcpdump which starts at 02:00am and stops at 02:05am.

0 2 * * * bash /tmp/tcpdump_getdata.sh
5 2 * * * bash /tmp/tcpdump_stop.sh
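
As an added example (not from this article or its GitHub repository), the start and stop steps above can be folded into one function that bounds the capture with `timeout`, so only the capture it started is signalled and the pcap is closed cleanly. It assumes GNU coreutils `timeout`; `CAPTURE_DIR`, `CAPTURE_BIN`, `bounded_capture`, the install path and `eth0` are hypothetical names.

```bash
#!/bin/sh
# Added example (not from the article or its GitHub repository).
# Assumptions: GNU coreutils `timeout` is installed; CAPTURE_DIR, CAPTURE_BIN
# and bounded_capture are hypothetical names chosen for this sketch.

CAPTURE_DIR="${CAPTURE_DIR:-/var/log/tcpdump}"   # root-owned directory, not /tmp
CAPTURE_BIN="${CAPTURE_BIN:-/usr/sbin/tcpdump}"

# usage: bounded_capture <interface> <seconds>
# Prints the pcap path on success. Runs in a subshell so umask stays local.
bounded_capture() (
    iface="$1"
    secs="$2"
    case "$secs" in ''|*[!0-9]*) echo "seconds must be a number" >&2; exit 2 ;; esac
    [ -n "$iface" ] || { echo "interface required" >&2; exit 2; }

    umask 077                      # captures can hold credentials and session data
    mkdir -p "$CAPTURE_DIR" || exit 1
    out="$CAPTURE_DIR/capture_$(date +%Y%m%d_%H%M%S).pcap"

    # timeout sends SIGTERM to this one process after $secs; tcpdump then
    # flushes its buffer and closes the file. Other tcpdump processes on the
    # host are not touched, unlike a "ps | grep tcpdump" kill.
    rc=0
    timeout "$secs" "$CAPTURE_BIN" -i "$iface" -s0 -w "$out" \
        >/dev/null 2>"$out.log" || rc=$?

    # 124 is timeout's "time limit reached" status, i.e. the planned stop.
    if [ "$rc" -eq 0 ] || [ "$rc" -eq 124 ]; then
        echo "$out"
        exit 0
    fi
    echo "capture failed (exit $rc), see $out.log" >&2
    exit "$rc"
)

# Constructed crontab entry for a 5-minute capture at 02:00, assuming this
# file is installed root-owned as /usr/local/sbin/bounded_capture.sh:
#   0 2 * * * . /usr/local/sbin/bounded_capture.sh && bounded_capture eth0 300
```

A non-zero exit makes cron mail the error line, so a capture that never started is visible the next morning instead of silently missing.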

Summary

The crontab can be very useful when you need to gather diagnosis data during a time you are not available (e.g. when you sleep).
With the scripts on my GitHub repository you should be able to take a tcpdump without problems.

If you want to know more about it, join my Slack Workspace or send me an email.