
Wireshark-users: Re: [Wireshark-users] remote capture framework

Date: Sat, 15 May 2010 00:04:01 -0400
On Fri, May 14, 2010 at 09:43:49AM -0700, Phil Paradis wrote:

> It's not all that difficult to do on-demand captures and/or
> filtering with the init script; for on-demand captures, you can use
> chkconfig (or equivalent) to turn it on and off as desired. For
> filtering, you can either put the filter into the script (say in a
> variable at the top) or read it from a separate file on start.

It's already possible for people to do a packet capture now if they
log in and run tcpdump themselves.  The trick is to let them do this
remotely.  From a central NOC, people need to be able to identify
which system and interface will assist with their troubleshooting;
then specify a filter for the system and interface; also specify
criteria like capture size, ring vs. stop, and snaplen; start the
capture; get status; stop the capture; and transfer the capture file
to a local computer for analysis.

rpcap can do some of this, but is more oriented towards streaming.  Is
there anything (free) out there that does this already?  Max suggested
modifying rpcap.  I'm more of a Perl guy than a C guy, though, so it
might be easier for me to write something new in Perl than modify
something in C.

- Morty
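As an added illustration of the workflow the message lists (pick an interface, give a filter, set snaplen, choose ring vs. stop with a size, then start / status / stop), here is a small sh wrapper around Wireshark's own dumpcap. It is example code written for this page, not something Morty or the Wireshark project shipped; it assumes dumpcap is installed and uses a state directory under /var/tmp/rcap (both are assumptions), and the file transfer step is left to scp from the NOC side.

```shell
#!/bin/sh
# Added example: map the capture criteria from the mail onto dumpcap options
# and manage one capture per interface with a pidfile. Not from the thread.
RCAP_DIR=${RCAP_DIR:-/var/tmp/rcap}   # assumed state directory

# limit_args MODE SIZE_KB FILES -> dumpcap options for "ring" vs. "stop".
#   ring: rotate through FILES files of SIZE_KB each (-b), never stops.
#   stop: finish once the single file reaches SIZE_KB (-a).
limit_args() {
    case $1 in
        ring) printf -- '-b filesize:%s -b files:%s' "$2" "$3" ;;
        stop) printf -- '-a filesize:%s' "$2" ;;
        *)    echo "unknown mode: $1 (use ring|stop)" >&2; return 1 ;;
    esac
}

# cap_status IFACE -> exit 0 and print the pid if a capture is running.
cap_status() {
    pidfile=$RCAP_DIR/$1.pid
    [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null && cat "$pidfile"
}

# cap_start IFACE FILTER SNAPLEN MODE SIZE_KB FILES
#   FILTER is a BPF capture filter (dumpcap -f), SNAPLEN is bytes per packet.
cap_start() {
    iface=$1
    if cap_status "$iface" >/dev/null; then
        echo "capture already running on $iface" >&2; return 1
    fi
    mkdir -p "$RCAP_DIR"
    limits=$(limit_args "$4" "$5" "$6") || return 1
    # $limits is deliberately unquoted: it expands to several options.
    dumpcap -i "$iface" -s "$3" $limits -f "$2" -w "$RCAP_DIR/$iface.pcapng" \
        >"$RCAP_DIR/$iface.log" 2>&1 &
    echo $! >"$RCAP_DIR/$iface.pid"
}

# cap_stop IFACE: SIGINT lets dumpcap flush and close the file cleanly.
cap_stop() {
    pid=$(cap_status "$1") || { echo "no capture on $1" >&2; return 1; }
    kill -INT "$pid" && rm -f "$RCAP_DIR/$1.pid"
}

case ${1:-} in
    start)  shift; cap_start "$@" ;;   # e.g. start eth0 'port 53' 96 ring 10240 5
    status) shift; cap_status "$@" ;;
    stop)   shift; cap_stop "$@" ;;
esac
```

The resulting files land in the state directory, from where the NOC side can pull them with scp for analysis in Wireshark.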