Re: [tcpdump-workers] tcpdump: file.pcap0: Permission denied
On 02/03/2012 07:04 PM, Jerome Yanga wrote:
> The permissions on the /data directory is ...
> # ls -alh /data/
> total 4.1M
> drwxr-xr-x 2 root root 4.0K Feb 3 15:21 .
> dr-xr-xr-x. 23 root root 4.0K Feb 3 06:49 ..
> -rw-r--r-- 1 root root 4.0M Feb 3 07:29 502_capture-seed.txt

Try running 'chmod a+w /data/'. When I've done this, tcpdump drops root permissions before it starts writing.

For example, on my Fedora boxes, all of my tcpdump captures are owned by tcpdump:tcpdump. So, you could also do something with that information.

In my environment, any box that's set up doing the kind of packet capturing you're talking about is locked down so that the only people with access to that box also have root access to read the output files. So, blowing the permissions wide open isn't a big deal.

> FYI, I am running the command as root.
>
> The first command does not work even without the shell expansion date
> command.
>
> I created the seed file using the following command.
>
> dd if=/dev/zero of=/data/502_capture-seed.txt bs=$(( 1024 * 1024 )) count=4
>
> All I am doing is trying to run tcpdump so that it will create another
> file once it has reached 4MB (-C 4). I also want it to be limited to
> just 10 files (-W 10), to rotate to the next file every 5 minutes (-G
> 300), and to be compressed every time it creates a new file (-z bzip2).

I'd start with something simple and work my way up. Start with this:

    tcpdump -i eth0 -s 0 -w /data/capture_rotate_1.pcap

Then, add your other parameters one by one (see when things break) until you get back to your original:

    tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap\
     -C 4 -W 10 -G 300 -z bzip2 -F /data/capture-seed.txt

Hopefully, the permission change on the data directory will be all you need! My gut tells me that the "-F" option is going to throw you. I've never used it before, so I'm not sure...

Finally, depending on your hardware, take a look at the pbzip2 package. It is a parallel implementation of bzip2. It scales pretty linearly on multicore x86_64 CPUs. I've been very happy with it. It's also pretty easy to shoot yourself in the foot by overdoing the CPU utilization.

MJ
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
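Added example, not part of the thread or of tcpdump: a preflight check for the situation described in the message above, where tcpdump gives up root before it opens its output files, so the capture directory has to be writable by the account it switches to. The function name and the numeric uid/gid arguments are assumptions for illustration; pass the ids of the capture account on your system (for example from `id tcpdump`).

```shell
#!/bin/sh
# Added example: can the account tcpdump switches to create files in DIR?
# can_create_in DIR UID GID -> 0 yes, 1 no, 2 DIR cannot be inspected.
# Only the owner/group/other mode bits are evaluated. Supplementary
# groups, ACLs and SELinux/AppArmor policy are outside its scope.
can_create_in() {
    dir=$1 uid=$2 gid=$3
    # ls -ldn fields: mode, link count, numeric owner, numeric group, ...
    line=$(ls -ldn -- "$dir" 2>/dev/null) || return 2
    read -r mode _links owner group _rest <<EOF
$line
EOF
    # uid 0 is not bound by mode bits, which is why a capture can work
    # as root and fail once the process has switched accounts.
    if [ "$uid" -eq 0 ]; then return 0; fi
    # Exactly one permission class applies: owner, else group, else other.
    if [ "$uid" -eq "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)
    elif [ "$gid" -eq "$group" ]; then
        bits=$(printf '%s' "$mode" | cut -c5-7)
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)
    fi
    # Creating a file needs write plus search (x, or s/t with x set).
    case $bits in
        ?w[xst]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Stand-alone use: sh check.sh /data <uid> <gid>
if [ "$#" -eq 3 ]; then
    if can_create_in "$1" "$2" "$3"; then
        echo "$1: uid $2 can create capture files"
    else
        echo "$1: uid $2 cannot create capture files"
    fi
fi
```

Giving the directory to the capture account (owner or group write) satisfies the same check without opening it to every local user, which matters on hosts that are less locked down than the one described in the message.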
Re: [tcpdump-workers] tcpdump: file.pcap0: Permission denied
No dice. :( The chmod did not change anything.

I started with this and it worked.

    tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap1

As soon as I added the "-C", I got the same error.

    tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap1 -C 4

jerome

On Mon, Feb 6, 2012 at 5:54 AM, Mark W. Jeanmougin wrote:
> On 02/03/2012 07:04 PM, Jerome Yanga wrote:
>>
>> The permissions on the /data directory is ...
>> # ls -alh /data/
>> total 4.1M
>> drwxr-xr-x 2 root root 4.0K Feb 3 15:21 .
>> dr-xr-xr-x. 23 root root 4.0K Feb 3 06:49 ..
>> -rw-r--r-- 1 root root 4.0M Feb 3 07:29 502_capture-seed.txt
>
> Try running 'chmod a+w /data/'. When I've done this, tcpdump drops root
> permissions before it starts writing.
>
> For example, on my Fedora boxes, all of my tcpdump captures are owned by
> tcpdump:tcpdump. So, you could also do something with that information.
>
> In my environment, any box that's set up doing the kind of packet capturing
> you're talking about is locked down so that the only people with access to
> that box also have root access to read the output files. So, blowing the
> permissions wide open isn't a big deal.
>
>> FYI, I am running the command as root.
>>
>> The first command does not work even without the shell expansion date
>> command.
>>
>> I created the seed file using the following command.
>>
>> dd if=/dev/zero of=/data/502_capture-seed.txt bs=$(( 1024 * 1024 ))
>> count=4
>>
>> All I am doing is trying to run tcpdump so that it will create another
>> file once it has reached 4MB (-C 4). I also want it to be limited to
>> just 10 files (-W 10), to rotate to the next file every 5 minutes (-G
>> 300), and to be compressed every time it creates a new file (-z bzip2).
>
> I'd start with something simple and work my way up. Start with this:
>
> tcpdump -i eth0 -s 0 -w /data/capture_rotate_1.pcap
>
> Then, add your other parameters one by one (see when things break) until you
> get back to your original:
>
> tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap\
>  -C 4 -W 10 -G 300 -z bzip2 -F /data/capture-seed.txt
>
> Hopefully, the permission change on the data directory will be all you need!
> My gut tells me that the "-F" option is going to throw you. I've never used
> it before, so I'm not sure...
>
> Finally, depending on your hardware, take a look at the pbzip2 package. It
> is a parallel implementation of bzip2. It scales pretty linearly on
> multicore x86_64 CPUs. I've been very happy with it. It's also pretty easy
> to shoot yourself in the foot by overdoing the CPU utilization.
>
> MJ
Re: [tcpdump-workers] tcpdump: file.pcap0: Permission denied
> I am running on RHEL 6.1 with Selinux disabled.

And AppArmor disabled as well, right?
Re: [tcpdump-workers] tcpdump: file.pcap0: Permission denied
On 02/06/2012 09:54 AM, Jerome Yanga wrote:
> No dice. :( The chmod did not change anything.
>
> I started with this and it worked.
>
> tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap1
>
> As soon as I added the "-C", I got the same error.
>
> tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap1 -C 4

What's an 'ls -al /data/' show?

MJ
Re: [tcpdump-workers] tcpdump: file.pcap0: Permission denied
Here is the permission of /data/

    # ls -al /data/
    total 4104
    drwxrwxrwx 2 root root 4096 Feb 6 06:54 .
    dr-xr-xr-x. 23 root root 4096 Feb 3 06:49 ..
    -rw-rw-rw- 1 root root 4194304 Feb 3 07:29 capture-seed.txt

I saw some articles about disabling AppArmor and tried running the command but I get a response that the command does not exist. Due to this, I had assumed that I do not even have it installed.

    aa-complain /usr/bin/tcpdump

jerome

On Mon, Feb 6, 2012 at 7:01 AM, wrote:
>> I am running on RHEL 6.1 with Selinux disabled.
>
> And AppArmor disabled as well right?
Re: [tcpdump-workers] tcpdump: file.pcap0: Permission denied
Hey Jerome,

I should've been more specific. I wanted to see permissions and ownership on the files created by tcpdump. How about:

    tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap1

    tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap2\
     -C 4

    ls -al /data/

Also, I tend to do '-s 0'. Why did you pick 65535, anyway? I'm struggling on that one...

Thanks,

MJ
Re: [tcpdump-workers] tcpdump: file.pcap0: Permission denied
Mark,

I tried something and it seems to work now.

I created the file /data/capture_rotate_`date +%Y_%m_%d`.pcap2 first and changed its permission to how you suggested prior to running tcpdump and it started working properly.

I picked 65535 so I can capture everything. Though it should be the default, I just wanted to make sure that it is what I am capturing.

Thank you for the help. :)

jerome

On Mon, Feb 6, 2012 at 7:58 AM, Mark W. Jeanmougin wrote:
> Hey Jerome,
>
> I should've been more specific. I wanted to see permissions and ownership on
> the files created by tcpdump. How about:
>
> tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap1
>
> tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap2\
>  -C 4
>
> ls -al /data/
>
> Also, I tend to do '-s 0'. Why did you pick 65535, anyway? I'm struggling on
> that one...
>
> Thanks,
>
> MJ
Re: [tcpdump-workers] tcpdump: file.pcap0: Permission denied
FYI, the command below just gives me a Permission Denied error and does not create any files.

    tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap2 -C 4

jerome

On Mon, Feb 6, 2012 at 8:09 AM, Jerome Yanga wrote:
> Mark,
>
> I tried something and it seems to work now.
>
> I created the file /data/capture_rotate_`date +%Y_%m_%d`.pcap2 first
> and changed its permission to how you suggested prior to running
> tcpdump and it started working properly.
>
> I picked 65535 so I can capture everything. Though it should be
> the default, I just wanted to make sure that it is what I am
> capturing.
>
> Thank you for the help. :)
>
> jerome
>
> On Mon, Feb 6, 2012 at 7:58 AM, Mark W. Jeanmougin wrote:
>> Hey Jerome,
>>
>> I should've been more specific. I wanted to see permissions and ownership on
>> the files created by tcpdump. How about:
>>
>> tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap1
>>
>> tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap2\
>>  -C 4
>>
>> ls -al /data/
>>
>> Also, I tend to do '-s 0'. Why did you pick 65535, anyway? I'm struggling on
>> that one...
>>
>> Thanks,
>>
>> MJ