Date created: Friday, June 14, 2013 5:26:18 PM. Last modified: Wednesday, July 31, 2013 9:29:32 AM
Rotating PCAP on SIP Trunk for RTP and SIP captures
The script below is obsoleted by the tcpdump -G option, which rotates the dump file every X seconds. The filename needs to include a unique element, otherwise tcpdump performs circular logging over the same one file. Although untested, the following command produces the same results:
sudo tcpdump -G 3600 -w ./%Y-%m-%d--%H-%M-%S--carriername--turnkname.pcap
We can use this in a script for rotating PCAPs - circular-pcap.sh;
#!/bin/bash
starthour=$(date "+%H")
echo "Datetime is $(date "+%y-%m-%d %H:%M:%S")"
# -G 1800 starts a new file every 30 minutes; the strftime fields in the -w name keep each file unique
tcpdump -nlASX -s 0 -i eth0 -G 1800 -w ./%Y-%m-%d--%H-%M-%S--sip-trunk.pcap host 192.2.0.55 and udp > /dev/null 2>&1 &
while true; do
    nowhour=$(date +"%H")
    # Once the hour has changed, clean up old captures
    if [ "$nowhour" -ne "$starthour" ]
    then
        starthour=$(date "+%H")
        find ./ -maxdepth 1 -mtime +4 -name "*.pcap" -exec rm {} \;
    fi
    sleep 1800
done
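An added example, not part of the original page: the scripts here expire captures with find -mtime, which follows each file's modification time. The function below expires them on the timestamp that -w writes into the name instead, so a copied or touched capture still ages out on schedule. The function names are assumptions, and cutoff_days_ago assumes GNU date.

```shell
#!/bin/sh
# Added example: retention keyed on the timestamp in the capture's file name.
# Assumed name layout, as used on this page: %Y-%m-%d--%H-%M-%S--<label>.pcap

# prune_pcaps DIR CUTOFF
#   CUTOFF uses the same %Y-%m-%d--%H-%M-%S layout.
#   Removes captures stamped earlier than CUTOFF and prints each removed path.
#   Files that do not match the layout are left untouched.
prune_pcaps() (
    dir=$1
    cutoff=$(printf '%s' "$2" | tr -d '-')
    d='[0-9][0-9]'
    for f in "$dir"/*.pcap; do
        [ -f "$f" ] || continue
        base=${f##*/}
        case $base in
            $d$d-$d-$d--$d-$d-$d--*.pcap) ;;
            *) continue ;;
        esac
        # The first 20 characters are the timestamp; without the hyphens it is
        # a 14-digit number whose numeric order is chronological order.
        stamp=$(printf '%.20s' "$base" | tr -d '-')
        if [ "$stamp" -lt "$cutoff" ]; then
            rm -f -- "$f" && printf '%s\n' "$f"
        fi
    done
)

# cutoff_days_ago N: timestamp N days before now (assumes GNU date).
cutoff_days_ago() {
    date -d "$1 days ago" '+%Y-%m-%d--%H-%M-%S'
}

# Usage inside the rotation loop, in place of the find line:
#   prune_pcaps . "$(cutoff_days_ago 4)"
```

The captures hold SIP signalling and RTP audio, so keep the directory readable only by the account that needs them.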
Obsolete:
pcap-sip-trunk.sh - Script to capture traffic to a SIP trunk provider using tcpdump in a format that Wireshark can open. Once the file is open in Wireshark, use the "Telephony" menu at the top, then either "VoIP Calls" or "RTP > Show All Streams". Now we can see the SIP messages and RTP streams to ensure audio is being signaled correctly. Useful for one-way audio issues, loss of audio, etc. NOTE: We are deleting .pcap files older than 4 days!
#!/bin/bash
starthour=$(date "+%H")
echo "Datetime is $(date "+%y-%m-%d %H:%M:%S")"
# Start the first capture in the background and remember its PID
tcpdump -nlASX -s 0 -vvv -i eth3 host 192.2.0.55 -w "$(date "+%Y-%m-%d--%H-%M-%S--carriername--turnkname").pcap" > /dev/null 2>&1 &
dumppid=$!
echo "dumppid is $dumppid"
while true; do
    nowhour=$(date +"%H")
    # On the hour change: stop the capture, clean up old files, start a new capture
    if [ "$nowhour" -ne "$starthour" ]
    then
        starthour=$(date "+%H")
        echo "Datetime is $(date "+%y-%m-%d %H:%M:%S")"
        kill "$dumppid"
        find . -maxdepth 1 -mtime +3 -name "*.pcap" -exec rm {} \;
        tcpdump -nlASX -s 0 -vvv -i eth3 host 192.2.0.55 -w "$(date "+%Y-%m-%d--%H-%M-%S--carriername--turnkname").pcap" > /dev/null 2>&1 &
        dumppid=$!
        echo "dumppid is $dumppid"
    fi
    sleep 300
done