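#!/bin/sh
#
# Load-triggered network snapshot for a BSD host (fstat(1), tcpdump(8)).
#
# When the integer part of the 1-minute load average reaches MINLOAD (or the
# script is called with -f), this script:
#   1. takes a process listing,
#   2. captures NPKTS TCP packets on interface IF,
#   3. counts the flows sent from ADDR and extracts their source ports,
#   4. maps each source port back to owning processes with fstat.
# The report goes to stdout, progress messages to stderr.  The pcap file is
# deliberately left in place for later analysis.
#
# Usage: dump-on-load [-f]
#   -f   capture regardless of the current load
#
# Must run as root (packet capture, fstat of other users' descriptors).
# Only one instance runs at a time; a pidfile under /var/run enforces that.

set -u

MINLOAD=6
NPKTS=1000
IF=sis0
ADDR=91.121.146.101

TCPDUMP=/usr/sbin/tcpdump
FSTAT=/usr/bin/fstat

FORCE=0
[ "${1:-}" = '-f' ] && FORCE=1

# Integer part of the 1-minute load average ("... load averages: 6.12, ...").
# NOTE(review): assumes a '.' decimal separator and the "...ages:" wording of
# BSD uptime(1); anything else leaves LOAD empty, which is handled below.
LOAD=$(uptime | sed -n 's/.*ages: \([^\.]*\)\..*/\1/p')

if [ "${FORCE}" -eq 0 ]; then
	# An unparsable load used to make '[ -lt ]' fail (and so, by accident,
	# start a capture).  Refuse explicitly instead; -f still forces.
	case "${LOAD}" in
		''|*[!0-9]*)
			echo "${0}: cannot parse load average from uptime(1); use -f to force" >&2
			exit 1
			;;
	esac
	if [ "${LOAD}" -lt "${MINLOAD}" ]; then
		#echo "Load not high enough..." >&2
		exit 0
	fi
fi

PIDFILE="/var/run/$(basename "$0").pid"
if [ -e "${PIDFILE}" ]; then
	OLDPID=$(cat "${PIDFILE}" 2>/dev/null)
	# Only a live process whose PID is recorded makes us back off; an empty
	# or garbled pidfile is treated as stale and overwritten below.
	case "${OLDPID}" in
		''|*[!0-9]*) ;;
		*)
			if kill -0 "${OLDPID}" 2>/dev/null; then
				echo "${0} already running ${OLDPID}" >&2
				exit 0
			fi
			;;
	esac
fi
echo $$ > "${PIDFILE}"
# Remove the pidfile on every exit path, not only after a complete run;
# otherwise a failed capture or a signal leaves a stale pidfile behind.
trap 'rm -f -- "${PIDFILE}"' EXIT
trap 'exit 1' HUP INT TERM

# Process snapshot at trigger time, busiest by CPU/memory first.
PROCESSES=$(ps axww -O pcpu,pmem,nice,time,uid,user,gid,group | sed 1d | sort -k 2,3 -r)

TIMESTAMP=$(date +%Y-%m-%d_%H:%M:%S)
# mktemp(1) rather than a fixed /tmp name: /tmp is world-writable and a
# predictable filename could be pre-created or symlinked by a local user
# before tcpdump -w opens it.  Trailing Xs keep the template BSD/GNU portable
# (so the file has no .pcap suffix; it is still a pcap).
DUMPFILE=$(mktemp "/tmp/dump-${TIMESTAMP}.XXXXXXXX") || {
	echo "${0}: mktemp failed" >&2
	exit 1
}

echo "Capturing to ${DUMPFILE}..." >&2
# Use the same ${TCPDUMP} binary for capture and read-back, and stop if the
# capture fails rather than reporting on an empty file.
if ! "${TCPDUMP}" -i "${IF}" -c "${NPKTS}" -w "${DUMPFILE}" ip and tcp >&2; then
	echo "${0}: packet capture on ${IF} failed" >&2
	exit 1
fi

# 01:34:19.329994 white-dwarf.narf.ssji.net.23195 > cluster014.ovh.net.www: F 0:0(0) ack 4294967083 win 2048 <nop,nop,timestamp 3594572061 19> (DF)
# Fields 2 and 4 of a tcpdump line are source and destination "host.port"
# (names resolved, since -n is not given); count each distinct pair,
# most frequent first.
FLOWS="$("${TCPDUMP}" -r "${DUMPFILE}" src "${ADDR}" | cut -f 2,4 -d' ' | sort | uniq -c | sort -n -r)"

# Source port = text after the last '.' of the source field (the destination
# field is followed by ':' and end of line, so it never matches "\([^ ]*\) ").
# uniq without sort keeps the busiest-first order from FLOWS.
SRCPORTS="$(echo "${FLOWS}" | sed -n 's/^.*[0-9][0-9]*.*\.\([^ ]*\) .*/\1/p' | uniq)" # don't want to sort here

echo "Identifying sources..." >&2
FSTAT_OUT=""
for PORT in $SRCPORTS; do  # word-splitting intended: one port per line
	# PORT is derived from tcpdump's rendering of captured packets (and, with
	# name resolution, from reverse DNS).  It is spliced into a grep regex,
	# so accept only plain port numbers / service names.
	case "${PORT}" in
		''|*[!A-Za-z0-9_-]*) continue ;;
	esac
	# -e so a service name starting with '-' is not taken as an option.
	LOCALFSTAT_OUT="$("${FSTAT}" | grep -e "internet.*:${PORT}")"
	# Column 3 of fstat output is the PID; -nu de-duplicates sockets shared
	# by several descriptors of the same process.
	PIDS="$(echo "${LOCALFSTAT_OUT}" | awk '{ print $3 }' | sort -nu)"
	for PID in $PIDS; do
		LOCALFSTAT_OUT="${LOCALFSTAT_OUT}

### lsof for PID $PID
$("${FSTAT}" -p "${PID}")"
	done

	FSTAT_OUT="${FSTAT_OUT}

## lsof for port ${PORT}
${LOCALFSTAT_OUT}"
done

# Report on stdout; the pcap stays in ${DUMPFILE}.
echo "# Processes"
echo "${PROCESSES}"
echo "# Packets"
echo "${FLOWS}"
echo "# Source ports"
echo "${SRCPORTS}"
echo "${FSTAT_OUT}"

# The EXIT trap removes the pidfile.
exit 0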