Unix Script Help - Piping Output to File with time stamp

[kateinseattle]

I would like to run 'snoop' on a solaris box to capture packets. However, I would like snoop to write the packets captured to a file, i.e. snoop > filename

The problem I have is that the file gets increases in size until it runs out of disk space.

Ideally it would be great to get snoop to write to a file until it get to a certain size and then start again with a new file. The files are named with a timestamp and kept until the disk space is getting full.

Can anyone point me to bash scripts that can help me along the way?

 

[TonyGroves]

How about:
[tt]
test `stat -c %s $filename` -gt 1000000 \
&& mv $filename `date +%s`.log
[/tt]
This will rename $filename to a time-based name if it is bigger than 1MB.

 

[Annihilannic]

Unfortunately, like most tools, once snoop has the file open, even if you mv it to another name the process will still have the file open and continue writing to it.

Also unfortunately, with some tools that write sequentially to a file you can get around this by copying the file and then flattening it, i.e.

[tt]cp snoop.out snoop.out.1
> snoop.out[/tt]

... but with others (like snoop) which keep track of the offset they were writing to in the file, this does not work.

So the only alternative I can see is to run, say, a cron job every hour to kill the previous snoop and start a new snoop process using a time-based filename for output. Obviously you could make the script smarter and only do so if the file is bigger than size x, etc.

Annihilannic.

 

[taupirho]

Would using ulimit here to limit the size of files be an option? I'm an ex unixer working on VMS for last 5 years so can't test it out

 

[Annihilannic]

Interesting idea! Yeah, I guess you could do something like this:

ulimit 20480
while true
do 
    snoop -d hme0 -o snoop.out.`date +%Y%m%d%H%M%S`
done

That would make 10 megabyte output files. It's possible you would miss a small amount of traffic each time it restarts.

Annihilannic.