I want to leave something like tcpdump running for up to a week and therefore make its output as concise as possible to reduce file size and speed up post-capture analysis.
All I need to do is log the first instance of each packet source or destination (IP address and port) so I can build up a picture of what devices are communicating with my server (or vice versa).
So, once it sees a packet from IP address 192.168.1.10 to port 80, no longer capture any more packets from that address to that port.
Bonus points if it can build up a table of packet counts from each source/to each destination.
The best I've come up with so far is to run tcpdump with the -t and -q options (no timestamps and quiet, respectively) and run the output through sort and uniq to reduce (but not eliminate) the duplicates. Packets to the same destination port but from different source ports slip through this net, for example.
tcpdump's -G feature, combined with -w, to write manageable-sized pcap files, which can be post-processed after the specified interval into a more condensed format.

iptables rule would be enough to do logging for each new packet. It seems to me that the bonus points are contradictory to your first goal, as maintaining a count means having the need to see all packets and not stop after the first one.