capture-storm

#!/bin/sh

usage()
{
    cat <<__EOF__
Usage: $(basename $0) [ -l logfile ] [ -u username ]

Options:
  -l logfile            - Log messages to the specified file instead of
                          storm.log.
  -u username           - Send mail to the specified user instead of
                          \${USER}@$domain
__EOF__

    exit ${1-1}
}

log()
{
    echo "$(basename $0): $1" >&2
}

pktcount()
{
    netstat -s -p tcp | grep 'control packets' | awk '{print $1}'
}

domain=$(hostname)
domain=${domain#*.}
[ "$domain" = $(hostname -s) ] && domain= # No domain.

while [ $# -gt 0 ]; do
    case $1 in
    -h|--help)
        usage 0
        ;;
    -l)
        shift
        if [ -z "$1" ]; then
            log "log file must be a non-empty string"
            usage
        fi

        logfile="$1"
        ;;
    -u)
        shift
        if [ -z "$1" ]; then
            log "username must be a non-empty string"
            usage
        fi

        mailto="$1"@$domain
        ;;
    *)
        usage
        ;;
    esac
    shift
done

: ${mailto=${USER}@${domain}}
: ${logfile=storm.log}

if [ -n "$domain" ]; then
    log "sending notification mail to $mailto"
else
    log "no domain found, not sending mail"
fi

sudo tcpdump -i lo0 -s 0 -C 11 -W 500 -w /d2/tmp/lo.cap. &
tdpid=$!

count=$(pktcount)
i=0

while true; do
    oldcount=$count
    count=$(pktcount)
    diff=$((count - oldcount))

    if [ $((i % 60)) -eq 0 ]; then
        echo "$(date): $diff" >> $logfile
    fi

    if [ $((i % 10)) -eq 0 ]; then
        sockstat -4 -P tcp > sockstat.$((i % 500))
    fi

    if [ $diff -gt 1000 ]; then
        kill -INT $tdpid
        mail -s $(basename $0) $mailto <<__EOF__
A possible packet storm capture has been saved in /d2/tmp/lo.cap.*
on $(hostname -s). There were $((count - oldcount)) TCP control packets seen
in the last second. Exiting now!

Here's the output of sockstat -4 -P tcp:
$(sockstat -4 -P tcp)

Here's the output of ps(1):
$(ps auxwww)

Here's the output of netstat -p tcp:
$(netstat -p tcp)
__EOF__
        break
    fi
    sleep 1
    i=$((i + 1))
done

exit 0