使用tcpdump 对nginx的access.log 非400的ip进行自动抓包

时间:2023-03-08 17:35:33
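# Inspect the last line of the nginx access log; if its status field is 400,
# record the client IP and start a background tcpdump for that host.
# Intended to be invoked repeatedly (from crond or a `while` loop).
# Requires bash (uses [[ ]], (( )) and =~).
#
# NOTE(review): the page header describes this as capturing "non-400" IPs,
# but the awk filter below selects lines whose status field IS 400. The
# filter is kept exactly as written - confirm which behaviour is intended.
#
# Usage: $0 {start|clean}
#   start - inspect the log and start a capture if a new IP qualifies
#   clean - remove the capture directory (running tcpdumps are not stopped)

set -u

# Network interface to capture on.
net_card=enp0s8
# Maximum number of IPs to capture, measured as lines in the history file.
# (The original comment said 10 while the value was 1; the value is kept.)
cap_max_ip_num=1
# nginx access log to inspect. Relative to the current working directory, as
# in the original - under crond that is usually $HOME, so an absolute path
# is safer.
access_log=access.log
# Directory holding the .cap files and the history file.
cap_dir="/tmp/cap_dir/"
mkdir -p -- "$cap_dir"
# One line per IP already being captured: "<date> <ip>".
cap_ip_history_file="$cap_dir/___tcp_dump_ip"
[[ -f "$cap_ip_history_file" ]] || touch -- "$cap_ip_history_file"

#######################################
# Start a detached tcpdump for one host.
# Globals:   net_card, cap_dir (read)
# Arguments: $1 - client IP to capture
# Outputs:   writes ${cap_dir}/file<ip>.cap in the background
#######################################
mytcpdump() {
  local ip=$1
  tcpdump -i "$net_card" -w "${cap_dir}/file${ip}.cap" host "$ip" &
}

#######################################
# Check that a value taken from the access log looks like an IP literal
# before it is used as part of a filename and of a tcpdump filter expression.
# Arguments: $1 - candidate address
# Returns:   0 if it consists only of hex digits, dots and colons (IPv4/IPv6
#            characters), non-zero otherwise
#######################################
is_ip_like() {
  [[ "$1" =~ ^[0-9A-Fa-f.:]+$ ]]
}

#######################################
# Read the last access-log line; if its status field is 400 and the IP has
# not been captured yet, record it in the history file and start tcpdump.
# Globals:   access_log, cap_ip_history_file, cap_max_ip_num (read)
# Outputs:   progress messages on stdout, diagnostics on stderr
# Exits:     1 when the capture limit has already been reached
# Returns:   1 when the log yielded a value that is not an IP literal
#######################################
begin_capture() {
  local count_line ip
  count_line=$(wc -l < "$cap_ip_history_file")
  if (( count_line >= cap_max_ip_num )); then
    printf ' capture max limit !!\n' >&2
    exit 1
  fi
  # assumes a custom log format in which the status code is the 5th field
  # from the end; with the default "combined" format NF-4 lands inside the
  # quoted user-agent string - TODO confirm against the log_format in use
  ip=$(tail -n 1 -- "$access_log" | awk '{if($(NF-4)==400) print $1}')
  printf 'access the log is %s\n' "$ip"
  [[ -n "$ip" ]] || return 0
  # The first log field is only trustworthy if nginx writes $remote_addr
  # itself; reject anything that could not be an address before it reaches
  # the filesystem path and the tcpdump filter.
  if ! is_ip_like "$ip"; then
    printf 'ignoring malformed address from log: %s\n' "$ip" >&2
    return 1
  fi
  # -F: match the IP literally (dots are regex metacharacters);
  # -w: whole word, so 10.0.0.1 does not match a history line for 10.0.0.10.
  if ! grep -qwF -- "$ip" "$cap_ip_history_file"; then
    printf 'begin tcp dump %s\n' "$ip"
    printf '%s %s\n' "$(date)" "$ip" >> "$cap_ip_history_file"
    mytcpdump "$ip"
  fi
}

#######################################
# Remove the capture directory and everything in it.
# Globals:   cap_dir (read)
# Note:      tcpdump processes started earlier are not stopped; they keep
#            writing to the now-unlinked files until they exit.
#######################################
clean() {
  # ${cap_dir:?} aborts instead of running `rm -rf --` on an empty path.
  rm -rf -- "${cap_dir:?}"
}

# ${1:-} keeps `set -u` from aborting when the script is run without a verb.
case "${1:-}" in
  start)
    begin_capture
    ;;
  clean)
    clean
    ;;
  *)
    printf 'Usage: %s {start|clean}\n' "$0" >&2
    exit 1
    ;;
esac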