Is there a simple tool or utility I can use to buffer a network capture for say the last 3 minutes and if an event happens perhaps by a GPIO trigger or UDP message I write the last 3 minutes and the following 1 minute to disk? We have a network freeze that occurs between 40 minutes and 14 hours and I'd like to capture network traffic around the detected event time to better understand the situation. I have used tcpdump and wireshark in the past before but have always manually triggered the start and stop of the captures and I need the stop time to be automated and want to avoid recording a bunch of irrelevant data. Most of our development environments are using Ubuntu 18.04 if that matters.
At this point we're not limited to any language or building the tool from scratch if needed.
You could try running a script that launches 2 instances of dumpcap, one to capture all traffic into a ring buffer of limited duration and files, and the other instance to merely wait for the capture event in question. Once the capture event occurs, the 2nd instance of dumpcap could terminate, sleep for 1 minute, and then the remaining dumpcap instance could be killed. For example:
#!/bin/sh
echo "Starting capture instance ..."
# Ring buffer: 2 files of 180 s each, so 180..360 s of history exist at any moment.
dumpcap -i eth0 -f "TBD Capture Filter" -b duration:180 -b files:2 -w file.pcapng &
CAPTURE_PID=$!
echo "Starting event instance ..."
# -c 1: exit as soon as the first packet matching the event filter is seen.
dumpcap -i eth0 -f "TBD Event Capture Filter" -c 1
echo "Got event; sleeping for 60 seconds ..."
sleep 60
echo "Stopping the ring-buffer dumpcap instance ..."
# Stop only the instance we started (not every dumpcap on the box); SIGTERM lets it close the file cleanly.
kill -TERM "$CAPTURE_PID"
wait "$CAPTURE_PID"
echo "Done."
When capturing has finished, you should be left with up to 2 files containing the last 6 minutes (maximum) of data. You can even add a mergecap command to the script to merge the 2 files together if you wish: mergecap -F pcapng -w file.pcapng file_*.pcapng (mergecap needs -w for the output file; the ring-buffer files are named file_<seq>_<timestamp>.pcapng).
And in case the 2nd dumpcap instance leaves behind its temporary capture file, you can clean that up as well if you wish, e.g., rm -f /tmp/wireshark*
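As an added example (not part of the answer above, and not Wireshark project code): the same ring-buffer idea, but with the trigger being a UDP datagram as the question asked, so no second dumpcap instance is needed. It also works out how many ring files are required so that at least the requested pre-event window is always on disk: with -b duration:D -b files:F the newest file may hold anywhere from 0 to D seconds, so only the F-1 completed files are guaranteed. Interface name, UDP port, trigger text and file prefix are assumptions for illustration; running it for real needs dumpcap and mergecap on PATH plus capture rights on the interface.

```python
#!/usr/bin/env python3
"""Triggered pre/post-event capture on top of a dumpcap ring buffer.

Added example, not code from the answer above. Interface, port, trigger
text and file prefix are assumptions for illustration.
"""
import glob
import signal
import socket
import subprocess
import sys
import time

TRIGGER_TEXT = b"FREEZE"   # assumed payload of the trigger datagram


def ring_buffer_args(pre_seconds, file_seconds):
    """Build dumpcap -b options that keep at least pre_seconds of history.

    With "-b duration:D -b files:F" the newest file holds 0..D seconds, so
    only the F-1 completed files are guaranteed. Keeping ceil(pre/D) + 1
    files retains between (F-1)*D and F*D seconds.
    Returns (args, min_kept_seconds, max_kept_seconds).
    """
    if pre_seconds <= 0 or file_seconds <= 0:
        raise ValueError("windows must be positive")
    files = -(-pre_seconds // file_seconds) + 1      # ceil(pre/D) + the live file
    args = ["-b", "duration:%d" % file_seconds, "-b", "files:%d" % files]
    return args, (files - 1) * file_seconds, files * file_seconds


def is_trigger(datagram):
    """Accept only an exact (whitespace-trimmed) match; stray traffic must not fire it."""
    return datagram.strip() == TRIGGER_TEXT


def wait_for_trigger(port, timeout=None):
    """Block until a trigger datagram arrives on the UDP port; return the sender (ip, port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)          # None = wait forever; otherwise socket.timeout is raised
        while True:
            data, peer = sock.recvfrom(1024)
            if is_trigger(data):
                return peer


def capture_around_event(iface, prefix, port, pre_seconds=180, post_seconds=60,
                         file_seconds=60, capture_filter=None):
    """Run the ring buffer, wait for the trigger, keep post_seconds more, then merge."""
    args, lo, hi = ring_buffer_args(pre_seconds, file_seconds)
    cmd = ["dumpcap", "-i", iface, "-q", "-w", prefix + ".pcapng"] + args
    if capture_filter:
        cmd += ["-f", capture_filter]
    print("ring buffer keeps %d..%d s of history; waiting for trigger on udp/%d" % (lo, hi, port))
    proc = subprocess.Popen(cmd)
    try:
        peer = wait_for_trigger(port)
        print("trigger from %s:%d; capturing %d more seconds" % (peer[0], peer[1], post_seconds))
        time.sleep(post_seconds)
    finally:
        proc.send_signal(signal.SIGTERM)  # dumpcap stops cleanly and closes the file on SIGTERM
        proc.wait()
    # dumpcap names ring files <prefix>_<seq>_<timestamp>.pcapng; sorted order == capture order.
    # The [0-9] keeps our own merged output (if any) out of the input list.
    parts = sorted(glob.glob(prefix + "_[0-9]*.pcapng"))
    merged = prefix + "_merged.pcapng"
    subprocess.run(["mergecap", "-w", merged] + parts, check=True)
    return merged, parts


if __name__ == "__main__":
    # e.g.  sudo python3 capture_trigger.py eth0 9999
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9999
    prefix = "freeze-%d" % int(time.time())   # fresh prefix so old ring files are not merged in
    out, parts = capture_around_event(iface, prefix, port)
    print("merged %d file(s) into %s" % (len(parts), out))
```

Fire the trigger from whatever detects the freeze, e.g. printf FREEZE | nc -u -w1 <host> 9999 (netcat-openbsd on Ubuntu); a GPIO-driven version only needs wait_for_trigger swapped for a poll of the input line. With the defaults (180 s window, 60 s files) four ring files are kept, so the merged file covers between 180 and 240 s before the trigger plus 60 s after it.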