Linux – tcpdump – rotate capture files using -G, -W and -C

linuxmacostcpdumpunix

I'm looking to be able to capture a rotating tcpdump output which captures 30 minutes worth of data, into 48 files, cyclically.

The man page implies this should be possible, but my testing doesn't seem to produce the result I'm looking for:

-W

      Used in conjunction with the -C option, this will limit the
      number of files created to the specified number, and begin
      overwriting files from the beginning, thus creating a 'rotating' buffer. 
      In addition, it will name the files with enough
      leading 0s to support the maximum number of files, allowing
      them to sort correctly.

      Used in conjunction with the -G option, this will limit the
      number of rotated dump files that get created, exiting with
      status 0 when reaching the limit.  If used with -C as well, the
      behavior will result in cyclical files per timeslice.

I'm running this on OS X 10.9.5/10.10.3 clients. Here's the test command; it just exits after the 3rd file:

tcpdump -i en0 -w /var/tmp/trace-%Y-%M-%d_%H.%M.%S.pcap -W 3 -G 3 -C -K -n

Best Answer

That's because you wrote -W 3 instead of -W 48. There are, however, other errors in your command.

The option -G means:

-G rotate_seconds

      If specified, rotates the dump file specified with the -w option every rotate_seconds seconds.  Savefiles will have the name specified by -w which should include a time format as defined by strftime(3).  If no time format is specified, each new file will overwrite the previous.

      If used in conjunction with the -C option, filenames will take the form of 'file<count>'.

Since you wrote -G 3, you will be rotating this every 3 seconds, while you stated

...which captures 30 minutes worth of data

Also, the naming scheme is wrong: from the above,

If used in conjunction with the -C option, filenames will take the form of 'file<count>'.

Thus there is no point in specifying the time format for the name.

Further, the -C option has no argument, while, according to the man page, it should:

tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
-C file_size ] [ -G rotate_seconds ] [ -F file ] [ -I interface ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]

The man page states:

-C

      Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one.  Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward.  The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

So you should specify -C 100 in order to produce 100 MB files.

In the end, your command should be:

tcpdump -i en0 -w /var/tmp/trace -W 48 -G 1800 -C 100 -K -n

This will rotate files (of names trace1, trace2, ...) cyclically, with period 48, either every 1800 seconds (=30 minutes) or every 100 MB, whichever comes first.

Related Question