Despite reading the man page and searching StackExchange and the wider internet, I have failed to figure out a way to make a time based, rotating, limited count, tcpdump.
I want for example to have one file per hour, with no more than 24 hours. But I don't want tcpdump to stop after 24 files, I want it to delete the oldest and create a new file. I want it to run forever but never make more than 24 files.
The man page seems to indicate that if you use -C -W -G together you can achieve this, but my testing has not shown this to work.
Using -G -W and a strftime format exits after 5 files:
# tcpdump -w foo.%F_%H%M%S -G 5 -W 5 -Z root port 22
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 65535 bytes
Maximum file limit reached: 5
Using all three together seems to just limit the number of files generated per timeframe. For example the below will capture up to 5 x 1MB files in each 5s window. If there is more than 5MB in 5s, only the last 5MB are kept. The number of total files though, will grow forever.
# tcpdump -w foo.%F_%H%M%S -G 5 -C 1 -W 5 -Z root port 22
This will capture 5 x 1MB files and overwrite in a ring.
# tcpdump -w foo -C 1 -W 5 -Z root port 22
But I want to rotate by time, not size.
Best Answer
Take the following as an example that produces six capture files per minute indefinitely:
# tcpdump -i eth0 -G 10 -w dump-%S.pcap
Note that only the second time variable %S needs to be specified in the template file name, with a rotational time frame of ten seconds specified by -G. When the capture time changes from minute to minute, tcpdump overwrites the previous second-marked file.
Now, an hourly rotational and daily cyclical capture could be achieved by:
# tcpdump -i eth0 -G 3600 -w dump-%H.pcap
The same rationale applies here. tcpdump creates a new file every 3600 seconds, naming it with the current hour. Upon changing days, the previous hour files are sequentially replaced.
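The following is an added example, not code from the question, the answer above or the tcpdump project. It shows a second way to get time-based rotation with a hard cap on the number of files: rotate hourly with -G as above, but keep the full date in the file name (so nothing is silently overwritten) and enforce the cap from tcpdump's -z postrotate hook, which runs a command with the just-closed capture file as its only argument. It assumes a tcpdump that supports -z (4.1 and later), a POSIX sh, that the strftime template produces names that sort chronologically as text (dump-%F_%H.pcap does; a bare %H does not across days), and that the script is invoked by absolute path so tcpdump can find it. The KEEP and PREFIX variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): hourly rotation with -G,
# and a cap of KEEP capture files enforced by a -z postrotate hook.
# Assumes tcpdump >= 4.1 (-z), POSIX sh, and a template whose file names
# sort chronologically as plain text, e.g. dump-2024-05-01_13.pcap.

KEEP=${KEEP:-24}          # maximum files to retain (assumed default)
PREFIX=${PREFIX:-dump-}   # file name prefix used in the -w template

# prune_captures DIR PREFIX KEEP
# Remove all but the KEEP lexically newest files matching DIR/PREFIX*.
# Sorting by name rather than mtime keeps the result deterministic and
# immune to clock steps; it relies on the timestamp being in the name.
prune_captures() {
    dir=$1; prefix=$2; keep=$3
    for f in "$dir"/"$prefix"*; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done | sort -r | tail -n +"$((keep + 1))" | while IFS= read -r old; do
        rm -f -- "$old"
    done
}

# count_captures DIR PREFIX -> prints the number of matching files
count_captures() {
    n=0
    for f in "$1"/"$2"*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# start_capture IFACE DIR  (run as root; not exercised by any test)
# One file per hour named by date and hour; after each rotation tcpdump
# runs "$0 <closed-file>", which prunes DIR down to KEEP files.
# -Z drops tcpdump's privileges after opening the interface, so DIR must
# be writable by that user (assumed: nobody).
start_capture() {
    iface=$1; dir=$2
    tcpdump -i "$iface" -G 3600 -w "$dir/${PREFIX}%F_%H.pcap" \
        -z "$0" -Z nobody port 22
}

# Hook entry point: tcpdump passes exactly one argument, the file it just
# closed. With no arguments (e.g. when sourced) nothing runs.
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    prune_captures "$(dirname -- "$1")" "$PREFIX" "$KEEP"
fi
```

Pruning happens only when a file is closed, so at most KEEP plus the file currently being written exist on disk at any moment; size the budget accordingly. If the capture directory is shared with other tools, give the prefix a value nothing else uses, since everything matching PREFIX* is fair game for deletion.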