Despite reading the man page and searching StackExchange and the wider internet, I have failed to figure out a way to make a time-based, rotating, limited-count tcpdump capture.
I want, for example, to have one file per hour, with no more than 24 hours. But I don't want tcpdump to stop after 24 files; I want it to delete the oldest and create a new file. I want it to run forever but never make more than 24 files.
The man page seems to indicate that if you use `-C`, `-W` and `-G` together you can achieve this, but my testing has not shown this to work.

Using `-G -W` and a strftime filename exits after 5 files:

```console
# tcpdump -w foo.%F_%H%M%S -G 5 -W 5 -Z root port 22
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 65535 bytes
Maximum file limit reached: 5
```

Using all three together seems to just limit the number of files generated per timeframe. For example, the command below will capture up to 5 x 1MB files in each 5s window. If there is more than 5MB in 5s, only the last 5MB are kept. The total number of files, though, will grow forever.

```console
# tcpdump -w foo.%F_%H%M%S -G 5 -C 1 -W 5 -Z root port 22
```

This will capture 5 x 1MB files and overwrite in a ring:

```console
# tcpdump -w foo -C 1 -W 5 -Z root port 22
```
But I want to rotate by time, not size.
… `-G` alone, and delete old files from cron. – Satō Katsura Jan 31 '17 at 08:24

… `ls|tail -n +24`) and call the command from `-z`. Make sure you ignore the filename passed in. – meuh Jan 31 '17 at 17:08

… `tcpdump` to respond to something like `SIGHUP` or `SIGUSR1` by closing the current file and opening it anew. That would have played well with log rotators such as `newsyslog`. Or just make `-C` and `-W` apply regardless to handle rotation itself, as you say. – Satō Katsura Feb 01 '17 at 16:11