11

Despite reading the man page and searching StackExchange and the wider internet, I have failed to figure out a way to make a time-based, rotating, limited-count tcpdump.

I want for example to have one file per hour, with no more than 24 hours. But I don't want tcpdump to stop after 24 files, I want it to delete the oldest and create a new file. I want it to run forever but never make more than 24 files.

The man page seems to indicate that if you use -C -W -G together you can achieve this, but my testing has not shown this to work.

Using -G, -W and a strftime template exits after 5 files:

# tcpdump -w foo.%F_%H%M%S -G 5 -W 5 -Z root port 22
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 65535 bytes
Maximum file limit reached: 5

Using all three together seems to just limit the number of files generated per timeframe. For example the below will capture up to 5 x 1MB files in each 5s window. If there is more than 5MB in 5s, only the last 5MB are kept. The number of total files though, will grow forever.

# tcpdump -w foo.%F_%H%M%S -G 5 -C 1 -W 5 -Z root port 22

This will capture 5 x 1MB files and overwrite in a ring.

# tcpdump -w foo -C 1 -W 5 -Z root port 22

But I want to rotate by time, not size.

  • Use -G alone, and delete old files from cron. – Satō Katsura Jan 31 '17 at 08:24
  • Or write a command to delete the 25th file (eg from ls|tail -n +24) and call the command from -z. Make sure you ignore the filename passed in. – meuh Jan 31 '17 at 17:08
  • So there is no way in just tcpdump to do what I want? There are lots of ways to skin the cat using multiple tools/scripts together, I was just hoping for an all in one option. – Slashterix Feb 01 '17 at 04:04
  • Well, UNIX is about doing one thing well. Although in this particular case it seems to be bad design more than anything. A better design would have been for tcpdump to respond to something like SIGHUP or SIGUSR1 by closing the current file and opening it anew. That would have played well with log rotators such as newsyslog. Or just make -C and -W apply regardless to handle rotation itself, as you say. – Satō Katsura Feb 01 '17 at 16:11

1 Answer

11

Take the following as an example that produces six capture files per minute indefinitely:

# tcpdump -i eth0 -G 10 -w dump-%S.pcap

Note that only the second time variable %S needs to be specified in the template file name, with a rotational time frame of ten seconds specified by -G. When the capture time changes from minute to minute, tcpdump overwrites the previous second-marked file.

Now, an hourly rotational and daily cyclical capture could be achieved by:

# tcpdump -i eth0 -G 3600 -w dump-%H.pcap

The same rationale applies here. tcpdump creates a new file every 3600 seconds, naming it with the current hour. Upon changing days, the previous hour files are sequentially replaced.

dfernan
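The answer's wrap-around trick keeps the file count bounded by making the names collide, at the price of silently overwriting yesterday's hour. The comments' alternative, a -z post-rotate hook that deletes the oldest file, keeps fully dated names and still caps the directory at 24 files. The script below is an added example of that hook, not code from the question, the answer or the tcpdump project; the script path (/usr/local/bin/keep-last.sh), capture directory (/var/tmp/captures), name prefix (dump-) and retention count (24) are assumptions for the example.

```shell
#!/bin/sh
# keep-last.sh: post-rotate hook for "tcpdump -G <secs> -w <strftime name> -z keep-last.sh".
# Added example, not code from the original question, answer or tcpdump.
# tcpdump invokes it as "keep-last.sh <file-just-closed>"; the file name is
# deliberately ignored (as meuh's comment suggests) and the directory contents
# alone decide what gets deleted.  The defaults below are assumptions for the
# example; override them through the environment or edit them for a real install.
#
# Intended use (started as root; the hook itself runs with whatever privileges
# tcpdump has after -Z, so that user must be able to unlink in the directory):
#   tcpdump -i eth0 -G 3600 -w /var/tmp/captures/dump-%F_%H.pcap \
#       -z /usr/local/bin/keep-last.sh
#
# dump-%F_%H.pcap gives names like dump-2017-01-31_08.pcap, which sort
# lexically in chronological order, so a plain sorted glob finds the oldest first.

CAPTURE_DIR=${CAPTURE_DIR:-/var/tmp/captures}
CAPTURE_PREFIX=${CAPTURE_PREFIX:-dump-}
KEEP=${KEEP:-24}

# Force byte-wise collation so the glob expands in the order the names were created.
LC_ALL=C
export LC_ALL

# count_captures DIR PREFIX: number of files in DIR whose name starts with PREFIX.
count_captures() {
    n=0
    for f in "$1"/"$2"*; do
        [ -e "$f" ] || continue      # an unmatched glob stays literal; skip it
        n=$((n + 1))
    done
    echo "$n"
}

# prune_captures DIR PREFIX KEEP: delete the oldest matching files until at most
# KEEP remain.  KEEP includes the file tcpdump has already opened for the new
# period, so the directory never holds more than KEEP capture files.
prune_captures() {
    dir=$1; prefix=$2; keep=$3
    excess=$(( $(count_captures "$dir" "$prefix") - keep ))
    [ "$excess" -gt 0 ] || return 0
    for f in "$dir"/"$prefix"*; do
        [ "$excess" -gt 0 ] || break
        rm -f -- "$f"
        excess=$((excess - 1))
    done
}

# When tcpdump calls the hook, $1 is the file it just closed; when the script is
# sourced or run without arguments nothing is deleted.
if [ -n "${1:-}" ]; then
    prune_captures "$CAPTURE_DIR" "$CAPTURE_PREFIX" "$KEEP"
fi
```

Two caveats worth knowing before relying on either approach: tcpdump checks the -G rotation time in its per-packet path, so on an idle interface a file can span more than one period and the hook simply runs less often; and because -z executes after tcpdump has dropped privileges (-Z), the hook's user, not root, needs write access to the capture directory.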