
Despite reading the man page and searching StackExchange and the wider internet, I have failed to figure out a way to make a time based, rotating, limited count, tcpdump.

I want for example to have one file per hour, with no more than 24 hours. But I don't want tcpdump to stop after 24 files, I want it to delete the oldest and create a new file. I want it to run forever but never make more than 24 files.

The man page seems to indicate that if you use -C -W -G together you can achieve this, but my testing has not shown this to work.

Using -G and -W with a strftime template exits after 5 files:

# tcpdump -w foo.%F_%H%M%S -G 5 -W 5 -Z root port 22
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 65535 bytes
Maximum file limit reached: 5

Using all three together seems to just limit the number of files generated per timeframe. For example the below will capture up to 5 x 1MB files in each 5s window. If there is more than 5MB in 5s, only the last 5MB are kept. The number of total files though, will grow forever.

# tcpdump -w foo.%F_%H%M%S -G 5 -C 1 -W 5 -Z root port 22

This will capture 5 x 1MB files and overwrite in a ring.

# tcpdump -w foo -C 1 -W 5 -Z root port 22

But I want to rotate by time, not size.

Slashterix
    Use `-G` alone, and delete old files from `cron`. – Satō Katsura Jan 31 '17 at 08:24
    Or write a command to delete the 25th file (e.g. from `ls|tail -n +24`) and call the command from `-z`. Make sure you ignore the filename passed in. – meuh Jan 31 '17 at 17:08
  • So there is no way in just tcpdump to do what I want? There are lots of ways to skin the cat using multiple tools/scripts together, I was just hoping for an all in one option. – Slashterix Feb 01 '17 at 04:04
  • Well, UNIX is about doing one thing well. Although in this particular case it seems to be bad design more than anything. A better design would have been for `tcpdump` to respond to something like `SIGHUP` or `SIGUSR1` by closing the current file and opening it anew. That would have played well with log rotators such as `newsyslog`. Or just make `-C` and `-W` apply regardless to handle rotation itself, as you say. – Satō Katsura Feb 01 '17 at 16:11

1 Answer


Take the following as an example that produces six capture files per minute indefinitely:

# tcpdump -i eth0 -G 10 -w dump-%S.pcap

Note that only the second time variable %S needs to be specified in the template file name, with a rotational time frame of ten seconds specified by -G. When the capture time changes from minute to minute, tcpdump overwrites the previous second-marked file.

Now, an hourly rotational and daily cyclical capture could be achieved by:

# tcpdump -i eth0 -G 3600 -w dump-%H.pcap

The same rationale applies here. tcpdump creates a new file every 3600 seconds, naming it with the current hour. Upon changing days, the previous hour files are sequentially replaced.

dfernan