tcpdump – rotate capture files using -G, -W and -C

Solution 1

That's because you wrote -W 3 instead of -W 48. There are, however, other errors in your command.

The option -G means:

-G rotate_seconds

      If specified, rotates the dump file specified with the -w option every rotate_seconds seconds.  Savefiles will have the name specified by -w which should include a time format as defined by strftime(3).  If no time format is specified, each new file will overwrite the previous.

      If used in conjunction with the -C option, filenames will take the form of 'file<count>'.

Since you wrote -G 3, you will be rotating this every 3 seconds, while you stated

...which captures 30 minutes worth of data

Also, the naming scheme is wrong: from the above,

If used in conjunction with the -C option, filenames will take the form of 'file<count>'.

Thus there is no point in specifying the time format for the name.

Further, the -C option has no argument, while, according to the man page, it should:

tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ] [ -i interface ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]

The man page states:

-C

      Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one.  Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward.  The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

So you should specify -C 100 in order to produce 100 MB files.

In the end, your command should be:

tcpdump -i en0 -w /var/tmp/trace -W 48 -G 1800 -C 100 -K -n

This will rotate files (of names trace1, trace2, ...) cyclically, with period 48, either every 1800 seconds (=30 minutes) or every 100 MB, whichever comes first.

Solution 2

Expanding upon flabdablet’s answer (changing -G 1800 to -G 300 – rotation every five minutes – just for testing purposes),

tcpdump -i en0 -w /var/tmp/trace-%m-%d-%H-%M-%S-%s -W 3 -G 300

will give you %m=month, %d=day of month, %H=hour of day, %M=minute of day, %S=second of day, %s=millisecond of day, resulting in

/var/tmp/trace-03-02-08-30-56-1520002568
/var/tmp/trace-03-02-08-35-56-1520002568
/var/tmp/trace-03-02-08-40-56-1520002568

Very useful for organizing traces for those pesky intermittent problems.  Also, if you're not root, you may want to sudo and of course make it a nohup:

sudo bash -c "nohup tcpdump -i en0 -w /var/tmp/trace-%m-%d-%H-%M-%S-%s -W 3 -G 300 &"

Solution 3

Seems to me that all you need is

tcpdump -i en0 -G 1800 -w /var/tmp/trace-%H-%M.pcap

The strftime format specifier that -G expects in the -w filename doesn't have to represent a complete date and time. With just %H and %M in there, and a rotate time of exactly half an hour, any given invocation of tcpdump will only ever generate two different %M values half an hour apart, and yesterday's trace files will get overwritten when the same hour and minute numbers roll around again.
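An added example, not code from Solution 3 or anyone else in this thread: the shell helper below counts how many distinct savefile names a -w strftime template can produce when tcpdump rotates every ROTATE seconds over SPAN seconds. That count is the effective ring size you get when the template omits the date, which is why '%H-%M' with a 1800-second rotation gives the 48 files the question asked for without any -W. Assumptions of mine: a date(1) that can format an arbitrary epoch (GNU coreutils via -d @N, or BSD/macOS via -r N), and the function names fmt_epoch and distinct_names. It formats in UTC so a DST change inside the span cannot skew the count; tcpdump itself formats the name with local time.

```sh
#!/bin/sh
# Added example: how many different file names does a tcpdump -w strftime
# template produce for a given rotation interval? Assumes GNU date (-d @EPOCH)
# or BSD date (-r EPOCH); the function names are the example's own.

# fmt_epoch EPOCH TEMPLATE: expand TEMPLATE at EPOCH, in UTC.
fmt_epoch() {
    if date --version >/dev/null 2>&1; then
        date -u -d "@$1" "+$2"          # GNU coreutils
    else
        date -u -r "$1" "+$2"           # BSD / macOS
    fi
}

# distinct_names TEMPLATE ROTATE SPAN: number of different savefile names that
# a rotation every ROTATE seconds generates over SPAN seconds, starting at the
# epoch. The loop body runs in a pipeline subshell, so t does not leak out.
distinct_names() {
    t=0
    while [ "$t" -lt "$3" ]; do
        fmt_epoch "$t" "$1"
        t=$((t + $2))
    done | sort -u | wc -l | tr -d ' '
}

# Compare Solution 3's date-free template with templates that embed the day
# or the full date, over two days of half-hourly (-G 1800) rotation.
for tpl in '%H-%M' '%d_%H-%M' '%Y-%m-%d_%H.%M.%S'; do
    printf '%-22s %s distinct names for -G 1800 over 2 days\n' \
        "$tpl" "$(distinct_names "$tpl" 1800 172800)"
done
```

Over two days the first template yields 48 names and then starts overwriting, while the templates that include %d or %Y grow with the span (96 names here), which is the ever-growing list Solution 4 describes.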

Solution 4

After some experimentation, I couldn't get @MariusMatutiae's answer to work as expected. If time is the limiting factor and the time format is not added to the file name, then the current pcap file is simply overwritten.

For example, try:

tcpdump -i en0 -w /var/tmp/trace -W 10 -G 5 -C 1

All you end up with is trace.pcap0 being written over and over.

As suggested in the comment, if you add the time formatting to the file name, then you simply end up with an ever-growing list of files.

Therefore, I had to stick with simple size limited files:

tcpdump -i en0 -w /var/tmp/trace -W 48 -C 100
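An added example, not code posted by anyone in this thread: rather than relying on the -W/-C/-G interaction, keep the strftime name (so no file is ever overwritten while open) and let a -z post-rotate hook, which the synopsis quoted in Solution 1 lists, enforce the 48-file cap. That turns the ever-growing list from Solution 4 back into a ring. Assumptions of mine: the capture template sorts lexically in time order (for instance trace-%Y-%m-%d_%H.%M.%S.pcap), all captures live in one directory, gzip(1) is available, and the function and script names are mine. If you add -Z user, the directory must be writable by that user, because tcpdump drops privileges before opening the later savefiles.

```sh
#!/bin/sh
# Added example: postrotate.sh, a tcpdump -z hook that caps the number of
# time-stamped capture files. tcpdump runs "postrotate.sh <closed savefile>"
# after each -G or -C rotation, e.g.
#   tcpdump -i en0 -G 1800 -w /var/tmp/trace-%Y-%m-%d_%H.%M.%S.pcap \
#       -z /usr/local/sbin/postrotate.sh
# Assumptions (the example's, not the thread's): file names sort in capture
# order and KEEP (default 48) is the ring size.

KEEP="${KEEP:-48}"

# list_captures DIR: print the capture files in DIR, oldest first, including
# ones this hook has already gzipped. The -e test drops an unexpanded glob.
list_captures() {
    for f in "$1"/trace-*.pcap "$1"/trace-*.pcap.gz; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done | sort
}

# prune_captures DIR KEEP: delete all but the newest KEEP files and print how
# many were removed.
prune_captures() {
    total=$(list_captures "$1" | wc -l | tr -d ' ')
    excess=$((total - $2))
    if [ "$excess" -le 0 ]; then
        echo 0
        return 0
    fi
    list_captures "$1" | head -n "$excess" | while IFS= read -r f; do
        rm -f "$f"
    done
    echo "$excess"
}

# postrotate FILE: compress the savefile tcpdump just closed, then enforce the
# cap. tcpdump has already moved on to the next file, so FILE is safe to touch.
postrotate() {
    gzip -f "$1"
    prune_captures "$(dirname "$1")" "$KEEP" >/dev/null
}

# tcpdump invokes this script with the closed file as its only argument.
if [ "$#" -ge 1 ]; then
    postrotate "$1"
fi
```

The hook runs once per rotation, so the directory never holds more than KEEP files plus the one tcpdump is currently writing; the 48-file cap therefore holds regardless of whether -G or -C triggered the rotation.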
Author: Andrew

Updated on September 18, 2022

Comments

  • Andrew (almost 2 years ago)

    I'm looking to be able to capture a rotating tcpdump output which captures 30 minutes worth of data, into 48 files, cyclically.

    The man page implies this should be possible, but my testing doesn't seem to produce the result I'm looking for:

    -W

        Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer.  In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.

        Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit.  If used with -C as well, the behavior will result in cyclical files per timeslice.

    I'm running this on OS X 10.9.5/10.10.3 clients. Here's the test command; it just exits after the 3rd file:

    tcpdump -i en0 -w /var/tmp/trace-%Y-%M-%d_%H.%M.%S.pcap -W 3 -G 3 -C -K -n
    
    • Admin (about 9 years ago)
      Please see my answer.
  • petertc (over 8 years ago)
    The "in the end" answer is missing the condition "If no time format is specified, each new file will overwrite the previous." (I have updated the answer.)
  • Bill Menees (over 7 years ago)
    @okwap, when you edited the answer (to add -%Y-%m-%d_%H:%M:%S), you broke the cyclical part of using -G, -C, and -W together. The original answer using just /var/tmp/trace for the -w filename was correct and generated the intended cyclic outputs as described (trace1, trace2, ...). When using -G, -C, and -W together, you can't use the strftime format in the filename and still get the cyclic outputs. With your edit, tcpdump will just continue writing out files non-cyclically because the filenames never repeat.
  • MariusMatutiae (about 7 years ago)
    @BillMenees Thanks for bringing this to my attention, I have undone okwap's edit.
  • Niels2000 (over 6 years ago)
    Just like Swinster in the comment below, I note that this answer does not produce the expected behavior. Using -w -W -C and -G in conjunction causes the same file to be overwritten again and again. It does not cause a number of files to be created equal to -W <n> as one would expect.
  • 4253wyerg4e (over 2 years ago)
    My -G command stops working after the X seconds specified. After debugging, I found out that this command will also need -Z username to avoid a permission error.