tcpdump – rotate capture files using -G, -W and -C
That's because you wrote -W 3
instead of -W 48
. There are, however, other errors in your command.
The option -G
means:
-G rotate_seconds
If specified, rotates the dump file specified with the
-w
option every rotate_seconds seconds. Savefiles will have the name specified by-w
which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous.If used in conjunction with the
-C
option, filenames will take the form of 'file<count>'.
Since you wrote -G 3
, you will be rotating this every 3 seconds, while you stated
...which captures 30 minutes worth of data
Also, the naming scheme is wrong: from the above,
If used in conjunction with the
-C
option, filenames will take the form of 'file<count>'.
Thus there is no point in specifying the time format for the name.
Further, the -C
option has no argument, while,
according to the man page, it should:
tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ] [ -I interface ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]
The man page states:
-C
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the
-w
flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
So you should specify -C 100
in order to produce 100 MB files.
In the end, your command should be:
tcpdump -i en0 -w /var/tmp/trace -W 48 -G 1800 -C 100 -K -n
This will rotate files (of names trace1, trace2, ...) cyclically, with period 48, either every 1800 seconds (=30 minutes) or every 100 MB, whichever comes first.
Expanding upon flabdablet’s answer
(changing -G 1800
to -G 300
–
rotation every five minutes –
just for testing purposes),
tcpdump -i en0 -w /var/tmp/trace-%m-%d-%H-%M-%S-%s -W 3 -G 300
will give you %m=month
, %d=day of month
, %H=hour of day
, %M=minute of day
, %S=second of day
, %s=millisecond of day
,
resulting in
/var/temp/trace-03-02-08-30-56-1520002568
/var/temp/trace-03-02-08-35-56-1520002568
/var/temp/trace-03-02-08-40-56-1520002568
Very useful for organizing traces for those pesky intermittent problems.
Also, if you're not root, you may want to sudo
and of course make it a nohup:
sudo bash -c "nohup tcpdump -i en0 -w /var/tmp/trace-%m-%d-%H-%M-%S-%s -W 3 -G 300 &"
Seems to me that all you need is
tcpdump -i en0 -G 1800 -w /var/tmp/trace-%H-%M.pcap
The strftime format specifier that -G expects in the -w filename doesn't have to represent a complete date and time. With just %H and %M in there, and a rotate time of exactly half an hour, any given invocation of tcpdump will only ever generate two different %M values half an hour apart, and yesterday's trace files will get overwritten when the same hour and minute numbers roll around again.