tcpdump – rotate capture files using -G, -W and -C

That's because you wrote -W 3 instead of -W 48. There are, however, other errors in your command.

The option -G means:

-G rotate_seconds

      If specified, rotates the dump file specified with the -w option every rotate_seconds seconds.  Savefiles will have the name specified by -w which should include a time format as defined by strftime(3).  If no time format is specified, each new file will overwrite the previous.

      If used in conjunction with the -C option, filenames will take the form of 'file<count>'.

Since you wrote -G 3, you will be rotating this every 3 seconds, while you stated

...which captures 30 minutes worth of data

Also, the naming scheme is wrong: from the above,

If used in conjunction with the -C option, filenames will take the form of 'file<count>'.

Thus there is no point in specifying the time format for the name.

Further, the -C option has no argument, while, according to the man page, it should:

tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
        [ -C file_size ] [ -G rotate_seconds ] [ -F file ] [ -I interface ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]

The man page states:

-C

      Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one.  Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward.  The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

So you should specify -C 100 in order to produce 100 MB files.

In the end, your command should be:

tcpdump -i en0 -w /var/tmp/trace -W 48 -G 1800 -C 100 -K -n

This will rotate files (of names trace1, trace2, ...) cyclically, with period 48, either every 1800 seconds (=30 minutes) or every 100 MB, whichever comes first.


Expanding upon flabdablet’s answer (changing -G 1800 to -G 300 – rotation every five minutes – just for testing purposes),

tcpdump -i en0 -w /var/tmp/trace-%m-%d-%H-%M-%S-%s -W 3 -G 300

will give you %m=month, %d=day of month, %H=hour of day, %M=minute of day, %S=second of day, %s=millisecond of day, resulting in

/var/temp/trace-03-02-08-30-56-1520002568
/var/temp/trace-03-02-08-35-56-1520002568
/var/temp/trace-03-02-08-40-56-1520002568

Very useful for organizing traces for those pesky intermittent problems.  Also, if you're not root, you may want to sudo and of course make it a nohup:

sudo bash -c "nohup tcpdump -i en0 -w /var/tmp/trace-%m-%d-%H-%M-%S-%s -W 3 -G 300 &"

Seems to me that all you need is

tcpdump -i en0 -G 1800 -w /var/tmp/trace-%H-%M.pcap

The strftime format specifier that -G expects in the -w filename doesn't have to represent a complete date and time. With just %H and %M in there, and a rotate time of exactly half an hour, any given invocation of tcpdump will only ever generate two different %M values half an hour apart, and yesterday's trace files will get overwritten when the same hour and minute numbers roll around again.
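The two answers above both hinge on what the strftime template in `-w` expands to at each `-G` rotation boundary, and on whether those names ever repeat while the capture is still running. The following is an added example, not code from either answer or from tcpdump itself: it uses Python's `time.strftime` as a stand-in for the `strftime(3)` call tcpdump makes, renders a template at successive rotation times, and reports when a name would be reused (and so overwritten). The start time is constructed, `gmtime` is used so the result does not depend on the machine's time zone, and `%s` (seconds since the epoch) is left out of the sample template because it is not portable across C libraries.

```python
import calendar
import time
from collections import Counter

# Constructed start time for the simulation: 2018-03-02 08:30:56 UTC.
START_EPOCH = calendar.timegm((2018, 3, 2, 8, 30, 56, 0, 0, 0))


def render_name(template, epoch):
    """Expand a -w template the way tcpdump -G does: strftime(3) at rotation time.
    gmtime keeps the output independent of the local time zone."""
    return time.strftime(template, time.gmtime(epoch))


def rotation_names(template, rotate_seconds, start_epoch=START_EPOCH, rotations=3):
    """Names tcpdump would open at each successive -G rotation boundary."""
    return [render_name(template, start_epoch + i * rotate_seconds)
            for i in range(rotations)]


def overwritten_names(template, rotate_seconds, start_epoch=START_EPOCH, rotations=3):
    """Names produced more than once within `rotations` boundaries: a later
    rotation reopens that file and the earlier capture is lost."""
    counts = Counter(rotation_names(template, rotate_seconds, start_epoch, rotations))
    return sorted(name for name, n in counts.items() if n > 1)


def rotations_until_overwrite(template, rotate_seconds, start_epoch=START_EPOCH,
                              limit=100_000):
    """Number of distinct files the template yields before the first repeat,
    i.e. how long a capture can run before it starts eating its own history.
    Returns None if no name repeats within `limit` rotations."""
    seen = set()
    for i in range(limit):
        name = render_name(template, start_epoch + i * rotate_seconds)
        if name in seen:
            return i
        seen.add(name)
    return None


if __name__ == "__main__":
    # Five-minute rotation with a month/day/time template, as in the second answer.
    for name in rotation_names("/var/tmp/trace-%m-%d-%H-%M-%S", 300):
        print(name)
    # Half-hour rotation with only %H and %M, as in the third answer:
    # 48 distinct files, then the names wrap and yesterday's traces are overwritten.
    print(rotations_until_overwrite("/var/tmp/trace-%H-%M.pcap", 1800),
          "files before the first name repeats")
    print(overwritten_names("/var/tmp/trace-%H-%M.pcap", 1800, rotations=49))
```

Running the script shows three five-minute-spaced names for the first template, reports 48 for the `%H-%M` template at 1800 seconds, and lists `/var/tmp/trace-08-30.pcap` as the first file reused on the 49th rotation; adding `%Y-%m-%d` to the template makes `rotations_until_overwrite` return `None`, which is what you want when the traces must survive more than a day.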