Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

how to save a new file when tcpdum file size reaches 10Mb

Tags:

tcpdump

I want to capture my network traffic with using tcpdump and if captured packet rise is 10mb i want to make another file.how can i schedule this with tcpdump. please be kind enough to help me. thank you.

like image 488
Kevin Ð Alwis Avatar asked Feb 05 '14 03:02

Kevin Ð Alwis

People also ask

How do I save a tcpdump file?

Use “-w” option in tcpdump command to save the capture TCP/IP packet to a file, so that we can analyze those packets in the future for further analysis.

What is tcpdump capture size?

Tcpdump packet capture on the management interface, by default, captures 68 bytes or 96 bytes of data from each packet, depending on the platform. The PA-200, PA-500, and PA-2000 series captures 68 bytes of data from each packet. Any amount over the default gets truncated.

How many bytes does tcpdump capture?

By default tcpdump extracts only the first 68 bytes of a datagram. Therefore, when the full content of network traffic is needed, it may be necessary to set a larger snaplen value using the -s option.

2 Answers

tcpdump -W 5 -C 10 -w capfile

What the above command does is create a rotating buffer of 5 files (-W 5) and tcpdump switches to another file once the current file reaches 10,000,000 bytes, about 10MB (-C works in units of 1,000,000 bytes, so -C 10 = 10,000,000 bytes). The prefix of the files will be capfile (-w capfile), and a one-digit integer will be appended to each.

So your directory will have 5 files rotating with constant capture data:

capfile0
capfile1
capfile2
capfile3
capfile4

Each will be approximately 10,000,000 bytes, but will probably be slightly larger (depending on the space remaining and the size of the last packet received). If you want to have a larger rolling data set your -W to a higher count (-W 50).

It is also very important that the user and group tcpdump have access to write to the location where you are storing these files. Even if you are running as root.

like image 186
Peter Party Bus Avatar answered Oct 21 '22 19:10

Peter Party Bus

Worth mention that omitting the -W will disable rotation, so files will just be added instead of being rotated. its good when u investigate a network problem and need to capture traffic for long time and want all files to be there.

% tcpdump -i eth0 -w file.pcap -G 3600 -C 100 -K -n &
like image 25
chenchuk Avatar answered Oct 21 '22 17:10

chenchuk
Sign in to Comment

Related questions

Sniffing and displaying TCP packets in UTF-8
Getting stdout from a tcpdump subprocess after terminating it
How to resolve tcpdump dropped packets?
24/7 packet capture in Android using tcpdump
Python with tcpdump in a subprocess: how to close subprocess properly?
Plot RTT histogram using wireshark or other tool
tcpdump: Output only source and destination addresses
frame contains "\x03\x00\x0e\xa8" display filter in wireshark displays packets not containing these bytes
Is there any way to put Android WIFI (droid handset) into promiscuous monitoring mode?
tcpdump to only print urls
Stripping payload from a tcpdump?
how wireshark marks some packets as "tcp segment of a reassembled pdu" [closed]
tcpdump vs tcpflow (or "why isn't tcpdump ASCII packet data human readable?")
How to display all data using tcpdump?
Use Tshark to view json data
How to see outgoing ESP packets in tcpdump before they get encrypted
Packet capture in RDMA?
Understanding Tcpdump filter & bit-masking
In tools like tcpdump, when exactly are the network packets captured?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!