Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

how to save a new file when tcpdum file size reaches 10Mb

Tags:

tcpdump

I want to capture my network traffic with using tcpdump and if captured packet rise is 10mb i want to make another file.how can i schedule this with tcpdump. please be kind enough to help me. thank you.

like image 488
Kevin Ð Alwis Avatar asked Feb 05 '14 03:02

Kevin Ð Alwis


People also ask

How do I save a tcpdump file?

Use “-w” option in tcpdump command to save the capture TCP/IP packet to a file, so that we can analyze those packets in the future for further analysis.

What is tcpdump capture size?

Tcpdump packet capture on the management interface, by default, captures 68 bytes or 96 bytes of data from each packet, depending on the platform. The PA-200, PA-500, and PA-2000 series captures 68 bytes of data from each packet. Any amount over the default gets truncated.

How many bytes does tcpdump capture?

By default tcpdump extracts only the first 68 bytes of a datagram. Therefore, when the full content of network traffic is needed, it may be necessary to set a larger snaplen value using the -s option.


2 Answers

tcpdump -W 5 -C 10 -w capfile

What the above command does is create a rotating buffer of 5 files (-W 5) and tcpdump switches to another file once the current file reaches 10,000,000 bytes, about 10MB (-C works in units of 1,000,000 bytes, so -C 10 = 10,000,000 bytes). The prefix of the files will be capfile (-w capfile), and a one-digit integer will be appended to each.

So your directory will have 5 files rotating with constant capture data:

capfile0
capfile1
capfile2
capfile3
capfile4

Each will be approximately 10,000,000 bytes, but will probably be slightly larger (depending on the space remaining and the size of the last packet received). If you want to have a larger rolling data set your -W to a higher count (-W 50).

It is also very important that the user and group tcpdump have access to write to the location where you are storing these files. Even if you are running as root.

like image 186
Peter Party Bus Avatar answered Oct 21 '22 19:10

Peter Party Bus


Worth mention that omitting the -W will disable rotation, so files will just be added instead of being rotated. its good when u investigate a network problem and need to capture traffic for long time and want all files to be there.

% tcpdump -i eth0 -w file.pcap -G 3600 -C 100 -K -n &
like image 25
chenchuk Avatar answered Oct 21 '22 17:10

chenchuk