how to save a new file when tcpdum file size reaches 10Mb

Question

I want to capture my network traffic with using tcpdump and if captured packet rise is 10mb i want to make another file.how can i schedule this with tcpdump. please be kind enough to help me. thank you.

Answer 1

tcpdump -W 5 -C 10 -w capfile

What the above command does is create a rotating buffer of 5 files (-W 5) and tcpdump switches to another file once the current file reaches 10,000,000 bytes, about 10MB (-C works in units of 1,000,000 bytes, so -C 10 = 10,000,000 bytes). The prefix of the files will be capfile (-w capfile), and a one-digit integer will be appended to each.

So your directory will have 5 files rotating with constant capture data:

capfile0
capfile1
capfile2
capfile3
capfile4

Each will be approximately 10,000,000 bytes, but will probably be slightly larger (depending on the space remaining and the size of the last packet received). If you want to have a larger rolling data set your -W to a higher count (-W 50).

It is also very important that the user and group tcpdump have access to write to the location where you are storing these files. Even if you are running as root.

Answer 2

Worth mention that omitting the -W will disable rotation, so files will just be added instead of being rotated. its good when u investigate a network problem and need to capture traffic for long time and want all files to be there.

% tcpdump -i eth0 -w file.pcap -G 3600 -C 100 -K -n &