1

I want to capture some traffic with tcpdump for troubleshooting. The problem is, the error is not reproducible. To avoid filling up the whole disk with captures, I would like to capture the traffic with some sort of sliding window.

Let's say I write the capture to a file and when the file reaches a size of 1GB it will drop the oldest packets and write the new ones. This way I would only get the traffic for some hours but hopefully enough to have the right packets when the user calls.

I couldn't find an option for tcpdump. Does someone have an idea how to solve this?

Christian

2 Answers

4

The -c option can help you with this:

   -c     Exit after receiving count packets.

So this would get you a circular traffic.dmp file:

# restart tcpdump after every 50000 packets, overwriting traffic.dmp
while :
do
    tcpdump -i eth0 -c 50000 -C 1 -w traffic.dmp
done

If you dropped it in a for loop you could get a series of files:

# five runs of 50000 packets each, written to traffic1.dmp .. traffic5.dmp
for file in 1 2 3 4 5
do
    tcpdump -i eth0 -c 50000 -C 1 -w traffic${file}.dmp
done

Just adjust the numbers after you figure out a number that is not too big for your disk to capture a few hours' worth of packets.

-C also looks interesting:

   -C     Before writing a raw packet to a  savefile,  check  whether  the
          file  is  currently  larger than file_size and, if so, close the
          current savefile and open a new one.  Savefiles after the  first
          savefile  will  have the name specified with the -w flag, with a
          number after it, starting at 1 and continuing upward.  The units
          of  file_size  are  millions  of  bytes  (1,000,000  bytes,  not
          1,048,576 bytes).
gm3dmo

Thanks davey. With a larger number of small files, I should get very close to a sliding window. I hope the merge will work when I have to cancel recording while writing file x from x+20. The option '-W filecount' sounds very promising. This should get me to the sliding window. I should have read more of the man page before asking. – Christian Jun 25 '10 at 08:22
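A ring-buffer capture with -C and -W, as an added example that is not part of davey's answer or Christian's comment. It assumes a tcpdump with -C/-W support and, for the merge step, mergecap from Wireshark; the interface, sizes and file names are constructed for illustration:

```sh
#!/bin/sh
# Added example: bounded "sliding window" capture with tcpdump -C/-W and a
# helper that lists the ring files in capture order so they can be merged.

# Print the tcpdump command for a ring of $3 files of $2 MB each (tcpdump -C
# counts 1,000,000-byte units) on interface $1, written under base name $4.
# -W makes tcpdump wrap around and overwrite the oldest file, so disk use is
# bounded by $2 * $3 MB. -n skips DNS lookups while capturing.
ring_capture_cmd() {
    printf 'tcpdump -n -i %s -C %s -W %s -w %s\n' "$1" "$2" "$3" "$4"
}

# With -W the files are named <base>00, <base>01, ... and are reused once the
# ring wraps, so numeric order is not capture order. List them oldest first by
# modification time; that is the order in which to concatenate them.
ring_files_in_order() {
    # ls -tr: sort by mtime, oldest first (one name per line when piped)
    ls -tr "$1"* 2>/dev/null
}

# Concatenate the ring into one pcap, oldest packets first. mergecap -a keeps
# the given file order instead of merging by packet timestamp.
merge_ring() {
    base=$1
    out=$2
    # word splitting of the file list is intended here
    # shellcheck disable=SC2046
    mergecap -a -w "$out" $(ring_files_in_order "$base")
}

# Usage (needs root and a real interface, so only shown as comments):
#   sh -c "$(ring_capture_cmd eth0 100 20 /var/tmp/traffic.dmp)"
#   merge_ring /var/tmp/traffic.dmp /var/tmp/window.pcap
```

With 20 files of 100 MB the ring holds the most recent 2 GB of traffic; the oldest file is overwritten when the window moves on, which is the drop-the-oldest behaviour asked for in the question.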
1

If you insist on using tcpdump, davey's answer is the right one. However, there are other packet capture tools, producing pcap files, with more options for this sort of work. Let's mention:

  • tshark, part of the Wireshark program. Its -a ("Stop writing to a capture file after it reaches a size of value kilobytes") and -b ("When the first capture file fills up, TShark will switch writing to the next file and so on") options seem particularly interesting.

  • pcapdump, part of the pcaputils package. See the configuration options interval= (move to the next file after N seconds of capture) and filefmt= (pattern to generate the name of the capture files).

bortzmeyer