
I want to use tcpdump to create network log files. I want to write the output to files whose filenames contain the minute.

Note: I don't want to create files by file size. I want to create a file for every minute.

I tried a lot of commands but couldn't get it to work.

# log_{DAY}_{MONTH}_{YEAR}__{HOUR}_{MINUTE}.pcap

log_08-07_2018__12_34.pcap
log_08-07_2018__12_35.pcap
log_08-07_2018__12_36.pcap
log_08-07_2018__12_37.pcap
  • Since Stack Overflow hides the Close reason from you: *Questions seeking debugging help ("why isn't this code working?") must include the desired behavior, a specific problem or error and the shortest code necessary to reproduce it in the question itself. Questions without a clear problem statement are not useful to other readers. See: [How to create a Minimal, Complete, and Verifiable example](http://stackoverflow.com/help/mcve).* – jww Jul 09 '18 at 15:06

1 Answer

From the tcpdump man page:

-G rotate_seconds If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous. If used in conjunction with the -C option, filenames will take the form of 'file<count>'.

Looking at the strftime man page, you find all the documented conversion specifiers needed to create files in the format you've indicated.

Using the information from the various man pages, the following command should produce pcap files every minute that are named according to the format you indicated:

tcpdump -i eth0 -G 60 -w 'log_%d-%m_%Y__%H_%M.pcap'

Might I suggest a different naming convention though? The format you've chosen won't sort very well and clocks can drift over time, especially for long-running capture files; therefore, I'd recommend using an ISO 8601 format. For example:

tcpdump -i eth0 -G 60 -w 'log_%Y-%m-%dT%H_%M-04:00.pcap'

... or even simpler:

tcpdump -i eth0 -G 60 -w 'log_%FT%T-04:00.pcap'

NOTE: -04:00 happens to be the current offset from UTC for my timezone. If you don't share pcap files with colleagues in different time zones, then you can omit the offset, but it can be useful, so you might want to keep it anyway. You never know when you might want to share pcaps with colleagues across time zones in the future, and if they open your pcap file, they will have the information they need to easily time-shift the packet timestamps via Wireshark's Edit -> Time Shift... feature so that packet timestamps are relative to the time zone in which the capture was taken rather than their own time zone. In this way, everyone is referencing the same time regardless of their own time zone, and confusion can be avoided.

Christopher Maynard
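The answer above gives the rotation command; what bites in practice is a typo in the strftime pattern (a leftover {PLACEHOLDER}, or no % conversion at all, which makes every rotation overwrite the same file) discovered only after a night of capturing, and a long-running root tcpdump with unbounded disk usage. The script below is an added example, not code from the question or the answer: it previews a -w pattern with GNU date for a fixed epoch (1531139640 = 2018-07-09 12:34:00 UTC, a constructed value), rejects patterns that cannot rotate, and assembles the capture command with -Z (drop root after opening the interface), -W (stop after N files) and -z (compress each closed file). It assumes GNU coreutils date (for -d @EPOCH), a tcpdump that supports -G/-W/-z/-Z, an unprivileged user named tcpdump that can write to the target directory, and eth0 as the interface; all of those are placeholders. Two caveats the answer does not mention: -G 60 rotates 60 s after the capture started, not on clock-minute boundaries, so start the capture at :00 if the file boundaries must match the minute in the name; and %T puts colons in the file name, which is fine on Linux but breaks if the files are later copied to NTFS or an SMB share.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Assumes GNU coreutils date and tcpdump with -G/-W/-z/-Z support;
# interface, directory and the "tcpdump" user are placeholders.

# Expand a strftime pattern for a given epoch second, in UTC, the way
# tcpdump will when it opens a new savefile at that moment.
preview_name() {
    pattern=$1
    epoch=$2
    date -u -d "@$epoch" +"$pattern"
}

# Reject patterns that still carry an unexpanded {PLACEHOLDER} token or
# contain no % conversion at all; with no conversion every rotation
# overwrites the same file (the man page behaviour quoted in the answer).
check_pattern() {
    pattern=$1
    case $pattern in
        *'{'*'}'*)
            echo "unexpanded placeholder in pattern: $pattern" >&2
            return 1 ;;
        *%*)
            return 0 ;;
        *)
            echo "no strftime conversion, every rotation would overwrite: $pattern" >&2
            return 1 ;;
    esac
}

# Print the tcpdump command line for a one-file-per-minute capture.
#   -n           no reverse DNS lookups from the capture host
#   -G 60        rotate every 60 s, counted from capture start
#   -W keep      exit after "keep" files so the disk cannot fill unbounded
#   -Z tcpdump   drop root after opening the interface; savefiles are
#                owned by that user, so the directory must be writable by it
#   -z gzip      run "gzip <file>" on each file as it is closed
build_capture_cmd() {
    iface=$1
    dir=$2
    pattern=$3
    keep=$4
    check_pattern "$pattern" || return 1
    printf 'tcpdump -n -i %s -G 60 -W %s -Z tcpdump -z gzip -w %s/%s\n' \
        "$iface" "$keep" "$dir" "$pattern"
}

# Dry run by default: show what the first file of the capture would be
# called and the command that would produce it. Set RUN_CAPTURE=1 to
# actually start the capture (needs root to open the interface).
PATTERN='log_%FT%T.pcap'
echo "first file if started now: $(preview_name "$PATTERN" "$(date +%s)")"
cmd=$(build_capture_cmd eth0 /var/log/pcap "$PATTERN" 1440)
echo "$cmd"
if [ "${RUN_CAPTURE-}" = 1 ]; then
    exec $cmd
fi
```

Run the script once without RUN_CAPTURE to confirm the previewed name is what you expect, then start it with RUN_CAPTURE=1 under sudo; -W 1440 stops after 24 hours of one-minute files, so pair it with a cron or systemd restart if the capture must run longer.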