I have the following command: `sudo tcpdump -ni enp0s3 -W 1 -C 1 -w file.cap`. With this command I say: "listen on the network interface enp0s3 and capture all packets in a file whose maximum size must be 1 mb". It works; however, the problem is that when the file reaches the size of 1mb, it is reset and the capture starts all over again from 0 kb, deleting all the packets. I want that when the file is 1MB, only the older packets are deleted and the new ones are added replacing them. I don't want all packets to be deleted and the acquisition restarting at 0kb. In other words, I want the file to always be around 1mb, adding the new incoming packets in place of the oldest ones.

  • Look at https://superuser.com/questions/904786/tcpdump-rotate-capture-files-using-g-w-and-c – Antonio Petricca Aug 04 '21 at 08:06
  • This answer doesn't fix my issue, because I want to rotate on the same file (only one .pcap file) and discard the oldest packets to add the new incoming ones. –  Aug 04 '21 at 08:18
  • So why not `logrotate`? – KamilCuk Aug 04 '21 at 08:44
  • I searched a lot of examples, but the examples that I found always used more than one file or overwrote the same file from the beginning. –  Aug 04 '21 at 08:50
  • Does this answer your question? [Write to another tcpdump file every minute](https://stackoverflow.com/questions/51231858/write-to-another-tcpdump-file-every-minute) – Steffen Ullrich Aug 04 '21 at 09:48

1 Answer

You can use `-U -W 2` with the `-C` size limit. It will then alternate between two files and you can concatenate them (or work on the older one).

Alternatives would be to write to a stream or pipe and not to files, at all.

eckes
  • thank you, this could be a good solution. Anyway, is there any option to do what I want? Can I say "when you reach the dimension of 1 mb, only discard the oldest packets to add the new ones"? Obviously on the same file. I haven't found anything about it... –  Aug 04 '21 at 08:17
  • 1
    @WonderWhy I don't think it is possible. Since the packets have variable length you won't be able to find the start of the overwritten partial packet at the end of the current write position. And if you want to drop packets at the beginning you would have to rewrite the whole file. If you want to do it in a single file you would need to come up with your own segmentation or rewrite scheme (can easily be done in a pipe) – eckes Aug 04 '21 at 08:20
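The "rewrite scheme in a pipe" that eckes mentions, as an added example that is not part of the answer or of tcpdump itself: tcpdump writes the capture to stdout with `-U -w -`, and this script parses the pcap stream, keeps only the newest whole records that fit under a byte cap, and rewrites a single file (temp file plus rename) each time new packets arrive. The script name `pcap_ring.py`, the 64 KiB read size and the `.tmp` suffix are assumptions; only the pcap global-header and record-header layout is taken from the format itself.

```python
import os, struct, sys
from collections import deque

GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16
# pcap magic numbers (microsecond and nanosecond variants) -> struct byte-order prefix
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

class PcapRing:
    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self.header = None        # 24-byte pcap global header, copied verbatim
        self.records = deque()    # raw records (16-byte record header + packet data)
        self.size = 0             # bytes currently retained in self.records
        self.buf = b""            # unparsed tail of the stream

    def feed(self, chunk):
        """Consume raw pcap bytes; return the number of complete records parsed."""
        self.buf += chunk
        if self.header is None:
            if len(self.buf) < GLOBAL_HDR_LEN:
                return 0
            self.endian = MAGICS[self.buf[:4]]   # KeyError here means the input is not pcap
            self.header, self.buf = self.buf[:GLOBAL_HDR_LEN], self.buf[GLOBAL_HDR_LEN:]
        added = 0
        while len(self.buf) >= RECORD_HDR_LEN:
            incl_len = struct.unpack(self.endian + "I", self.buf[8:12])[0]
            rec_len = RECORD_HDR_LEN + incl_len
            if len(self.buf) < rec_len:
                break             # record not complete yet; wait for more input
            self.records.append(self.buf[:rec_len])
            self.buf = self.buf[rec_len:]
            self.size += rec_len
            added += 1
            # evict whole records from the old end, but always keep the newest one
            while self.size + GLOBAL_HDR_LEN > self.max_bytes and len(self.records) > 1:
                self.size -= len(self.records.popleft())
        return added

    def dump(self):
        """Return a complete pcap file holding only the retained records."""
        return self.header + b"".join(self.records)

if __name__ == "__main__":        # usage: tcpdump -U -w - | python3 pcap_ring.py out.pcap 1048576
    path, ring = sys.argv[1], PcapRing(int(sys.argv[2]))
    while chunk := sys.stdin.buffer.read(65536):
        if ring.feed(chunk):      # rewrite to a temp file, then rename atomically
            with open(path + ".tmp", "wb") as f:
                f.write(ring.dump())
            os.replace(path + ".tmp", path)
```

Because every record is kept or dropped whole, the output is always a valid pcap that any reader can open, at the cost of rewriting the file (at most `max_bytes`) on each batch of packets; on a busy link the rewrite could be throttled to, say, once per second.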