Sometimes you have a hard-to-debug problem and want to leave tcpdump running so you can analyse the dump with Wireshark once the problem has happened again. But with tcpdump running for a while, the capture files easily grow to several hundred MiB, which is not really practical to open and handle in Wireshark.
To keep file sizes reasonable, tcpdump offers a couple of handy options that can help.
rotating with timestamps
Rotating capture files with a timestamp is a very simple and convenient solution. Using the -G option, you specify after how many seconds tcpdump should close the current capture file and open a new one.
With -G present, the -w option accepts strftime placeholders (like %H for hour, %M for minute and so on), so you can name each file after the time it was started. Note that if the name contains no placeholders, every rotation overwrites the same file.
# tcpdump -pni eth0 -s65535 -G 3600 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap'
tcpdump expands the strftime placeholders, which results in a filename like trace_2010-08-30_13:04:55.pcap. All the available placeholders are documented in strftime(3).
The downside is that this will run until stopped or until you run out of disk space.
One option is to limit the number of files tcpdump creates. This is done with the -W command line option:
# tcpdump -pni eth0 -s65535 -G 3600 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -W 5
This works just like the example above, with the difference that tcpdump exits after writing the fifth file, effectively capturing for 5 * 3600 seconds = 5 hours.
Another method is a cronjob that deletes old captures.
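The cronjob approach from above, as an added example that is not part of the original post. It uses the file's modification time rather than the timestamp in its name, so it also works for files rotated with -C, which carry no date. The directory /var/tmp/captures, the script path and the 7-day retention in the comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): delete rotated capture files
# older than a given number of days. Intended to be called from cron, e.g.
#   17 3 * * * /usr/local/sbin/prune-captures /var/tmp/captures 7
# Directory, script path and retention period above are assumptions.

set -eu

# prune_captures DIR DAYS [PATTERN]
# Deletes regular files in DIR matching PATTERN whose modification time is
# older than DAYS days. Only the top level of DIR is considered. The default
# pattern also matches files a postrotate command has turned into .pcap.gz.
prune_captures() {
    dir=$1
    days=$2
    pattern=${3:-'trace_*.pcap*'}

    [ -d "$dir" ] || { echo "prune_captures: no such directory: $dir" >&2; return 1; }

    # -mtime +N means "more than N*24h old". -maxdepth and -delete are not
    # POSIX but are supported by GNU and BSD find.
    find "$dir" -maxdepth 1 -type f -name "$pattern" -mtime +"$days" -print -delete
}

# count_captures DIR [PATTERN]
# Number of capture files currently present, so a caller can verify the prune.
count_captures() {
    dir=$1
    pattern=${2:-'trace_*.pcap*'}
    find "$dir" -maxdepth 1 -type f -name "$pattern" | wc -l | tr -d ' '
}

# When invoked with arguments (as from cron), prune the given directory.
if [ "${1:-}" != "" ]; then
    prune_captures "$@"
fi
```

Run it from cron as the same user that owns the capture directory; if tcpdump runs with -Z, that is the dropped-privilege user, not root.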
rotating by size
As an alternative to "rotate after x seconds", tcpdump can rotate the file once it has grown to a defined size. This is done by specifying -C with the file size on the command line. The unit is millions of bytes (1,000,000 bytes, not 1,048,576), so the files come out slightly smaller than the same number of MiB. The first file gets the name given to -w unchanged; every file after it gets a number appended, starting at 1 and counting upwards. strftime placeholders are not supported here.
# tcpdump -pni eth0 -s65535 -C 100 -w capture
This writes to a file named capture. After 100 million bytes of data, tcpdump creates capture1, after another 100 million bytes capture2, and so on.
This as well runs until stopped or the disk is full.
To counter the "disk full" case, -W behaves differently in combination with -C. Instead of exiting, tcpdump "rotates" back to the first file and overwrites it. With this you have something like a ring buffer, never using more than a predefined amount of disk space. In this mode tcpdump also pads the file numbers with leading zeros so that they sort correctly.
# tcpdump -pni eth0 -s65535 -C 100 -W 10 -w capture
In this example, tcpdump starts capturing into capture0 (the numbering starts at 0 when -W is given) and continues up to capture9. When it has filled capture9 with 100 million bytes of data, it starts again, overwriting capture0. This way your captures never use more than about 1000 MB of disk space.
postrotating capture files
Another way to save disk space is to compress capture files after tcpdump has finished writing them. For this, tcpdump has a built-in "postrotate" option: -z <command>
Each time tcpdump closes a capture file, it runs the command in a forked child (so capturing continues meanwhile) with the just-closed file as the first and only argument. If you drop privileges with -Z, the command runs as that user as well, so it needs write access to the capture directory.
# tcpdump -pni eth0 -s65535 -G 3600 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -z gzip
This works like the first example, but after closing a file it uses gzip to compress it, leaving trace_....pcap.gz behind. Be aware that you cannot pass any other arguments to the command (-z "gzip -9" will not work, because tcpdump tries to execute a program with exactly that name), so if you need additional options, you have to create a wrapper script and use that instead. Also keep in mind that the compressed files are not part of a -C/-W ring buffer: tcpdump only overwrites capture0 and friends, not capture0.gz, so the disk-space bound no longer holds and you need to take care of the .gz files yourself.
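A wrapper script of the kind just described, as an added example that is not part of the original post. tcpdump calls it with the closed capture file as its only argument; the script compresses with gzip -9 and, because -z is also run when a -C/-W ring wraps around to an old file name, forces gzip to overwrite a stale .gz from the previous pass. The install path /usr/local/sbin/pcap-postrotate in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): a wrapper for tcpdump's -z option.
# tcpdump runs it as:  <wrapper> <just-closed-capture-file>
# Install it where tcpdump's user may execute it and start tcpdump with, e.g.
#   tcpdump -pni eth0 -s65535 -G 3600 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' \
#       -z /usr/local/sbin/pcap-postrotate
# The path /usr/local/sbin/pcap-postrotate is an assumption for illustration.

set -eu

# postrotate FILE
# Compresses FILE in place with maximum gzip compression and prints the name
# of the compressed file. Refuses files that are already compressed or are not
# regular files, so a misconfigured -z cannot make it touch something else.
postrotate() {
    [ $# -eq 1 ] || { echo "usage: $0 <capture-file>" >&2; return 2; }
    f=$1

    case $f in
        *.gz) echo "postrotate: $f is already compressed" >&2; return 1 ;;
    esac
    [ -f "$f" ] || { echo "postrotate: $f is not a regular file" >&2; return 1; }

    # -9: best compression; -f: overwrite a leftover FILE.gz instead of
    # failing, which gzip would otherwise do when run without a terminal.
    gzip -9 -f "$f"
    printf '%s\n' "$f.gz"
}

# When invoked by tcpdump (one argument), do the work.
if [ $# -eq 1 ]; then
    postrotate "$1"
fi
```

Since tcpdump execs the command by name, give -z either an absolute path or a name on its PATH; anything the script prints goes to tcpdump's stdout/stderr, which is useful when the capture runs under a service manager that collects them.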
If your postrotate command does not run and you get a Permission denied error like
# tcpdump -pni eth0 -s65535 -G 3600 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -z gzip
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
compress_savefile:execlp(echo, trace_2010-08-30_13:04:55.pcap): Permission denied
[email protected]:~# dmesg | tail -n1
[34471806.841102] type=1503 audit(1395226938.909:41): operation="exec" pid=10460 parent=10447 profile="/usr/sbin/tcpdump" requested_mask="x::" denied_mask="x::" fsuid=0 ouid=0 name="/bin/gzip"
then AppArmor is preventing tcpdump from executing gzip: the shipped profile only allows what tcpdump itself needs. You can allow it to run gzip by adding a rule for it to /etc/apparmor.d/usr.sbin.tcpdump (the profile starts like this):
# Last Modified: Wed Feb 3 07:58:30 2009
# Author: Jamie Strandboge <[email protected]>
After reloading the AppArmor profile, your tcpdump should be able to produce gzipped files.
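The rule that does this, as an added example rather than the page's own profile text. It assumes the profile lives at /etc/apparmor.d/usr.sbin.tcpdump as shown above and uses the standard AppArmor execute modes; the exact rule shipped by your distribution may differ.

```apparmor
# Added example, not the page's own profile text: an AppArmor rule that lets
# tcpdump execute gzip for -z. Put it inside the profile's braces in
# /etc/apparmor.d/usr.sbin.tcpdump, then reload the profile with
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump
# "ix" runs gzip under tcpdump's own (inherited) profile rather than
# unconfined; "r" lets tcpdump read the binary in order to exec it. The
# {usr/,} alternation covers both /bin/gzip and /usr/bin/gzip.
/{usr/,}bin/gzip ixr,
```

If you use a wrapper script instead of gzip directly, the same applies to it: under ix the script inherits tcpdump's profile, so its interpreter and every program it calls must be allowed as well. Resist the temptation to use ux (unconfined execute) for the wrapper; that lets anything reachable through -z run without any confinement at all.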