Again, this goes into the
I-cannot-forget-this-because-I-rarely-use-it-but-will-need-it-eventually category. If
you need to run tcpdump for a limited amount of time, it's very easy with the
combination of two switches: "-G" and "-W". Basically you tell tcpdump to rotate
the output file every N seconds, and once it has rotated through the maximum
number of files, exit gracefully.
$ sudo tcpdump -w foo -i eth0 -n -G 60 -W 1
This will exit tcpdump after 60 seconds.
$ sudo tcpdump -w foo.%s -n -i eth0 -G 5 -W 3
This will create three files of five seconds apiece, then exit gracefully. Each
file will have the epoch timestamp as its suffix. This is what I am looking for
most of the time, though with varying lengths of time (e.g. 6 files of 300
seconds).
$ sudo tcpdump -Z root -w foo.%s -n -i eth0 -G 5 -W 3
"-Z root" is needed because, by default, tcpdump drops privileges before opening
a file that is to be rotated. It is not necessary if you have that "%s", because
tcpdump will just create a new file each time, but it is needed if you have a
ring buffer (use the -C option).
And lastly some versions of tcpdump don't capture the entire packet by default.
You sometimes need to tack on "-s 65535" to see the full packet.
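An added example, not from the original note: a small POSIX sh helper that builds the tcpdump argument list for the timed rotation described above (adding "-Z root" only for the ring-buffer form, and "-s 65535" for the full packet) and, after a "%s" capture, checks that the expected number of epoch-suffixed files came out spaced one interval apart. The function names are this example's own.

```shell
#!/bin/sh
# Added example; timed_capture_args and check_rotation are names invented here.

# Print the tcpdump arguments for: rotate every $3 seconds, stop after $4 files.
# With a 5th argument (ring buffer size in MB, tcpdump -C) there is no %s in the
# file name, so "-Z root" is added as the note above describes.
# Usage: sudo tcpdump $(timed_capture_args foo eth0 300 6)
timed_capture_args() {
    prefix=$1 iface=$2 interval=$3 count=$4 ring=${5:-}
    if [ -n "$ring" ]; then
        echo "-Z root -C $ring -w $prefix -n -i $iface -s 65535 -G $interval -W $count"
    else
        echo "-w $prefix.%s -n -i $iface -s 65535 -G $interval -W $count"
    fi
}

# After a "%s" capture: expect $3 files named $1.<epoch>, each opened $2 seconds
# after the previous one (1 second of slack for timer jitter).
# Returns 0 when the rotation matches what was requested, 1 otherwise.
# Usage: check_rotation foo 300 6 || echo "capture did not rotate as expected"
check_rotation() {
    prefix=$1 interval=$2 expected=$3
    for f in "$prefix".[0-9]*; do
        [ -e "$f" ] || continue                      # glob matched nothing
        case ${f##*.} in *[!0-9]*) continue ;; esac  # suffix must be all digits
        printf '%s\n' "${f##*.}"
    done | sort -n | {
        n=0 prev= ok=0
        while read -r ts; do
            if [ -n "$prev" ]; then
                gap=$((ts - prev))
                [ "$gap" -ge "$interval" ] && [ "$gap" -le $((interval + 1)) ] || ok=1
            fi
            prev=$ts n=$((n + 1))
        done
        [ "$ok" -eq 0 ] && [ "$n" -eq "$expected" ]
    }
}
```

check_rotation only applies to the "%s" naming form; with -C tcpdump numbers the ring-buffer files instead of stamping them.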