Morgan Wesström wrote:
> Frank Shute wrote:
>> On Sat, May 23, 2009 at 02:57:08PM +0300, Yavuz Ma?lak wrote:
>>> I want tcpdump to rotate its dump file when the size reaches 10 MB.
>>> Which command should I use?
>>
>> You should be able to set up newsyslog(8) to rotate the dumps. You
>> want to have a look at newsyslog.conf(5) to craft a line to put in
>> your conf file. There are examples to work from in the conf file
>> already.
>>
>> Regards,
>
> Correct me if I'm wrong, but wouldn't tcpdump have to be restarted
> after the logrotate? I'm under the impression that it would just
> continue to output to the old inode even if the file occupying it
> changes name, and the restart functionality of newsyslog(8) isn't
> really bright enough to restart tcpdump with all its initial
> parameters. I'm using sysutils/cronolog for my Apache logs so I don't
> have to restart Apache at all for the logrotate. Unfortunately
> cronolog doesn't seem to have a size option to trigger the rotation
> though. Maybe there's another alternative for the OP?
tcpdump(1) doesn't have options to support rotating dump files based on
size, and it doesn't understand SIGHUP to mean "close all open file
descriptors and reinitialise yourself" the way that syslogd(8) and a lot
of other daemon processes do, so newsyslog(8) won't work either.
Therefore you're going to have to wrap tcpdump in a script to test the
size of the output file, stop tcpdump when the output hits the target
size, then restart tcpdump with a new dump file. [If you're trying to
dump very frequent traffic this will almost certainly mean that you miss
a few packets].

Now, depending on what data you're capturing there might be a really
simple way of doing that. If you capture just the default 68 bytes of
headers then simply capturing 154202 packets will give you a 10MB dump
file. So you can do this:

    #!/bin/sh
    # Each file holds 154202 packets: at the default 68-byte snaplen that
    # is about 10MB of captured data.  -c makes tcpdump exit after that
    # many packets and the loop starts it again on the next file.
    n=0
    while true ; do
        n=$(( n + 1 ))
        tcpdump -i em0 -c 154202 -w /tmp/tcpdump.out.$n
    done

On the other hand, if you want to capture the traffic in its entirety
(i.e. by using '-s 0' on the tcpdump command line so you get the packet
payload as well), then packets can be anywhere up to 1500 bytes (on a
typical ethernet -- 8kB or more is possible if you're using jumbo
frames). Packet counting won't help in this case, but something like the
following might. (Warning: completely untested code. May cause
unexpected results up to and including the destruction of the
Internet...)

    #!/bin/sh
    n=0
    while true ; do
        n=$(( n + 1 ))
        # Start the capture in the background and remember its PID.
        tcpdump -i em0 -s 0 -w /tmp/tcpdump.out.$n &
        pid=$!
        # Poll the savefile every 5 seconds until it reaches 10MB
        # (10485760 bytes).  The file may not exist for an instant after
        # tcpdump starts, so treat a failed stat as size 0.
        while [ $( stat -f %z /tmp/tcpdump.out.$n 2>/dev/null || echo 0 ) -lt 10485760 ] ; do
            sleep 5
        done
        # SIGTERM makes tcpdump flush and close the savefile cleanly.
        kill $pid
        wait $pid
    done

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
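The wrapper Matthew sketches, as an added example that is not part of the thread or anyone's posted code: a POSIX sh script that starts a capture command writing to PREFIX.N, polls the savefile size, and when it reaches the limit sends SIGTERM (which makes tcpdump flush and close the file) and starts the capturer again on PREFIX.N+1. It generalises the second script in the reply by taking the limit, the file-name prefix and the capture command as arguments, and by stopping when the capturer exits on its own (tcpdump failing to open the interface, say) instead of polling a file that will never grow. The interface em0 and the /tmp/tcpdump.out prefix are taken from the thread; the function names and the POLL_INTERVAL variable are this example's own. tcpdump is not run here; the rotation logic is exercised with a stand-in writer. Note that later tcpdump releases also have a -C option that rotates in-process (its unit is 1,000,000 bytes, not 1,048,576), but the wrapper still applies to any capturer that cannot rotate by itself.

```shell
#!/bin/sh
# rotate-capture.sh: size-based rotation for a capturer that cannot rotate
# its own output.  Added example, not code from the thread.
#
# Usage: rotate-capture.sh LIMIT_BYTES MAX_FILES PREFIX CMD [ARGS...]
#   e.g. rotate-capture.sh 10485760 0 /tmp/tcpdump.out tcpdump -i em0 -s 0 -w
# The output path PREFIX.N is appended as the last argument of CMD, so for
# tcpdump the argument list ends with -w.  MAX_FILES=0 means run until killed.
# POLL_INTERVAL (seconds, default 5) controls how often the size is checked.

# file_size FILE: size of FILE in bytes, 0 if it does not exist yet.
# wc -c is used instead of stat(1) because stat's flags differ between
# FreeBSD (-f %z) and GNU (-c %s).
file_size() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# rotate_capture LIMIT MAX_FILES PREFIX CMD [ARGS...]
# Runs CMD in the background writing to PREFIX.N, polls the file and, when it
# reaches LIMIT bytes, sends SIGTERM (tcpdump flushes and closes the savefile
# on SIGTERM) and starts CMD again on PREFIX.N+1.  Sets ROTATE_FILES to the
# number of files started.  Returns 0 after MAX_FILES files, 1 if the capturer
# exited by itself (e.g. tcpdump could not open the interface).
rotate_capture() {
    limit=$1; max_files=$2; prefix=$3; shift 3
    n=0
    while [ "$max_files" -eq 0 ] || [ "$n" -lt "$max_files" ]; do
        n=$((n + 1))
        out="$prefix.$n"
        "$@" "$out" &
        pid=$!
        while [ "$(file_size "$out")" -lt "$limit" ]; do
            if ! kill -0 "$pid" 2>/dev/null; then
                # Capturer died before the file filled up: reap it and stop.
                wait "$pid" 2>/dev/null || true
                ROTATE_FILES=$n
                return 1
            fi
            sleep "${POLL_INTERVAL:-5}"
        done
        # Size limit reached: stop this capturer and move on to the next file.
        kill "$pid" 2>/dev/null || true
        wait "$pid" 2>/dev/null || true
    done
    ROTATE_FILES=$n
    return 0
}

# Run from the command line; when sourced with no arguments only the
# functions are defined.
if [ $# -ge 4 ]; then
    rotate_capture "$@"
    echo "wrote $ROTATE_FILES file(s)"
fi
```

The files can overshoot the limit by whatever arrives during one poll interval, so lower POLL_INTERVAL on a busy link; the gap between the kill and the next start still drops packets, exactly as the reply warns, and a size check on the file does nothing about that.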