Morgan Wesström wrote:
Frank Shute wrote:
On Sat, May 23, 2009 at 02:57:08PM +0300, Yavuz Ma?lak wrote:
I wish tcpdump to rotate tcpdump file whose size reaches 10Mbyte.

Which command should I use ?

You should be able to set up newsyslog(8) to rotate the dumps.

You want to have a look at newsyslog.conf(5) to craft a line to put in
your conf file. There are examples to work from in the conf file


Correct me if I'm wrong but wouldn't tcpdump have to be restarted after
the logrotate? I'm under the impression that it would just continue to
output to the old inode even if the file occupying it changes name and
the restart functionality of newsyslog(8) isn't really bright enough to
restart tcpdump with all its initial parameters.
I'm using sysutils/cronolog for my Apache logs so I don't have to
restart Apache at all for the logrotate. Unfortunately cronolog doesn't
seem to have a size option to trigger the rotation though. Maybe there's
another alternative for the OP?

tcpdump(1) doesn't have options to support rotating dump files based on
size, and it doesn't understand SIGHUP to mean close all open file
descriptors and reinitialise yourself the way that syslogd(8) and a lot
of other daemon processes do, so newsyslog(8) won't work either.

Therefore you're going to have to wrap tcpdump in a script to test the size
of the output file, stop tcpdump when the output hits the target size, then
restart tcpdump with a new dump file.  [If you're trying to dump
very frequent traffic this will almost certainly mean that you miss a few

Now, depending on what data you're capturing there might be a really simple
way of doing that.  If you capture just the default 68 bytes of headers then
simply capturing 154202 packets will give you a 10MB dump file.  So you can do



while true ; do
   n=$(( $n + 1 ))
   tcpdump -i em0 -c 154202 -w /tmp/tcpdump.out.$n

On the other hand, if you want to capture the traffic in it's entirety
(ie. by using '-s 0' on the tcpdump command line so you get the packet
payload as well), then packets can be anywhere up to 1500bytes (on a typical
ethernet -- 8kB or more is possible if you're using jumbo frames).  Packet
counting won't work help in this case, but something like the following might.
(Warning: completely untested code.  May cause unexpected results up to and
including the destruction of the Internet...)


tcpdumpcmd='tcpdump -i em0 -s 0 -w /tmp/tcpdump.out.$n &'

while true ; do
 n=$(( $n++ ));
 eval $tcpdumpcmd

 while [ $( stat -f %z /tmp/tcpdump.$n ) -lt 10485760 ] ; do
        sleep 5;

 kill $( jobs -s )



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP:     Ramsgate
                                                 Kent, CT11 9PW

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to