How to implement max file size limits and "log rotation" with tcpdump
A simple tutorial describing how to create "rollover" files for tcpdump packet captures.
💡
Author's note: this is an older article I brought over from my prior blog by popular request. Some of the information may be a little dated.
The issue: You need to collect a packet capture for an extended amount of time but don't want it to consume too much disk space.
The solution: Use the following tcpdump syntax:
tcpdump port 25 -s 0 -vvv -C 100 -W 50 -w /tmp/example.pcap
-s 0tells tcpdump to collect the entire packet contents.-vvvenables verbose logging/details (which among other things will give us a running total on how many packets are captured).-C 100tells tcpdump to store up to 100 MB of packet data per file.-W 50tells tcpdump to store up to 50 rollover files (example.pcap00, example.pcap01 ... example.pcap49 at which point it would start over).-w /tmp/example.pcaptells tcpdump where to write the files.
Important note regarding file permissions: since tcpdump will be creating new files dynamically, the destination directory needs to be an area where it can create new files under the authority of the tcpdump or pcap user (depending on your distribution). If you want tcpdump to write the files under the authority of root, add the -Z root switch.
In this case, tcpdump will use a max of ~ 5 GB for rollover files.
