Sunday, May 1, 2016

Rotating traffic captures using tcpdump

To avoid ending up with one enormous capture file, tcpdump has a handful of switches that rotate the output across several files, cap how many files are kept, and hand each finished file to a command (for example a compressor) as soon as it is closed.

-n : do not resolve addresses to host names (avoids DNS lookups that slow the capture and leak what you are looking at)
-i : the network interface on which to capture traffic
-s : snapshot length in bytes; -s0 captures every packet in full rather than truncating it
-vvv : maximum verbosity
-w : the file name and location in which the capture will be saved
-C : the size of each file in millions of bytes (1,000,000 bytes, not 1,048,576); when the current file reaches this size it is closed and a new one is started
-W : the number of files to keep; once that many exist the oldest is overwritten, giving a ring buffer (used with -C)
-z : a post-rotate command that tcpdump runs as "command file" on each file it closes; -z gzip compresses the finished files. The command runs in the background at low priority so it does not disturb the capture.


For example,

tcpdump -ni eth1 -C 20 -z gzip -w /tmp/trace.pcap

This creates trace.pcap first and, every time the current file reaches 20,000,000 bytes (-C 20), closes it and continues into trace.pcap1, trace.pcap2, and so on. Each closed file is compressed by gzip in the background (trace.pcap becomes trace.pcap.gz). Note that without -W there is no limit on the number of files, so this bounds the size of each file but not the total disk space used.

tcpdump -pni eth0 -s0 -C 100 -W 10 -w /tmp/capture

In this example, -p keeps the interface out of promiscuous mode and -s0 records full packets. tcpdump writes into capture0 until it reaches 100,000,000 bytes, then capture1, and so on up to capture9. When capture9 is full it starts again at capture0, overwriting it. With -W the numeric suffix starts at 0 and is zero-padded to the width needed for the file count, so the files sort correctly. This way, the captures never use more than 10 x 100,000,000 bytes, about 1 GB, of disk space.

Two things to check before relying on this in production: the directory must be writable by the user tcpdump runs as (some distributions build tcpdump to drop root privileges to an unprivileged user, see -Z, and any -z command runs as that user too), and a capture file is readable by anyone who can read the directory, so restrict permissions on the output path.
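The following is an added example, not code from the original post. It is a post-rotate hook for the -z switch that compresses each closed capture, tightens its permissions and appends a SHA-256 line to a manifest so a capture kept as evidence can be checked later, plus two helpers that reproduce the file names and the disk ceiling that a given -C/-W pair produces. The install path /usr/local/bin/pcap-rotate.sh and the manifest name MANIFEST.sha256 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a post-rotate hook for tcpdump -z
# plus helpers that reproduce tcpdump's -C/-W naming and disk ceiling.
# Install path below is an assumption. Typical use:
#   tcpdump -pni eth0 -s0 -C 100 -W 10 -z /usr/local/bin/pcap-rotate.sh -w /var/tmp/capture
set -eu

# tcpdump runs "postrotate-command <file>" once for every savefile it closes.
# Compress it, restrict who can read it, and record a hash so later tampering
# with the stored capture can be detected. Prints the resulting file name.
postrotate() {
    f="$1"
    gzip -9 "$f"                      # gzip removes the original, leaving "$f.gz"
    chmod 0640 "$f.gz"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f.gz" >> "$(dirname "$f")/MANIFEST.sha256"
    fi
    printf '%s\n' "$f.gz"
}

# File names tcpdump produces for "-w BASE -C size -W nfiles": the suffix
# counts from 0 and is zero-padded to the width of (nfiles - 1); -W 1 gives
# the bare base name.
rotation_names() {
    base="$1"; nfiles="$2"
    x=$((nfiles - 1)); digits=0
    while [ "$x" -gt 0 ]; do digits=$((digits + 1)); x=$((x / 10)); done
    i=0
    while [ "$i" -lt "$nfiles" ]; do
        if [ "$digits" -eq 0 ]; then
            printf '%s\n' "$base"
        else
            printf "%s%0${digits}d\n" "$base" "$i"
        fi
        i=$((i + 1))
    done
}

# Upper bound on uncompressed disk use for "-C size -W nfiles":
# -C is in units of 1,000,000 bytes.
disk_ceiling_bytes() {
    echo $(( $1 * 1000000 * $2 ))
}

# When tcpdump invokes the script it passes exactly one argument, the file
# it just closed; act as the hook in that case.
if [ "$#" -ge 1 ]; then
    postrotate "$1"
fi
```

Because -z runs the hook in the background, a slow compressor does not stall the capture, but the next rotation can start before the previous file is compressed, so the real peak disk use is briefly above the ceiling computed here.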
