stok Posted May 14, 2009: I want to be able to capture packets continuously with Linux using something like tcpdump. At some point, I'd run out of space to store the captures, so I'd like to be able to drop the old stuff and keep the newer stuff. It also seems to be a good idea to split the files into more manageable sizes. What's the best way to accomplish this?
digip Posted May 14, 2009: Wireshark has an option to limit log size and rotate upon reaching size limits, so I imagine tcpdump would as well. If not, Wireshark has a command line API that comes with the Wireshark install, which I imagine could do the same thing as tcpdump. It's an option like use multiple files, save to x number of megabytes, new file on x number of megabytes. Never did it from the CLI, so not sure what the commands are. I guess read the man file or google for documentation.
Tarbizkit Posted May 15, 2009: You could use tshark from the distribution as well. Also, if you are not really concerned about what is inside the traces or you have some other reason not to capture the data (basically only header info), you could filter out the payload and bring down the size of the files as well.
taiyed14 Posted May 15, 2009: I agree with digip. tshark and I believe tcpdump have an option to rotate files after X MB. (Check out the man pages or -h of either.) Then have a cron job delete the old files.
haxple Posted May 15, 2009: You should make a script to execute tcpdump every 1 / 2 / 5 hours...
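A worked example of what the replies above describe, added here and not taken from any post in the thread: tcpdump's own size-based ring buffer (-C with -W, the rotate-after-X-MB option taiyed14 mentions), time-based rotation (-G, which does the hourly restart haxple suggests without an external scheduler), a reduced snaplen (-s, Tarbizkit's headers-only capture), and a prune function for the cron job that deletes old files. The interface name, capture directory, sizes and the "nobody" user are placeholders (assumptions), as is the cap- file name prefix.

```shell
#!/bin/sh
# Added example, not from the thread. Continuous tcpdump capture with rotation,
# plus a prune step meant to be run from cron. Interface, directory, sizes and
# the unprivileged user below are placeholders; adjust them to the host.

CAP_DIR="${CAP_DIR:-/var/log/pcap}"   # must be writable by the -Z user
IFACE="${IFACE:-eth0}"
SNAPLEN=128      # bytes kept per packet: L2/L3/L4 headers, payload dropped
FILE_MB=100      # -C: start a new file after this many million bytes (not MiB)
RING_FILES=50    # -W: with -C, cap the file count and overwrite the oldest
ROTATE_SECS=3600 # -G: close the file and open a new one every hour
KEEP_FILES=48    # for the -G variant: how many hourly files the pruner keeps

# Variant 1: size-based ring buffer. tcpdump reuses the oldest file once
# RING_FILES files exist, so nothing else has to delete anything. With -W the
# files get a zero-padded numeric suffix (cap00 .. cap49) so they sort.
ring_buffer_cmd() {
    printf 'tcpdump -i %s -n -s %s -C %s -W %s -Z nobody -w %s/cap\n' \
        "$IFACE" "$SNAPLEN" "$FILE_MB" "$RING_FILES" "$CAP_DIR"
}

# Variant 2: time-based rotation. -G closes the file every ROTATE_SECS and the
# -w name is expanded with strftime(3), so file names sort chronologically.
# tcpdump does not delete old files in this mode; prune_captures does that.
timed_rotation_cmd() {
    printf 'tcpdump -i %s -n -s %s -G %s -Z nobody -w %s/cap-%%Y%%m%%d-%%H%%M%%S.pcap\n' \
        "$IFACE" "$SNAPLEN" "$ROTATE_SECS" "$CAP_DIR"
}

# Delete all but the newest $2 cap-*.pcap files in $1 and print how many were
# removed. The names are time stamps, so lexical order is chronological and the
# first entries are the oldest. The file tcpdump is currently writing is the
# newest one and is never touched as long as $2 is at least 1.
prune_captures() {
    dir=$1
    keep=$2
    total=$(ls "$dir"/cap-*.pcap 2>/dev/null | wc -l | tr -d ' ')
    ndel=$((total - keep))
    if [ "$ndel" -le 0 ]; then
        echo 0
        return 0
    fi
    ls "$dir"/cap-*.pcap | sort | head -n "$ndel" | while read -r f; do
        rm -f "$f"
    done
    echo "$ndel"
}

# Usage (as root, since opening the interface needs it):
#   sh capture.sh ring    run the size-based ring buffer
#   sh capture.sh timed   run hourly rotation
#   sh capture.sh prune   keep the newest KEEP_FILES files (from cron)
# Word splitting on the command string is intentional: no argument contains
# whitespace with the placeholder values above.
case "${1:-}" in
    ring)  exec $(ring_buffer_cmd) ;;
    timed) exec $(timed_rotation_cmd) ;;
    prune) prune_captures "$CAP_DIR" "$KEEP_FILES" ;;
esac
```

Two caveats worth checking on a real box. -Z makes tcpdump open the interface as root and then switch to the named user before it writes the first file, so the capture directory has to be writable by that user or the capture dies on the first rotation. And -W behaves differently with -G than with -C: with -C it wraps around and overwrites, with -G it stops tcpdump after that many files, which is why the timed variant relies on the prune function (a cron line such as `0 * * * * root /usr/local/bin/capture.sh prune` does the deletion taiyed14 describes). If the snaplen is too small for the headers you care about (IPv6 plus TCP options, or VLAN tags), raise it rather than going back to full packets; the size win from dropping payload is usually the difference between hours and days of retention.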