Capture packets 24 hours a day/7 days a week

[stok]

I want to be able to capture packets continuously with Linux using something like tcpdump. At some point, I'd run out of space to store the captures, so I'd like to be able to drop the old stuff and keep the newer stuff. It also seems to be a good idea to split the files into more manageable sizes.

What's the best way to accomplish this?

[digip]

Wireshark has an option to limit log size and rotate upon reaching size limits, so I imagine tcpdump would as well. If not, wireshark has a command line api that comes with the wireshark install, which I imagine could do the same thing as tcpdump. Its an option like use multiple files, save to x number of megabyts, new file on x number of megabytes. Never did it from the cli, so not sure what the commands are. I guess read the man file or google for documentation.

[Tarbizkit]

you could use tshark from the distribution as well. Also, if you are not really concerned about what is inside the traces or you have some other reason not to capture the data (basically only header info), you could filter out the payload and bring down the size of the files as well.

[taiyed14]

i agree with digip. tshark and i believe tcpdump have an option to rotate files after X MB. (check out the man pages or -h of either) Then have a cron job delete the old files.

[haxple]

You should make a script to execute tcpdump every 1 / 2 / 5 hours...