Rotate capture files

To rotate capture files by size, use the “-C file_size” option to set the size at which tcpdump closes the current file and starts a new one (the unit is MB, i.e., 1,000,000 bytes):

  # tcpdump -w enp0s3.pcap -C 1

Alternatively, files can be rotated by time (in seconds) with the “-G seconds” option; the -w file name then contains strftime placeholders so that each rotated file gets a distinct name:

  # tcpdump -w enp0s3_%F_%T.pcap -G 3
  tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
  ^C10 packets captured
  12 packets received by filter
  0 packets dropped by kernel
  # ls -lt *.pcap
  -rw-r--r-- 1 root root 100 Jun 6 09:13 enp0s3_2019-06-06_09:13:28.pcap
  -rw-r--r-- 1 root root 176 Jun 6 09:13 enp0s3_2019-06-06_09:13:24.pcap
  -rw-r--r-- 1 root root 746 Jun 6 09:13 enp0s3_2019-06-06_09:13:21.pcap

The %F and %T placeholders follow the strftime(3) format; this page gives a reference.

If something needs to be done with each saved file, the “-z postrotate-command” option runs that command after every rotation, passing the just-closed file name as its argument. For example, to compress each rotated file:

  # tcpdump -w enp0s3_%F_%T.pcap -G 3 -z gzip
  tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
  ^C22 packets captured
  24 packets received by filter
  0 packets dropped by kernel
  # ls *.gz
  enp0s3_2019-06-21_13:37:29.pcap.gz enp0s3_2019-06-21_13:37:37.pcap.gz enp0s3_2019-06-21_13:37:43.pcap.gz
  enp0s3_2019-06-21_13:37:34.pcap.gz enp0s3_2019-06-21_13:37:40.pcap.gz
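Because tcpdump calls the -z command with the closed file as its only argument, that command can be a script rather than a bare gzip. The following postrotate handler is an added example, not from the original page: it compresses each rotated capture and appends its SHA-256 to a manifest, so that archived evidence can later be checked for tampering with sha256sum -c. It assumes GNU gzip and coreutils sha256sum are installed; the script name postrotate.sh and the manifest file name are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original page): postrotate handler for tcpdump -z.
# Invoke it as:  tcpdump -w enp0s3_%F_%T.pcap -G 3 -z ./postrotate.sh
# tcpdump runs "./postrotate.sh <savefile>" each time it closes a rotated file.
# The script must be executable, and if tcpdump drops privileges (-Z user) the
# command runs as that user, so the capture directory must be writable by it.
# Assumptions: GNU gzip and coreutils sha256sum are available.

# Compress one rotated capture and record the SHA-256 of the compressed file.
# $1: path of the capture file tcpdump just closed.
postrotate_handle() {
    file="$1"
    # Manifest lives next to the captures; one "<hash>  <path>" line per file.
    manifest="$(dirname "$file")/captures.sha256"
    [ -f "$file" ] || return 1
    gzip -f "$file" || return 1
    sha256sum "$file.gz" >> "$manifest" || return 1
    return 0
}

# Verify every archived capture listed in a manifest; returns non-zero if any
# file is missing or its hash no longer matches (the integrity check an analyst
# runs before trusting archived pcaps).
verify_captures() {
    sha256sum -c --quiet "$1"
}

# When executed by tcpdump there is exactly one argument: the rotated file.
if [ "$#" -eq 1 ]; then
    postrotate_handle "$1"
fi
```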

There is also a “-W filecount” option, used together with “-C” or “-G”, that limits the number of files kept.