tcpdump – rotate capture files using -G, -W and -C

I'm looking to be able to capture a rotating tcpdump output which captures 30 minutes worth of data, into 48 files, cyclically.

The man page implies this should be possible, but my testing doesn't seem to produce the result I'm looking for:

-W

      Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer.  In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.

      Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit.  If used with -C as well, the behavior will result in cyclical files per timeslice.

I'm running this on OS X 10.9.5/10.10.3 clients. Here's the test command; it just exits after the 3rd file:

tcpdump -i en0 -w /var/tmp/trace-%Y-%M-%d_%H.%M.%S.pcap -W 3 -G 3 -C -K -n

That's because you wrote -W 3 instead of -W 48. There are, however, other errors in your command.

The option -G means:

-G rotate_seconds

      If specified, rotates the dump file specified with the -w option every rotate_seconds seconds.  Savefiles will have the name specified by -w which should include a time format as defined by strftime(3).  If no time format is specified, each new file will overwrite the previous.

      If used in conjunction with the -C option, filenames will take the form of 'file<count>'.

Since you wrote -G 3, you will be rotating this every 3 seconds, while you stated

...which captures 30 minutes worth of data

Also, the naming scheme is wrong: from the above,

If used in conjunction with the -C option, filenames will take the form of 'file<count>'.

Thus there is no point in specifying the time format for the name.

Further, the -C option has no argument, while, according to the man page, it should:

tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
-C file_size ] [ -G rotate_seconds ] [ -F file ] [ -I interface ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]

The man page states:

-C

      Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one.  Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward.  The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

So you should specify -C 100 in order to produce 100 MB files.

In the end, your command should be:

tcpdump -i en0 -w /var/tmp/trace -W 48 -G 1800 -C 100 -K -n

This will rotate files (of names trace1, trace2, ...) cyclically, with period 48, either every 1800 seconds (=30 minutes) or every 100 MB, whichever comes first.


Expanding upon flabdablet’s answer (changing -G 1800 to -G 300 – rotation every five minutes – just for testing purposes),

tcpdump -i en0 -w /var/tmp/trace-%m-%d-%H-%M-%S-%s -W 3 -G 300

will give you %m=month, %d=day of month, %H=hour of day, %M=minute of day, %S=second of day, %s=millisecond of day, resulting in

/var/temp/trace-03-02-08-30-56-1520002568
/var/temp/trace-03-02-08-35-56-1520002568
/var/temp/trace-03-02-08-40-56-1520002568

Very useful for organizing traces for those pesky intermittent problems.  Also, if you're not root, you may want to sudo and of course make it a nohup:

sudo bash -c "nohup tcpdump -i en0 -w /var/tmp/trace-%m-%d-%H-%M-%S-%s -W 3 -G 300 &"