问题
I want to capture my network traffic with using tcpdump and if captured packet rise is 10mb i want to make another file.how can i schedule this with tcpdump. please be kind enough to help me. thank you.
回答1:
tcpdump -W 5 -C 10 -w capfile
What the above command does is create a rotating buffer of 5 files (-W 5) and tcpdump switches to another file once the current file reaches 10,000,000 bytes, about 10MB (-C works in units of 1,000,000 bytes, so -C 10 = 10,000,000 bytes). The prefix of the files will be capfile (-w capfile), and a one-digit integer will be appended to each.
So your directory will have 5 files rotating with constant capture data:
capfile0
capfile1
capfile2
capfile3
capfile4
Each will be approximately 10,000,000 bytes, but will probably be slightly larger (depending on the space remaining and the size of the last packet received). If you want to have a larger rolling data set your -W to a higher count (-W 50).
It is also very important that the user and group tcpdump have access to write to the location where you are storing these files. Even if you are running as root.
回答2:
Worth mention that omitting the -W will disable rotation, so files will just be added instead of being rotated. its good when u investigate a network problem and need to capture traffic for long time and want all files to be there.
% tcpdump -i eth0 -w file.pcap -G 3600 -C 100 -K -n &
回答3:
Since this is a very useful thread, it might be worthwhile to mention that the folder where you run this tcpdump command requires world write-able permissions or your user needs to be owner or part of the owning group of the directory otherwise you will see an error writing to files.
来源:https://stackoverflow.com/questions/21567963/how-to-save-a-new-file-when-tcpdum-file-size-reaches-10mb