Date:      Sat, 23 May 2009 19:29:20 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Morgan Wesström <freebsd-questions@pp.dyndns.biz>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: how to rotate a tcpdump file
Message-ID:  <4A184080.7010203@infracaninophile.co.uk>
In-Reply-To: <4A1831CD.6080505@pp.dyndns.biz>
References:  <852FCD4FD0834115930F3DB05ADB7F3C@desktop2002>	<20090523160452.GA71919@melon.esperance-linux.co.uk> <4A1831CD.6080505@pp.dyndns.biz>

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Morgan Wesström wrote:
> Frank Shute wrote:
>> On Sat, May 23, 2009 at 02:57:08PM +0300, Yavuz Ma?lak wrote:
>>> I wish tcpdump to rotate tcpdump file whose size reaches 10Mbyte.
>>>
>>> Which command should I use ?
>>>
>> You should be able to set up newsyslog(8) to rotate the dumps.
>>
>> You want to have a look at newsyslog.conf(5) to craft a line to put in
>> your conf file. There are examples to work from in the conf file
>> already.
>>
>> Regards,
> 
> Correct me if I'm wrong but wouldn't tcpdump have to be restarted after
> the logrotate? I'm under the impression that it would just continue to
> output to the old inode even if the file occupying it changes name and
> the restart functionality of newsyslog(8) isn't really bright enough to
> restart tcpdump with all its initial parameters.
> I'm using sysutils/cronolog for my Apache logs so I don't have to
> restart Apache at all for the logrotate. Unfortunately cronolog doesn't
> seem to have a size option to trigger the rotation though. Maybe there's
> another alternative for the OP?

tcpdump(1) doesn't have options to support rotating dump files based on
size, and it doesn't understand SIGHUP to mean close all open file
descriptors and reinitialise yourself the way that syslogd(8) and a lot
of other daemon processes do, so newsyslog(8) won't work either.

Therefore you're going to have to wrap tcpdump in a script to test the size
of the output file, stop tcpdump when the output hits the target size, then
restart tcpdump with a new dump file.  [If you're trying to dump
very frequent traffic this will almost certainly mean that you miss a few
packets].

Now, depending on what data you're capturing there might be a really simple
way of doing that.  If you capture just the default 68 bytes of headers then
simply capturing 154202 packets will give you a 10MB dump file.  So you can do
this:

#!/bin/sh

# Capture 154202 packets per file; when tcpdump exits, start a new file
# with the next sequence number.
n=0

while true ; do
    n=$(( $n + 1 ))
    tcpdump -i em0 -c 154202 -w /tmp/tcpdump.out.$n
done

On the other hand, if you want to capture the traffic in its entirety
(ie. by using '-s 0' on the tcpdump command line so you get the packet
payload as well), then packets can be anywhere up to 1500bytes (on a typical
ethernet -- 8kB or more is possible if you're using jumbo frames).  Packet
counting won't help in this case, but something like the following might.
(Warning: completely untested code.  May cause unexpected results up to and
including the destruction of the Internet...)

#!/bin/sh

n=0

while true ; do
  n=$(( $n + 1 ))
  # Start the capture in the background and remember its pid.
  tcpdump -i em0 -s 0 -w /tmp/tcpdump.out.$n &
  pid=$!

  # Poll the dump file (stat -f %z is the FreeBSD file-size format) until
  # it reaches 10MB; the file may not exist yet on the first pass.
  while [ "$( stat -f %z /tmp/tcpdump.out.$n 2>/dev/null || echo 0 )" -lt 10485760 ] ; do
	sleep 5;
  done

  # Stop this capture and wait for it to flush before starting the next one.
  kill $pid
  wait $pid
done

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A184080.7010203>
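The size-polling wrapper sketched in the second script above, written out as an added example (this is not code from the thread or from tcpdump). It generalises the idea: the capture command is a parameter, the output file name is appended as its last argument, file size is read with `wc -c` so it works on FreeBSD and Linux alike (`stat -f %z` is BSD-only), and the loop stops if the capture process dies on its own rather than spinning forever restarting a failing command. `rotate_capture`, `file_size`, `fake_capture` and `POLL_INTERVAL` are names introduced here; `fake_capture` is a constructed stand-in for tcpdump so the wrapper can be run offline. The gap between killing one capture and starting the next still loses packets, as the message says; current tcpdump also has its own `-C` (rotate at a size in millions of bytes) and `-W` (cap the file count) options that rotate in-process without that gap.

```shell
#!/bin/sh
# Added example: size-based rotation wrapper for any capture command that
# writes to a file, such as tcpdump -w.  The command gets the output file as
# its final argument, so the thread's case (10 MB files, run forever) is:
#   rotate_capture 10485760 /tmp/tcpdump.out 0 tcpdump -i em0 -s 0 -w
# Assumptions: POSIX sh, a writable output directory, a capture command that
# creates its file on startup.  POLL_INTERVAL (seconds, default 5) sets how
# often the file size is checked.

# Portable file size in bytes; a missing file counts as 0.
file_size() {
    if [ -e "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# rotate_capture MAX_BYTES PREFIX MAX_FILES COMMAND...
# Runs COMMAND... PREFIX.N in the background, polls until the file reaches
# MAX_BYTES, terminates it and starts PREFIX.N+1.  MAX_FILES=0 means no limit.
# Packets arriving between the kill and the next start are lost.
rotate_capture() {
    max_bytes=$1; prefix=$2; max_files=$3; shift 3
    n=0
    while [ "$max_files" -eq 0 ] || [ "$n" -lt "$max_files" ]; do
        n=$((n + 1))
        out="$prefix.$n"
        "$@" "$out" &
        pid=$!
        # Stop polling if the capture exits by itself (bad interface, no
        # permission) so a failing command is not restarted in a tight loop.
        while kill -0 "$pid" 2>/dev/null && [ "$(file_size "$out")" -lt "$max_bytes" ]; do
            sleep "${POLL_INTERVAL:-5}"
        done
        kill -TERM "$pid" 2>/dev/null || true
        wait "$pid" 2>/dev/null || true
        if [ "$(file_size "$out")" -lt "$max_bytes" ]; then
            echo "capture exited before $out reached $max_bytes bytes; stopping" >&2
            return 1
        fi
    done
}

# Constructed stand-in for tcpdump (assumption, not a real capture): appends
# 1 KiB of zeros to the named file once a second until it is killed.
fake_capture() {
    : > "$1"
    while :; do
        dd if=/dev/zero bs=1024 count=1 2>/dev/null >> "$1"
        sleep 1
    done
}
```

Run it against the stand-in with a small threshold, e.g. `POLL_INTERVAL=1; rotate_capture 3072 /tmp/cap 2 fake_capture`, and two files `/tmp/cap.1` and `/tmp/cap.2` of at least 3 KiB appear; swap in the tcpdump command line for real use. Because tcpdump buffers its output through stdio, the on-disk size grows in chunks, so with a 5-second poll the files will overshoot the target by a little; that is the same behaviour the script in the message would have.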