Date: Sat, 23 May 2009 19:29:20 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: =?ISO-8859-1?Q?Morgan_Wesstr=F6m?= <freebsd-questions@pp.dyndns.biz> Cc: freebsd-questions@freebsd.org Subject: Re: how to rotate a tcpdump file Message-ID: <4A184080.7010203@infracaninophile.co.uk> In-Reply-To: <4A1831CD.6080505@pp.dyndns.biz> References: <852FCD4FD0834115930F3DB05ADB7F3C@desktop2002> <20090523160452.GA71919@melon.esperance-linux.co.uk> <4A1831CD.6080505@pp.dyndns.biz>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigCC1D7ADFD24C9BB2D25F1B1D Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Morgan Wesstr=F6m wrote: > Frank Shute wrote: >> On Sat, May 23, 2009 at 02:57:08PM +0300, Yavuz Ma?lak wrote: >>> I wish tcpdump to rotate tcpdump file whose size reaches 10Mbyte. >>> >>> Which command should I use ? >>> >> You should be able to set up newsyslog(8) to rotate the dumps. >> >> You want to have a look at newsyslog.conf(5) to craft a line to put in= >> your conf file. There are examples to work from in the conf file >> already. >> >> Regards, >=20 > Correct me if I'm wrong but wouldn't tcpdump have to be restarted after= > the logrotate? I'm under the impression that it would just continue to > output to the old inode even if the file occupying it changes name and > the restart functionality of newsyslog(8) isn't really bright enough to= > restart tcpdump with all its initial parameters. > I'm using sysutils/cronolog for my Apache logs so I don't have to > restart Apache at all for the logrotate. Unfortunately cronolog doesn't= > seem to have a size option to trigger the rotation though. Maybe there'= s > another alternative for the OP? tcpdump(1) doesn't have options to support rotating dump files based on size, and it doesn't understand SIGHUP to mean close all open file descriptors and reinitialise yourself the way that syslogd(8) and a lot of other daemon processes do, so newsyslog(8) won't work either. Therefore you're going to have to wrap tcpdump in a script to test the si= ze of the output file, stop tcpdump when the output hits the target size, th= en restart tcpdump with a new dump file. [If you're trying to dump very frequent traffic this will almost certainly mean that you miss a few= packets]. Now, depending on what data you're capturing there might be a really simp= le way of doing that. If you capture just the default 68 bytes of headers t= hen simply capturing 154202 packets will give you a 10MB dump file. So you c= an do this: #!/bin/sh n=3D0 while true ; do n=3D$(( $n + 1 )) tcpdump -i em0 -c 154202 -w /tmp/tcpdump.out.$n done On the other hand, if you want to capture the traffic in it's entirety (ie. by using '-s 0' on the tcpdump command line so you get the packet payload as well), then packets can be anywhere up to 1500bytes (on a typi= cal ethernet -- 8kB or more is possible if you're using jumbo frames). Packe= t counting won't work help in this case, but something like the following m= ight. (Warning: completely untested code. May cause unexpected results up to a= nd including the destruction of the Internet...) #!/bin/sh tcpdumpcmd=3D'tcpdump -i em0 -s 0 -w /tmp/tcpdump.out.$n &' n=3D0 while true ; do n=3D$(( $n++ )); eval $tcpdumpcmd while [ $( stat -f %z /tmp/tcpdump.$n ) -lt 10485760 ] ; do sleep 5; done kill $( jobs -s ) done Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enigCC1D7ADFD24C9BB2D25F1B1D Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.11 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkoYQIcACgkQ8Mjk52CukIx/zwCdH5lCwBezKAQeHRehiGZX9b/j 0BMAnRnnKyYUwDD4lf/JEBSn+fwsFJ2L =0MZ2 -----END PGP SIGNATURE----- --------------enigCC1D7ADFD24C9BB2D25F1B1D--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A184080.7010203>