Date: Sat, 23 May 2009 21:04:22 +0100
From: Frank Shute <frank@shute.org.uk>
To: Morgan Wesström <freebsd-questions@pp.dyndns.biz>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: how to rotate a tcpdump file
Message-ID: <20090523200422.GB72411@melon.esperance-linux.co.uk>
In-Reply-To: <20090523195214.GA72411@melon.esperance-linux.co.uk>
References: <852FCD4FD0834115930F3DB05ADB7F3C@desktop2002> <20090523160452.GA71919@melon.esperance-linux.co.uk> <4A1831CD.6080505@pp.dyndns.biz> <20090523195214.GA72411@melon.esperance-linux.co.uk>
On Sat, May 23, 2009 at 08:52:14PM +0100, Frank Shute wrote:
>
> On Sat, May 23, 2009 at 07:26:37PM +0200, Morgan Wesström wrote:
> >
> > Frank Shute wrote:
> > > On Sat, May 23, 2009 at 02:57:08PM +0300, Yavuz Ma?lak wrote:
> > >> I wish tcpdump to rotate tcpdump file whose size reaches 10Mbyte.
> > >>
> > >> Which command should I use ?
> > >>
> > >
> > > You should be able to set up newsyslog(8) to rotate the dumps.
> > >
> > > You want to have a look at newsyslog.conf(5) to craft a line to put in
> > > your conf file. There are examples to work from in the conf file
> > > already.
> > >
> > > Regards,
> >
> > Correct me if I'm wrong but wouldn't tcpdump have to be restarted after
> > the logrotate? I'm under the impression that it would just continue to
> > output to the old inode even if the file occupying it changes name and
> > the restart functionality of newsyslog(8) isn't really bright enough to
> > restart tcpdump with all its initial parameters.
>
> I was thinking of using the -C and -w options to tcpdump(1). From the
> manpage:
>
>   -C  Before writing a raw packet to a savefile, check whether the
>       file is currently larger than file_size and, if so, close the
>       current savefile and open a new one. Savefiles after the first
>       savefile will have the name specified with the -w flag, with a
>       number after it, starting at 1 and continuing upward. The units
>       of file_size are millions of bytes (1,000,000 bytes, not
>       1,048,576 bytes).
>
> and now looking at it more closely, you don't even have to use
> newsyslog. Just include the args: -C 10000000 -w my_tcpdump_log

Oops! Should be:

    -C 10 -w my_tcpdump_log

I assume the OP is not too bothered whether it's megabytes or mebibytes or
whatever the hell they call them (using base 10 rather than 2).

> You would still need a script to rotate the logs though.
>
> Probably, wrap tcpdump in a shell script that does some arithmetic
> similar to what Matthew has written in his post.
>
> > I'm using sysutils/cronolog for my Apache logs so I don't have to
> > restart Apache at all for the logrotate. Unfortunately cronolog doesn't
> > seem to have a size option to trigger the rotation though.
>
> You can use newsyslog with Apache to rotate logs. From my conf:
>
>   /var/log/httpd-access.log 644 5 200 * B /var/run/httpd.pid 30
>
> 5 logfiles, 200Kb big, give Apache a SIGUSR1 (30) to stop & restart
> the logging.
>
> > Maybe there's another alternative for the OP?
> >
> > /Morgan
>
> Regards,
>

--
Frank

Contact info: http://www.shute.org.uk/misc/contact.html