how to rotate a tcpdump file

Matthew Seaman m.seaman at
Sat May 23 18:29:36 UTC 2009

Morgan Wesström wrote:
> Frank Shute wrote:
>> On Sat, May 23, 2009 at 02:57:08PM +0300, Yavuz Ma?lak wrote:
>>> I wish tcpdump to rotate tcpdump file whose size reaches 10Mbyte.
>>> Which command should I use ?
>> You should be able to set up newsyslog(8) to rotate the dumps.
>> You want to have a look at newsyslog.conf(5) to craft a line to put in
>> your conf file. There are examples to work from in the conf file
>> already.
>> Regards,
> Correct me if I'm wrong but wouldn't tcpdump have to be restarted after
> the logrotate? I'm under the impression that it would just continue to
> output to the old inode even if the file occupying it changes name and
> the restart functionality of newsyslog(8) isn't really bright enough to
> restart tcpdump with all its initial parameters.
> I'm using sysutils/cronolog for my Apache logs so I don't have to
> restart Apache at all for the logrotate. Unfortunately cronolog doesn't
> seem to have a size option to trigger the rotation though. Maybe there's
> another alternative for the OP?

tcpdump(1) doesn't have options to support rotating dump files based on
size, and it doesn't understand SIGHUP to mean close all open file
descriptors and reinitialise yourself the way that syslogd(8) and a lot
of other daemon processes do, so newsyslog(8) won't work either.

Therefore you're going to have to wrap tcpdump in a script to test the size
of the output file, stop tcpdump when the output hits the target size, then
restart tcpdump with a new dump file.  [If you're trying to dump
very frequent traffic this will almost certainly mean that you miss a few

Now, depending on what data you're capturing there might be a really simple
way of doing that.  If you capture just the default 68 bytes of headers then
simply capturing 154202 packets will give you a 10MB dump file.  So you can do



n=0
while true ; do
    # each run stops after 154202 packets, then the next file is started
    n=$(( $n + 1 ))
    tcpdump -i em0 -c 154202 -w /tmp/tcpdump.out.$n
done

On the other hand, if you want to capture the traffic in its entirety
(ie. by using '-s 0' on the tcpdump command line so you get the packet
payload as well), then packets can be anywhere up to 1500 bytes (on a typical
ethernet -- 8kB or more is possible if you're using jumbo frames).  Packet
counting won't help in this case, but something like the following might.
(Warning: completely untested code.  May cause unexpected results up to and
including the destruction of the Internet...)


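n=0
tcpdumpcmd='tcpdump -i em0 -s 0 -w /tmp/tcpdump.out.$n &'

while true ; do
  n=$(( $n + 1 ))
  # eval expands $n at this point and starts tcpdump in the background
  eval $tcpdumpcmd

  # poll the size of the current dump file; count it as 0 until it exists
  while [ $( stat -f %z /tmp/tcpdump.out.$n 2>/dev/null || echo 0 ) -lt 10485760 ] ; do
    sleep 5;
  done

  # jobs -s prints only the PIDs of the background jobs in FreeBSD's sh
  kill $( jobs -s )
  wait
done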



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
                                                  Kent, CT11 9PW
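
The wrapper approach described in the message above, as an added example that is not part of the original post: it starts the next capture before stopping the previous one, so packets at the rotation boundary are duplicated across two files rather than missed. The function names `rotate_capture` and `file_size`, the 20-file limit and the use of `tcpdump -w -` (write to standard output) in the usage comment are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post).

# Size of a file in bytes; 0 if it does not exist yet. Portable, unlike stat.
file_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# rotate_capture PREFIX LIMIT_BYTES MAX_FILES POLL_SECS CMD [ARGS...]
# CMD must write its capture to stdout. Produces PREFIX.1 .. PREFIX.MAX_FILES
# and then returns, so a forgotten capture cannot fill the disk.
rotate_capture() {
    prefix=$1 limit=$2 max=$3 poll=$4
    shift 4
    n=1 cur= old=
    # Do not leave capture processes behind if the wrapper is interrupted.
    trap 'kill $cur $old 2>/dev/null; exit 1' INT TERM
    "$@" > "$prefix.$n" &
    cur=$!
    while [ -n "$cur" ]; do
        while [ "$(file_size "$prefix.$n")" -lt "$limit" ]; do
            # Give up if the capture died (wrong interface, no privilege).
            kill -0 "$cur" 2>/dev/null || { trap - INT TERM; return 1; }
            sleep "$poll"
        done
        old=$cur cur=
        if [ "$n" -lt "$max" ]; then
            # Start the next capture before stopping the old one: packets at
            # the boundary land in both files instead of being lost.
            n=$(( n + 1 ))
            "$@" > "$prefix.$n" &
            cur=$!
        fi
        kill "$old" 2>/dev/null || true
        wait "$old" 2>/dev/null || true   # reap it so its output is complete
    done
    trap - INT TERM
}

# Usage (assumed interface em0, run as root):
#   rotate_capture /tmp/tcpdump.out 10485760 20 5 tcpdump -i em0 -s 0 -w -
```

Because the size is only checked every POLL_SECS seconds, each file overshoots the limit by whatever was captured during the last poll interval.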


More information about the freebsd-questions mailing list