how to rotate a tcpdump file

Frank Shute frank at shute.org.uk
Sat May 23 20:04:30 UTC 2009


On Sat, May 23, 2009 at 08:52:14PM +0100, Frank Shute wrote:
>
> On Sat, May 23, 2009 at 07:26:37PM +0200, Morgan Wesström wrote:
> >
> > Frank Shute wrote:
> > > On Sat, May 23, 2009 at 02:57:08PM +0300, Yavuz Ma?lak wrote:
> > >> I wish tcpdump to rotate tcpdump file whose size reaches 10Mbyte.
> > >>
> > >> Which command should I use ?
> > >>
> > > 
> > > You should be able to set up newsyslog(8) to rotate the dumps.
> > > 
> > > You want to have a look at newsyslog.conf(5) to craft a line to put in
> > > your conf file. There are examples to work from in the conf file
> > > already.
> > > 
> > > Regards,
> > 
> > Correct me if I'm wrong but wouldn't tcpdump have to be restarted after
> > the logrotate? I'm under the impression that it would just continue to
> > output to the old inode even if the file occupying it changes name and
> > the restart functionality of newsyslog(8) isn't really bright enough to
> > restart tcpdump with all its initial parameters.
> 
> I was thinking of using the -C and -w options to tcpdump(1). From the
> manpage:
> 
> -C     Before  writing  a  raw  packet to a savefile, check whether the
>     file is currently larger than file_size and, if  so,  close  the
>     current  savefile and open a new one.  Savefiles after the first
>     savefile will have the name specified with the -w flag,  with  a
>     number after it, starting at 1 and continuing upward.  The units
>     of  file_size  are  millions  of  bytes  (1,000,000  bytes,  not
>     1,048,576 bytes).
> 
> and now looking at it more closely, you don't even have to use
> newsyslog. Just include the args: -C 10000000 -w my_tcpdump_log

Oops! should be: -C 10 -w my_tcpdump_log

I assume the OP is not too bothered whether it's megabytes or
mebibytes or whatever the hell they call them (using base 10 rather
than 2).

> 
> You would still need a script to rotate the logs though.
> 
> Probably, wrap tcpdump in a shell script that does some arithmetic
> similar to what Matthew has written in his post.
> 
> > I'm using sysutils/cronolog for my Apache logs so I don't have to
> > restart Apache at all for the logrotate. Unfortunately cronolog doesn't
> > seem to have a size option to trigger the rotation though. 
> 
> You can use newsyslog with Apache to rotate logs. From my conf:
> 
> /var/log/httpd-access.log   644  5   200  *   B  /var/run/httpd.pid  30
> 
> 5 logfiles, 200Kb big, give Apache a SIGUSR1 (30) to stop & restart
> the logging.
> 
> > Maybe there's another alternative for the OP?
> > 
> > /Morgan
> 
> Regards,
> 

-- 

 Frank 


 Contact info: http://www.shute.org.uk/misc/contact.html 
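The wrapper script the message says you would still need, as an added example (not code from the thread or from tcpdump itself): it lets tcpdump do the size-based rotation with -C 10 -w and only prunes the oldest savefiles so the directory stays bounded. The interface name, savefile base name and retention count are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: wrap tcpdump's own -C/-w rotation
# in a small script that also bounds disk use by deleting the oldest savefiles.
# Interface, savefile base name and keep count below are assumptions.
set -eu

# List the savefiles tcpdump -C produces for BASE, oldest first. tcpdump names
# them BASE, BASE1, BASE2, ... so the suffix (0 for the unnumbered first file)
# is the rotation order as long as one tcpdump run owns the directory.
list_dumps() {
    base=$1
    for f in "$base" "$base"[0-9]*; do
        [ -f "$f" ] || continue
        n=${f#"$base"}
        printf '%s %s\n' "${n:-0}" "$f"
    done | sort -n | cut -d' ' -f2-
}

# Delete all but the KEEP newest savefiles for BASE and print how many went.
prune_dumps() {
    base=$1
    keep=$2
    total=$(( $(list_dumps "$base" | wc -l) ))
    excess=$((total - keep))
    if [ "$excess" -le 0 ]; then
        echo 0
        return 0
    fi
    list_dumps "$base" | head -n "$excess" | while IFS= read -r f; do
        rm -f -- "$f"
    done
    echo "$excess"
}

# Run as: capture.sh run em0 /var/log/dumps/my_tcpdump_log 20
# Each savefile is closed at 10 MB (-C 10, millions of bytes, as the manpage
# says) and tcpdump opens the next one itself; the loop only does the pruning.
if [ "${1:-}" = "run" ]; then
    iface=$2 base=$3 keep=${4:-20}
    tcpdump -i "$iface" -C 10 -w "$base" &
    pid=$!
    trap 'kill "$pid" 2>/dev/null' INT TERM EXIT
    while kill -0 "$pid" 2>/dev/null; do
        prune_dumps "$base" "$keep" >/dev/null
        sleep 60
    done
fi
```

Because the numbering restarts at the unnumbered base file whenever tcpdump is relaunched, the suffix order is only meaningful within a single tcpdump run.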