How to rotate capture files with tcpdump
Split tcpdump packet captures into rotating files by time interval or packet count to manage disk space.
Prerequisites
- tcpdump installed with root or sudo access.
Step-by-Step: Rotate Capture Files with tcpdump
1. Rotate capture files every 60 seconds using the `-G` flag. tcpdump creates a new file each interval:

       sudo tcpdump -i eth0 -w /tmp/capture_%Y%m%d_%H%M%S.pcap -G 60

   The `%Y%m%d_%H%M%S` format adds timestamps to filenames.

2. Limit the number of rotation files with `-W`. tcpdump keeps only the last 10 files:

       sudo tcpdump -i eth0 -w /tmp/capture_%Y%m%d_%H%M%S.pcap -G 3600 -W 10

3. Rotate by file size using `-C`. tcpdump creates a new file every 100 MB:

       sudo tcpdump -i eth0 -w /tmp/capture.pcap -C 100

   Files are named `capture.pcap`, `capture.pcap1`, `capture.pcap2`, etc.

4. Combine `-C` and `-W` to limit both size and count:

       sudo tcpdump -i eth0 -w /tmp/capture.pcap -C 50 -W 20
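
A retention sweep can cap how many of the timestamped files from time-based rotation stay on disk. This is an added example, not part of the original page: `prune_captures` is a hypothetical helper that assumes the `capture_%Y%m%d_%H%M%S.pcap` naming used above and keeps only the newest N files in a directory.

```shell
#!/bin/sh
# Added example (not from the original page).
# Assumes file names follow capture_%Y%m%d_%H%M%S.pcap, so sorting the
# names lexically also sorts them chronologically.
#
# Usage: prune_captures DIR KEEP
#   Deletes all but the newest KEEP capture files in DIR and prints the
#   number of files removed. KEEP must be >= 1 so the file tcpdump is
#   currently writing (always the newest) is never unlinked.
prune_captures() {
    dir=$1
    keep=$2
    removed=0

    # Reject empty, non-numeric, zero, and leading-zero values
    # (a leading zero would be read as octal in shell arithmetic).
    case $keep in
        ''|*[!0-9]*|0*)
            echo "KEEP must be a positive integer" >&2
            return 2 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # Match only the exact timestamp shape; unrelated files are ignored.
    # Pathname expansion returns matches in sorted order (oldest first).
    set -- "$dir"/capture_[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_[0-9][0-9][0-9][0-9][0-9][0-9].pcap
    [ -e "$1" ] || { echo 0; return 0; }   # unmatched glob stays literal

    excess=$(( $# - keep ))
    for f in "$@"; do
        [ "$excess" -gt 0 ] || break
        # Only remove regular files; leave symlinks and directories alone.
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            rm -f -- "$f" && removed=$((removed + 1))
        fi
        excess=$((excess - 1))
    done
    echo "$removed"
}
```

For example, `prune_captures /tmp 10` run periodically keeps the ten most recent captures.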