[Feature] Want an option to exit after specified time
I want an option to let tcpdump exit after a specified time has passed (seconds, minutes, hours).
The reason is that I want to run tcpdump only during a specific time window, like 10:00 - 13:00. I often use crontab to start tcpdump at a specific time (like 10:00) with the -c option to let tcpdump die automatically, but I cannot be sure that it will not die before the specific time (like 13:00 here) and that it will die after that time.
Especially, if the captured server is out of service, it will not receive packets any more, and then tcpdump lives forever. I want to avoid such situations, too.
It is possible to have one cron job to start tcpdump and write a pidfile and another cron job to stop tcpdump.
Right, but I felt the new option is more useful than the -c option.
I agree that an option to exit after some period of time, or after writing X many save files, would be good, and it would also be nice to have an option to roll the save file after X minutes rather than on Z bytes. My goal in tcpdump is to create a parallel program that uses the same print-*.c files but is called pktdump; it would have a fresh set of (long) options. That's why all the ndo stuff... maybe you want to suggest an interface to specify the options, sonots?
Here is my script to start/stop tcpdump, that I use in production:
#!/bin/sh
# Start a rolling tcpdump on interface $1 and record its pid so that the next
# run can stop the previous capture; the old capture is killed only after the
# new one has been started.
set -ex
PATH=/usr/sbin:/sbin:/usr/bin:/bin:$PATH; export PATH
TRACEIF=$1
TRACEFN=$1-$(date +%s)
TRACEDIR=$(date +/traces/%Y/%m/%d)
(
    mkdir -p "$TRACEDIR"
    cd "$TRACEDIR"
    if [ -r /traces/${TRACEIF}.pid ]; then
        olddumppid=$(cat /traces/${TRACEIF}.pid)
    fi
    # Write the pid first, then exec, so the pidfile holds tcpdump's own pid.
    sh -c 'echo $$ >/traces/'$TRACEIF'.pid ; exec tcpdump -i '$TRACEIF' -s 0 -n -C 16 -w '${TRACEFN}'.pcap ' </dev/null >$TRACEIF.out 2>&1 &
    if [ -n "$olddumppid" ]; then
        echo Killing old tcpdump for $TRACEIF at $olddumppid. | Mail -s "$TRACEIF restarted" [email protected]
        kill $olddumppid
    fi
) &
Let's have this issue assigned to @mcr then.
This seems like a fairly trivial feature to add, https://github.com/the-tcpdump-group/tcpdump/compare/master...jaunix:stop-after-time
$ ./tcpdump -h
tcpdump version 4.8.0-PRE-GIT_2015_03_16
libpcap version 1.8.0-PRE-GIT_2015_03_07
OpenSSL 1.0.1e-fips 11 Feb 2013
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] --limit-time seconds] [ --number ]
[ -Q in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]
[ -Z user ] [ expression ]
$ date ; sudo ./tcpdump --limit-time 3 -w /tmp/foo ; date
Mon Mar 16 15:53:44 PDT 2015
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Mon Mar 16 15:53:49 PDT 2015
$
You want to do it with a call to signal(SIGALRM,cleanup) + alarm()? MSVC/MingW doesn't have that. There must be a cleaner way to do this.
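The signal(SIGALRM, ...) + alarm() approach raised above, as an added example that is not tcpdump's code or the linked patch: the handler only sets a flag (the role pcap_breakloop() plays in tcpdump) and the capture loop polls it, so the capture ends on time even when no packet ever arrives. The blocking read is a constructed stand-in, not libpcap.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <time.h>
#include <unistd.h>

/* Set by the SIGALRM handler and polled by the loop, the same role the flag
 * set by pcap_breakloop() plays in tcpdump. A handler may only touch
 * sig_atomic_t data, so the real cleanup happens after the loop exits. */
static volatile sig_atomic_t time_is_up = 0;

static void on_alarm(int sig) { (void)sig; time_is_up = 1; }

/* Constructed stand-in for a blocking capture read (not libpcap): it waits up
 * to read_timeout_ms and reports no packet, mimicking an interface on a host
 * that went out of service, the case where -c alone never terminates. */
static int idle_read(long read_timeout_ms) {
    struct timespec ts = { read_timeout_ms / 1000, (read_timeout_ms % 1000) * 1000000L };
    /* Installed without SA_RESTART, SIGALRM interrupts the sleep (EINTR),
     * so the deadline is noticed at once rather than after the timeout. */
    nanosleep(&ts, NULL);
    return 0;
}

/* Run the "capture" for at most limit_seconds. Returns the number of reads
 * completed (> 0 shows the loop ran) and stores the elapsed wall time. */
int capture_with_time_limit(unsigned limit_seconds, long read_timeout_ms, double *elapsed) {
    struct sigaction sa;
    struct timespec t0, t1;
    int reads = 0;
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;                  /* deliberately no SA_RESTART */
    sigaction(SIGALRM, &sa, NULL);
    time_is_up = 0;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    alarm(limit_seconds);             /* arm the deadline once */
    while (!time_is_up) {
        idle_read(read_timeout_ms);
        reads++;
    }
    alarm(0);                         /* disarm so it cannot fire later */
    clock_gettime(CLOCK_MONOTONIC, &t1);
    signal(SIGALRM, SIG_DFL);
    *elapsed = (double)(t1.tv_sec - t0.tv_sec) + (double)(t1.tv_nsec - t0.tv_nsec) / 1e9;
    return reads;
}
```

On Windows builds the same shape works with a timer thread or a deadline check in the per-packet callback, since only the source of the flag changes.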
The alternative approach I found is to use timeout if you are using Linux. The time delta is around 0.02. I am pretty fine with this approach unless tcpdump proposes a native implementation.
Say I only want tcpdump to listen for 15 seconds. I can do the following.
timeout 15 tcpdump -i any -s 0 port 3000 tcp