
Stop capturing after writing N bytes

Open kirawrath opened this issue 8 years ago • 3 comments

I would like a way to read n bytes with tcpdump and then exit. Today we can use the -c option, but it only counts packets, not bytes. With the -C option I almost have what I want; the problem is that it does not exit after writing the specified size, but instead closes that file and starts to write a new one. If I use it in conjunction with the option -W 1 I still don't get what I need, because it will then overwrite the beginning of my file.

This feature does not seem to be complex at all, and I feel many others felt frustrated like I did when I realized I could not accomplish this with tcpdump alone (I wrote a wrapper in C++ to overcome this). I can write this feature myself; I just need to know if there is anything preventing it from being created.

kirawrath avatar Nov 30 '16 13:11 kirawrath

Here's a hack that might suit in the short term.

[steve@localhost tcpdump]$ cat foo.sh
#!/bin/sh
pkill tcpdump
rm /tmp/foo.cap1
[steve@localhost tcpdump]$ sudo ./tcpdump -i ens33  -C 5 -W 5 -w /tmp/foo.cap -z ./foo.sh
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
1916 packets captured
1956 packets received by filter
40 packets dropped by kernel
[steve@localhost tcpdump]$ ls -lh /tmp/foo.cap*
-rw-r--r--. 1 root root 4.8M Jan 18 22:43 /tmp/foo.cap0
[steve@localhost tcpdump]$

stevekay avatar Jan 18 '17 22:01 stevekay
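Another way to get the byte-limited capture the opening post asks for, without the -z kill-script trick, is to let tcpdump write to stdout and put a small filter in the pipe that copies whole pcap records until a byte budget is reached and then exits; tcpdump then gets EPIPE on its next write and stops, and the output file is never cut in the middle of a packet. The script below is an added example and is not part of the issue or of the tcpdump project. It relies only on the documented libpcap savefile layout (24-byte global header, 16-byte per-record header with incl_len at offset 8, magic 0xA1B2C3D4 or 0xA1B23C4D in native byte order); the function names, the pipeline shown in the docstring and the sample pcap built by make_pcap are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Stop a pcap stream after a byte budget, cutting only at record boundaries.

Assumed pipeline (not from the issue):
    sudo tcpdump -U -i eth0 -w - | python3 cap_bytes.py 1000000 > out.pcap

-U makes tcpdump flush each packet instead of buffering, so the cut is exact.
"""
import io
import struct
import sys

GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
REC_HDR_LEN = 16      # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond / nanosecond timestamps


def _endian(magic_bytes):
    """Return the struct byte-order prefix ('<' or '>') implied by the magic."""
    for fmt in ("<", ">"):
        (magic,) = struct.unpack(fmt + "I", magic_bytes)
        if magic in PCAP_MAGICS:
            return fmt
    raise ValueError("not a pcap stream")


def copy_up_to(src, dst, max_bytes):
    """Copy whole pcap records from src to dst until the next record would push
    the output past max_bytes. Returns (bytes_written, records_written).
    A trailing record that is truncated on input is never emitted."""
    hdr = src.read(GLOBAL_HDR_LEN)
    if len(hdr) < GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    fmt = _endian(hdr[:4])
    if GLOBAL_HDR_LEN > max_bytes:      # budget too small for even the header
        return 0, 0
    dst.write(hdr)
    written, records = GLOBAL_HDR_LEN, 0
    while True:
        rec_hdr = src.read(REC_HDR_LEN)
        if len(rec_hdr) < REC_HDR_LEN:
            break                       # clean end of input
        (incl_len,) = struct.unpack(fmt + "I", rec_hdr[8:12])
        data = src.read(incl_len)
        if len(data) < incl_len:
            break                       # truncated record: drop it
        if written + REC_HDR_LEN + incl_len > max_bytes:
            break                       # budget reached; stop on a boundary
        dst.write(rec_hdr)
        dst.write(data)
        written += REC_HDR_LEN + incl_len
        records += 1
    return written, records


def limit_bytes(pcap_bytes, max_bytes):
    """In-memory convenience wrapper around copy_up_to (hypothetical helper)."""
    src, dst = io.BytesIO(pcap_bytes), io.BytesIO()
    copy_up_to(src, dst, max_bytes)
    return dst.getvalue()


def make_pcap(payloads, fmt="<"):
    """Construct a minimal pcap (linktype 1 = Ethernet), one record per payload.
    Constructed test data only; the payloads are not real frames."""
    out = struct.pack(fmt + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += struct.pack(fmt + "IIII", 1_000_000 + i, 0, len(p), len(p)) + p
    return out


if __name__ == "__main__":
    budget = int(sys.argv[1])
    n, r = copy_up_to(sys.stdin.buffer, sys.stdout.buffer, budget)
    sys.stdout.buffer.flush()
    print(f"{r} records, {n} bytes written", file=sys.stderr)
```

Because the filter exits as soon as the budget is reached, the upstream tcpdump is terminated by the broken pipe rather than by pkill, and the result is a single valid pcap whose size is at most the budget. The same script also validates a saved file (it refuses a non-pcap stream and silently drops a truncated final record), which is useful when checking captures that were stopped mid-write.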

Thanks for that workaround @stevekay 👍

mattie47 avatar Oct 21 '19 23:10 mattie47

Is this still the recommended way of doing this? The man page says:

-W Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly. Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit. If used in conjunction with both -C and -G, the -W option will currently be ignored, and will only affect the file name.

However, I haven't been able to achieve this behavior...

tarrenj avatar Oct 23 '19 15:10 tarrenj