
Stop capturing after writing N bytes #569

Open
kirawrath opened this issue Nov 30, 2016 · 3 comments

Comments

@kirawrath

I would like a way to read n bytes with tcpdump and then exit.
Today we can use -c option, but it only counts packets, not bytes.
With the -C option I almost have what I want; the problem is that it does not exit after writing the specified size, but instead closes that file and starts to write a new one.
If I use it in conjunction with the option -W 1 I still don't get what I need because it will then overwrite the beginning of my file.

This feature does not seem to be complex at all, and I feel many others felt frustrated like I did when I realized I could not accomplish this with tcpdump alone (I wrote a wrapper in C++ to overcome this).
I can write this feature myself, I just need to know if there is anything preventing it from being created.

@stevekay
Contributor

Here's a hack that might suit in the short term.

[steve@localhost tcpdump]$ cat foo.sh
#!/bin/sh
pkill tcpdump
rm /tmp/foo.cap1
[steve@localhost tcpdump]$ sudo ./tcpdump -i ens33  -C 5 -W 5 -w /tmp/foo.cap -z ./foo.sh
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
1916 packets captured
1956 packets received by filter
40 packets dropped by kernel
[steve@localhost tcpdump]$ ls -lh /tmp/foo.cap*
-rw-r--r--. 1 root root 4.8M Jan 18 22:43 /tmp/foo.cap0
[steve@localhost tcpdump]$
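A more general form of the hack above, added here as an example (it is not from the issue or from the tcpdump project): instead of hard-coding foo.cap1, the -z hook derives the file tcpdump has just opened from the closed-file argument that -z passes it, and it stops only the tcpdump writing that base name. It assumes tcpdump's rotation naming (base0, base1, ... zero-padded to the -W width; base, base1, ... without -W), GNU/Linux pkill/pgrep, and a hypothetical script name stop_after_rotation.sh.

```shell
#!/bin/sh
# Added example, not from the issue or tcpdump: a -z postrotate hook that
# stops the capture after the first rotation, i.e. after -C megabytes.
# Assumes tcpdump's naming: with -W the files are base0, base1, ... (zero
# padded to the -W width); without -W they are base, base1, base2, ...

# Print the name of the file tcpdump opens after closing "$1".
next_capture_file() {
    closed=$1
    idx=${closed##*[!0-9]}          # trailing digits: rotation index
    if [ -z "$idx" ]; then          # no -W: "base" is followed by "base1"
        echo "${closed}1"
        return 0
    fi
    base=${closed%"$idx"}
    width=${#idx}
    # strip leading zeros so the shell does not parse "08" as octal
    while [ "${idx#0}" != "$idx" ] && [ "${#idx}" -gt 1 ]; do
        idx=${idx#0}
    done
    printf "%s%0${width}d\n" "$base" $((idx + 1))
}

# The base name (the -w argument) that a rotated file name was built from.
capture_base() {
    echo "${1%"${1##*[!0-9]}"}"
}

# -z handler: tcpdump runs it as "script <closed-file>" right after rotating.
# Kill only the tcpdump writing this base name, wait for it to exit, then
# drop the file it opened after the rotation; the closed file keeps the
# first -C MB (units of 1,000,000 bytes, hence "4.8M" in ls -lh for -C 5).
stop_after_first_rotation() {
    closed=$1
    next=$(next_capture_file "$closed")
    base=$(capture_base "$closed")
    pkill -f -- "tcpdump.* -w $base" || :      # ":" tolerates "already gone"
    tries=0
    while pgrep -f -- "tcpdump.* -w $base" >/dev/null && [ "$tries" -lt 10 ]; do
        sleep 1
        tries=$((tries + 1))
    done
    rm -f -- "$next"
}

# Only act when invoked by tcpdump with a file name, e.g.
#   sudo tcpdump -i ens33 -C 5 -W 5 -w /tmp/foo.cap -z ./stop_after_rotation.sh
if [ $# -eq 1 ]; then
    stop_after_first_rotation "$1"
fi
```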

@mattie47

Thanks for that workaround @stevekay 👍

@tarrenj

tarrenj commented Oct 23, 2019

Is this still the recommended way of doing this? The man page says:

-W
Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.
Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit.
If used in conjunction with both -C and -G, the -W option will currently be ignored, and will only affect the file name.

However I haven't been able to achieve this behavior...
