I recently had a situation where I needed to constantly listen to network traffic, while being mindful of not filling up the disk. Fortunately tcpdump has a nice built-in way of doing that:
That breaks down as:
– -w tcp.pcap: write to files whose names all start with tcp.pcap
– -s0: save the whole packet
– -C 1500: limit each capture file to 1,500 MB
– -W 15: limit the number of capture files to 15
On disk you’ll get the following 15 files:
Once it finishes with tcp.pcap14, it cycles back through the whole set, overwriting one file at a time, starting again with tcp.pcap00.
Exactly what period of time this will cover depends on how much network traffic you are capturing. It could be 5 minutes or 15, and it can vary from file to file.
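Two checks I would put around that command, as an added example that is not part of the original post: confirm up front that the ring (-C times -W) fits the free space where it will be written, and measure how much wall-clock time the files currently on disk span. It assumes Linux with GNU df and stat, and the capture interface name is an assumption the post does not state.

```sh
#!/bin/sh
# Added example, not from the original post. Sizes a tcpdump ring buffer
# (-C <c> MB per file, -W <w> files) against the free space where it will
# be written, and measures how much wall-clock time an existing ring spans.
# Assumes Linux with GNU df/stat; tcpdump counts -C in 1,000,000-byte units.

# Upper bound on disk use of the ring, in millions of bytes.
ring_budget_mb() {
  echo $(( $1 * $2 ))
}

# Succeed only if the filesystem holding DIR has more free space than the
# ring can ever occupy. Usage: ring_fits DIR C W
ring_fits() {
  dir=$1; c=$2; w=$3
  avail_kb=$(df -Pk "$dir" | awk 'NR == 2 { print $4 }')   # 1024-byte blocks
  need_kb=$(( c * w * 1000000 / 1024 ))
  [ "$avail_kb" -gt "$need_kb" ]
}

# Seconds between the oldest and newest file named PREFIX*, i.e. the window
# of traffic the ring currently holds. Usage: ring_span_seconds PREFIX
ring_span_seconds() {
  oldest=""; newest=""
  for f in "$1"*; do
    [ -f "$f" ] || continue
    t=$(stat -c %Y "$f")                     # mtime as epoch seconds
    if [ -z "$oldest" ] || [ "$t" -lt "$oldest" ]; then oldest=$t; fi
    if [ -z "$newest" ] || [ "$t" -gt "$newest" ]; then newest=$t; fi
  done
  [ -n "$oldest" ] || return 1               # no capture files yet
  echo $(( newest - oldest ))
}

# Run the post's capture (prefix tcp.pcap, -s0, -C, -W) only when it fits.
# The interface argument is an assumption the post does not state.
# Usage: start_ring DIR IFACE C W
start_ring() {
  dir=$1; iface=$2; c=$3; w=$4
  if ! ring_fits "$dir" "$c" "$w"; then
    echo "ring of $(ring_budget_mb "$c" "$w") MB does not fit on $dir" >&2
    return 1
  fi
  tcpdump -i "$iface" -s0 -w "$dir/tcp.pcap" -C "$c" -W "$w"
}
```

With the post's values, `ring_budget_mb 1500 15` gives 22500, so the capture can never take more than about 22.5 GB however long it runs.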