I recently had a situation where I needed to constantly listen to network traffic, while being mindful of not filling up the disk. Fortunately tcpdump has a nice built in way of doing that:
tcpdump -w tcp.pcap -s0 -C 1500 -W 15That breaks down as:
– -w tcp.pcap: write to files that all start with the name tcp.pcap
– -s0: save the whole packet
– -C 1500: limit each capture file to 1,500 MBs
– -W 15: limit the number of capture files to 15
On disk you’ll get the following 15 files:
tcp.pcap00
tcp.pcap01
tcp.pcap02
tcp.pcap03
tcp.pcap04
tcp.pcap05
tcp.pcap06
tcp.pcap07
tcp.pcap08
tcp.pcap09
tcp.pcap10
tcp.pcap11
tcp.pcap12
tcp.pcap13
tcp.pcap14
Once it finishes with tcp.pcap14 is cycles back through the whole thing, over writing one file at a time, starting with tcp.pcap00.
Exactly what period of time this will cover depends on how much network traffic you are capturing. It could be 5 minutes or 15, and vary between each file.