Often I’ll find that I need to run tcpdump over a long period of time. The easiest way to avoid having oversized files is to rotate with the -C option. This approach is fine, but it means that any sort of basic trend analysis will require a little bit of automated help. If rotation is done on a time basis, a simple ls -l will show when traffic peaked or bottomed out. To this end, I authored a patch which was accepted upstream.

E.g. Dump 10 minutes worth of data in 60 second files: tcpdump -G 60 -w timedump -s 0 -C 10

Update: It’s awesome seeing all the people who’ve used this simple change since 2005! Ask me sometime why I wrote this.