Often I’ll find that I need to run tcpdump
over a long period of time. The easiest way to avoid having oversized files is
to rotate with the
-C option. This approach is fine, but it means
that any sort of basic trend analysis will require a little bit of automated
help. If rotation is done on a time basis, a simple
ls -l will
show when traffic peaked or bottomed out. To this end, I authored a
which was accepted upstream.
E.g. Dump 10 minutes worth of data in 60 second files:
tcpdump -G 60 -w timedump -s 0 -C 10
Update: It’s awesome seeing all the people who’ve used this simple change since 2005! Ask me sometime why I wrote this.