
Some of my servers collect a lot of packet data. Is there a utility (or patch to tcpdump(1)) to log a pcap stream to disk which:

  1. Rotates based on size of data written
  2. Prunes written files, keeping only the N most recent
  3. Does not re-use output filenames
  4. Is self-contained
    (Ruling out, e.g., a rotation with external pruning via crond(8)+tmpwatch(8))

Basically I want a multilog or svlogd that groks the pcap record format.

The -W filecount option of tcpdump-4.0.0 "prunes" by recycling old filenames, which violates #3 above, forcing me to consult mtimes to determine recency and providing no guarantees against surprise truncation of the log file.

The -G option introduces strftime(2)-specifier support in output filenames, which would give me at least second-precision in file names, but I can't figure out how to get pruning to work with this scheme.

pilcrow
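For reference, here is a small sink that meets all four requirements from the question: it reads a raw pcap stream on stdin (for instance from `tcpdump ... -w -`), rotates on bytes written, keeps only the N most recent files, never reuses a name (a monotonically increasing sequence number is embedded in the filename and resumed from the directory on restart), and needs no cron or tmpwatch. This is an added example, not code from any of the posters or from tcpdump or Wireshark; the file naming scheme `PREFIX_SEQ_UTCTIME.pcap`, the helper names, and the synthetic packet stream in `build_sample_stream` are all my own assumptions.

```python
"""Size-rotating, self-pruning sink for a raw pcap stream (e.g. tcpdump -w - | python3 pcaprotate.py DIR PREFIX BYTES KEEP)."""
import io
import os
import struct
import sys
import tempfile
import time

GLOBAL_HDR_LEN = 24   # classic pcap file header
REC_HDR_LEN = 16      # per-packet header: ts_sec, ts_frac, incl_len, orig_len

def read_exact(stream, n):
    """Read exactly n bytes (pipes may return short reads); returns fewer only at EOF."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def pcap_endianness(global_hdr):
    """Pick the struct byte-order prefix from the pcap magic (usec and nsec variants)."""
    magic = global_hdr[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        return "<"
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        return ">"
    raise ValueError("input is not a pcap stream (bad magic %r)" % magic)

class PcapRotator:
    """Writes pcap records into files named PREFIX_SEQ_UTCTIME.pcap (assumed scheme); SEQ only ever increases."""

    def __init__(self, outdir, prefix, max_bytes, keep):
        self.outdir, self.prefix = outdir, prefix
        self.max_bytes, self.keep = max(1, max_bytes), max(1, keep)
        self.global_hdr, self.fh, self.written, self.seq = None, 0, 0, 0
        os.makedirs(outdir, exist_ok=True)
        # Resume the sequence after a restart so a name is never reused; leftovers
        # from the previous run remain candidates for pruning.
        self.files = sorted(os.path.join(outdir, f) for f in os.listdir(outdir)
                            if f.startswith(prefix + "_") and f.endswith(".pcap"))
        for path in self.files:
            seq_field = os.path.basename(path).split("_")[-2]
            if seq_field.isdigit():
                self.seq = max(self.seq, int(seq_field))
        self.fh = None

    def _open_next(self):
        self.close()
        self.seq += 1
        stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime())
        path = os.path.join(self.outdir, "%s_%06d_%s.pcap" % (self.prefix, self.seq, stamp))
        self.fh = open(path, "xb")          # "x": refuse to clobber rather than silently truncate
        self.fh.write(self.global_hdr)      # every file is a valid stand-alone pcap
        self.written = len(self.global_hdr)
        self.files.append(path)
        while len(self.files) > self.keep:  # prune the oldest until only `keep` remain
            os.remove(self.files.pop(0))

    def write_record(self, record):
        if self.fh is None or self.written + len(record) > self.max_bytes:
            self._open_next()
        self.fh.write(record)
        self.written += len(record)

    def close(self):
        if self.fh is not None:
            self.fh.close()
            self.fh = None

def pump(stream, rotator):
    """Copy a pcap stream into the rotator one record at a time; returns the record count."""
    global_hdr = read_exact(stream, GLOBAL_HDR_LEN)
    endian = pcap_endianness(global_hdr)
    rotator.global_hdr = global_hdr
    count = 0
    while True:
        rec_hdr = read_exact(stream, REC_HDR_LEN)
        if len(rec_hdr) < REC_HDR_LEN:
            break                                    # clean EOF (or a truncated header)
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", rec_hdr)
        data = read_exact(stream, incl_len)
        if len(data) < incl_len:
            break                                    # truncated packet: drop it, never write a partial record
        rotator.write_record(rec_hdr + data)
        count += 1
    rotator.close()
    return count

def build_sample_stream(n_records, payload_len):
    """Constructed little-endian pcap stream (LINKTYPE_ETHERNET=1) of n fixed-size dummy packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n_records):
        payload = bytes([i % 256]) * payload_len
        out += struct.pack("<IIII", 1268647737 + i, 0, payload_len, payload_len) + payload
    return out

def run_demo(n_records=10, payload_len=100, max_bytes=300, keep=3):
    """Run the constructed stream through the rotator in a scratch directory and report what is left."""
    with tempfile.TemporaryDirectory() as d:
        records = pump(io.BytesIO(build_sample_stream(n_records, payload_len)), PcapRotator(d, "demo", max_bytes, keep))
        names = sorted(os.listdir(d))
        return {"records": records,
                "seqs": [n.split("_")[1] for n in names],
                "sizes": [os.path.getsize(os.path.join(d, n)) for n in names]}

if __name__ == "__main__":
    outdir, prefix, size, keep = sys.argv[1], sys.argv[2], int(sys.argv[3]), int(sys.argv[4])
    print("wrote %d records" % pump(sys.stdin.buffer, PcapRotator(outdir, prefix, size, keep)), file=sys.stderr)
```

With 116-byte records and a 300-byte limit, `run_demo()` fills each file with the 24-byte header plus two records (256 bytes), so ten records produce five files and pruning leaves sequence numbers 3, 4 and 5. Rotation happens before a record is written, so a file is never split mid-record and each one opens cleanly in tcpdump or Wireshark.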

2 Answers

Dumpcap should do what you need.

dumpcap -w /tmp/output.pcap -b filesize:20000 -b files:10

will rotate through a maximum of 10 files with a maximum size of 20 MB. Each file has a unique name, e.g. output_00018_20100315122857.pcap.

Daemonlogger should work as well, but I haven't used it.

Gerald Combs

You might want Grok. It does what you want and then some.

Bill Weiss
  • Thanks, Bill. For posterity, can you be more specific, say, assuming an input of "tcpdump ... -w -" ? At first blush, `grok` (the utility) is a web interface, and its cousin `bag` has an incomplete man page that leaves me guessing how this might address my needs. – pilcrow Mar 15 '10 at 18:55
  • `bag` will capture packets (using `libpcap`) and store them in a few formats: indexes, raw pcap, etc. It rotates files out intelligently based on an amount of files or time, as you configure it. The `grok` frontend gives you a nice way to search those indexes and pcaps. It's optional, but nice. The documentation sucks, but you can probably email the devs and ask questions. They're nice guys. – Bill Weiss Mar 15 '10 at 19:30