Time-based Packet Capture with tcpdump: Difference between revisions
Revision as of 10:25, 27 August 2025
Creating a Continuous Packet Capture without a Script
A common problem with `tcpdump`'s built-in time-based rotation (`-G`) is that the capture dies with "Permission denied" at the first rotation, or exits earlier than expected. The permission failure comes from privilege dropping: Debian and Ubuntu builds compile `tcpdump` to switch from root to the unprivileged `tcpdump` user right after opening the capture interface, and when `-G` or `-C` is in use the switch happens before the first savefile is opened (tcpdump(8) notes this under `-C`). Every file created or truncated at rotation time is therefore created as that unprivileged user, which fails in directories it cannot write to and also fails when the target file already exists and is owned by root, for example a leftover from an earlier capture in `/tmp`.
You can solve this without a wrapper script by using the `-Z` option to specify which user `tcpdump` should run as.
The Command
This one-liner runs `tcpdump` with time-based rotation and tells it to stay `root` instead of dropping to the build's default user, so it keeps the permissions needed to truncate and rewrite the capture file at every rotation.
sudo tcpdump -i any -w /tmp/capture.pcap -G 600 -Z root 'host hostname.asd.local and port 12345'
Parameter Breakdown
- -i any: Listen on all network interfaces. On Linux this is the cooked-capture pseudo-interface, so the saved frames carry SLL headers rather than the original Ethernet headers.
- -w /tmp/capture.pcap: Writes the raw packets to a file instead of decoding them. Because the name contains no strftime(3) conversions, every rotation reopens the same path and overwrites it; a name such as /tmp/capture-%Y%m%d-%H%M%S.pcap would keep each interval in its own file instead.
- -G 600: Sets the rotation interval. Every 600 seconds (10 minutes) the current savefile is closed and the file name for the new interval is opened.
- -Z root: This is the crucial flag. It tells `tcpdump` which user to change to after opening the capture device, and naming `root` means it never gives up its privileges. Since it is still root at rotation time, creating or truncating the file in `/tmp/` works regardless of who owns the old one.
- 'host ... and port ...': The filter expression to capture only the traffic you need.
Do not add -W to this command. Together with -G, -W does not create a ring buffer: it limits the number of rotations and makes `tcpdump` exit with status 0 ("Maximum file limit reached") once that many files have been written, so -G 600 -W 1 ends the capture after the first 10-minute rotation. The single-file overwrite comes from the file name, not from -W; -W only builds a rotating set of files together with -C (size-based rotation).
Why This Method Works
This approach directly addresses the privilege-dropping issue. By forcing `tcpdump` to remain the `root` user with `-Z root`, you ensure that when the 10-minute rotation occurs, the process still has sufficient permissions to create or truncate the capture file. This prevents both the "Permission denied" error and the resulting termination of the process, giving a stable, continuous capture loop.
The trade-off is that the capture process now runs as root for its whole lifetime instead of the unprivileged account the packager chose. A least-privilege alternative that fixes the same error is to keep the default user and give it a directory of its own, for example `mkdir /var/lib/capture && chown tcpdump:tcpdump /var/lib/capture`, and write there. If you do keep `-Z root`, prefer a root-owned directory over `/tmp`: a root process reusing a predictable file name in a world-writable directory is a pattern best avoided on multi-user hosts.
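The "Permission denied" described above only shows up once the first rotation is due. The following pre-flight check is an added example, not part of the original page: it tests the capture path for the two failure modes named here (a leftover file owned by another account, and a directory the drop-to user cannot write) before `tcpdump` is started. It assumes GNU coreutils (`stat -c`) and util-linux `runuser` on Linux; `capture_user` is this example's heuristic for the account a Debian/Ubuntu build drops to, not something tcpdump itself reports.

```shell
#!/bin/sh
# Added example (not from the original page): check the tcpdump savefile path
# before starting a rotating capture. Assumes GNU stat and util-linux runuser.

# Account tcpdump drops to when no -Z is given. Debian/Ubuntu builds default
# to "tcpdump" when that user exists; upstream builds stay root. Heuristic only.
capture_user() {
    if id -u tcpdump >/dev/null 2>&1; then
        printf '%s\n' tcpdump
    else
        printf '%s\n' root
    fi
}

# check_capture_path PATH USER
#   0  USER can create or truncate PATH at rotation time
#   1  a file already exists at PATH and is owned by another account
#      (the usual leftover from an earlier root-owned capture in /tmp)
#   2  the directory is missing or not writable by USER
check_capture_path() {
    path=$1
    user=$2
    dir=$(dirname -- "$path")

    if [ ! -d "$dir" ]; then
        printf 'directory %s does not exist\n' "$dir" >&2
        return 2
    fi

    if [ -e "$path" ]; then
        owner=$(stat -c %U -- "$path")
        if [ "$owner" != "$user" ]; then
            printf '%s exists and is owned by %s, not %s\n' "$path" "$owner" "$user" >&2
            return 1
        fi
    fi

    # Writability is tested directly when we are USER; a root caller delegates
    # the same test to USER via runuser so the result reflects USER's rights.
    if [ "$user" = "$(id -un)" ]; then
        [ -w "$dir" ] || { printf '%s is not writable by %s\n' "$dir" "$user" >&2; return 2; }
    elif [ "$(id -u)" -eq 0 ] && command -v runuser >/dev/null 2>&1; then
        runuser -u "$user" -- test -w "$dir" || {
            printf '%s is not writable by %s\n' "$dir" "$user" >&2; return 2; }
    fi
    return 0
}

# Usage, run as root before starting the capture:
#   check_capture_path /tmp/capture.pcap "$(capture_user)" \
#     && tcpdump -i any -w /tmp/capture.pcap -G 600 'host hostname.asd.local and port 12345'
# A return of 1 or 2 is the condition that -Z root papers over; fixing ownership
# or the directory instead lets tcpdump keep its unprivileged user.
```

Run the check with the user `tcpdump` will actually drop to; if it passes, `-Z root` is unnecessary, and if it fails, the message tells you which of the two conditions you are dealing with.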
Running as a Background Process
To keep the capture running after you log out, detach it with `nohup` and `&`. Start it from a root shell, or make sure `sudo` already has cached credentials: a backgrounded `sudo` cannot read a password from the terminal and the job will simply stop.
nohup sudo tcpdump -i any -w /tmp/capture.pcap -G 600 -Z root 'host hostname.asd.local and port 12345' &
To stop the capture, find its process ID with `pgrep -a tcpdump` and use `sudo kill <PID>`; the default SIGTERM lets `tcpdump` flush and close the savefile cleanly, so avoid `kill -9`. Because the process and the file it creates are owned by root, you will need `sudo` to manage them. `nohup` sends `tcpdump`'s status messages to `nohup.out`, which is the first place to look if the process disappears.
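`pgrep tcpdump` matches every `tcpdump` on the host, not just this capture. The helper below is an added example, not part of the original page: it starts a command detached under `nohup`, records its PID in a file, and stops it by that PID with SIGTERM so the savefile is closed cleanly. The PID file and log paths (`/run/capture.pid`, `/tmp/capture.log`) are this example's choices; run it as root so `sudo` is not needed inside the background job.

```shell
#!/bin/sh
# Added example (not from the original page): manage a detached capture by
# PID file instead of pgrep. Paths in the usage comment are hypothetical.

# start_detached PIDFILE LOGFILE CMD [ARGS...]
# Runs CMD under nohup in the background and records its PID.
# Returns 1 if the PID file already points at a live process.
start_detached() {
    pidfile=$1
    logfile=$2
    shift 2
    if [ -s "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        printf 'already running (pid %s)\n' "$(cat "$pidfile")" >&2
        return 1
    fi
    nohup "$@" >"$logfile" 2>&1 &
    printf '%s\n' "$!" >"$pidfile"
}

# stop_detached PIDFILE
# Sends SIGTERM (tcpdump flushes and closes the savefile on it), waits up to
# five seconds for the process to exit, removes the PID file.
# Returns 1 if there was nothing to stop or the process is still alive.
stop_detached() {
    pidfile=$1
    if [ ! -s "$pidfile" ]; then
        printf 'no pid file %s\n' "$pidfile" >&2
        return 1
    fi
    pid=$(cat "$pidfile")
    kill -TERM "$pid" 2>/dev/null || { rm -f "$pidfile"; return 1; }
    # Reap it if it is our own child, so a zombie does not look alive below.
    wait "$pid" 2>/dev/null || true
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 5 ]; do
        sleep 1
        i=$((i + 1))
    done
    rm -f "$pidfile"
    ! kill -0 "$pid" 2>/dev/null
}

# Usage (as root):
#   start_detached /run/capture.pid /tmp/capture.log \
#     tcpdump -i any -w /tmp/capture.pcap -G 600 -Z root 'host hostname.asd.local and port 12345'
#   stop_detached /run/capture.pid
```

Because the PID is taken from `$!`, the file names exactly the process you started; a second `start_detached` with the same PID file refuses to run while the first capture is alive.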
