Time-based Packet Capture with tcpdump

From Jwiki
Revision as of 09:05, 27 August 2025 by Gyurci08

Capture network traffic for a fixed time window using tcpdump's built-in file rotation (-G) together with its file-count limit (-W). With -W 1, tcpdump writes a single save file and exits on its own once the interval has elapsed, so monitoring a container's network interface for a set period needs no external timer, wrapper script or cron job.

Command

This command captures traffic on the `vethec9ed9c` interface (here a container's veth interface as seen on the host) into a single file for 10 minutes and then exits:

  sudo tcpdump -i vethec9ed9c -w /tmp/capture.pcap -G 600 -W 1

Parameter Breakdown

  • -i vethec9ed9c: Specifies the network interface to capture on.
  • -w /tmp/capture.pcap: Writes raw packets to a save file instead of decoding them. -G and -W only take effect when writing to a file. On Debian-based systems tcpdump drops root and runs as the `tcpdump` user before the save file is opened, so the output directory must be writable by that user; /tmp is, a root-only directory such as /root is not.
  • -G 600: Sets the rotation interval. After 600 seconds (10 minutes) tcpdump closes the current save file and opens the next one. Because the file name contains no strftime(3) specifiers (such as %Y%m%d-%H%M%S), the next file has the same name, so a rotation reopens and truncates /tmp/capture.pcap.
  • -W 1: In combination with -G, limits the number of save files to one. When the first 600-second interval has elapsed tcpdump closes the file, prints "Maximum file limit reached" on stderr and exits with status 0. The result is a one-shot capture of roughly 10 minutes, not a file that is refreshed every 10 minutes. To keep capturing indefinitely with the file overwritten at every interval (a rolling window of at most the last 10 minutes of traffic), omit -W. The interval is only checked when a packet arrives, so on an idle interface the file is closed on the first packet after the boundary rather than at exactly 600 seconds.

Background Process

To keep the capture running after the terminal is closed, start it under nohup and send it to the background. sudo cannot prompt for a password from a background job, so refresh its credential cache first (or start the command from a root shell):

  sudo -v
  nohup sudo tcpdump -i vethec9ed9c -w /tmp/capture.pcap -G 600 -W 1 > /tmp/tcpdump.log 2>&1 &

With -W 1 the process ends by itself after the first 10-minute interval. To stop it earlier, find its process ID with pgrep -f 'tcpdump -i vethec9ed9c' (a bare pgrep tcpdump also matches any other tcpdump running on the host) and run sudo kill <PID>. tcpdump handles SIGTERM and SIGINT by flushing and closing the save file before exiting, so the capture stays readable.
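As an added example (not code from the Jwiki page), the following POSIX shell wrapper runs the one-shot capture described above in the background and stops it by PID file rather than by a bare pgrep tcpdump, which would match any other tcpdump on the host. It validates the window and the interface before starting, and distinguishes a capture that already exited on its own (as -W 1 makes it do) from one that is still running. The function names, the default pidfile path /run/tcpdump-capture.pid and the log file written next to the capture are assumptions made for this example; start and stop must run as root, for instance via sudo.

```shell
#!/bin/sh
# Added example, not code from the Jwiki page: wrapper around the page's
# one-shot capture ("tcpdump -G <seconds> -W 1"). Function names and the
# pidfile/log locations are assumptions made for this example.

# The exact argument list the page describes, kept separate from the start
# routine so it can be shown (or tested) without running tcpdump.
build_capture_cmd() {
    # $1 interface, $2 window in seconds, $3 output file
    printf 'tcpdump -i %s -w %s -G %s -W 1\n' "$1" "$3" "$2"
}

# -G needs a positive integer number of seconds; reject anything else
# before tcpdump is started, so no stale pidfile is left behind.
valid_seconds() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -gt 0 ] ;;
    esac
}

# Check the interface in sysfs first; a container's veth may already be gone.
iface_exists() {
    [ -n "$1" ] && [ -d "/sys/class/net/$1" ]
}

capture_start() {
    iface=$1; seconds=$2; outfile=$3; pidfile=$4
    [ "$(id -u)" -eq 0 ]     || { echo "run as root (sudo)" >&2; return 1; }
    valid_seconds "$seconds" || { echo "bad window: $seconds" >&2; return 1; }
    iface_exists "$iface"    || { echo "no such interface: $iface" >&2; return 1; }
    if [ -s "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        echo "capture already running, pid $(cat "$pidfile")" >&2
        return 1
    fi
    # Same arguments as build_capture_cmd. stdout/stderr go to a log file so
    # nohup does not create nohup.out in the current directory. Note that the
    # output directory must be writable by the unprivileged user tcpdump
    # switches to (e.g. "tcpdump" on Debian/Ubuntu); /tmp normally is.
    nohup tcpdump -i "$iface" -w "$outfile" -G "$seconds" -W 1 \
        >"${outfile}.log" 2>&1 &
    echo $! >"$pidfile"
    echo "capture pid $(cat "$pidfile"): ${seconds}s on $iface -> $outfile"
}

capture_stop() {
    pidfile=$1
    [ -s "$pidfile" ] || { echo "no pidfile $pidfile" >&2; return 1; }
    pid=$(cat "$pidfile")
    if kill -0 "$pid" 2>/dev/null; then
        # SIGTERM makes tcpdump flush and close the save file before exiting.
        kill -TERM "$pid"
        echo "sent SIGTERM to pid $pid"
    else
        echo "pid $pid already exited (with -W 1 the capture ends on its own)"
    fi
    rm -f "$pidfile"
}

case "${1:-}" in
    start) capture_start "$2" "$3" "$4" "${5:-/run/tcpdump-capture.pid}" ;;
    stop)  capture_stop "${2:-/run/tcpdump-capture.pid}" ;;
    show)  build_capture_cmd "$2" "$3" "$4" ;;
    *)     echo "usage: $0 start IFACE SECONDS OUTFILE [PIDFILE] | stop [PIDFILE] | show IFACE SECONDS OUTFILE" >&2 ;;
esac
```

Start with `sudo ./capture.sh start vethec9ed9c 600 /tmp/capture.pcap`; `show` prints the tcpdump command line that would be used, and `stop` removes the pidfile whether the process is still running or has already finished its window.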