tcpdump mailing list archives
Re: -C option not working? FreeBSD 10.1
From: Wesley Shields <wxs () FreeBSD org>
Date: Wed, 18 Feb 2015 13:18:14 -0500
I've got a patch for this at https://github.com/wxsBSD/tcpdump/commit/84998745a29a0ffb3a680c29692c15426a1ce960. Seems to work well but I would appreciate any testing anyone can do. I'm also going to make sure this is right from the capsicum perspective as I have no experience with that. Once I discuss it with those folks I'll send a pull request.

On a somewhat related note, how are -G, -W and -C supposed to work together? The man page makes it sound like you can use all three together, but I'm not able to get anything to work. I would expect to do this:

    tcpdump -i em0 -G 5 -W 5 -C 1 -w foo.pcap

and get foo.pcap0, foo.pcap1, foo.pcap2, foo.pcap3, foo.pcap4. Each output file should have 5 seconds worth of packets in them and then rotated. I can't seem to get this behavior.

-- WXS
On Feb 18, 2015, at 12:38 AM, SJP Lists <sjp.lists () flashbsd net> wrote:

Hello all,

Firstly, apologies if I missed info about this from a FAQ, documentation, source README and CHANGES and Google or if I am just doing something silly. I looked at the man page and performed a Google and case sensitive searches via casesensitivesearch.com (to avoid all the -c results) but did not find any info about this issue I am having.

I have built a host for circular recording of WAN traffic onto 2TB worth of storage, in order to hopefully catch pcaps after an event of intermittent issues we are not able to replicate. Hoping that when a user complains and gives us the time of the issue, I can just grab a copy of the pre-recorded pcap which should contain the traffic associated with their issue.

I've used FreeBSD 10.1 for this. With the following tcpdump syntax as an example, run as root:

    tcpdump -C 1 -W 10 -w filename -i em0

and I am finding that filename0 is created and captured to, but the capture does not roll over to the next file and instead continues to capture to the first file beyond the limit I thought would be imposed with "-C 1", until I kill the process.

I have tried the -Z option with "-Z root", in case the issue was that a new file cannot be created once privs are dropped, but I get the same result.

Thank you for reading and any help that you can give!

Shane

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers