-C option not working? FreeBSD 10.1

Wesley Shields wxs at FreeBSD.org
Wed Feb 18 13:18:14 EST 2015

I've got a patch for this at https://github.com/wxsBSD/tcpdump/commit/84998745a29a0ffb3a680c29692c15426a1ce960.

Seems to work well but I would appreciate any testing anyone can do. I'm also going to make sure this is right from the capsicum perspective as I have no experience with that. Once I discuss it with those folks I'll send a pull request.

On a somewhat related note, how are -G, -W and -C supposed to work together? The man page makes it sound like you can use all three together, but I'm not able to get anything to work. I would expect to do this:

tcpdump -i em0 -G 5 -W 5 -C 1 -w foo.pcap

and get foo.pcap0, foo.pcap1, foo.pcap2, foo.pcap3, foo.pcap4. Each output file should have 5 seconds' worth of packets in it and then be rotated. I can't seem to get this behavior.

-- WXS

> On Feb 18, 2015, at 12:38 AM, SJP Lists <sjp.lists at flashbsd.net> wrote:
>
> Hello all,
>
> Firstly, apologies if I missed info about this from a FAQ, documentation,
> source README and CHANGES and Google or if I am just doing something
> silly.  I looked at the man page and performed a Google and case sensitive
> searches via casesensitivesearch.com (to avoid all the -c results) but did
> not find any info about this issue I am having.
>
> I have built a host for circular recording of WAN traffic onto 2TB worth of
> storage, in order to hopefully catch pcaps after an event of intermittent
> issues we are not able to replicate.  Hoping that when a user complains and
> gives us the time of the issue, I can just grab a copy of the pre-recorded
> pcap which should contain the traffic associated with their issue.
>
> I've used FreeBSD 10.1 for this.  With the following tcpdump syntax as an
> example, run as root:
>
> tcpdump -C 1 -W 10 -w filename -i em0
>
> and I am finding that filename0 is created and captured to, but the capture
> does not roll over to the next file and instead continues to capture to the
> first file beyond the limit I thought would be imposed with "-C 1", until I
> kill the process.
>
> I have tried the -Z option with "-Z root", in case the issue was that a new
> file cannot be created once privs are dropped, but I get the same result.
>
> Thank you for reading and any help that you can give!
>
> Shane
