Some of my servers collect a lot of packet data. Is there a utility (or patch to tcpdump(1)) to log a pcap stream to disk which:
- Rotates based on size of data written
- Prunes written files, keeping only the N most recent
- Does not re-use output filenames
- Is self-contained
(Ruling out, e.g., a rotation with external pruning via crond(8) + tmpwatch(8))
Basically I want a multilog or svlogd that groks the pcap record format.
The -W filecount option of tcpdump-4.0.0 "prunes" by recycling old filenames, which violates #3 above, forcing me to consult mtimes to determine recency and providing no guarantees against surprise truncation of the log file.
The -G option introduces strftime(2)-specifier support in output filenames, which would give me at least second-precision in file names, but I can't figure out how to get pruning to work with this scheme.
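The four requirements above, as an added example that is not a tool from this page: a small Python ring writer that parses pcap record headers so rotation happens only between packets, names files with a sequence number that never repeats (so recency needs no mtimes), and prunes to the N newest files. The class name, the 120-byte/3-file sizes and the sample capture are constructed for the demo.

```python
import glob, os, struct, tempfile

GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16  # pcap file header / per-packet record header sizes

def pcap_records(data):  # split a pcap byte stream into (file_header, [complete records])
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    hdr, recs, off = data[:GLOBAL_HDR_LEN], [], GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]  # captured length
        end = off + RECORD_HDR_LEN + incl_len
        if end > len(data):
            break  # truncated tail record: drop it rather than write a partial packet
        recs.append(data[off:end])
        off = end
    return hdr, recs

class PcapRingWriter:  # names are never reused; only the newest `keep` files survive
    def __init__(self, outdir, prefix, max_bytes, keep):
        self.outdir, self.prefix, self.max_bytes, self.keep = outdir, prefix, max_bytes, keep
        self.seq, self.fh, self.size = 0, None, 0  # seq only ever increases
    def _open(self, hdr):
        self.close()
        self.seq += 1
        self.fh = open(os.path.join(self.outdir, f"{self.prefix}.{self.seq:08d}.pcap"), "wb")
        self.fh.write(hdr)  # every output file is a valid pcap on its own
        self.size = len(hdr)
        names = sorted(glob.glob(os.path.join(self.outdir, self.prefix + ".*.pcap")))
        for old in names[:-self.keep]:  # zero-padded seq sorts by age; no mtimes needed
            os.remove(old)
    def write(self, hdr, record):
        if self.fh is None or self.size + len(record) > self.max_bytes:
            self._open(hdr)  # rotate only on a record boundary, never mid-packet
        self.fh.write(record)
        self.size += len(record)
    def close(self):
        if self.fh: self.fh.close()

def sample_stream():  # constructed input: LE header, 12 records of 40 bytes, then a truncated one
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 1000 + i, 0, 24, 24) + bytes(24) for i in range(12))
    return hdr + recs + struct.pack("<IIII", 9999, 0, 24, 24) + bytes(5)

def demo(max_bytes=120, keep=3):  # returns (name, record count) for the surviving files
    outdir, (hdr, records) = tempfile.mkdtemp(), pcap_records(sample_stream())
    w = PcapRingWriter(outdir, "cap", max_bytes, keep)
    for r in records:
        w.write(hdr, r)
    w.close()
    return [(n, len(pcap_records(open(os.path.join(outdir, n), "rb").read())[1]))
            for n in sorted(os.listdir(outdir))]
```

With 12 records of 40 bytes and a 120-byte limit, two records fit per file, so six files are written and only cap.00000004 to cap.00000006 survive; the truncated 13th record is never written.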
Dumpcap should do what you need.
will rotate through a maximum of 10 files with a maximum size of 20 MB. Each file has a unique name, e.g. output_00018_20100315122857.pcap.
Daemonlogger should work as well, but I haven't used it.
You might want Grok. It does what you want and then some.