
I'm using tcpdump for a rotating network traffic capture, and Moloch as a nice viewer for the data. The problem is that tcpdump appends a number to the end of the filename, while Moloch only uses files that end in .pcap.

Is there a way to set up tcpdump to create filenames ending in .pcap?

Using a date format string doesn't work because I need the filenames to repeat (after every 20 files or so).

sudo tcpdump -i eth0 -s 0 -W 4 -G 15 -C 1 -w ./dump.pcap

    Seems like it would be super easy to modify tcpdump to put the number before the .pcap. Maybe even offer it as a pull request to the core maintainers. @guyharris
    – Spiff, Jul 4, 2018 at 21:07

1 Answer


I figure tcpdump's "postrotate-command" can be used for this. tcpdump [...] -z <command> will call the command after each capture with the current filename, hence I presume you should be able to rename files with it, if you do the renaming in a small shell script:

    -z postrotate-command
        Used in conjunction with the -C or -G options, this will make tcpdump run "postrotate-command file" where file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2.
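As an added example (not part of the answer above, and not tcpdump's own code), the kind of small script the answer has in mind. tcpdump execs the -z command directly with the closed savefile as its only argument, with no shell in between, so the rename logic has to live in a script rather than an inline one-liner. The script name rename-pcap.sh is a placeholder, and it assumes the filenames tcpdump produces for the command in the question: with -w ./dump.pcap and -W 4 the counter is appended directly, giving ./dump.pcap0 through ./dump.pcap3, which the script turns into ./dump0.pcap through ./dump3.pcap.

```shell
#!/bin/sh
# rename-pcap.sh (placeholder name): a tcpdump -z hook that renames the
# just-closed savefile so the rotation counter sits before ".pcap":
#   ./dump.pcap0 -> ./dump0.pcap    /var/cap/dump.pcap12 -> /var/cap/dump12.pcap
# Invocation (the script must be executable by the user tcpdump runs as):
#   tcpdump -i eth0 -s 0 -W 4 -G 15 -C 1 -w ./dump.pcap -z ./rename-pcap.sh

set -eu

# Print the Moloch-friendly name for a rotated savefile without touching disk.
rotated_name() {
    path=$1
    case $path in
        */*) dir=${path%/*}/ ;;   # keep the directory part exactly as given
        *)   dir= ;;
    esac
    base=${path##*/}

    # Peel trailing digits off one at a time, so digits elsewhere in the name
    # (the 0 in "eth0.pcap3") are left alone; for "dump.pcap12" num becomes "12".
    num=
    while :; do
        case $base in
            *[0-9]) num=${base#"${base%[0-9]}"}$num
                    base=${base%[0-9]} ;;
            *)      break ;;
        esac
    done

    if [ -z "$num" ]; then
        # No counter appended (the first file when -W is not used): leave it.
        printf '%s\n' "$path"
        return 0
    fi

    case $base in
        *.*) printf '%s\n' "${dir}${base%.*}${num}.${base##*.}" ;;
        *)   printf '%s\n' "${dir}${base}${num}" ;;   # no extension to move past
    esac
}

# Rename the file tcpdump just closed. mv -f deliberately overwrites an older
# file with the same slot number: with -W 4 the counter wraps after four files,
# so dump0.pcap is replaced by the next capture written to slot 0.
rename_rotated() {
    src=$1
    dst=$(rotated_name "$src")
    if [ "$dst" != "$src" ]; then
        mv -f -- "$src" "$dst"
    fi
}

# Entry point when tcpdump (or a human) runs the script with one argument.
if [ $# -eq 1 ]; then
    rename_rotated "$1"
fi
```

Two things to check before relying on it: tcpdump forks the -z command and keeps capturing without waiting for it, so the rename happens a moment after the file is closed; and if tcpdump drops privileges (-Z, which some builds do by default), the script and the capture directory must be readable and writable by that user, or the rename silently fails while the capture carries on.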
