
I'm attempting to run a tcpdump packet capture for the headers of encrypted traffic. I'm trying to do it with a rotating capture based on time. This is the command I'm running.

sudo tcpdump -nnSvvtttts 300 -G 600 -i eth0 -w /home/onion/tcpdump/encrypted_date +%y_%m_%d_%H_%M_%S.pcap

I've cut the -G to 10 in an attempt to create a new file every 10 seconds just to verify it's working but I still only end up with one file. Am I misunderstanding the -G man page or is it something I'm missing?

1 Answer


After removing a space between date and + in your provided code, I see rotated files being created:

[nevin-mac-mini:~] root# tcpdump -i en0 -nvv -w /tmp/encrypted_date+%y_%m_%d_%H_%M_%S.pcap -G 10
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C4875 packets captured
4876 packets received by filter
0 packets dropped by kernel
[nevin-mac-mini:~] root# 

[nevin-mac-mini:~] root# ls /tmp/encr*
/tmp/encrypted_date+15_09_13_18_47_49.pcap
/tmp/encrypted_date+15_09_13_18_48_01.pcap
/tmp/encrypted_date+15_09_13_18_48_11.pcap
/tmp/encrypted_date+15_09_13_18_48_22.pcap
/tmp/encrypted_date+15_09_13_18_48_34.pcap
/tmp/encrypted_date+15_09_13_18_48_46.pcap
/tmp/encrypted_date+15_09_13_18_48_56.pcap
[nevin-mac-mini:~] root# 

Perhaps having the -G come after the -w is significant...?
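The mechanism behind the fix, as an added example (this is editor-supplied shell, not code from the question or the answer): when -G is given, tcpdump runs the -w filename through strftime(3) itself every time it rotates, so the template has to reach tcpdump as one argument. The space in the question's command makes the shell split the value into two words, and the second word ends up where tcpdump expects a capture-filter expression; a $(date ...) command substitution, if that was the intent, has the opposite problem and is expanded once before tcpdump starts, so every rotation writes the same name. Option order is not what matters: getopt reads -G and -w into variables before anything is opened. The paths and the eth0 interface below are assumptions carried over from the question.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. It reproduces the
# argument splitting behind the broken rotation and prints a corrected
# command line. Paths and the interface name are assumptions.

# count_words: print how many separate arguments the shell passed in.
count_words() { echo "$#"; }

# The question's -w value as the shell delivers it: the space splits it into
# two words. tcpdump receives "-w /home/onion/tcpdump/encrypted_date" and a
# leftover word "+%y_%m_%d_%H_%M_%S.pcap", which it treats as the start of
# the capture-filter expression, not as part of the filename. Word splitting
# is deliberate here to reproduce the problem.
op_word_count() {
  count_words /home/onion/tcpdump/encrypted_date +%y_%m_%d_%H_%M_%S.pcap
}

# Correct form: one quoted word holding strftime(3) conversions that tcpdump
# expands itself at each rotation. Percent signs mean nothing to the shell,
# so single quotes are enough; %Y-%m-%d_%H%M%S sorts chronologically in ls.
fixed_word_count() {
  count_words '/home/onion/tcpdump/encrypted_%Y-%m-%d_%H%M%S.pcap'
}

# render_at emulates what tcpdump does to the template when it opens a new
# file, using date(1) at a fixed epoch so the result is reproducible.
# Handles GNU date (-d @epoch) and BSD/macOS date (-r epoch).
render_at() {
  _tmpl=$1; _epoch=$2
  date -u -d "@$_epoch" +"$_tmpl" 2>/dev/null || date -u -r "$_epoch" +"$_tmpl"
}

# rotating_capture_cmd prints the corrected command line for the question's
# setup: -G 600 opens a new file every 10 minutes, -s 300 keeps the headers
# while truncating encrypted payload, and the template is a single argument.
rotating_capture_cmd() {
  printf '%s\n' \
    "sudo tcpdump -nn -S -vv -tttt -s 300 -i eth0 -G 600 -w '/home/onion/tcpdump/encrypted_%Y-%m-%d_%H%M%S.pcap'"
}
```

Two caveats before leaving this running. Rotation is checked when a packet arrives, not on a timer, which is why the answer's listing shows files 10 to 12 seconds apart rather than exactly 10; on a quiet interface a file can stay open well past the interval. And on builds that drop privileges after start (the -Z option, which Debian-derived packages default to a tcpdump user), the output directory must be writable by that user or the next rotation fails with a permission error; check with `ls -ld` on the directory. If you want each closed file compressed or hashed as it rotates, -z runs a post-rotate command with the finished filename as its argument; note that -W N combined with -G makes tcpdump exit after N files rather than overwrite the oldest, which is the -C -W ring-buffer behaviour.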
