How can I capture the last N seconds of packets using tcpdump?
Asked
Active
Viewed 5.1k times
6 Answers
22
If you just want tcpdump to run for n seconds and then quit, you could use timeout.
For example:
timeout 2 tcpdump -eni mon0
Otherwise I don't believe tcpdump has an option to do this.
siesta
- 329
4
I think the best way to accomplish this is with tcpdump's -G flag, which, when used with -w, will save your dump to a new file every N seconds. For instance:
tcpdump -w outfile-%s -G 10
This will create a new file with the name of 'outfile-XXXX' (where XXXX represents the number of seconds since epoch) every 10 seconds.
See the man pages for tcpdump(8) and strftime(3) for additional details.
Flimzy
- 4,465
1
I was trying to solve the same issue so, I wrote a portable script to run tcpdump for n second.
#tcpdump_for_n_sec.sh
n=$1
shift #remove first arg from $@
tcpdump $@ & x=$!
sleep $n
kill $x
Usage ./tcpdump_for_n_sec.sh sec args for tcpdump
./tcpdump_for_n_sec.sh 5 -i any not port 22 -s0 -wfile.pcap
lafferc
- 111
0
tcpdump options -w new.tcpdump
ps -ef |grep tcpdump
take note of PID, say it is 11193
at 11:00
kill 11193
now just wait til 11:00 comes and your capture will be killed but saved
-1
sudo tcpdump -i -w & this will run tcpdump is sleeping mode
- w: save output in the .pcap file &: tcpdump process will run in sleeping mode note: make sure you have enough space available if you want . to run it for a while. It wont interrupt if logoff until you kill the process.
Lin-man
- 1