LinuxQuestions.org
Old 06-10-2014, 06:38 AM   #1
Checksumfail
LQ Newbie
 
Registered: Jan 2011
Posts: 12

Rep: Reputation: 0
Irregular TCPdump file sizes


I've recently configured the network at my work so that all our VoIP phones get routed through a (semi)managed switch and the port in/out to the internet is mirrored to a spare network interface on our Linux file server. I'm then using TCPdump to capture RTP traffic so that if we need to review a phone call we can use Wireshark's new playback feature to listen to it.

The TCPdump command runs at startup:
sudo tcpdump -n -s 0 -T rtp -vvv -W 240 -i phonecap -w /home/[User]/VoipCalls/phonecap%Y-%b-%e-%H-%M-%S.pcap -G 3600

This means the dump files are split every hour (to more easily find specific calls) and the files are overwritten after 1 week.

The problem, however, is that the file size varies greatly: most captures that have no calls are about 4kb and those with calls are about 1mb per minute of phone call, so theoretically a maximum of 60mb. Some files, however, are 13-16GB for no apparent reason.

I've compared different captures and some of the ~30MB captures have MORE packets and larger average packet sizes than the 13GB+ files. Where is the extra file size coming from? I will test taking off the -vvv option, but the verbose information shouldn't be entered into the dump, should it?

Is there any 'extra' data other than packets that gets put into the dump files that I can disable?

I would upload an example of some of the dump files but unfortunately I can't due to the sensitive nature of the files and the fact they belong to my company, not me.
 
Old 06-10-2014, 02:30 PM   #2
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,880

Rep: Reputation: 162
You should disable the -vv option.
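
An added example, not part of the original thread: a classic pcap file (what `tcpdump -w` writes) holds a 24-byte global header and, per packet, a 16-byte record header plus the captured bytes, so a capture's size can be accounted for byte by byte, along with the time span it covers and the bytes per IP protocol. The names `account` and `constructed_sample` are illustrative, the sample data is constructed, and the protocol breakdown assumes Ethernet framing.

```python
import mmap, struct, sys
from collections import Counter

# Classic pcap magics -> struct byte order (microsecond and nanosecond variants)
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def account(data) -> dict:
    """Attribute every byte of a classic pcap file to headers, packets or leftover."""
    order = MAGICS.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(order + "I", data[20:24])[0]
    off, count, captured, first, last = 24, 0, 0, None, None
    by_proto = Counter()
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(order + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            break  # truncated final record; reported as leftover
        pkt = data[off + 16:off + 16 + incl_len]
        # Ethernet (linktype 1) carrying IPv4: protocol byte is at offset 14 + 9
        if linktype == 1 and len(pkt) >= 24 and pkt[12:14] == b"\x08\x00":
            by_proto[{6: "tcp", 17: "udp"}.get(pkt[23], "other-ip")] += incl_len
        else:
            by_proto["non-ipv4"] += incl_len
        first = ts_sec if first is None else first
        last = ts_sec
        count, captured, off = count + 1, captured + incl_len, off + 16 + incl_len
    return {"file_bytes": len(data), "packets": count, "captured_bytes": captured,
            "header_bytes": 24 + 16 * count, "leftover_bytes": len(data) - off,
            "span_seconds": (last - first) if count else 0,
            "bytes_by_proto": dict(by_proto)}

def constructed_sample() -> bytes:
    """Constructed capture: two UDP frames and one TCP frame, not real traffic."""
    def record(ts, proto, payload_len):
        frame = (b"\x00" * 12 + b"\x08\x00" + bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, proto])
                 + b"\x00" * (10 + payload_len))
        return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + record(1000, 17, 172) + record(1001, 17, 172) + record(4700, 6, 66)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real capture: map it so multi-GB files are not read into RAM
        with open(sys.argv[1], "rb") as f:
            data = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
    else:
        data = constructed_sample()
    for key, value in account(data).items():
        print(f"{key}: {value}")
```

If `file_bytes` equals `captured_bytes + header_bytes` with no leftover, the whole file is packet data; `span_seconds` and `bytes_by_proto` then show whether the file covers more than the intended hour or holds traffic other than UDP.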
 
  

