I want to run tcpdump at boot and direct the output to a speicifed file. I then want logrotate to restart that job periodically. I am running Slackware 14.1

I can put the job in /etc/rc.d/rc.local:

tcpdump -tttt -nn portrange 1-4 and 'tcp[13] & 4 != 0' >> /var/log/mylog 2>&1 &

Would that be the best way to do it at start-up? Would I need nohup?

with logrotate I'm thinking:

Would that work running putting the '&' at the end of the command in the logrotate script?

It looks like it should work with the & at the end. The "killall" will unfortunately get any other instances of "tcpdump" that might be running.

If you examine the variable $! immediately after running "tcpdump" in the post-rotate script, you will get the PID of tcpdump and that can be saved in a file and used later for restarting. There are drawbacks to that method, so alternately you could search the ouput of "ps" for the right instance of "tcpdump" to kill.

About the redirect, you won't get that useful information from just redirecting stdin and stdout from "tcpdump". If you want the raw packets, then capture using -w instead of >>

Turbocapitalist, OK, I'm going to try it and see what happens. Normally there won't be any other tcpdumps running, so I needn't worry about capturing and saving the PID. That tcpdump gives me e.g.:

2016-07-02 12:33:42.587933 IP 98.102.63.107.1910 > 98.30.204.114.61355: Flags [R.], seq 1405462380, ack 207756548, win 0, length 0

which is all I need. I don't need the actual packet. I need the timestamp and the IP to compare with the log.samba to track break-ins (the log.samba does not give the IP for non-local login attempts).

I'll post back results, though it may be a while.