LinuxQuestions.org
09-11-2013, 06:26 PM   #1
Omacron
tcpdump 4.1.1 with libpcap 1.1.1 will not work with -C and -G options simultaneously


Hi all,
I am having some problems getting tcpdump 4.1.1 to behave as needed. My objective is:
-Generate a new pcapfile every hour (with time and date in capture name)
-If any capture during this hour period is greater than 50 MB then generate a new file with the same name and a numerical suffix at the end.

In tcpdump 4.4.0 (libpcap 1.4.0) this is possible via the following command:
tcpdump -pni eth0 -s65535 -G 3600 -C 50 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap'
This will generate a set of logs as so: (I would rather the counter restarted to 1 every time a new logfile has been split, but I can live with this for the moment)
trace_2013-09-11_22:42:38.pcap
trace_2013-09-11_22:42:38.pcap1
trace_2013-09-11_22:42:38.pcap2
trace_2013-09-11_22:42:38.pcap3
trace_2013-09-11_22:42:38.pcap4
trace_2013-09-11_22:42:38.pcap5
trace_2013-09-11_22:42:38.pcap6
trace_2013-09-11_22:43:08.pcap
trace_2013-09-11_22:43:08.pcap7
trace_2013-09-11_22:43:08.pcap8
trace_2013-09-11_22:43:08.pcap9
trace_2013-09-11_22:43:08.pcap10
trace_2013-09-11_22:43:08.pcap11
trace_2013-09-11_22:43:38.pcap
trace_2013-09-11_22:44:08.pcap

However with tcpdump 4.1.1 the -C option seems to be ignored, and tcpdump just rotates the logfiles without splitting them into smaller ones.

The production machine I need to install this on is running a customized version of Debian squeeze which offers tcpdump 4.1.1 as the latest version in repos. libpcap is being used by other packages on the system so I really cannot update the dependencies needed to compile the latest version of tcpdump without updating the other packages too.
Is there a way to get this working with tcpdump 4.1.1 or compile tcpdump to use a localized and separate version of libpcap and other needed libs that will not interfere with other applications?
I have tried compiling libpcap but it needs the latest version of flex which in turn needs the latest version of m4 ...

Any help and suggestions are very much appreciated.
Cheers
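
One possible workaround for the situation described above, as an added example that is not part of the original post and is not tcpdump's own code: capture on 4.1.1 with -G only, then split each finished hourly file into size-limited pieces whose numeric suffix restarts at 1. The function name split_pcap and the path+N naming are assumptions made here; the code handles classic pcap files only (not pcapng) and uses the same unit as -C, millions of bytes.

```python
import struct

# pcap magic numbers (first 4 bytes of the file) mapped to struct byte order.
MAGIC_TO_ENDIAN = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # little-endian (usec, nsec)
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",  # big-endian (usec, nsec)
}

def split_pcap(path, max_bytes=50 * 1000000):
    """Copy the capture at `path` into path+'1', path+'2', ... pieces.

    Each piece repeats the 24-byte global header and holds whole packet
    records only, staying within max_bytes unless one record alone is larger.
    Returns the list of piece names; the source file is left untouched.
    """
    pieces, out, written = [], None, 0
    with open(path, "rb") as src:
        global_header = src.read(24)
        endian = MAGIC_TO_ENDIAN.get(global_header[:4])
        if len(global_header) < 24 or endian is None:
            raise ValueError("%s is not a classic pcap file" % path)
        while True:
            rec_header = src.read(16)
            if len(rec_header) < 16:
                break  # clean end of file, or a header cut off mid-write
            # Record header fields: ts_sec, ts_frac, incl_len, orig_len.
            incl_len = struct.unpack(endian + "IIII", rec_header)[2]
            data = src.read(incl_len)
            if len(data) < incl_len:
                break  # last packet truncated (capture stopped mid-write)
            record = rec_header + data
            # Start a new piece when this record would push past the limit.
            if out is None or (written + len(record) > max_bytes and written > 24):
                if out:
                    out.close()
                pieces.append("%s%d" % (path, len(pieces) + 1))
                out = open(pieces[-1], "wb")
                out.write(global_header)
                written = 24
            out.write(record)
            written += len(record)
    if out:
        out.close()
    return pieces
```

Run it only on files tcpdump has already rotated away from, since a file still being written can end in a partial record, which this function drops.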
 
  

