Rotating tcpdump Captures: Time-Limited Packet Captures

This is a short one just to document a really useful command. Packet capturing is obviously a major tool in the arsenal of both cyber security analysts and network administrators, and Wireshark is normally my go-to for that.
But I had a scenario where I had to capture traffic over a long period, and I didn't want to end up with a single massive file. So I turned to tcpdump.
The Command
Before you start, create a directory for the captures and change its ownership to the tcpdump user. The reason is that, on many distributions, tcpdump drops root privileges once the capture interface is open and switches to the unprivileged tcpdump user (this is the -Z option, compiled in as the default), so the rotated files are created by that user, and if the directory isn't writable by it you get a permission error when it tries to rotate to the next file. Keeping the capture running as root (for example with -Z root) also avoids the error, but then the whole long-running capture runs with root privileges, which is exactly what the privilege drop is there to prevent.
tcpdump -G 300 -n -i wlan0 -w wlan0_%Y-%m-%d_%H-%M-%S.pcap
By passing the -G 300 flag to tcpdump, it rotates to a new capture file every 300 seconds (5 minutes).
You can obviously adjust this as your own preference dictates, but this means I can capture traffic for an hour and have it packaged up into 12 manageable files.
Let's briefly run through the rest of the command:
-n - do not resolve IP addresses or port numbers to names
-i wlan0 - specifies the capture interface
-w wlan0_%Y-%m-%d_%H-%M-%S.pcap - specifies the filename, where the %-fields are strftime(3) format specifiers filled in with the time each file is opened. With -G the name must contain such specifiers, otherwise every rotation overwrites the same file. This zero-padded year-first format also has the nice property that the files sort into chronological order by name.
There is also an option to rotate based on file size, but I haven't used that here. For those that are interested:
-C 1000 will rotate once the file reaches 1,000 MB (tcpdump counts -C in units of 1,000,000 bytes, not MiB); the files after the first take the -w name with a counter appended (file, file1, file2, ...). Either option can be paired with -W to cap the number of files: with -C it turns the set into a ring buffer that overwrites the oldest file, with -G tcpdump exits after that many files.
Conclusion
What's nice about this is that if you're looking for traffic but you don't know when it will occur, you can set up a capture, then go back later and pull just the file you need.
For example, if you have a system with intermittent wireless, or
If you're unlucky and the traffic you need is split across two files, mergecap (shipped with Wireshark) is your friend; it merges the inputs in packet timestamp order:
mergecap -w output.pcap file1.pcap file2.pcap
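As an added example (not code from the original post), here is a small shell wrapper around the capture above, together with a helper for the "go back later and pull just the file you need" step: given a time window, it picks the rotated file that was open at the start of the window plus any files started inside it, which you can then hand to mergecap. The capture directory /var/log/pcap, the tcpdump user, and the helper names are assumptions; the listing at the end is constructed, not real captures.

```bash
#!/bin/sh
# Added example, not part of the original post: a wrapper around the
# rotating capture above, plus a helper that picks the rotated file(s)
# covering a time window so only those are handed to mergecap.
#
# Assumptions not in the post: capture directory /var/log/pcap, the
# unprivileged "tcpdump" user that tcpdump drops to, and the same
# filename template as the post.

export LC_ALL=C   # byte-wise string comparison, so timestamps sort in time order
CAPTURE_DIR="${CAPTURE_DIR:-/var/log/pcap}"

# Create the capture directory writable by the privilege-dropped tcpdump user.
setup_capture_dir() {
    mkdir -p "$CAPTURE_DIR"
    chown tcpdump:tcpdump "$CAPTURE_DIR"
    chmod 750 "$CAPTURE_DIR"
}

# Rotate every 5 minutes; the strftime fields in -w make each name unique.
start_capture() {
    tcpdump -G 300 -n -i "$1" -w "$CAPTURE_DIR/$1_%Y-%m-%d_%H-%M-%S.pcap"
}

# Pull the %Y-%m-%d_%H-%M-%S stamp out of a capture filename (path allowed);
# prints nothing if the name does not match the template.
timestamp_of() {
    printf '%s\n' "$1" | sed -n \
        's/.*_\([0-9]\{4\}-[0-9][0-9]-[0-9][0-9]_[0-9][0-9]-[0-9][0-9]-[0-9][0-9]\)\.pcap$/\1/p'
}

# True if stamp $1 sorts after stamp $2. The zero-padded template sorts
# lexicographically in chronological order, so no date parsing is needed.
after() {
    [ "$(expr "$1" \> "$2")" = 1 ]
}

# Read sorted capture filenames on stdin and print those that can contain
# packets from the window START..END: the file that was open at START plus
# every file that started before END. A window later than all files yields
# the last (still open) file; a window earlier than all files yields nothing.
select_captures() {
    start="$1"; end="$2"; open_at_start=""
    while IFS= read -r f; do
        ts=$(timestamp_of "$f")
        [ -n "$ts" ] || continue
        if after "$ts" "$end"; then
            break
        elif after "$ts" "$start"; then
            # first file started inside the window: flush the one open at START
            [ -z "$open_at_start" ] || printf '%s\n' "$open_at_start"
            open_at_start=""
            printf '%s\n' "$f"
        else
            open_at_start="$f"
        fi
    done
    [ -z "$open_at_start" ] || printf '%s\n' "$open_at_start"
    return 0
}

# Merge everything covering START..END into OUT with mergecap (from Wireshark).
merge_window() {
    for f in "$CAPTURE_DIR"/*.pcap; do printf '%s\n' "$f"; done |
        select_captures "$1" "$2" | xargs mergecap -w "$3"
}

# Constructed sample listing (not real captures) for a dry run of the selector.
SAMPLE_FILES='wlan0_2024-05-01_13-00-00.pcap
wlan0_2024-05-01_13-05-00.pcap
wlan0_2024-05-01_13-10-00.pcap
wlan0_2024-05-01_13-15-00.pcap'

# Run the selector over the constructed listing for the window START..END.
sample_select() {
    printf '%s\n' "$SAMPLE_FILES" | select_captures "$1" "$2"
}

# An event seen between 13:04:00 and 13:06:00 straddles the first two files.
sample_select 2024-05-01_13-04-00 2024-05-01_13-06-00
```

The selector deliberately avoids parsing dates: because the template is zero-padded and year-first, plain string comparison of the stamps gives chronological order, and the file that was open at a given instant is simply the last one whose stamp is not later than that instant. Real use is merge_window START END out.pcap after setup_capture_dir and start_capture wlan0 have been run (as root, for the latter two).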
Neat, huh?
