I would like to rotate the tcp dump saving every 100mS. Hence I am trying the following option:
tcpdump -i eth0 -G 0.1 -w '.pcap'
This dumps all the incoming data into file and do not rotate every 100mS. Could someone tell me where am I going wrong?
答案1
It creates file .pcap which it's hidden and since you are not using the timestamp to name the files to generate, it overwrites to the same file .pcap every time.
accepted timestamp format can be specified in known formats by "strftime(3)"
one example like:
tcpdump -i eth0 -G 0.1 -w %m-%d-%H-%M-%S-%s.pcap
please note that 0.1seconds you specified to -G option less than a second will not grantee that all captured packets will be written to the corresponding file, since there is no way in strftime(3) to define milliseconds formatting, so as long as traffic captured for age of a second those will still overwritten to the previous matched filename specified in -w ... option.
so change -G 0.1 to minimum 1second to don't miss any packets to be saved in files.
Important: Be warned about what timestamp you choice for formatting/rotating; for example with above timestamp since it generates a unique timestamp for a lifetime, so files will be generated until you have a free disk-space on the path you ran the tcpdump command.
choosing timestamps like %H-%M-%S.pcap will rotate for a day (24hours) and start overwrite to the oldest file for new day. so this timestamp plus with -G 1 would be your better choice to having 24hours rotation every seconds.