No dice. :( The chmod did not change anything. I started with and this worked.
tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap1

As soon as I added the "-C", I got the same error.

tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap1 -C 4

jerome

On Mon, Feb 6, 2012 at 5:54 AM, Mark W. Jeanmougin <[email protected]> wrote:
> On 02/03/2012 07:04 PM, Jerome Yanga wrote:
>>
>> The permissions on the /data directory are ...
>> # ls -alh /data/
>> total 4.1M
>> drwxr-xr-x 2 root root 4.0K Feb 3 15:21 .
>> dr-xr-xr-x. 23 root root 4.0K Feb 3 06:49 ..
>> -rw-r--r-- 1 root root 4.0M Feb 3 07:29 502_capture-seed.txt
>
>
> Try running 'chmod a+w /data/'. When I've done this, tcpdump drops root
> permissions before it starts writing.
>
> For example, on my Fedora boxes, all of my tcpdump captures are owned by
> tcpdump:tcpdump. So, you could also do something with that information.
>
> In my environment, any box that's set up doing the kind of packet capturing
> you're talking about is locked down so that the only people with access to
> that box also have root access to read the output files. So, blowing the
> permissions wide open isn't a big deal.
>
>> FYI, I am running the command as root.
>>
>> The first command does not work even without the shell expansion date
>> command.
>>
>> I created the seed file using the following command.
>>
>> dd if=/dev/zero of=/data/502_capture-seed.txt bs=$(( 1024 * 1024 ))
>> count=4
>>
>> All I am doing is trying to run tcpdump so that it will create another
>> file once it has reached 4MB (-C 4). I also want it to be limited to
>> just 10 files (-W 10), to rotate to the next file every 5 minutes (-G
>> 300), and to be compressed every time it creates a new file (-z bzip2).
>
>
> I'd start with something simple and work my way up.
> Start with this:
>
> tcpdump -i eth0 -s 0 -w /data/capture_rotate_1.pcap
>
> Then, add your other parameters one by one (see when things break) until you
> get back to your original:
>
>
> tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap\
> -C 4 -W 10 -G 300 -z bzip2 -F /data/capture-seed.txt
>
> Hopefully, the permission change on the data directory will be all you need!
> My gut tells me that the "-F" option is going to throw you. I've never used
> it before, so I'm not sure...
>
> Finally, depending on your hardware, take a look at the pbzip2 package. It
> is a parallel implementation of bzip2. It scales pretty linearly on
> multicore x86_64 CPUs. I've been very happy with it. It's also pretty easy
> to shoot yourself in the foot by overdoing the CPU utilization.
>
> MJ
> - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
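
Added example, not part of the thread or of tcpdump itself: a preflight check that reports whether a given account can create files in the capture directory, which is the condition the ls output and the privilege drop discussed above come down to. It assumes Linux with GNU stat; the function name can_write and the script name in the usage comment are hypothetical, and the account to test is whichever one tcpdump drops to on your system (tcpdump on the Fedora boxes mentioned above).

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat (Linux).
# can_write DIR USER
#   returns 0 if USER may create files in DIR according to DIR's mode bits,
#   1 if not, 2 if DIR is not a directory.
can_write() {
    dir=$1 user=$2
    [ -d "$dir" ] || return 2
    # root is not restricted by directory mode bits
    [ "$user" = root ] && return 0

    # owner name, group name, octal mode, e.g. "root root 755"
    set -- $(stat -c '%U %G %a' "$dir")
    owner=$1 group=$2
    perm=$(( 0$3 & 0777 ))      # leading 0 makes the shell read it as octal

    # Exactly one permission class applies: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        bits=$(( perm >> 6 ))
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$group"; then
        bits=$(( perm >> 3 ))
    else
        bits=$perm
    fi

    # Creating a file needs both write (2) and search (1) on the directory.
    [ $(( bits & 3 )) -eq 3 ]
}

# Usage: sh check_capture_dir.sh /data tcpdump
if [ $# -eq 2 ]; then
    if can_write "$1" "$2"; then
        echo "ok: $2 can create capture files in $1"
    else
        echo "fail: $2 cannot create files in $1; fix its owner or mode first"
        stat -c '  %A %U:%G %n' "$1" 2>/dev/null
    fi
fi
```

Against the listing quoted above (drwxr-xr-x root root), any non-root account fails this check, which matches the first capture file opening as root and the rotated ones failing.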
