I don't have an answer to your original question other than to say I just duplicated it on a FreeBSD host but not on OS X. Smells like a bug to me.
I've done something similar in the past using -G and writing to something like /packets/%Y/%m/%d/%H%M%S.pcap (assuming those directories exist). This way when you are given a time when the problem occurred you can jump to that specific file much easier. Though, if you have to find the start of the session it may be in an earlier file.

    tcpdump -G 300 -w /packets/%Y/%m/%d/%H%M%S.pcap

-- WXS

> On Feb 18, 2015, at 12:38 AM, SJP Lists <sjp.li...@flashbsd.net> wrote:
>
> Hello all,
>
> Firstly, apologies if I missed info about this from a FAQ, documentation,
> source README and CHANGES and Google or if I am just doing something
> silly. I looked at the man page and performed a Google and case sensitive
> searches via casesensitivesearch.com (to avoid all the -c results) but did
> not find any info about this issue I am having.
>
> I have built a host for circular recording of WAN traffic onto 2TB worth of
> storage, in order to hopefully catch pcaps after an event of intermittent
> issues we are not able to replicate. Hoping that when a user complains and
> gives us the time of the issue, I can just grab a copy of the pre-recorded
> pcap which should contain the traffic associated with their issue.
>
> I've used FreeBSD 10.1 for this. With the following tcpdump syntax as an
> example, run as root:
>
> tcpdump -C 1 -W 10 -w filename -i em0
>
> and I am finding that filename0 is created and captured to, but the capture
> does not roll over to the next file and instead continues to capture to the
> first file beyond the limit I thought would be imposed with "-C 1", until I
> kill the process.
>
> I have tried the -Z option with "-Z root", in case the issue was that a new
> file cannot be created once privs are dropped, but I get the same result.
>
> Thank you for reading and any help that you can give!
>
>
> Shane
> _______________________________________________
> tcpdump-workers mailing list
> tcpdump-workers@lists.tcpdump.org
> https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
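
An added example, not part of the original thread and not tcpdump code: with the /packets/%Y/%m/%d/%H%M%S.pcap layout from the reply, this Python helper returns the capture file that was open at a reported time plus the file before it, since the session may have started earlier. The function names and sample paths are constructed, and the reported time is assumed to be in the capture host's local time zone.

```python
import bisect
from datetime import datetime
from pathlib import PurePosixPath

ROOT = "/packets"            # capture root used in the reply
LAYOUT = "%Y/%m/%d/%H%M%S"   # mirrors -w /packets/%Y/%m/%d/%H%M%S.pcap

# Constructed sample listing (e.g. the output of `find /packets -type f`).
SAMPLE = [
    "/packets/2015/02/18/000500.pcap",
    "/packets/2015/02/17/235500.pcap",
    "/packets/2015/02/18/001000.pcap",
    "/packets/2015/02/18/000000.pcap",
    "/packets/notes.txt",    # stray file that must be ignored
]

def start_time(path, root=ROOT):
    """Return the time encoded in a capture path, or None if it does not fit."""
    p = PurePosixPath(path)
    try:
        rel = p.relative_to(root)
    except ValueError:
        return None
    if rel.suffix != ".pcap":
        return None
    try:
        return datetime.strptime(str(rel.with_suffix("")), LAYOUT)
    except ValueError:
        return None

def files_for_incident(paths, when, lookback=1, root=ROOT):
    """Files to pull for an incident at `when`, oldest first.

    The last entry is the file whose start time is the latest one not after
    `when`; `lookback` earlier files are included to catch the session start.
    Returns [] when `when` predates every capture.
    """
    indexed = sorted(
        (t, p) for t, p in ((start_time(p, root), p) for p in paths)
        if t is not None
    )
    starts = [t for t, _ in indexed]
    i = bisect.bisect_right(starts, when) - 1
    if i < 0:
        return []
    return [p for _, p in indexed[max(0, i - lookback): i + 1]]

if __name__ == "__main__":
    for f in files_for_incident(SAMPLE, datetime(2015, 2, 18, 0, 1, 0)):
        print(f)
```

The sorting is by the time parsed from the path, so the lookback crosses day directories correctly when an incident falls just after midnight.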