I've got a patch for this at https://github.com/wxsBSD/tcpdump/commit/84998745a29a0ffb3a680c29692c15426a1ce960.
Seems to work well but I would appreciate any testing anyone can do. I'm also going to make sure this is right from the capsicum perspective as I have no experience with that. Once I discuss it with those folks I'll send a pull request.

On a somewhat related note, how is -G, -W and -C supposed to work together? The man page makes it sound like you can use all three together, but I'm not able to get anything to work.

I would expect to do this:

tcpdump -i em0 -G 5 -W 5 -C 1 -w foo.pcap

and get foo.pcap0, foo.pcap1, foo.pcap2, foo.pcap3, foo.pcap4. Each output file should have 5 seconds worth of packets in them and then rotated. I can't seem to get this behavior.

-- WXS

> On Feb 18, 2015, at 12:38 AM, SJP Lists <sjp.li...@flashbsd.net> wrote:
>
> Hello all,
>
> Firstly, apologies if I missed info about this from a FAQ, documentation,
> source README and CHANGES and Google or if I am just doing something
> silly. I looked at the man page and performed a Google and case sensitive
> searches via casesensitivesearch.com (to avoid all the -c results) but did
> not find any info about this issue I am having.
>
> I have built a host for circular recording of WAN traffic onto 2TB worth of
> storage, in order to hopefully catch pcaps after an event of intermittent
> issues we are not able to replicate. Hoping that when a user complains and
> gives us the time of the issue, I can just grab a copy of the pre-recorded
> pcap which should contain the traffic associated with their issue.
>
> I've used FreeBSD 10.1 for this. With the following tcpdump syntax as an
> example, run as root:
>
> tcpdump -C 1 -W 10 -w filename -i em0
>
> and I am finding that filename0 is created and captured to, but the capture
> does not roll over to the next file and instead continues to capture to the
> first file beyond the limit I thought would be imposed with "-C 1", until I
> kill the process.
>
> I have tried the -Z option with "-Z root", in case the issue was that a new
> file cannot be created once privs are dropped, but I get the same result.
>
> Thank you for reading and any help that you can give!
>
>
> Shane
> _______________________________________________
> tcpdump-workers mailing list
> tcpdump-workers@lists.tcpdump.org
> https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
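
Added example, not part of the original thread or of tcpdump itself: a shell check for the symptom reported above, where a "-C 1 -W 10 -w filename" ring keeps growing its first file instead of rolling over. The function name check_ring and the one-packet slack value are assumptions made for this sketch.

```shell
#!/bin/sh
# check_ring BASE COUNT SIZE: inspect the files left by
#   tcpdump -C SIZE -W COUNT -w BASE
# and report whether the capture rolled over or stayed in one file.
# Returns 0 when every file respects the limit, 1 otherwise.
check_ring() {
    base=$1 count=$2 size_arg=$3
    # -C is given in units of 1,000,000 bytes. The size is tested before
    # each packet is written, so a file can overshoot by one packet.
    slack=262144                 # assumed allowance for that last packet
    limit=$((size_arg * 1000000 + slack))
    # -W pads the file index with leading zeros to the width of COUNT-1.
    width=$(printf '%s' "$((count - 1))" | wc -c | tr -d ' ')
    present=0 oversize=0 i=0
    while [ "$i" -lt "$count" ]; do
        f=$base$(printf "%0${width}d" "$i")
        if [ -f "$f" ]; then
            present=$((present + 1))
            bytes=$(wc -c < "$f" | tr -d ' ')
            if [ "$bytes" -gt "$limit" ]; then
                oversize=$((oversize + 1))
                echo "OVERSIZE $f: $bytes bytes"
            fi
        fi
        i=$((i + 1))
    done
    if [ "$present" -eq 0 ]; then
        echo "NOFILES no capture files found for $base"
        return 1
    fi
    if [ "$oversize" -gt 0 ]; then
        echo "STUCK $oversize of $present file(s) exceed the -C limit"
        return 1
    fi
    echo "OK $present file(s), all within the -C limit"
    return 0
}

# Stand-alone use: sh check_ring.sh /captures/filename 10 1
if [ "$#" -eq 3 ]; then
    check_ring "$@"
fi
```

Run from cron against the capture directory, a non-zero exit flags a ring that has stopped rotating before it fills the disk.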