How can I capture the last N seconds of packets using tcpdump?
-
"Give me" will not take you far here. Maybe you should show us what you have tried so far and where exactly you have problems you cannot solve yourself. – matthias krull Commented Jun 15, 2011 at 13:27
-
The bash command you want is: "man tcpdump" – William Pursell Commented Jun 15, 2011 at 18:00
6 Answers
If you just want tcpdump to run for n seconds and then quit, you could use timeout.
For example:
timeout 2 tcpdump -eni mon0
Otherwise I don't believe tcpdump has an option to do this.
-
Unfortunately the timeout command is not present in CentOS 5.x. It was added in a newer release of coreutils. Another motivation for me to upgrade the OS. Commented Jul 2, 2014 at 19:52
-
I suppose if you don't have timeout, you could instead create something like timeout with a script: – siesta Commented Jul 3, 2014 at 20:47
-
Works great for me. I used this to monitor all traffic for a program that wasn't working. I started tcpdump with a timeout of N seconds. Then I started the program (which takes up to N seconds). Commented Nov 18, 2014 at 14:01
-
The question asks to capture the last N seconds. Your answer tells how to capture the first N seconds. – Flimzy Commented Oct 7, 2016 at 10:10
I think the best way to accomplish this is with tcpdump's -G flag, which, when used with -w, will save your dump to a new file every N seconds. For instance:
tcpdump -w outfile-%s -G 10
This will create a new file with the name of 'outfile-XXXX' (where XXXX represents the number of seconds since epoch) every 10 seconds.
See the man pages for tcpdump(8) and strftime(3) for additional details.
-
tcpdump 3.9.4 as shipped with CentOS 5.10 does not have the -G option. I really need to upgrade my OS. Commented Jul 2, 2014 at 19:53
-
-G does not stop the tcpdump command. It still runs forever. The timeout 2 tcpdump will stop the command after 2 seconds. – ciceron Commented Oct 7, 2016 at 9:26
-
@ciceron: The question wasn't about stopping tcpdump. It was about capturing the last N seconds. Your suggestion will capture the first N seconds. Decidedly not what the OP asked for. – Flimzy Commented Oct 7, 2016 at 10:09
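Rotating with -G leaves one file per interval rather than an exact last-N-seconds window. The following Python example is added here and is not code from any answer on this page: it reads a libpcap file as written by tcpdump -w, keeps only the packets from the capture's final N seconds, and discards a partial last record of the kind left behind when tcpdump is killed mid-write. The sample capture it operates on is constructed in the code (dummy 60-byte frames), not a real trace.

```python
import struct

# Magic number as read little-endian -> (struct byte order, timestamp ticks per second)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),  # microsecond-resolution pcap
    0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9),  # nanosecond-resolution pcap
}

def iter_records(data):
    """Yield (timestamp_seconds, raw_record_bytes) for every complete packet record."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a libpcap capture file")
    order, ticks = PCAP_MAGICS[magic]
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        end = off + 16 + incl_len
        if end > len(data):
            break  # partial final record: tcpdump was killed mid-write, so drop it
        yield ts_sec + ts_frac / ticks, data[off:end]
        off = end

def trim_last_seconds(data, seconds):
    """Return a pcap holding only the packets from the final `seconds` of the capture."""
    records = list(iter_records(data))
    if not records:
        return data[:24]
    cutoff = records[-1][0] - seconds
    return data[:24] + b"".join(raw for ts, raw in records if ts >= cutoff)

def packet_timestamps(data):
    return [ts for ts, _ in iter_records(data)]

def build_sample_pcap(timestamps, frame=b"\x00" * 60, order="<"):
    """Constructed test input (not from the page): dummy Ethernet frames at the given times."""
    header = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b"".join(
        struct.pack(order + "IIII", int(t), int(round((t % 1) * 1e6)), len(frame), len(frame)) + frame
        for t in timestamps
    )
    return header + body

SAMPLE_PCAP = build_sample_pcap([0, 5, 10, 20, 30])

if __name__ == "__main__":
    print(packet_timestamps(trim_last_seconds(SAMPLE_PCAP, 12)))  # [20.0, 30.0]
```

Run it on a file rotated out by -G (or any -w output) to keep just the tail of the capture; a truncated trailing record is dropped rather than mis-parsed.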
You can use tethereal instead of tcpdump. You can use this command-line option:
-a duration:X
-
While this may answer the question, it would be a better answer if you could provide some explanation why it does so. – DavidPostill ♦ Commented Dec 17, 2014 at 17:23
-
tcpdump itself doesn't allow for a time-limited packet trace but tshark does. (n.b. since this question was asked and answered, Ethereal became Wireshark)
tshark -a duration:600 -i eth0 -w $(hostname).10mins.pcap
will capture ten minutes' worth of traffic from interface eth0 into the file $(hostname).10mins.pcap Commented Dec 5, 2018 at 22:09
I was trying to solve the same issue, so I wrote a portable script to run tcpdump for n seconds.
#!/bin/sh
# tcpdump_for_n_sec.sh: run tcpdump for n seconds, then stop it
n=$1
shift # remove the first argument so "$@" holds only tcpdump's options
tcpdump "$@" &
x=$!
sleep "$n"
kill "$x"
Usage: ./tcpdump_for_n_sec.sh <seconds> <args for tcpdump>
./tcpdump_for_n_sec.sh 5 -i any not port 22 -s0 -wfile.pcap
tcpdump options -w new.tcpdump
ps -ef | grep tcpdump
take note of the PID, say it is 11193
at 11:00
kill 11193
now just wait till 11:00 comes and your capture will be killed but saved
-
fwiw pgrep is a much better alternative to ps|grep; especially here. Commented Oct 28, 2015 at 18:08
sudo tcpdump -i -w &
this will run tcpdump in sleeping mode
-w: save output in the .pcap file
&: tcpdump process will run in sleeping mode
note: make sure you have enough space available if you want to run it for a while. It won't be interrupted if you log off, until you kill the process.