Date:      Sat, 23 May 2009 20:52:14 +0100
From:      Frank Shute <frank@shute.org.uk>
To:        Morgan Wesström <freebsd-questions@pp.dyndns.biz>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: how to rotate a tcpdump file
Message-ID:  <20090523195214.GA72411@melon.esperance-linux.co.uk>
In-Reply-To: <4A1831CD.6080505@pp.dyndns.biz>
References:  <852FCD4FD0834115930F3DB05ADB7F3C@desktop2002> <20090523160452.GA71919@melon.esperance-linux.co.uk> <4A1831CD.6080505@pp.dyndns.biz>

On Sat, May 23, 2009 at 07:26:37PM +0200, Morgan Wesström wrote:
>
> Frank Shute wrote:
> > On Sat, May 23, 2009 at 02:57:08PM +0300, Yavuz Ma?lak wrote:
> >> I wish tcpdump to rotate tcpdump file whose size reaches 10Mbyte.
> >>
> >> Which command should I use ?
> >>
> > 
> > You should be able to set up newsyslog(8) to rotate the dumps.
> > 
> > You want to have a look at newsyslog.conf(5) to craft a line to put in
> > your conf file. There are examples to work from in the conf file
> > already.
> > 
> > Regards,
> 
> Correct me if I'm wrong but wouldn't tcpdump have to be restarted after
> the logrotate? I'm under the impression that it would just continue to
> output to the old inode even if the file occupying it changes name and
> the restart functionality of newsyslog(8) isn't really bright enough to
> restart tcpdump with all its initial parameters.

I was thinking of using the -C and -w options to tcpdump(1). From the
manpage:

-C     Before  writing  a  raw  packet to a savefile, check whether the
    file is currently larger than file_size and, if  so,  close  the
    current  savefile and open a new one.  Savefiles after the first
    savefile will have the name specified with the -w flag,  with  a
    number after it, starting at 1 and continuing upward.  The units
    of  file_size  are  millions  of  bytes  (1,000,000  bytes,  not
    1,048,576 bytes).

and now looking at it more closely, you don't even have to use
newsyslog. Just include the args: -C 10000000 -w my_tcpdump_log

You would still need a script to rotate the logs though.

Probably, wrap tcpdump in a shell script that does some arithmetic
similar to what Matthew has written in his post.

> I'm using sysutils/cronolog for my Apache logs so I don't have to
> restart Apache at all for the logrotate. Unfortunately cronolog doesn't
> seem to have a size option to trigger the rotation though. 

You can use newsyslog with Apache to rotate logs. From my conf:

/var/log/httpd-access.log   644  5   200  *   B  /var/run/httpd.pid  30

5 logfiles, 200Kb big, give Apache a SIGUSR1 (30) to stop & restart
the logging.

> Maybe there's another alternative for the OP?
> 
> /Morgan

Regards,

-- 

 Frank 


 Contact info: http://www.shute.org.uk/misc/contact.html 
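The wrapper script Frank describes, written out as an added example (it is not code from the thread). It uses only what the quoted manpage states: -C takes its size in millions of bytes, so a 10 MB roll-over is `-C 10`, and successive savefiles get the -w name with 1, 2, 3 ... appended, so the highest suffix is always the newest file. The capture directory, base name, retention count and the `nobody` user are assumptions chosen for the example; `prune_captures` is the "script to rotate the logs" and is meant to be run from cron (or the loop below) while tcpdump keeps writing, since tcpdump itself never deletes anything.

```sh
#!/bin/sh
# Size-based tcpdump rotation: tcpdump -C rolls the file, this script prunes.
# Assumed (hypothetical) defaults; override via the environment.
CAP_DIR="${CAP_DIR:-/var/tmp/captures}"   # where savefiles live
BASE="${BASE:-capture.pcap}"              # name given to -w
SIZE_MB="${SIZE_MB:-10}"                  # -C units are millions of bytes (manpage)
KEEP="${KEEP:-5}"                         # newest files to retain
PRUNE_EVERY="${PRUNE_EVERY:-60}"          # seconds between prunes when looping

# capture_index NAME BASE
# tcpdump names files BASE, BASE1, BASE2, ...; return the numeric suffix,
# treating the very first file (no suffix) as 0.
capture_index() {
    suffix=${1#"$2"}
    [ -z "$suffix" ] && suffix=0
    echo "$suffix"
}

# prune_captures DIR BASE KEEP
# Remove every savefile except the KEEP highest-numbered (newest) ones and
# print how many files were deleted. Files that do not follow tcpdump's
# BASE<digits> naming are left alone.
prune_captures() {
    dir=$1; base=$2; keep=$3
    removed=0
    list=$(for f in "$dir/$base" "$dir/$base"[0-9]*; do
               [ -f "$f" ] || continue
               name=${f##*/}
               idx=$(capture_index "$name" "$base")
               case $idx in *[!0-9]*) continue ;; esac   # skip non-numeric suffixes
               printf '%s %s\n' "$idx" "$name"
           done | sort -n -r | tail -n +$((keep + 1)) | cut -d' ' -f2)
    for name in $list; do
        rm -f "$dir/$name"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# run_capture IFACE [extra tcpdump args]
# Start tcpdump rolling to a new file every SIZE_MB million bytes, then prune
# in the foreground until tcpdump exits.
run_capture() {
    iface=$1; shift
    mkdir -p "$CAP_DIR"
    tcpdump -i "$iface" -C "$SIZE_MB" -w "$CAP_DIR/$BASE" "$@" &
    pid=$!
    trap 'kill "$pid" 2>/dev/null' INT TERM
    while kill -0 "$pid" 2>/dev/null; do
        sleep "$PRUNE_EVERY"
        prune_captures "$CAP_DIR" "$BASE" "$KEEP" >/dev/null
    done
}

case "${1:-}" in
    start) shift; run_capture "$@" ;;                 # ./rotate.sh start em0
    prune) prune_captures "$CAP_DIR" "$BASE" "$KEEP" ;;   # from cron
esac
```

Invoked as `rotate.sh start em0` it captures and prunes in one process; `rotate.sh prune` alone is what a cron entry would call if tcpdump is started some other way. Because tcpdump keeps its own counter, the newest file is found by suffix rather than by mtime, which also avoids mis-ordering when several files are created within the same second.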
