Date: Sat, 23 May 2009 20:52:14 +0100
From: Frank Shute
To: Morgan Wesström
Cc: freebsd-questions@freebsd.org
Subject: Re: how to rotate a tcpdump file

On Sat, May 23, 2009 at 07:26:37PM +0200, Morgan Wesström wrote:
>
> Frank Shute wrote:
> > On Sat, May 23, 2009 at 02:57:08PM +0300, Yavuz Ma?lak wrote:
> >> I wish tcpdump to rotate tcpdump file whose size reaches 10Mbyte.
> >>
> >> Which command should I use ?
> >>
> >
> > You should be able to set up newsyslog(8) to rotate the dumps.
> >
> > You want to have a look at newsyslog.conf(5) to craft a line to put in
> > your conf file. There are examples to work from in the conf file
> > already.
> >
> > Regards,
>
> Correct me if I'm wrong but wouldn't tcpdump have to be restarted after
> the logrotate? I'm under the impression that it would just continue to
> output to the old inode even if the file occupying it changes name and
> the restart functionality of newsyslog(8) isn't really bright enough to
> restart tcpdump with all its initial parameters.

I was thinking of using the -C and -w options to tcpdump(1). From the
manpage:

     -C     Before writing a raw packet to a savefile, check whether the
            file is currently larger than file_size and, if so, close the
            current savefile and open a new one. Savefiles after the first
            savefile will have the name specified with the -w flag, with a
            number after it, starting at 1 and continuing upward. The
            units of file_size are millions of bytes (1,000,000 bytes, not
            1,048,576 bytes).

and now looking at it more closely, you don't even have to use
newsyslog. Just include the args:

-C 10000000 -w my_tcpdump_log

You would still need a script to rotate the logs though. Probably, wrap
tcpdump in a shell script that does some arithmetic similar to what
Matthew has written in his post.

> I'm using sysutils/cronolog for my Apache logs so I don't have to
> restart Apache at all for the logrotate. Unfortunately cronolog doesn't
> seem to have a size option to trigger the rotation though.

You can use newsyslog with Apache to rotate logs. From my conf:

/var/log/httpd-access.log 644 5 200 * B /var/run/httpd.pid 30

5 logfiles, 200Kb big, give Apache a SIGUSR1 (30) to stop & restart the
logging.

> Maybe there's another alternative for the OP?
>
> /Morgan

Regards,

-- 
Frank

Contact info: http://www.shute.org.uk/misc/contact.html
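
Added example, not part of the original message or thread: a POSIX shell wrapper of the kind suggested above, which starts tcpdump with -C and -w and deletes the oldest savefiles so the capture directory stays bounded. It assumes the savefile naming from the quoted manpage excerpt (first file unsuffixed, then 1, 2, ...) and uses -C 10 because that excerpt gives file_size in millions of bytes; the function names, the keep count, the 60-second interval and the paths in the usage line are illustrative.

```sh
#!/bin/sh
# Added example, not from the thread. Function names, the keep count and
# the 60 s polling interval are assumptions made for illustration.

# Print the suffix numbers of BASE's savefiles in DIR, oldest first.
# Per the manpage excerpt: first file is BASE (shown as 0), then BASE1, BASE2...
list_suffixes() {
    dir=$1 base=$2
    for f in "$dir/$base" "$dir/$base"[0-9]*; do
        [ -f "$f" ] || continue
        n=${f#"$dir/$base"}
        case $n in
            '') echo 0 ;;
            *[!0-9]*) ;;            # e.g. BASE2.bak: not a tcpdump savefile
            *) echo "$n" ;;
        esac
    done | sort -n
}

# Delete the oldest savefiles so that at most KEEP remain. The file tcpdump
# is writing has the highest number, so it survives whenever KEEP >= 1.
prune_savefiles() {
    dir=$1 base=$2 keep=$3
    total=$(list_suffixes "$dir" "$base" | wc -l)
    excess=$((total - keep))
    [ "$excess" -gt 0 ] || return 0
    list_suffixes "$dir" "$base" | head -n "$excess" | while read -r n; do
        if [ "$n" = 0 ]; then rm -f "$dir/$base"; else rm -f "$dir/$base$n"; fi
    done
}

# Capture on IFACE with a new savefile every 10 million bytes (-C 10),
# pruning once a minute until tcpdump exits.
run_capture() {
    iface=$1 dir=$2 base=$3 keep=$4
    tcpdump -i "$iface" -C 10 -w "$dir/$base" &
    pid=$!
    trap 'kill "$pid" 2>/dev/null' INT TERM
    while kill -0 "$pid" 2>/dev/null; do
        prune_savefiles "$dir" "$base" "$keep"
        sleep 60
    done
}

# Usage: sh rotate_capture.sh capture em0 /var/tmp/pcap my_tcpdump_log 5
if [ "${1:-}" = capture ]; then
    run_capture "$2" "$3" "$4" "$5"
fi
```

Packet captures often contain credentials and other sensitive payloads, so the capture directory should be readable only by the account that analyses them.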