From: Matthew Seaman
Date: Sun, 24 May 2009 07:49:22 +0100
To: Morgan Wesström, FreeBSD Questions
Subject: Re: how to rotate a tcpdump file

Frank Shute wrote:
> On Sat, May 23, 2009 at 08:52:14PM +0100, Frank Shute wrote:
>> I was thinking of using the -C and -w options to tcpdump(1). From the
>> manpage:
>>
>>     -C     Before writing a raw packet to a savefile, check whether the
>>            file is currently larger than file_size and, if so, close the
>>            current savefile and open a new one. Savefiles after the first
>>            savefile will have the name specified with the -w flag, with a
>>            number after it, starting at 1 and continuing upward. The units
>>            of file_size are millions of bytes (1,000,000 bytes, not
>>            1,048,576 bytes).
>>
>> and now looking at it more closely, you don't even have to use
>> newsyslog. Just include the args: -C 10000000 -w my_tcpdump_log
>
> Oops! should be: -C 10 -w my_tcpdump_log
>
> I assume the OP is not too bothered whether it's megabytes or
> mebibytes or whatever the hell they call them (using base 10 rather
> than 2).

Hmmm... so when I said "tcpdump(1) doesn't have options to support rotating
dump files based on size" I was in fact *completely* wrong. Memo to self:
RTFM.

Sorry for the noise folks. Given it's a built-in function please ignore all
my blethering about shell scripts.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
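
Added example, not part of the original message and not tcpdump's own code: with -C and -w as quoted above, savefiles accumulate as my_tcpdump_log, my_tcpdump_log1, my_tcpdump_log2, ... and -C alone never removes old ones. The helper functions below (hypothetical names `savefiles_in_order` and `prune_savefiles`) list the savefiles oldest first in numeric rather than lexical order and delete all but the newest N; they assume tcpdump was started with only the -C and -w options from the thread.

```sh
#!/bin/sh
# Capture started elsewhere (needs privileges), using the args from the thread:
#   tcpdump -C 10 -w my_tcpdump_log      # new savefile every 10,000,000 bytes

# Print the savefiles for <base> oldest first, one per line.
# Naming per the quoted manpage: <base>, then <base>1, <base>2, ...
# A plain `ls` would sort <base>10 before <base>2, so sort on the number.
savefiles_in_order() {
    base=$1
    [ -e "$base" ] && printf '%s\n' "$base"
    for f in "$base"[0-9]*; do
        suffix=${f#"$base"}
        case $suffix in
            ''|*[!0-9]*) continue ;;   # unmatched glob or e.g. <base>2.bak
        esac
        printf '%s %s\n' "$suffix" "$f"
    done | sort -n | cut -d' ' -f2-
}

# Delete the oldest savefiles so that at most <keep> remain.
# The newest file (the one tcpdump still has open) is never touched
# as long as <keep> is at least 1.
prune_savefiles() {
    base=$1
    keep=$2
    total=$(savefiles_in_order "$base" | wc -l)
    excess=$((total - keep))
    [ "$excess" -gt 0 ] || return 0
    savefiles_in_order "$base" | head -n "$excess" |
    while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# Example (e.g. from cron): keep the 20 most recent 10 MB savefiles.
#   cd /path/to/captures && prune_savefiles my_tcpdump_log 20
```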