Tcpdump stop ungracefully

Question

I am looking for a reliable solution to do package capture for test automation.

Right now, tcpdump has been used with the following command.

sudo tcpdump -i ens160  -w filename.pcap -G 60 -W 1 

I stop tcpdump with:

kill -s SIGINT <pid>

1 out of 20 time tcpdump fails to exit properly, and the pcap file will be damaged.

Is there any way to make sure tcpdump will exit properly?

Answer 1

There are two ways to avoid a truncated dump file:

1. As suggested by Doug Smythies, use termination signal (SIGTERM) instead of SIGINT to kill the tcpdump process:

   kill <pid>
   

2. Tell tcpdump to write packet directly to file as each packet is saved (option -U). This way, even using SIGINT, the file will not be truncated. From man tcpdump :

   -U
   --packet-buffered
          If the -w option is not specified, make the  printed  packet
          output  ``packet-buffered''; i.e., as the description of the
          contents of each packet is printed, it will  be  written  to
          the standard output, rather than, when not writing to a ter‐
          minal, being written only when the output buffer fills.

          If the -w option is specified, make  the  saved  raw  packet
          output  ``packet-buffered'';  i.e., as each packet is saved,
          it will be written to the output  file,  rather  than  being
          written only when the output buffer fills.

          The  -U flag will not be supported if tcpdump was built with
          an older version of libpcap that lacks the pcap_dump_flush()
          function.