16

How can I capture the last N seconds of packets using tcpdump?

Tom Newton
  • 71
  • 1
  • 7

6 Answers

22

If you just want tcpdump to run for n seconds and then quit, you could use timeout.

For example:

timeout 2 tcpdump -eni mon0

Otherwise I don't believe tcpdump has an option to do this.

siesta
  • 329
  • 2
  • 2
  • Unfortunately the timeout command is not present in CentOS 5.x. It was added in a newer release of coreutils. Another motivation for me to upgrade the OS. – Mister_Tom Jul 02 '14 at 19:52
  • 2
    I suppose if you don't have timeout, you could instead create something like timeout with a script: – siesta Jul 03 '14 at 20:47
  • Works great for me. I used this to monitor all traffic for a program that wasn't working. I started tcpdump with a timeout of N seconds. Then I started the program (which takes up to N seconds). – Trevor Boyd Smith Nov 18 '14 at 14:01
  • The question asks to capture the *last* N seconds. Your answer tells how to capture the *first* N seconds. – Flimzy Oct 07 '16 at 10:10
4

I think the best way to accomplish this is with tcpdump's -G flag, which, when used with -w, will save your dump to a new file every N seconds. For instance:

tcpdump -w outfile-%s -G 10

This will create a new file with the name of 'outfile-XXXX' (where XXXX represents the number of seconds since epoch) every 10 seconds.

See the man pages for tcpdump(8) and strftime(3) for additional details.

Flimzy
  • 4,374
  • 21
  • 41
  • tcpdump 3.9.4 as shipped with CentOS 5.10 does not have the -G option. I really need to upgrade my OS. – Mister_Tom Jul 02 '14 at 19:53
  • -G does not stop the tcpdump command. It still runs forever. The timeout 2 tcpdump will stop the command after 2 seconds. – ciceron Oct 07 '16 at 09:26
  • @ciceron: The question wasn't about stopping tcpdump. It was about capturing the *last N seconds*. Your suggestion will capture the *first* N seconds. Decidedly not what the OP asked for. – Flimzy Oct 07 '16 at 10:09
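Building on the -G rotation above, the following added example (not from any of the answers) turns the rotated files into a rolling window that keeps only roughly the last WINDOW seconds: tcpdump's -z post-rotate hook calls the script with the file it just closed, and the script deletes timestamped files that ended before the window. The interface, paths, script name and the WINDOW/INTERVAL environment variables are assumptions.

```shell
#!/bin/sh
# Added example: rolling capture window built on tcpdump's -G rotation.
# Assumes tcpdump 4.x (-G, -z, and strftime patterns in -w are available).
# Run tcpdump (as root) with this script as the post-rotate hook, e.g.
#   WINDOW=60 INTERVAL=10 \
#   tcpdump -i eth0 -w /var/tmp/ring-%s.pcap -G 10 -z /path/to/ring_prune.sh
# Interface, directory and variable names are assumptions for illustration.

# prune_old_captures DIR PREFIX WINDOW INTERVAL NOW
# Deletes DIR/PREFIX-<epoch>.pcap files that were closed before NOW-WINDOW
# (a file named with start time T covers T..T+INTERVAL) and prints how many
# timestamped files remain. NOW is a parameter so the logic is testable.
prune_old_captures() {
    dir=$1; prefix=$2; window=$3; interval=$4; now=$5
    kept=0
    for f in "$dir/$prefix"-*.pcap; do
        [ -e "$f" ] || continue          # no matches: glob stays literal
        stamp=${f##*-}                   # text after the last '-'
        stamp=${stamp%.pcap}             # drop the suffix -> epoch seconds
        case $stamp in
            ''|*[!0-9]*) continue ;;     # not a %s-named file, leave it alone
        esac
        if [ $((stamp + interval)) -lt $((now - window)) ]; then
            rm -f -- "$f"                # ended before the window: discard
        else
            kept=$((kept + 1))
        fi
    done
    echo "$kept"
}

# tcpdump calls "ring_prune.sh <savefile>" after each rotation; only then do
# we prune, so sourcing this file or running it without arguments is harmless.
if [ $# -eq 1 ] && [ -f "$1" ]; then
    dir=$(dirname -- "$1")
    base=$(basename -- "$1")
    prune_old_captures "$dir" "${base%-*}" "${WINDOW:-60}" "${INTERVAL:-10}" \
        "$(date +%s)" >/dev/null
fi
```

Once the event of interest has passed, stop tcpdump: the surviving ring-*.pcap files plus the one still being written cover the last WINDOW seconds, give or take one rotation interval.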
2

You can use tethereal instead of tcpdump. You can use this command-line option:

-a duration:X
Excellll
  • 12,627
  • 11
  • 51
  • 78
Ugo
  • 21
  • 1
  • While this may answer the question, it would be a better answer if you could provide some explanation **why** it does so. – DavidPostill Dec 17 '14 at 17:23
  • tcpdump itself doesn't allow for a time-limited packet trace but tshark does. (n.b. since this question was asked and answered, Ethereal became Wireshark) `tshark -a duration:600 -i eth0 -w $(hostname).10mins.pcap` will capture ten minutes' worth of traffic from interface eth0 into the file $(hostname).10mins.pcap – Andrew Beals Dec 05 '18 at 22:09
1

I was trying to solve the same issue, so I wrote a portable script to run tcpdump for n seconds.

#!/bin/sh
# tcpdump_for_n_sec.sh: run tcpdump for n seconds, then stop it
n=$1
shift               # remove the first arg (seconds) so "$@" holds only the tcpdump args
tcpdump "$@" &      # start tcpdump in the background
x=$!                # remember its PID
sleep "$n"
kill "$x"           # SIGTERM makes tcpdump flush and close the output file

Usage: ./tcpdump_for_n_sec.sh <sec> <args for tcpdump>

./tcpdump_for_n_sec.sh 5 -i any not port 22 -s0 -wfile.pcap
lafferc
  • 111
  • 4
0

tcpdump options -w new.tcpdump

ps -ef |grep tcpdump

take note of PID, say it is 11193

at 11:00 kill 11193

now just wait till 11:00 comes and your capture will be killed but saved

-1

sudo tcpdump -i <interface> -w <file.pcap> &

This will run tcpdump in sleeping mode.

  • -w: save output in the .pcap file
  • &: the tcpdump process will run in sleeping mode
  • note: make sure you have enough space available if you want to run it for a while. It won't be interrupted if you log off, until you kill the process.