How to capture tcpdump to a compress file in linux

Question

I have a DNS server and I want to capture DNS traffic to get all the IPs which use my DNS server.

For this I start using following tcpdump command and capture them to a file:

tcpdump -n -i eth0 dst port 53 >> dns_data.log

But the file size is high when I run this for long time. How can I capture this to a compress file? I tried below command but its not working.

tcpdump -n -i eth0 dst port 53 | bzip2 -c >> dns_data.bz2

guessing that `bzip` doesn't know when the stream is closed, so it keeps waiting for more data. Check `man tcpdump` to see if there is an option "run for X (mins, secs, bytes) ? . Good luck. — shellter, May 19 '16 at 04:28

score 5 · Answer 1 · edited Oct 12 '16 at 18:15

5

Try something like tcpdump -G 3600 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -z gzip

-G N means rotate every N (3600) seconds. -z command means run command(gzip) after rotation.

edited Oct 12 '16 at 18:15

Community

answered May 19 '16 at 14:48

Anatoliy Orlov

maybe you mean `...-w "$(date +trace_%Y-%m-%d_%H:%M:%S.pcap)" -z ...` ? Good luck. – shellter May 23 '16 at 00:01
1

@shellter on a new enough tcpdump the `-G` option causes the `-w` option to be passed to `strftime` each time the file is rotated – Alnitak May 09 '17 at 16:21
@Alnitak : Thanks! Good to know. – shellter May 09 '17 at 16:26

1 Answers1