[tcpdump-workers] -C option not working? FreeBSD 10.1

2015-02-17 Thread SJP Lists 
Hello all,

Firstly, apologies if I missed info about this from a FAQ, documentation,
source README and CHANGES and Google or if I am just doing something
silly.  I looked at the man page and performed a Google and case sensitive
searches via casesensitivesearch.com (to avoid all the -c results) but did
not find any info about this issue I am having.

I have built a host for circular recording of WAN traffic onto 2TB worth of
storage, in order to hopefully catch pcaps after an event of intermittent
issues we are not able to replicate.  Hoping that when a user complains and
gives us the time of the issue, I can just grab a copy of the pre-recorded
pcap which should contain the traffic associated with their issue.

I've used FreeBSD 10.1 for this.  With the following tcpdump syntax as an
example, run as root:

tcpdump -C 1 -W 10 -w filename -i em0

and I am finding that filename0 is created and captured to, but the capture
does not roll over to the next file and instead continues to capture to the
first file beyond the limit I thought would be imposed with "-C 1", until I
kill the process.

I have tried the -Z option with "-Z root", in case the issue was that a new
file cannot be created once privs are dropped, but I get the same result.

Thank you for reading and any help that you can give!


Shane
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Re: [tcpdump-workers] -C option not working? FreeBSD 10.1

2015-02-18 Thread SJP Lists 
Wow this was quick!

Thanks so much Wesley and Guy.


Shane


On 19 February 2015 at 09:11, Wesley Shields  wrote:

> Thanks! I've submitted a pull request (please ignore my first one, it was
> made on the master branch of my fork).
>
> https://github.com/the-tcpdump-group/tcpdump/pull/433
>
> I'm still not clear how -G, -C and -W are meant to work together though.
> The manage is a bit unclear to me. Any pointers on how it is supposed to
> work so I can try and make sure that is true would be appreciated.
>
> -- WXS
>
> > On Feb 18, 2015, at 4:23 PM, Guy Harris  wrote:
> >
> >
> > On Feb 18, 2015, at 10:18 AM, Wesley Shields  wrote:
> >
> >> I've got a patch for this at
> https://github.com/wxsBSD/tcpdump/commit/84998745a29a0ffb3a680c29692c15426a1ce960
> .
> >
> > I've checked into the trunk a change to check for pcap_dump_ftell()
> failing (which it should *always* have done; had it done that, the symptoms
> of this problem would have been a bit less obscure), so your changes might
> at least need to get the indentation readjusted.
> >
>
>
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers