How to configure a packet trace to run for several days without consuming large amounts of disk space
This document (7011281) is provided subject to the disclaimer at the end of this document.
Environment
All Linux-based network applications
SUSE Linux Enterprise Server
tcpdump
Network trace
Packet capture
Buffer: Circular, ring, rotating
SUSE Linux Enterprise Server
tcpdump
Network trace
Packet capture
Buffer: Circular, ring, rotating
Situation
If the frequency of a problem is intermittent and/or random, it may be necessary to leave a packet trace running for several hours or even days in order to capture the events leading up to the failure. How is it possible to do this without consuming large amounts of disk space?
Resolution
Use a command line similar to the following which will capture ten files of 100Mb each (1Gb in total) to /tmp/trace.cap0 ... trace.cap9 and then start overwriting at trace.cap0 again.
For further information refer to man tcpdump.
tcpdump -i eth0 -s0 -w /tmp/trace.cap -C 100 -W 10Where
-i Interface to listen onCheck that there is sufficient disk space available and adjust the -C and -W parameters accordingly to ensure that a sufficient amount of traffic is captured prior to a failure.
-s0 Capture maximum possible packet size
-w Trace file location
-C Maximum capture file size in Mbytes
-W Maximum number of capture files
For further information refer to man tcpdump.
Additional Information
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7011281
- Creation Date: 30-Oct-2012
- Modified Date:03-Mar-2020
-
- SUSE End of Life
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
