Linux – Mirror traffic to tcpdump server and automatically save pcaps

Tags: linux, pcap, tcpdump

Looking to port-mirror a network firewall interface, connect that interface to a Linux server, and have that Linux server constantly run tcpdump and store the output in files.

Specifically, my requirement is to have pcap files saved over and over again as the size of that file reaches a specific number.

For example:

Juniper firewall port 2 mirrors all traffic on port 1. Port 2 connects to eth0 on the Linux server. Linux server has a tcpdump process running constantly on eth0. Linux server is configured to save the traffic to a file named "tcpdump.pcap", but when the pcap file exceeds a specific size, then it will then compress and rename to "tcpdump.pcap.0.gz". As the second file exceeds a specific size, then it will be renamed to "tcpdump.pcap.1.gz", etc.

This will allow me to view network traffic within the past X amount of time (for now, I'm looking to have visibility in the past 72 hours).

The problem here is that I don't know how to accomplish the above. Specifically, how do I get tcpdump to run continuously, automatically save pcaps, and automatically compress and rename them chronologically?

Best Answer

Let's break down the problem in the following parts:

  • let tcpdump save the dump in pcap format: you can use the -w option. As always, read the man page carefully;
  • continuously run tcpdump: you can use screen to run tcpdump, then detach/attach at your will; the process will continue to run until you stop it;
  • rotate the logfile: [as per Mark Riddell's suggestion] you can use the -C option to let tcpdump rotate the pcap file or, alternatively, you can configure and use logrotate to automatically rename/rotate the logfile when a specific size is reached.
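Putting the three parts of the answer together, here is an added example (not part of the original question or answer) of a single script that runs tcpdump with size-based rotation and uses tcpdump's -z post-rotate hook to gzip each closed file and prune compressed files older than the retention window. The interface name eth0, the capture directory /var/cap, the 500 MB file size and the 72 hour retention are assumed defaults; the script relies on GNU find and gzip. It does not use -W (tcpdump's ring buffer) because the ring only wraps the plain .pcap names, so the .gz copies would accumulate forever; pruning by age keeps roughly the requested window on disk instead.

```shell
#!/bin/sh
# Size-rotated tcpdump capture with gzip and age-based pruning.
# Added example, not taken from the original answer. Assumed values:
# interface eth0, capture dir /var/cap, 500 MB per file, 72 h retention;
# requires GNU find and gzip.
#
# Usage:  ./tcpdump-ring.sh start     (as root, e.g. inside screen or a
#                                      systemd unit)
# tcpdump itself runs "./tcpdump-ring.sh <closed-file>" after each rotation.

IFACE=${IFACE:-eth0}
CAPDIR=${CAPDIR:-/var/cap}
FILE_MB=${FILE_MB:-500}             # -C counts units of 1,000,000 bytes
RETENTION_HOURS=${RETENTION_HOURS:-72}

# Post-rotate handler (invoked by tcpdump -z with the closed file as the only
# argument): gzip the file tcpdump just finished writing, then delete every
# compressed capture in the same directory whose mtime is older than the
# retention window. gzip preserves the original mtime, so the .gz timestamp
# is the moment tcpdump closed that file, which is what we want to age on.
compress_and_prune() {
    closed=$1
    dir=$(dirname "$closed")
    gzip "$closed"                  # writes "$closed.gz", removes "$closed"
    find "$dir" -maxdepth 1 -type f -name '*.gz' \
        -mmin +"$((RETENTION_HOURS * 60))" -delete
}

# Start capturing. tcpdump closes the current file once it reaches FILE_MB,
# opens tcpdump.pcap1, tcpdump.pcap2, ... (the counter only grows, so the
# names are already chronological) and forks "<this script> <closed-file>"
# for each closed file because of -z.
start_capture() {
    self=$(readlink -f "$0")
    mkdir -p "$CAPDIR"
    # On Debian/Ubuntu tcpdump drops privileges to user "tcpdump" once the
    # interface is open, so that user needs write access to CAPDIR and must
    # be able to execute this script.
    exec tcpdump -n -i "$IFACE" -w "$CAPDIR/tcpdump.pcap" \
        -C "$FILE_MB" -z "$self"
}

case "${1:-}" in
    start) start_capture ;;
    "")    echo "usage: $0 start" >&2 ;;
    *)     compress_and_prune "$1" ;;   # called by tcpdump -z
esac
```

The file currently being written stays uncompressed until it rotates, so the most recent traffic is always readable with a plain tcpdump -r, and older files can be inspected with zcat file.gz | tcpdump -r - (tcpdump also reads .gz directly when its libpcap was built with zlib support). Because tcpdump forks the -z command and keeps capturing, a slow gzip on a large file does not stall the capture. For a box that must survive reboots, a systemd unit running the start action is more robust than a detached screen session, but either satisfies the "run continuously" part of the answer.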