tcpdump
tcpdump is a libpcap-based command-line packet capture tool for Linux and BSD. It captures packets matching a BPF filter expression and either prints a decoded one-line summary of each packet to stdout or, with `-w`, writes the raw packets to pcap files for later analysis (e.g. in Wireshark).
Features relevant to wiki sources
- Time-bucketed rotation. `-W N -G S -w 'fmt.pcap'` rotates the output file every S seconds, keeping N rotations. Combined with a time-templated filename (strftime syntax), this produces a rolling window of fixed-duration pcap slices that are small enough to grep or load into Wireshark individually. Note that when `-W` is paired with `-G` (rather than `-C`) it caps the number of rotated files and tcpdump exits once the cap is reached instead of overwriting the oldest file, so an unattended rolling window needs a supervisor that restarts it.
- Interface promiscuous and `any` capture. `-i any` captures on all interfaces, useful for hosts where the traffic of interest might traverse a virtual interface, loopback, or a VPN tunnel.
- BPF filter expressions. `port 53`, `host 10.0.0.2`, etc. narrow the capture to traffic of interest in the kernel, without requiring userspace filtering.
Seen in
- Stripe: The secret life of DNS packets (2024-12-12). Stripe used `tcpdump -n -tt -i any -W 30 -G 60 -w '%FT%T.pcap' port 53` to capture 30 rolling 60-second windows of DNS traffic named by ISO-8601 timestamp, bounding per-file size, aligning the capture window with the observed hourly spike cadence, and letting engineers grep a specific slice without loading gigabytes. Canonical `patterns/time-bucketed-tcpdump-capture` instance.
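The following shell script is an added example for this entry, not code from the page, from tcpdump or from Stripe. It covers both the time-bucketed rotation feature above and the Stripe invocation: one function builds the capture command line (nothing is executed, since capturing needs root or CAP_NET_RAW), and two functions locate the pcap slice, or range of slices, that covers a moment of interest from the ISO-8601 filenames the `-w '%FT%T.pcap'` template produces. The function names (`capture_cmd`, `slice_for`, `slices_between`), the sample slice filenames and the timestamps are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page, tcpdump or Stripe): build the
# time-bucketed tcpdump command and locate slices by their ISO-8601 names.

# capture_cmd IFACE FILES SECONDS FILTER: print the tcpdump command line for a
# FILES-file, SECONDS-second rolling capture. Two details worth knowing:
#   - the -w template is expanded with strftime() in *local* time, so run with
#     TZ=UTC when slices must line up with UTC-stamped logs;
#   - with -G, -W caps the number of rotated files and tcpdump exits once the
#     cap is reached (it does not wrap around as with -C), so a continuous
#     rolling window needs a supervisor that restarts it.
capture_cmd() {
  iface=$1; files=$2; seconds=$3; filter=$4
  printf "tcpdump -n -tt -i %s -W %s -G %s -w '%%FT%%T.pcap' %s\n" \
    "$iface" "$files" "$seconds" "$filter"
}

# slice_for TARGET FILE...: print the slice that holds packets at TARGET
# (YYYY-MM-DDTHH:MM:SS). -G rotates on the first packet seen after the interval
# has elapsed, so file start times are not aligned to wall-clock minutes; the
# right slice is the one with the latest start time not after TARGET. Because
# the stems are zero-padded ISO-8601, plain string order is chronological
# order and no date parsing is needed. Exit 1 if no slice qualifies.
slice_for() {
  target=$1; shift
  printf '%s\n' "$@" | awk -v t="$target" '
    {
      s = $0; sub(/^.*\//, "", s); sub(/\.pcap$/, "", s)   # ISO-8601 stem
      if (s <= t && (best == "" || s > best)) { best = s; file = $0 }
    }
    END { if (file == "") exit 1; print file }'
}

# slices_between FROM TO FILE...: print, oldest first, every slice that could
# hold packets timestamped between FROM and TO: the slice already open at FROM
# plus every slice started at or before TO.
slices_between() {
  from=$1; to=$2; shift 2
  printf '%s\n' "$@" | awk -v from="$from" -v to="$to" '
    {
      s = $0; sub(/^.*\//, "", s); sub(/\.pcap$/, "", s)
      path[NR] = $0; start[NR] = s
      if (s <= from && (lo == "" || s > lo)) lo = s       # slice open at FROM
    }
    END {
      for (i = 1; i <= NR; i++)
        if (start[i] >= lo && start[i] <= to) print path[i]
    }' | sort
}

# Constructed sample listing: what the capture directory might contain after a
# few minutes of 60-second rotation (not real capture output; note the start
# times drift because rotation waits for the next packet).
SAMPLE_SLICES="2024-12-12T03:12:00.pcap
2024-12-12T03:13:01.pcap
2024-12-12T03:14:03.pcap
2024-12-12T03:15:04.pcap"

demo() {
  capture_cmd any 30 60 'port 53'
  # shellcheck disable=SC2086  (intentional word splitting of the listing)
  slice_for 2024-12-12T03:14:30 $SAMPLE_SLICES
  slices_between 2024-12-12T03:13:30 2024-12-12T03:14:10 $SAMPLE_SLICES
}
demo
```

Once `slice_for` has named a file, the slice is read back with the same filter syntax used at capture time, e.g. `tcpdump -n -tt -r FILE 'port 53 and host 10.0.0.2'`, which is the "grep a specific slice" step without loading the whole window.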