On 4/10/22 9:39 AM, Yogendra Kumar Chaudhary wrote:
> Good Evening Community,
> I am running the following command in OpenBSD 6.2:
> "tcpdump -Nneqt -w tcpdump.pcap -i vic0 &"
> and using the following newsyslog.conf entry for rotating tcpdump.pcap:
> # logfile_name owner:group mode count size when flags
> /home/logs/tcpdump.pcap 644 5 10 * z
> So when newsyslog checks and the size hits >=10KB, the tcpdump.pcap file
> will be rotated and tcpdump.pcap.0.gz will be created.
> But after this, the size of the file is not increasing.
> Run the following command to check the file:
> # tcpdump -r tcpdump.pcap
> tcpdump: bad dump file format
> and the above tcpdump command is still running in the background.
> So the question is, does tcpdump have any issue with rotating files with
> newsyslog?
> Or am I missing something?
> Can you please suggest a solution for this?
I see a couple of potential problems.
1) tcpdump -w is writing raw packets out, you probably don't want newsyslog
adding a text log rotated message to your dump file. Look at the "B" flag.
2) You didn't do anything to tell tcpdump to stop dumping to the old file
and use a new one.
So ... I suspect something like this is happening:
* tcpdump is putting data to a file pointed to by the link "tcpdump.pcap"
* newsyslog rotates the log file and triggers the compression process.
* the old file is read by gzip and a new file is created. (note, the old
file isn't compressed "in place" -- a new file is created!)
* gzip deletes the old file link. Except tcpdump is still sending data to
the file, but there's no way to access the data. Kinda cool, you could
fill your disk with no way to get your data.
So, I'm thinking you probably want a 'b' and a SIGHUP sent to tcpdump.
You can validate my second point by disabling the compression, I suspect
you will see your .0 file continue to grow in size, until it becomes .1, etc.
newsyslog sends a SIGHUP to syslogd, but your output isn't going through
syslogd in this case -- it is coming directly from tcpdump.
I probably got a few things wrong here. :)
Nick.
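An added demonstration of the race Nick describes, not code from the thread. A generic background writer stands in for "tcpdump -w" (it keeps one file descriptor open), so whether OpenBSD's tcpdump really reopens its dump file on SIGHUP is an assumption this script does not verify; it only shows why rename-plus-gzip without a signal strands the writer on an unlinked inode, and what the rename, signal, then compress sequence changes.

```shell
#!/bin/sh
# Added demonstration (not from the thread). A generic writer holds one fd
# open like "tcpdump -w"; rename plus gzip (newsyslog's 'z' flag) leaves it
# appending to an unlinked inode. Assumes POSIX sh, fractional sleep, gzip.

# Start a writer that keeps fd 3 open on $1 and reopens it on SIGHUP.
start_writer() {
    wf=$1
    (
        trap 'exec 3>>"$wf"' HUP       # reopen by name after a rotation
        exec 3>>"$wf"
        while :; do echo "packet" >&3; sleep 0.05; done
    ) >/dev/null 2>&1 &
    echo $!                            # PID of the writer subshell
}

# Rotation without telling the writer: gzip unlinks the renamed file and the
# writer's data now goes to an inode nothing can open by name.
rotate_without_signal() {
    mv "$1" "$1.0" && gzip -f "$1.0"
}

# Rotation as a 'B'-flag entry plus a SIGHUP is meant to work: rename, let
# the writer reopen the fresh path, then compress the old copy.
rotate_with_signal() {
    mv "$1" "$1.0" && kill -HUP "$2" && sleep 0.2 && gzip -f "$1.0"
}

# Returns 0 when the naive rotation leaves no live file and the signalled
# rotation leaves one that is being written to again.
demo() {
    d=$(mktemp -d) || return 1
    f=$d/dump.pcap
    pid=$(start_writer "$f")
    sleep 0.2
    rotate_without_signal "$f"
    sleep 0.2
    naive_ok=1
    if [ -e "$f" ]; then naive_ok=0; fi   # expected: path is gone
    kill -HUP "$pid"; sleep 0.2           # recover: writer recreates $f
    rotate_with_signal "$f" "$pid"
    sleep 0.2
    signal_ok=0
    if [ -s "$f" ] && [ -e "$f.0.gz" ]; then signal_ok=1; fi
    kill "$pid" 2>/dev/null
    rm -rf "$d"
    [ "$naive_ok" = 1 ] && [ "$signal_ok" = 1 ]
}
```

Disabling compression, as Nick suggests, makes the same point visible on the real system: the renamed .0 file keeps growing because the writer's descriptor still refers to it.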