The most surprising thing about tcpdump’s ring buffer is that it doesn’t actually discard old packets; it just makes them inaccessible until the capture stops.
Let’s see tcpdump in action, capturing traffic and writing it to multiple files. Imagine you’re troubleshooting a network issue on a busy server and need to capture traffic for an extended period without running out of disk space. You can use tcpdump’s ring buffer functionality to manage this.
Here’s how we’d set it up to capture packets and write them to files, each up to 100 megabytes in size, creating a maximum of 5 such files:
sudo tcpdump -i eth0 -w traffic_capture_%Y%m%d_%H%M%S.pcap -C 100 -W 5
In this command:
-i eth0: Specifies the network interface to capture from (e.g.,eth0).-w traffic_capture_%Y%m%d_%H%M%S.pcap: Defines the output file name pattern.tcpdumpwill use this pattern to create multiple files. The%Y%m%d_%H%M%Spart is a timestamp that gets embedded into the filename, making it easy to identify when each file was created.-C 100: This is the crucial part for the ring buffer. It tellstcpdumpto start a new file after every 100 megabytes of data.-W 5: This option limits the number of filestcpdumpwill create. Oncetcpdumphas written 5 files, it will start overwriting the oldest file. This creates the "ring buffer" effect.
When you run this, tcpdump will start capturing packets on eth0. It will write to a file named something like traffic_capture_20231027_103000.pcap. Once that file reaches approximately 100MB, tcpdump will close it and start a new one, say traffic_capture_20231027_103515.pcap. This continues until tcpdump has created 5 files. At that point, the next file it attempts to create will overwrite the very first file it made. This cycle repeats, ensuring you always have the most recent data while preventing disk space exhaustion.
The problem this solves is the finite nature of disk storage. Without -C and -W, a long tcpdump session on a busy network could quickly fill up a disk, potentially crashing the system or losing valuable diagnostic data. The ring buffer allows for continuous capture over long periods, keeping only the most recent traffic.
Internally, tcpdump manages a list of filenames. When -W is set, it maintains a circular list. When the file count reaches the limit specified by -W, tcpdump reuses the first filename in its list. The timestamp in the filename pattern helps distinguish between different capture sessions if you were to restart tcpdump, but within a single running instance, the -W option dictates the overwriting behavior. The -C option triggers the file rotation based on size, and the system manages which file gets overwritten next based on the -W limit.
The real magic of -C is that it’s not just about file size; it’s about data written, not disk space used. This means if you have a very slow disk or a very busy network, tcpdump might not be able to keep up with writing data to disk. In such scenarios, it will still rotate files at the specified size, but the capture might drop packets that it can’t buffer and write in time. The -s option (snapshot length) also plays a role here, as capturing full packets (-s 0) uses more I/O than capturing truncated packets.
You might find that even with a ring buffer, you’re still missing packets. This usually means the system is I/O bound or the network is saturated beyond what tcpdump can process and write to disk.
The next step after mastering continuous capture is understanding how to efficiently analyze these segmented capture files, often by concatenating them or using tools that can read multiple pcap files as a single stream.