tcpdump can fill up your disk faster than you can say "packet loss" if you’re not careful.

Let’s say you’re trying to debug a persistent, intermittent network issue. You fire up tcpdump to capture everything, hoping to catch the elusive problem in the act. You run tcpdump -w capture.pcap and walk away. Hours later, you come back to find the disk 100% full, tcpdump gone after its first failed write, and quite possibly the very thing you were looking for missed because the capture stopped prematurely. If that partition also holds /var/log or a database, other services have probably started failing too. This is where file rotation comes in: tcpdump can manage its own disk space by switching to a new file as the current one fills up and reusing old ones.

The core option for this is -C. It tells tcpdump to switch to a new file once the current one exceeds a given size, measured in millions of bytes (1,000,000 bytes, not 1,048,576; recent releases also accept a k/m/g suffix for binary units). So, if you want to rotate every 100 MB, you’d use -C 100. The size check runs before each packet is written, so a file can overshoot the limit by one packet. But that’s not all; you also need to tell tcpdump how many files to keep. Otherwise it appends 1, 2, 3, ... to the name indefinitely (capture.pcap, capture.pcap1, capture.pcap2, with no dot before the number) and you eventually run out of disk space again. That’s where -W comes in. It specifies the number of files in the ring. With -W 5, tcpdump numbers the files 0 through 4 (capture.pcap0 ... capture.pcap4, zero-padded to as many digits as the count needs), and after filling capture.pcap4 it wraps around and reopens capture.pcap0, truncating it. Nothing is deleted; the oldest file is simply overwritten, so the ring never holds more than -C times -W million bytes plus the overshoot of the file currently being written.

Here’s a common scenario: debugging a busy web server. You want to capture traffic for a few hours, but you don’t want a single massive file, and you certainly don’t want to fill your root partition.

sudo tcpdump -i eth0 -C 100 -W 5 -w /var/log/tcpdump/capture.pcap

Let’s break this down:

  • sudo: tcpdump needs root (or CAP_NET_RAW and CAP_NET_ADMIN granted with setcap) to open the interface. Prefer -Z <user> so it drops to an unprivileged user after opening the device; some distributions compile this in (Debian and Ubuntu switch to the tcpdump user by default). This matters below, because that user, not root, is the one that creates the capture files.
  • -i eth0: Specifies the network interface to listen on. Replace eth0 with your actual interface name (e.g., ens18, wlan0). You can list interfaces with ip link or tcpdump -D.
  • -C 100: This is the rotation trigger. tcpdump starts a new file once the current one exceeds 100 million bytes.
  • -W 5: This limits the ring to 5 files. After the fifth file fills, tcpdump wraps around and overwrites the first one.
  • -w /var/log/tcpdump/capture.pcap: The output path is the base name. With -W 5 the files on disk will be capture.pcap0, capture.pcap1, capture.pcap2, capture.pcap3 and capture.pcap4 (the counter is appended directly, with no dot, and padded with leading zeros to fit the count, so -W 100 gives capture.pcap00 through capture.pcap99). Keep the directory on a partition other than / or /var/log, and keep it readable only by people who are allowed to see the traffic (for example mode 0750, owned by root and the capture user): the files hold whatever crossed the wire, including credentials and session tokens.

What about %Y%m%d_%H%M%S in the file name?

You will often see -w capture_%Y%m%d_%H%M%S.pcap recommended. Those are strftime(3) specifiers, and tcpdump only expands them when time-based rotation is on (-G <seconds>). With -C alone the name is used literally, so you get a file called, verbatim, capture_%Y%m%d_%H%M%S.pcap0. -G also changes what -W means: with -G, -W caps the number of time-rotated files and tcpdump exits with status 0 once the cap is reached instead of wrapping around, and without a time format in the name every -G rotation overwrites the same file. Use -G when you want files cut on a clock and named by time (for example -G 3600 -w capture_%Y%m%d_%H%M%S.pcap); use -C and -W when you want a bounded ring that keeps running. If you do put % in a name launched from cron, escape it as \% because crontab turns an unescaped % into a newline.
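Predicting the on-disk layout before starting a ring, as an added example that is not from the original post or from the tcpdump project: the functions below reproduce tcpdump’s naming rule for -C/-W (the counter is appended directly and zero-padded to the number of digits in count minus one), compute the ring’s maximum footprint, and assemble the command line so it can be inspected before anything runs. The interface, sizes and paths in the demo are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post, not part of tcpdump): predict
# what "tcpdump -C <size> -W <count> -w <base>" will put on disk.
# Naming rules follow tcpdump's MakeFilename():
#   - without -W: first file is <base>, later ones <base>1, <base>2, ...
#   - with -W N:  files are <base>0 .. <base>(N-1), zero-padded to the number
#                 of digits in N-1; tcpdump wraps to <base>0 and overwrites it
#                 rather than deleting anything.
# -C counts millions of bytes (1,000,000), not MiB, and the size check runs
# before each packet is written, so a file can overshoot by one packet.

# Digits tcpdump pads the counter to for "-W <count>" (0 means no counter).
ring_digits() {
    x=$(($1 - 1))
    digits=0
    while [ "$x" -gt 0 ]; do
        digits=$((digits + 1))
        x=$((x / 10))
    done
    echo "$digits"
}

# Print the file names a "-C <size> -W <count> -w <base>" run cycles through.
ring_filenames() {
    base=$1; count=$2
    digits=$(ring_digits "$count")
    if [ "$digits" -eq 0 ]; then
        echo "$base"        # -W 1: the plain name is reused every rotation
        return 0
    fi
    i=0
    while [ "$i" -lt "$count" ]; do
        printf "%s%0${digits}d\n" "$base" "$i"
        i=$((i + 1))
    done
}

# Bytes the ring occupies once full (overshoot of the current file excluded).
ring_footprint_bytes() {
    echo $(($1 * 1000000 * $2))
}

# Assemble the command line; prints it unless the fifth argument is "run".
ring_capture() {
    iface=$1; size_mb=$2; count=$3; base=$4; mode=${5:-show}
    set -- tcpdump -i "$iface" -C "$size_mb" -W "$count" -w "$base"
    if [ "$mode" = run ]; then
        exec sudo "$@"
    fi
    echo "$*"
}

# Demo with constructed values: a five-file, 100 MB ring under /var/log/tcpdump.
if [ "${1:-}" = "demo" ]; then
    ring_filenames /var/log/tcpdump/capture.pcap 5
    echo "footprint when full: $(ring_footprint_bytes 100 5) bytes"
    ring_capture eth0 100 5 /var/log/tcpdump/capture.pcap
fi
```

Run it as sh ring.sh demo to see the five names and the command line; passing run as the fifth argument to ring_capture starts the capture under sudo.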

Common Pitfalls and Solutions:

  1. Not enough disk space for the ring: Rotation bounds the capture at roughly -C times -W million bytes, but that total still has to fit. With -C 100 -W 5 you need about 500 MB plus headroom; if the partition has 50 MB free, tcpdump exits on the first write that fails with "No space left on device".

    • Diagnosis: Check available space on the capture directory with df -h and compare it with -C × -W.
    • Fix: Put the capture directory on a partition with room, or shrink the ring (e.g., -C 50 -W 5).
    • Why it works: The ring’s footprint is bounded by -C × -W (plus one packet of overshoot on the file being written), so sizing it below the free space keeps every write from failing.
  2. Forgetting -W and filling the disk: This is the classic problem. You set -C but not -W, and tcpdump keeps creating files until the disk is full.

    • Diagnosis: ls -l /var/log/tcpdump/ shows hundreds or thousands of files. df -h shows disk full.
    • Fix: Add -W <number> to your tcpdump command. For example, sudo tcpdump -i eth0 -C 100 -W 10 -w /var/log/tcpdump/capture.pcap.
    • Why it works: -W turns the open-ended sequence into a ring: once -W files exist, tcpdump wraps around and overwrites the oldest one instead of creating another, so the footprint stays bounded.
  3. Incorrect directory permissions: tcpdump needs to be able to write to the specified directory.

    • Diagnosis: tcpdump exits with a "Permission denied" error when trying to write the file.
    • Fix: Ensure the directory exists (sudo mkdir -p /var/log/tcpdump) and that the user tcpdump writes as has write permission. That user is root only if tcpdump keeps its privileges. With -Z <user>, or on builds that drop privileges by default (Debian and Ubuntu switch to the tcpdump user after opening the interface), the savefile is created after the drop, so unless the build keeps CAP_DAC_OVERRIDE for exactly this purpose (libcap-ng builds do) the directory must be writable by that user, e.g. sudo chown root:tcpdump /var/log/tcpdump && sudo chmod 0770 /var/log/tcpdump. If running as a non-root user via setcap, the same applies to that user. On Ubuntu, also check the AppArmor profile for tcpdump, which confines where it may write.
    • Why it works: The process that actually opens the savefile is the deprivileged one, so the permission has to be granted to it rather than to root.
  4. Using -W without -C (or vice-versa): These options are meant to be used together for a size-based ring. -C without -W leads to disk fill; -W without -C or -G does nothing, since there is no rotation to count (with -G, -W caps the number of time-rotated files and makes tcpdump exit when the cap is reached rather than wrap around).

    • Diagnosis: Either the disk fills up (missing -W), or files are not rotated by size (missing -C).
    • Fix: Use both -C <size_in_MB> and -W <number_of_files>.
    • Why it works: -C defines the rotation trigger (size), and -W defines the cleanup policy (number of files).
  5. Timestamp specifiers that are never expanded: Putting %Y%m%d_%H%M%S in the -w name does nothing unless -G is also given; with -C alone the percent signs are written into the file name literally.

    • Diagnosis: ls shows a file whose name still contains %Y%m%d (e.g., capture_%Y%m%d_%H%M%S.pcap0), or, when the command came from cron, a truncated name and a cron error, because crontab treats an unescaped % as a newline.
    • Fix: Either drop the pattern and rely on the counter (sudo tcpdump -i eth0 -C 100 -W 5 -w /var/log/tcpdump/capture.pcap, giving capture.pcap0 through capture.pcap4), or switch to time-based rotation with -G <seconds> and keep the strftime pattern, escaping each % as \% in a crontab entry.
    • Why it works: tcpdump runs the name through strftime(3) only on -G rotations; the -C/-W counter is appended without any expansion.
  6. Interface not specified or incorrect: Capturing on the wrong interface means you won’t see the traffic you’re interested in, even if tcpdump is rotating files perfectly.

    • Diagnosis: Captured files are empty or don’t contain the expected network activity.
    • Fix: Use ip a or ifconfig to identify the correct network interface and specify it with -i <interface_name>.
    • Why it works: Directs tcpdump’s capture engine to the physical or virtual network connection carrying the relevant packets.
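A preflight script that checks for the pitfalls above before the capture starts, as an added example (not part of the original post and not a tcpdump feature). It assumes Linux (interfaces are looked up under /sys/class/net), a POSIX df and awk, and that the privilege-drop user, when you pass one, can be impersonated with sudo -u; the interface, sizes, paths and user name are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original post and not part of tcpdump:
# preflight checks for a "tcpdump -C <size> -W <count> -w <base>" ring
# that catch the pitfalls above before any packet is captured.
# Assumes Linux (/sys/class/net) and POSIX df/awk.

# Pitfall 4: both -C and -W are needed for a bounded, size-based ring.
check_rotation_flags() {
    size_mb=$1; count=$2
    { [ -n "$size_mb" ] && [ "$size_mb" -gt 0 ]; } 2>/dev/null ||
        { echo "need -C <size in millions of bytes>" >&2; return 1; }
    { [ -n "$count" ] && [ "$count" -gt 0 ]; } 2>/dev/null ||
        { echo "need -W <file count>" >&2; return 1; }
}

# Pitfall 5: strftime specifiers are expanded only with -G; with -C alone
# the % characters end up in the file name verbatim.
check_name_pattern() {
    base=$1; rotate_seconds=$2
    case "$base" in
    *%*)
        [ -n "$rotate_seconds" ] ||
            { echo "'%' in the -w name is only expanded with -G <seconds>" >&2; return 1; }
        ;;
    esac
}

# Pitfall 3: the directory must be writable by the user that opens the
# savefile: root, or the -Z user (Debian/Ubuntu drop to 'tcpdump' by default).
# Builds that keep CAP_DAC_OVERRIDE after the drop are more permissive than
# this check, so treat a failure here as a warning to verify, not a verdict.
check_outdir() {
    dir=$1; user=${2:-}
    [ -d "$dir" ] || { echo "$dir does not exist (sudo mkdir -p $dir)" >&2; return 1; }
    if [ -n "$user" ]; then
        sudo -u "$user" test -w "$dir" ||
            { echo "$dir is not writable by $user" >&2; return 1; }
    else
        [ -w "$dir" ] || { echo "$dir is not writable" >&2; return 1; }
    fi
}

# Pitfalls 1 and 2: the full ring (-C * -W million bytes) plus 10% headroom
# for the one-packet overshoot and filesystem metadata must fit.
check_free_space() {
    dir=$1; size_mb=$2; count=$3
    need=$((size_mb * 1000000 * count))
    # POSIX df output: column 4 of the second line is available 1K blocks.
    avail_kb=$(df -Pk "$dir" | awk 'NR == 2 { print $4 }')
    avail=$((avail_kb * 1024))
    [ "$avail" -gt $((need + need / 10)) ] ||
        { echo "ring needs ~$need bytes in $dir, only $avail available" >&2; return 1; }
}

# Pitfall 6: the interface has to exist before tcpdump can open it.
check_iface() {
    [ -e "/sys/class/net/$1" ] ||
        { echo "no interface '$1' (try: ip link, or tcpdump -D)" >&2; return 1; }
}

# Run every check for one capture; stops at the first failure.
preflight() {
    iface=$1; size_mb=$2; count=$3; base=$4; rotate_seconds=${5:-}; user=${6:-}
    dir=$(dirname "$base")
    check_rotation_flags "$size_mb" "$count" &&
    check_name_pattern "$base" "$rotate_seconds" &&
    check_outdir "$dir" "$user" &&
    check_free_space "$dir" "$size_mb" "$count" &&
    check_iface "$iface"
}

# Usage: sh preflight.sh run eth0 100 5 /var/log/tcpdump/capture.pcap "" tcpdump
if [ "${1:-}" = "run" ]; then
    shift
    preflight "$@" && echo "preflight ok: sudo tcpdump -i $1 -C $2 -W $3 -w $4"
fi
```

The sixth argument is the privilege-drop user; leave it empty when tcpdump runs as root and keeps its privileges. Each check prints its reason on stderr and returns non-zero, so the script fits in a wrapper or a systemd ExecStartPre= line.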

After fixing these, any remaining failure to open the output file is reported by tcpdump with the path and the operating-system error text (for example Permission denied, No such file or directory, or Read-only file system), which points at a permission, mount or filesystem issue rather than at the rotation options.
