Tcpdump is a very well-known tool for capturing and analysing network traffic. Among its many options is the ability to write captured traffic to a file (normally called a PCAP file, short for Packet Capture). This is invoked with the -w <capture_file> option. The command below instructs tcpdump to write the network traffic to the file "trace.pcap".
tcpdump -w trace.pcap
Another tcpdump option is to capture network traffic for N seconds at a time and write each interval to a different file. This is done with the -G <num_secs> option together with time format directives in the capture file name. Let's see an example.
tcpdump -G 60 -w 'trace_%Y%m%d-%H%M%S.pcap'
This command instructs tcpdump to rotate the capture every 60 seconds, writing to a new trace file whose name is built from the time format directives. When you stop tcpdump, listing the files shows one capture for every 60 seconds (1 minute).
# ls -l
-rw-r--r-- 1 root root 9085 Jan 13 08:15 trace_20150113-081412.pcap
-rw-r--r-- 1 root root 9302 Jan 13 08:16 trace_20150113-081512.pcap
-rw-r--r-- 1 root root 9360 Jan 13 08:17 trace_20150113-081612.pcap
-rw-r--r-- 1 root root 14689 Jan 13 08:18 trace_20150113-081713.pcap
-rw-r--r-- 1 root root 5902 Jan 13 08:18 trace_20150113-081813.pcap
For the complete list of time format directives, refer to strftime(3); these are the ones used above:
- %Y = Year as a four-digit decimal number (e.g. 2015)
- %m = Month in decimal format
- %d = Day of the month in decimal format
- %H = Hour in 24-hour clock decimal format
- %M = Minutes in decimal format
- %S = Seconds in decimal format
Handy values for the -G <num_secs> interval:
- 5 minutes = 300 seconds
- 10 minutes = 600 seconds
- 1 hour = 3600 seconds
- 24 hours = 86400 seconds
Recording and rotating capture files at a fixed interval is very useful, particularly with very heavy network traffic. Big capture files are difficult to process, so breaking them into smaller, manageable ones is recommended. Moreover, if your tcpdump process crashes while capturing (for example, through memory exhaustion), all the effort is not lost if you are using rotated capture files: only the file being written at that moment is at risk.
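The following script is an added example and not part of the original post. It wraps the -G rotation described above so that the interval can be given as "5m", "1h" or "1d", drops tcpdump's privileges with -Z once the interface is open, and adds a prune step that keeps only the newest N capture files so a long-running capture does not fill the disk. The "trace_" prefix, the ./captures directory, the "nobody" user and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): a small wrapper around
# tcpdump -G rotation with interval parsing, privilege dropping and
# retention of the newest N capture files.

# Convert "300", "5m", "1h" or "1d" to a number of seconds for tcpdump -G.
interval_to_seconds() {
    case "$1" in
        *m) echo $(( ${1%m} * 60 )) ;;
        *h) echo $(( ${1%h} * 3600 )) ;;
        *d) echo $(( ${1%d} * 86400 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# Filename template with strftime directives. tcpdump expands them itself
# at every rotation, so the pattern must reach it literally (single quotes
# when typed at an interactive shell).
capture_pattern() {
    echo "$1/$2%Y%m%d-%H%M%S.pcap"
}

# Start a rotating capture on interface $1 every $2 (e.g. "5m") into dir $3.
# -Z switches to an unprivileged user after the interface is opened, so the
# output directory must be writable by that user (hypothetical choice: nobody).
run_capture() {
    iface=$1; secs=$(interval_to_seconds "$2"); dir=$3
    mkdir -p "$dir" && chown nobody "$dir"
    tcpdump -i "$iface" -n -Z nobody -G "$secs" -w "$(capture_pattern "$dir" trace_)"
}

# Delete all but the newest $3 files named $2*.pcap in directory $1.
# The %Y%m%d-%H%M%S timestamp sorts correctly as plain text, so no mtime
# parsing is needed. Prints the number of files removed.
prune_captures() {
    dir=$1; prefix=$2; keep=$3
    removed=0
    for f in $(ls "$dir" | grep "^${prefix}.*\.pcap$" | sort -r | tail -n +$((keep + 1))); do
        rm -f "$dir/$f"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Usage (requires root and a real interface, so not run here):
#   run_capture eth0 5m ./captures &
#   prune_captures ./captures trace_ 48   # keep the last 4 hours of 5-minute files
```

tcpdump's own -W option combined with -G also caps the number of rotated files, but tcpdump then exits when the limit is reached; running the prune step separately (for example from cron) keeps the capture going while still bounding disk usage.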