tcpdump -W 5 -C 10 -w capfile

What the above command does is create a rotating buffer of 5 files (-W 5) and tcpdump switches to another file once the current file reaches 10,000,000 bytes, about 10MB (-C works in units of 1,000,000 bytes, so -C 10 = 10,000,000 bytes). The prefix of the files will be capfile (-w capfile), and a one-digit integer will be appended to each.

So your directory will have 5 files rotating with constant capture data:






Each will be approximately 10,000,000 bytes, but will probably be slightly larger (depending on the space remaining and the size of the last packet received). If you want a larger rolling data set, set -W to a higher count (for example, -W 50).

It is also very important that the user and group tcpdump have write access to the location where you are storing these files, even if you are running as root.
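A pre-flight check for the two points above (the ring's size on disk and write access for the tcpdump user), as an added example that is not part of the original text. The names CAP_USER and CAP_DIR, the path /var/tmp/captures, the 10% headroom and the use of runuser are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a tcpdump ring buffer (-W files of -C units).
# CAP_USER, CAP_DIR and the 10% headroom are assumptions, not tcpdump defaults.
CAP_USER="${CAP_USER:-tcpdump}"
CAP_DIR="${CAP_DIR:-/var/tmp/captures}"   # hypothetical capture directory

# ring_bytes FILES SIZE -> nominal ring size; -C counts units of 1,000,000 bytes
ring_bytes() { echo $(( $1 * $2 * 1000000 )); }

# free_bytes DIR -> bytes available on the filesystem holding DIR (empty on error)
free_bytes() { df -Pk "$1" 2>/dev/null | awk 'NR==2 { printf "%d\n", $4 * 1024 }'; }

# ring_fits DIR FILES SIZE -> 0 if the ring plus 10% headroom fits in free space
ring_fits() {
  local need free
  need=$(ring_bytes "$2" "$3")
  free=$(free_bytes "$1")
  [ -n "$free" ] && [ "$free" -ge $(( need + need / 10 )) ]
}

# can_write_as USER DIR -> 0 writable, 1 not writable, 2 cannot tell.
# A plain [ -w ] run as root always succeeds, so root tests as USER via runuser.
can_write_as() {
  if [ "$(id -un 2>/dev/null)" = "$1" ]; then
    [ -d "$2" ] && [ -w "$2" ] && [ -x "$2" ]
  elif [ "$(id -u)" -eq 0 ] && command -v runuser >/dev/null; then
    runuser -u "$1" -- test -d "$2" -a -w "$2" -a -x "$2"
  else
    return 2
  fi
}

# preflight FILES SIZE -> prints the capture command only if both checks pass
preflight() {
  can_write_as "$CAP_USER" "$CAP_DIR" ||
    { echo "$CAP_USER cannot write to $CAP_DIR (or cannot verify)" >&2; return 1; }
  ring_fits "$CAP_DIR" "$1" "$2" ||
    { echo "not enough free space in $CAP_DIR" >&2; return 1; }
  echo "tcpdump -W $1 -C $2 -w $CAP_DIR/capfile"
}

# Run the checks only when asked, e.g.: ./ring_preflight.sh --check 5 10
if [ "${1:-}" = "--check" ]; then preflight "${2:-5}" "${3:-10}"; fi
```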