https://stackoverflow.com/questions/21567963/how-to-save-a-new-file-when-tcpdum-file-size-reaches-10mb


tcpdump -W 5 -C 10 -w capfile


What the above command does is create a rotating buffer of 5 files (-W 5) and tcpdump switches to another file once the current file reaches 10,000,000 bytes, about 10MB (-C works in units of 1,000,000 bytes, so -C 10 = 10,000,000 bytes). The prefix of the files will be capfile (-w capfile), and a one-digit integer will be appended to each.


So your directory will have 5 files rotating with constant capture data:


capfile0
capfile1
capfile2
capfile3
capfile4


Each will be approximately 10,000,000 bytes, but will probably be slightly larger (depending on the space remaining and the size of the last packet received). If you want to have a larger rolling data set, set your -W to a higher count (-W 50).


It is also very important that the user and group tcpdump have access to write to the location where you are storing these files, even if you are running as root.
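
Added example, not part of the original answer: shell helpers for reading back the ring that the command above produces. Once tcpdump wraps around, the numeric suffix no longer reflects age, so the files are ordered by modification time instead. The function names are illustrative, and the capfile prefix and the 1,000,000-byte unit of -C are taken from the answer.

```shell
#!/bin/sh
# Helpers for a ring written by: tcpdump -W COUNT -C SIZE -w PREFIX
# (illustrative names; not part of tcpdump)

# ring_budget_bytes COUNT SIZE
# Nominal size of the full ring. -C counts units of 1,000,000 bytes, and each
# file can end slightly larger, so treat the result as a lower bound.
ring_budget_bytes() {
    echo $(( $1 * $2 * 1000000 ))
}

# ring_fits DIR COUNT SIZE
# Succeeds if the filesystem holding DIR has room for the nominal ring.
ring_fits() {
    need_kb=$(( $(ring_budget_bytes "$2" "$3") / 1024 ))
    avail_kb=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ "$avail_kb" -ge "$need_kb" ]
}

# ring_in_order DIR PREFIX
# Ring files oldest first, one name per line. After the first wrap-around,
# capfile0 may be newer than capfile4, so sort by mtime, not by suffix.
ring_in_order() {
    ( cd "$1" && ls -1tr "$2"[0-9]* 2>/dev/null )
}

# ring_active DIR PREFIX
# The newest file, which tcpdump is still writing. Leave it alone.
ring_active() {
    ring_in_order "$1" "$2" | tail -n 1
}

# ring_closed DIR PREFIX
# Every file except the active one, oldest first. These are complete and
# safe to copy, compress or open for analysis.
ring_closed() {
    ring_in_order "$1" "$2" | sed '$d'
}
```

Run ring_fits before starting the capture, and copy only the files listed by ring_closed while tcpdump is still running.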