
How do I exit tcpdump immediately after reaching the specified saved file size, so no more files are generated? #842

Open
pxyove opened this issue Mar 23, 2020 · 4 comments

Comments

@pxyove

pxyove commented Mar 23, 2020

I am using tcpdump on Linux version 3.10.0-123.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) ) #1 SMP Mon Jun 30 12:09:22 UTC 2014

tcpdump version 4.5.1
libpcap version 1.5.3

When I try to run this command:
tcpdump -ennXXSs0 -i any -C 20 -w /usr/admin/config/2.cap

How do I exit tcpdump immediately after reaching the specified saved file size, so no more files are generated?

Please help me.

@pxyove
Author

pxyove commented Mar 23, 2020

thanks

@fxlb
Member

fxlb commented Mar 23, 2020

A hack here with -W 2 and -z:
https://unix.stackexchange.com/questions/409210/tcpdump-capture-packets-to-a-non-rotating-file
(rm with file_name1 and not file_name0)

@pxyove
Author

pxyove commented Mar 26, 2020

@fxlb Thank you very much, but it hasn't been solved yet

@JokerQyou

Currently the only workaround seems to be using the -z option to run a script when tcpdump closes a file (as it reached the file size limit of -C). In that script you can then send SIGINT to the tcpdump process to stop it. But you'll have to clean up the remaining file yourself, because when tcpdump is killed, the script will also be stopped, so nothing more can be done.

Here is an example:

  • Run tcpdump with tcpdump -C 1 -W 2 -z on-file-closed.sh -w dumpfile
  • When the file dumpfile reaches 1MB, tcpdump would close the fd and open another file dumpfile0; it would also execute the on-file-closed.sh script
  • In the on-file-closed.sh script you can use killall -s SIGINT tcpdump or kill -SIGINT $(pidof -s tcpdump) to stop the tcpdump process
  • Then you are left with two files, dumpfile and dumpfile0; you'll need to delete dumpfile0, and dumpfile is ready for use.
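A hook script implementing the workaround above, as an added example that is not from this issue or the tcpdump project. It assumes tcpdump passes the closed file's name as the hook's first argument and is the hook's parent process (so $PPID is the tcpdump PID), and it detaches the stop-and-cleanup step into a background subshell so it is not cut short when tcpdump exits; the sibling-file logic covers both naming patterns mentioned in the thread (dumpfile/dumpfile0 and file_name0/file_name1).

```shell
#!/bin/sh
# on-file-closed.sh: run by tcpdump as "on-file-closed.sh <closed-file>"
# after each -C rotation (example code, not from the issue or from tcpdump).

# List the rotated siblings of the closed file: same base name plus a purely
# numeric suffix. The base is the closed name with any trailing digits removed,
# so "dumpfile0" and "dumpfile" both give base "dumpfile". Base names that
# themselves end in digits are ambiguous under this rule (assumption/limitation).
leftover_files() {
    closed=$1
    base=$(printf '%s\n' "$closed" | sed 's/[0-9]*$//')
    for f in "$base"*; do
        if [ ! -e "$f" ] || [ "$f" = "$closed" ]; then
            continue
        fi
        suffix=${f#"$base"}
        case $suffix in
            ''|*[!0-9]*) continue ;;   # not a rotation suffix, leave it alone
        esac
        printf '%s\n' "$f"
    done
}

# Stop the tcpdump that invoked us (pid given as $2), wait until it has really
# exited so the file it opened after rotating is closed, then delete that file.
stop_and_cleanup() {
    closed=$1
    pid=$2
    kill -INT "$pid" 2>/dev/null || true
    while kill -0 "$pid" 2>/dev/null; do
        sleep 1
    done
    leftover_files "$closed" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# Hook entry point: only runs when tcpdump invoked us with a file name.
# The work is backgrounded so this script returns to tcpdump immediately and
# the subshell survives tcpdump's exit (assumed behaviour, see lead-in).
if [ -n "${1:-}" ]; then
    ( stop_and_cleanup "$1" "$PPID" ) &
fi
```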
