Where tcpdump stores and its storage status

How do I check the storage status if I run tcpdump and save the capture in /var/tmp for 3 hours?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi William,

You can check the file directly, for example if you launch this command:

tcpdump -nni 0.0 host 1.1.1.1 -w /var/tmp/file.cap

then regularly check the size of the captured file with the following command:

ls -la /var/tmp/file.cap

It will give you the up-to-date size of the packets.

Hope it helps you.

Regards,

0
Comments on this Answer
Comment made 1 week ago by youssef 3418

If you need info about tcpdump:

https://support.f5.com/csp/article/K13637

0
Comment made 6 days ago by williamtan 3

Hi Youssef,

Thank you for your fast response. But because the traffic is huge and I will capture for at least 3 hours at midnight, I can't keep checking the file size. Since I have 380GB free space in disk management, will tcpdump use this until it's full?

0
Comment made 6 days ago by youssef 3418

You can capture traffic up to (until) a specific size:

If run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed.

https://www.tcpdump.org/manpages/tcpdump.1.html

Additionally, add as many filters as you can to your capture to reduce the file size.

Regards

0
Comment made 6 days ago by williamtan 3

I cannot use a filter and a specific size because I need to capture all traffic passing through the F5 in 3 hours.

0
Comment made 3 days ago by youssef 3418

Found a solution for you:

You can plug in an external hard disk and mount it on the F5. Then store your file on this external hard disk.

Take this article as an example:

Saving large tcpdump packet traces in limited disk space scenarios --> https://support.f5.com/csp/article/K16793

Regards

0
Comment made 3 days ago by williamtan 3

OK, I will try that.

0
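
For the unattended three-hour capture discussed in this thread, a small watchdog can replace the manual `ls -la` checks. This is an added example, not code from the thread or from F5; the function names, the 20 GB floor and the 60-second poll are assumptions. It stops the capture with SIGTERM, one of the signals the quoted man page says ends a capture.

```shell
# Added example (not from the thread): stop an unattended capture before
# the filesystem holding the capture file runs out of space.

# Print the free space, in KB, of the filesystem that holds directory $1.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Succeed when free space $1 is below the floor $2 (both in KB).
below_floor() {
    [ "$1" -lt "$2" ]
}

# watch_capture PID DIR FLOOR_KB MAX_SECS INTERVAL
# Poll while process PID is alive and send it SIGTERM when DIR's filesystem
# has less than FLOOR_KB free or MAX_SECS seconds have passed.
# Returns 0 if the capture ended by itself, 1 if stopped for low disk
# space, 2 if stopped at the time limit.
watch_capture() {
    wc_pid=$1 wc_dir=$2 wc_floor=$3 wc_max=$4 wc_int=$5
    wc_start=$(date +%s)
    while kill -0 "$wc_pid" 2>/dev/null; do
        if below_floor "$(free_kb "$wc_dir")" "$wc_floor"; then
            kill -TERM "$wc_pid" 2>/dev/null || true
            return 1
        fi
        if [ $(( $(date +%s) - wc_start )) -ge "$wc_max" ]; then
            kill -TERM "$wc_pid" 2>/dev/null || true
            return 2
        fi
        sleep "$wc_int"
    done
    return 0
}

# Usage (constructed values: keep 20 GB free, stop after 3 hours, poll
# every 60 seconds):
#   tcpdump -nni 0.0 -w /var/tmp/file.cap &
#   watch_capture $! /var/tmp $((20 * 1024 * 1024)) $((3 * 3600)) 60
```

Run it inside a session that survives logout, since the watchdog has to outlive the terminal for the whole capture window.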