/usr/lib/systemd/system/tcpdumpd.service
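# Continuous SIP capture: tcpdump on eth0, port 5060, starting a new pcap file
# every 1800 s (-G) with a strftime-style timestamp in the file name.
# NOTE(review): the captures hold full packets (-s 65535) of SIP signalling and
# nothing here restricts who can read /var/log/tcpdumpd. Consider UMask=0077 or
# LogsDirectory=/LogsDirectoryMode=, and confirm the directory is not
# world-readable.
# NOTE(review): no User= or capability limit is set, so this system unit starts
# tcpdump as root unless the distro build drops privileges itself (see
# tcpdump -Z). Confirm which account ends up owning the capture files.
[Unit]
After=network.target

[Service]
Restart=always
RestartSec=30
# %% is systemd's escape for a literal %, so tcpdump receives %Y-%m-%d__%H-%M.
Environment="TCPDUMP_FORMAT=%%Y-%%m-%%d__%%H-%%M"
ExecStartPre=/bin/mkdir -p /var/log/tcpdumpd/
ExecStart=/sbin/tcpdump -i eth0 port 5060 -G 1800 -s 65535 -w '/var/log/tcpdumpd/sipdump_${TCPDUMP_FORMAT}.pcap'
# Stop with SIGTERM rather than SIGQUIT: tcpdump shuts down cleanly on TERM and
# closes the current capture file, whereas QUIT is not a signal it handles for a
# clean exit, so the last pcap can end in the middle of a packet.
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target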
/etc/logrotate.d/tcpdumpd
# Daily rotation for the SIP capture files, keeping 30 compressed generations.
# NOTE(review): the glob matches every .pcap in the directory, including the one
# tcpdump may still be writing, and no postrotate or copytruncate step is
# configured. Confirm a rotation cannot rename or compress the live capture.
/var/log/tcpdumpd/*.pcap {
    daily
    rotate 30
    compress
    missingok
    notifempty
}
I suggest stopping the process with `-s TERM` instead: it terminates the process gracefully, so files are not cut off in the middle of a packet.
You can also do it without systemd. This works on Linux and FreeBSD (at least).
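/*
 * Detach from the calling process and replace the child with tcpdump
 * capturing on eth0 (-n -e -s 0), started through /usr/bin/nice.
 *
 * The parent calls exit(0) as soon as the fork succeeds, so this function
 * never returns to its caller. The child starts a new session, sends stdout
 * to /tmp/tmpfile and stderr to /dev/null, then execs tcpdump.
 *
 * Failure handling: a failed fork() is reported on stderr and the process
 * exits with EXIT_FAILURE instead of exiting 0 as if the daemon had started.
 * A failed redirect or exec ends the child with _exit().
 */
void daemonize_tcpdumpr()
{
    pid_t pid;
    int rtn;

    pid = fork();
    if (pid < 0) {
        /* fork() returns -1 on failure; do not report success to the caller's parent. */
        perror("fork");
        exit(EXIT_FAILURE);
    }
    if (pid > 0) {
        /* Parent: the child carries on as the daemon. */
        exit(0);
    }

    /* Child: leave the caller's session and controlling terminal. */
    setsid();

    /*
     * NOTE(review): /tmp/tmpfile is a fixed name in a world-writable
     * directory and freopen() follows symbolic links. tcpdump is normally
     * started with elevated privileges, so a pre-created link here would let
     * another local user choose which file gets truncated and overwritten.
     * Prefer a path inside a directory only the capture account can write.
     */
    if (freopen("/tmp/tmpfile", "w", stdout) == NULL) {
        perror("freopen /tmp/tmpfile");
        _exit(EXIT_FAILURE);
    }
    /* Without a valid stderr the exec'd program would inherit a closed fd 2. */
    if (freopen("/dev/null", "w", stderr) == NULL) {
        _exit(EXIT_FAILURE);
    }

    /*
     * The first variadic argument of execl() is argv[0], not an option.
     * Passing "-0" there meant nice never saw it and applied its default
     * adjustment instead of 0. Name the program explicitly and use the
     * portable "-n 0" spelling.
     */
    rtn = execl("/usr/bin/nice", "nice", "-n", "0",
                "/usr/sbin/tcpdump", "-n", "-e", "-s", "0", "-i", "eth0",
                (char *)NULL);

    /* Only reached when execl() failed. */
    printf("Failed to start tcpdump. Error is %d\n", rtn);
    /* _exit() skips stdio flushing, so push the message out to the file first. */
    fflush(stdout);
    _exit(rtn);
}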