

run tcpdump in daemon mode

/usr/lib/systemd/system/tcpdumpd.service

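[Unit]
Description=Rotating capture of SIP traffic (port 5060) with tcpdump
After=network.target

[Service]
Restart=always
RestartSec=30
# A literal "%" is written as "%%" in a unit file; tcpdump expands the
# resulting strftime() pattern into one new file per -G interval (1800 s).
Environment="TCPDUMP_FORMAT=%%Y-%%m-%%d__%%H-%%M"
ExecStartPre=/bin/mkdir -p /var/log/tcpdumpd/
# Hardening option worth considering: add "-Z <unprivileged-user>" so tcpdump
# drops root once the capture socket is open.
ExecStart=/sbin/tcpdump -i eth0 port 5060 -G 1800 -s 65535 -w '/var/log/tcpdumpd/sipdump_${TCPDUMP_FORMAT}.pcap'
# tcpdump flushes and closes the current pcap file on SIGTERM/SIGINT but
# installs no handler for SIGQUIT, so "kill -s QUIT" can leave the last file
# cut off mid-packet.  SIGTERM is also systemd's default stop signal, so no
# ExecStop= line is needed at all; it is spelled out here for clarity.
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target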

/etc/logrotate.d/tcpdumpd

/var/log/tcpdumpd/*.pcap {
        # NOTE(review): tcpdump (-G) already starts a new timestamped file every
        # 30 minutes, so the newest file matched by this glob may still be open
        # for writing when logrotate renames and compresses it; consider adding
        # "delaycompress" so compression happens one cycle later, after tcpdump
        # has moved on to the next file.
        # NOTE(review): "rotate 30" counts rotations per file name; with unique
        # timestamped names each file is rotated at most once, so verify that
        # old captures are actually removed -- a time-based cleanup of the
        # directory may be the more reliable retention control.
        daily
        missingok
        rotate 30
        compress
        notifempty
}


  1. SEA

    I suggest killing the process with `-s TERM` instead: that terminates it gracefully, so the files are not cut off in the middle of a packet.

  2. jiml8

    Do it without systemd; this works on Linux and FreeBSD (at least).

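    /*
     * Detach from the caller and run tcpdump in the background.
     *
     * The calling process exits; the forked child starts a new session,
     * redirects its standard streams and execs tcpdump (through nice).  No
     * -w is given, so tcpdump's decoded output goes to the file stdout is
     * redirected to.  This function never returns: the parent exit()s, the
     * child either execs or _exit()s.
     *
     * The output directory /var/log/tcpdumpd/ must already exist and be
     * writable only by root.
     */
    void daemonize_tcpdumpr(void)
    {
        pid_t pid = fork();

        if (pid < 0) {
            /* fork() failed: say so instead of silently exiting 0 like the parent */
            perror("fork");
            exit(EXIT_FAILURE);
        }
        if (pid > 0) {
            exit(0);                /* parent: the child carries on */
        }

        /* child: own session, so losing the terminal does not SIGHUP us */
        if (setsid() < 0) {
            perror("setsid");
            _exit(EXIT_FAILURE);
        }

        /*
         * Do not open a fixed, predictable name under /tmp from a root-run
         * daemon: a pre-placed symlink there would be followed and its target
         * truncated by "w".  Use a directory only root can write to instead,
         * and detach stdin as well.
         */
        if (freopen("/dev/null", "r", stdin) == NULL ||
            freopen("/var/log/tcpdumpd/tcpdump.out", "w", stdout) == NULL ||
            freopen("/dev/null", "w", stderr) == NULL) {
            _exit(EXIT_FAILURE);
        }

        /*
         * execl()'s second argument is argv[0], i.e. the program's own name.
         * The original passed "-0" there, which nice does not parse as an
         * option, so it applied its default adjustment.  Pass the adjustment
         * as a real argument and terminate the list with a typed NULL.
         */
        execl("/usr/bin/nice", "nice", "-n", "0",
              "/usr/sbin/tcpdump", "-n", "-e", "-s", "0", "-i", "eth0",
              (char *)NULL);

        /*
         * Only reached if exec failed; execl() returns -1 and errno explains
         * why.  stdout is a file here, so flush before _exit(), which skips
         * stdio buffers.
         */
        printf("Failed to start tcpdump. Error is %s\n", strerror(errno));
        fflush(stdout);
        _exit(127);
    }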

