Skip to main content

How can we help you?

Druva Documentation

How to take circular packet capture on Linux



You should consider using this procedure under the following condition:

  • You are troubleshooting intermittent network issues.

The tcpdump utility is a command line packet sniffer with many features and options. For a full description, refer to the tcpdump manual pages by typing the following command:

man tcpdump

When troubleshooting intermittent network issues, gathering relevant data can be challenging. You can use the tcpdump utility to capture traffic that is pertinent to intermittent issues and store the information in rotating binary packet capture files. When the utility captures and saves a set number of files, it then overwrites the oldest file with the newest. Using a combination of the -W <file size>, -C <value>, and -w <filename> tcpdump command options, you can specify the size and quantity of packet capture files for tcpdump to save and retain before it rolls over and begins replacing them with newer ones.

  • -W <value> sets the number of packet capture files that the utility collects before it rolls over and begins overwriting the oldest collected file.

  • -C <file size> sets the maximum size of each packet capture file.
    Note: File size values are rounded to millions of bytes. For example, 1 MB is rounded to 1,000,000 bytes, instead of 1,048,576 bytes.

  • -w <filename> specifies the path and file name (/path/filename) where the utility saves packet capture files.
    Note: Saved packet capture files are numbered in capture order, based on the filename you provide. For example, <filename>1, <filename>2, and so on.


Procedure title

Running tcpdump with circular captures

The following procedure describes how to use tcpdump to run a packet capture and save the information to a rotating set of binary packet capture files.

Note: You can use additional tcpdump flags, as necessary for your specific environment and troubleshooting purposes.

Impact of procedure: You should only run tcpdump packet captures during active troubleshooting sessions. The amount of data captured and the frequency of capture file rotation depends on your specific environment and the values specified in your tcpdump commands. To ensure that the utility doesn't overwrite the packet capture relevant to the issue you are troubleshooting, you need to manually stop the packet capture as soon as the intermittent issue you're troubleshooting occurs.


  1. Log in to the command line interface.

  2. To start tcpdump, use the following command syntax:
    tcpdump -ni <interface> -W <file count value> -C <size value> -w <filename>

    • <interface> is the interface on which you want the utility to capture packets.

    • <file count value> is the number of files you want the utility to save before overwriting older files.

    • <size value> is the maximum file size in megabytes (MB) you want the utility to save before creating a new file.

    • <filename> is the location and file name where you want the utility to save the binary capture files.

For example, to have tcpdump capture packets on all interfaces and create up to ten 100MB files, named test1, test2, and so on, in the /tmp directory before overwriting the oldest file, type the following command:

tcpdump -ni 0.0 -W 10 -C 100 -w /tmp/test.pcap

Note: The tcpdump utility does not print data to the screen while it is capturing to a file.

3. After the issue you're troubleshooting occurs, press Ctrl+C to stop the capture.