This command captures the first 350 bytes of each packet and writes a ring buffer of 20 files of 100 MB each, overwriting the oldest capture once the 20th file is full:

sudo tcpdump -i eth0 -s 350 -C 100 -W 20 -w /var/tmp/capture-$(date +%Y-%m-%d:%H:%M:%S).pcap

Breakdown of the options:

  • -i eth0: capture on the eth0 interface. Replace eth0 with any to capture on all interfaces (Linux pseudo-interface).
  • -s 350: snapshot length. Capture only the first 350 bytes of each packet; headers are kept, most of the payload is not.
  • -C 100: file size. Roll over to a new file once the current one reaches 100 MB (tcpdump counts in units of 1,000,000 bytes).
  • -W 20: file count. Keep at most 20 files; when the 20th fills up, tcpdump starts overwriting from the first, so the set stays at roughly 2 GB on disk.
  • -w /var/tmp/capture-$(date +%Y-%m-%d:%H:%M:%S).pcap: write to a timestamped file under /var/tmp/ (tcpdump appends a file number to this name for each file in the ring). Note that tcpdump may drop root privileges (see its -Z option) before opening the output file, so the directory must be writable by that unprivileged user; /var/tmp qualifies.

Bonus tip

On an AWS EC2 instance, you can pull the instance ID from the instance metadata service and add it to the filename. This is useful when you are collecting captures from several servers and need to tell them apart later.
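The bonus tip as an added shell example (not from the original page): it fetches the instance ID over IMDSv2, validates it before it is used in a path, and wires it into the same tcpdump ring-buffer command from above. Assumed: curl is installed, /var/tmp is the output directory, and the host is an EC2 instance when the script is run with --start.

```shell
#!/bin/sh
# Added example, not part of the original page: per-instance capture file
# names from the EC2 instance ID (IMDSv2), then the rotating tcpdump capture.
set -eu

IMDS="http://169.254.169.254/latest"   # EC2 instance metadata service (link-local)
CAPTURE_DIR="/var/tmp"                 # assumed output directory, as on the page

# Fetch the instance ID with IMDSv2: obtain a short-lived session token first,
# then present it when reading the metadata path.
imds_instance_id() {
    token=$(curl -sS -f -X PUT "$IMDS/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
    curl -sS -f -H "X-aws-ec2-metadata-token: $token" "$IMDS/meta-data/instance-id"
}

# Validate the ID before it goes into a file name: 'i-' plus 8 or 17 hex digits.
# Anything else (unexpected metadata, a proxy error page) is rejected.
valid_instance_id() {
    printf '%s\n' "$1" | grep -Eq '^i-[0-9a-f]{8,17}$'
}

# Compose the file name: <dir>/capture-<instance-id>-<timestamp>.pcap
# $1 = instance ID, $2 = timestamp (defaults to now, same format as the page)
capture_name() {
    valid_instance_id "$1" || { echo "bad instance id: $1" >&2; return 1; }
    ts=${2:-$(date +%Y-%m-%d:%H:%M:%S)}
    printf '%s/capture-%s-%s.pcap\n' "$CAPTURE_DIR" "$1" "$ts"
}

# Same ring buffer as the page: 350-byte snaplen, 20 files of 100 MB each.
start_capture() {
    id=$(imds_instance_id)
    out=$(capture_name "$id")
    echo "writing ring buffer to $out" >&2
    sudo tcpdump -i eth0 -s 350 -C 100 -W 20 -w "$out"
}

# Only start tcpdump when explicitly asked; otherwise the file just defines functions.
if [ "${1:-}" = "--start" ]; then
    start_capture
fi
```

Run it as `sh capture.sh --start` on the instance; without the flag it only defines the helpers.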