topic Re: How to control/limit the output file size from fw monitor in General Topics

How to control/limit the output file size from fw monitor

ironshirt — Fri, 29 Jan 2021 15:26:33 GMT

Hi,

i would like to record a trace with fw monitor over a few weeks period. How can i control the file size in order to not accidentaly fill the whole disk?

Even if i let the trace run for a week or two it would be sufficient for me to just have tha last 24 Hours from the moment i stop the trace.

Regards and thanks,

Mark

Re: How to control/limit the output file size from fw monitor

PhoneBoy — Fri, 29 Jan 2021 17:48:52 GMT

fw monitor was never designed to be run long-term like that.
Not sure there’s a great way to achieve what you’re looking for.

Re: How to control/limit the output file size from fw monitor

Timothy_Hall — Sat, 30 Jan 2021 14:34:21 GMT

fw monitor (both -e and -F) does not have any built-in abilities to limit the file size of the capture, nor can it automatically rotate the capture files as the capture is running to keep them from getting too large. It can set a "dead man's switch" limit of total packets to capture before terminating itself with the -ci and -co options. Also a fw monitor -e capture will not survive a policy installation on the gateway (but fw monitor -F will). So fw monitor is probably not the tool you should use here.

On the other hand tcpdump does have the ability to automatically rotate & limit log files for running captures (-C and -G flags) and cppcap also picked up this ability in R81 via the -w and -W flags. These tools will also survive a policy installation while executing a long-running capture, but I'd advise capturing only on a single interface and use an extremely specific filter if possible.