ironshirt
Explorer

How to control/limit the output file size from fw monitor

Hi,

 

I would like to record a trace with fw monitor over a few weeks period. How can I control the file size in order to not accidentally fill the whole disk?

Even if I let the trace run for a week or two it would be sufficient for me to just have the last 24 hours from the moment I stop the trace.

 

Regards and thanks,

Mark

0 Kudos
2 Replies
PhoneBoy
Admin

fw monitor was never designed to be run long-term like that.
Not sure there’s a great way to achieve what you’re looking for. 

0 Kudos
Timothy_Hall
Legend

fw monitor (both -e and -F) does not have any built-in abilities to limit the file size of the capture, nor can it automatically rotate the capture files as the capture is running to keep them from getting too large.  It can set a "dead man's switch" limit of total packets to capture before terminating itself with the -ci and -co options.  Also a fw monitor -e capture will not survive a policy installation on the gateway (but fw monitor -F will).  So fw monitor is probably not the tool you should use here.

On the other hand tcpdump does have the ability to automatically rotate & limit log files for running captures (-C and -G flags) and cppcap also picked up this ability in R81 via the -w and -W flags.  These tools will also survive a policy installation while executing a long-running capture, but I'd advise capturing only on a single interface and use an extremely specific filter if possible.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
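The tcpdump rotation mentioned in the reply above, as an added example that is not part of the original thread: `-C` with `-W` makes a fixed-size ring of files, so worst-case disk use can be computed and checked before the capture starts. The interface, directory, sizes, filter and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): size-capped tcpdump ring buffer.
# Interface, directory, sizes and filter below are constructed placeholders.

# Worst-case disk use of a -C/-W ring, in tcpdump's units (1 unit = 1,000,000 bytes).
ring_budget_mb() {  # $1 = MB per file (-C), $2 = number of files (-W)
    echo $(( $1 * $2 ))
}

# Free space in MB on the filesystem holding directory $1.
free_mb() {
    df -Pk "$1" | awk 'NR==2 {print int($4 / 1024)}'
}

# Succeeds only if the ring fits in at most $3 percent of $4 MB free space.
ring_fits() {  # $1 = MB per file, $2 = files, $3 = max percent, $4 = free MB
    [ "$(ring_budget_mb "$1" "$2")" -le $(( ${4:-0} * $3 / 100 )) ]
}

# Print the capture command: one interface, a narrow filter, and -C with -W so
# tcpdump overwrites the oldest file once the ring is full.
ring_cmd() {  # $1 = iface, $2 = dir, $3 = MB per file, $4 = files, rest = filter
    iface=$1; dir=$2; mb=$3; files=$4; shift 4
    echo "tcpdump -n -i $iface -C $mb -W $files -w $dir/ring.pcap $*"
}

# Constructed sizing: 48 files of 200 MB caps the capture at 9600 MB.
IFACE=eth1
DIR=/var/log/capture
FILTER="host 192.0.2.10 and tcp port 443"

if ring_fits 200 48 50 "$(free_mb /)"; then
    ring_cmd "$IFACE" "$DIR" 200 48 "$FILTER"
else
    echo "ring of $(ring_budget_mb 200 48) MB exceeds 50% of free space" >&2
fi
```

The ring keeps the most recent 9600 MB rather than a fixed 24 hours, so size it from the traffic rate actually seen through the filter.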
