How can you limit the file size in tcpdump on Linux?

On Linux, you can limit the size of the tcpdump output file with the following tcpdump options.

  1. -C: sets the maximum size of each output file. The size can be given in kilobytes (K), megabytes (M), or gigabytes (G); for example, -C 10M limits each output file to 10 megabytes.
  2. -W: sets the maximum number of output files. Once that number of files is reached, tcpdump overwrites the oldest file.
  3. -G: sets the maximum lifespan of each output file. You can use seconds (s) or minutes (m) as units; for example, -G 10m limits the lifespan of the output file to 10 minutes.

Here's an example command that limits each output file to 10 megabytes and keeps at most 3 files.

tcpdump -C 10M -W 3 -w output.pcap

This command generates an output file named output.pcap, starts a new file each time the current one reaches 10 megabytes, and keeps at most 3 files, overwriting the oldest once that limit is reached.
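An added example (my own helper script, not code from the original page or the tcpdump project) that turns these options into a capture with a known disk bound: it converts a -C value to bytes the way tcpdump 4.99 and later parse it, computes the worst-case disk use of a -C/-W ring so the capture cannot fill the disk, and converts a duration such as 10m into the plain seconds that -G actually expects. The function names and the tcpdump 4.99 version assumption are mine.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes tcpdump 4.99 or newer, where
# -C accepts k/K, m/M, g/G suffixes; older releases take a bare integer (millions of bytes).

# Convert a -C argument to bytes the way tcpdump parses it: a bare integer
# means 1,000,000-byte units, a k/m/g suffix means 1024-based KiB/MiB/GiB.
c_arg_to_bytes() {
    local num unit
    num="${1%[kKmMgG]}"; unit="${1#"$num"}"
    case "$num" in ''|*[!0-9]*) echo "invalid -C value: $1" >&2; return 1 ;; esac
    case "$unit" in
        '')  echo $(( num * 1000000 )) ;;
        k|K) echo $(( num * 1024 )) ;;
        m|M) echo $(( num * 1048576 )) ;;
        g|G) echo $(( num * 1073741824 )) ;;
    esac
}

# Worst-case bytes on disk for "-C <size> -W <count>": <count> full files,
# because tcpdump reuses the oldest file once <count> files exist.
ring_disk_bound() {
    local per_file
    per_file=$(c_arg_to_bytes "$1") || return 1
    echo $(( per_file * $2 ))
}

# -G takes seconds only, so a "10m" rotation must be passed as -G 600. With -G
# the -w name needs strftime fields (e.g. cap-%Y%m%d%H%M%S.pcap), otherwise
# every rotation overwrites the same file. Accepts seconds or an s/m/h suffix.
rotate_seconds() {
    local num unit
    num="${1%[smh]}"; unit="${1#"$num"}"
    case "$num" in ''|*[!0-9]*) echo "invalid duration: $1" >&2; return 1 ;; esac
    case "$unit" in
        ''|s) echo "$num" ;;
        m)    echo $(( num * 60 )) ;;
        h)    echo $(( num * 3600 )) ;;
    esac
}

# Start a size-bounded ring only when it fits the disk budget (in bytes).
# Usage: start_ring <budget_bytes> <size> <count> <base> [filter...]
start_ring() {
    local budget="$1" size="$2" count="$3" base="$4" bound; shift 4
    bound=$(ring_disk_bound "$size" "$count") || return 1
    if [ "$bound" -gt "$budget" ]; then
        echo "ring needs $bound bytes, over the $budget-byte budget" >&2; return 2
    fi
    exec tcpdump -n -C "$size" -W "$count" -w "$base" "$@"   # files: <base>0..<base>N-1
}
```

For the command on this page, start_ring 40000000 10M 3 output.pcap refuses nothing, since three 10 MiB files need 31,457,280 bytes; a 20,000,000-byte budget makes it exit with status 2 before tcpdump starts.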
