Hi, I got the following question regarding tcpdump and I would appreciate your help/feedback:

--Scenario
I am instructed to capture the network traffic by getting the tcpdump data/files of our network for every hour.

--Problem
Some of the connections are still open when the capture is done at the end of 30 minutes. How do I link these open connections in different tcpdump files?

--example
Connection A: 192.168.10.1:1686 --> 192.168.10.22:139
connection A starts: 12:25
connection A ends: 12:45
Data capture: 12:00-12:30 (file1), 12:30-1:00 (file2)

Will there be two connections (for connection A) -- one in file1, the other in file2? Will their connection start time be the SAME or DIFFERENT?

Please help!!

Thanks!!

Jay

This is kind of unclear to me, how do you create the files ? Is it >> (append) or > (redirect), what format is that ? What is the OS ? How are you sure what's happening with the connections ? What if they got closed for some reason ? Given the conditions you've posted, Connection A will be the same in the second file, but tcpdump will eavesdrop the current flow, i.e. timestamp will be different.
Please post more details, as well as log snippets, if possible, so we can answer this correctly, in case I got it wrong.