And what's the problem? The man page describes it perfectly clearly:
tcpdump ... [ -C file_size ] ... [ -w file ]
-C Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if
so, close the current savefile and open a new one. Savefiles after the first savefile will have the name
specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size
are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
-w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r
option. Standard output is used if file is ``-''.
Note that with "-w" it is not the textual description of the packets that gets saved, but the data itself, as it is. That is more economical. Another way to save space is to filter for only what you're interested in.
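An added example, not part of the original post: with the naming scheme quoted above (file, file1, file2, ...), a plain glob lists file10 before file2, so reading a rotated capture back in capture order means sorting on the numeric suffix. The function names and the base name capture.pcap are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post).
# Savefiles from "tcpdump -C N -w BASE" are named BASE, BASE1, BASE2, ...
# as described in the man page excerpt. List them in capture order.

savefiles_in_order() {
    base=$1
    # The first savefile carries no number.
    if [ -e "$base" ]; then
        printf '%s\n' "$base"
    fi
    for f in "$base"[0-9]*; do
        [ -e "$f" ] || continue          # glob matched nothing
        n=${f#"$base"}                   # suffix after the base name
        case $n in
            *[!0-9]*) continue ;;        # not a pure number, e.g. BASE1.bak
        esac
        printf '%s %s\n' "$n" "$f"
    done | sort -n | cut -d' ' -f2-      # numeric sort, then drop the sort key
}

# Read every savefile back with -r, in order. Any extra arguments are passed
# to tcpdump as a filter expression, so only the interesting packets print.
# Hypothetical usage: replay_savefiles capture.pcap port 53
replay_savefiles() {
    base=$1
    shift
    savefiles_in_order "$base" | while IFS= read -r f; do
        tcpdump -nn -r "$f" "$@"
    done
}
```

The capture side that produces such files would be along the lines of `tcpdump -C 100 -w capture.pcap port 53`, which rotates at 100,000,000 bytes per the units stated in the excerpt.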