Tcpdump 非正常停止

Question

有两种方法可以避免转储文件被截断：

根据Doug Smythies的建议，使用终止信号（SIGTERM）而不是SIGINT来终止tcpdump进程：
```
kill <pid>
```
指定tcpdump在保存每个数据包时直接将数据包写入文件（选项-U）。这样，即使使用 SIGINT，文件也不会被截断。从tcpdump 命令：

   -U
   --packet-buffered
          If the -w option is not specified, make the  printed  packet
          output  ``packet-buffered''; i.e., as the description of the
          contents of each packet is printed, it will  be  written  to
          the standard output, rather than, when not writing to a ter‐
          minal, being written only when the output buffer fills.

          If the -w option is specified, make  the  saved  raw  packet
          output  ``packet-buffered'';  i.e., as each packet is saved,
          it will be written to the output  file,  rather  than  being
          written only when the output buffer fills.

          The  -U flag will not be supported if tcpdump was built with
          an older version of libpcap that lacks the pcap_dump_flush()
          function.

Answer 1

有两种方法可以避免转储文件被截断：

根据Doug Smythies的建议，使用终止信号（SIGTERM）而不是SIGINT来终止tcpdump进程：
```
kill <pid>
```
指定tcpdump在保存每个数据包时直接将数据包写入文件（选项-U）。这样，即使使用 SIGINT，文件也不会被截断。从tcpdump 命令：

   -U
   --packet-buffered
          If the -w option is not specified, make the  printed  packet
          output  ``packet-buffered''; i.e., as the description of the
          contents of each packet is printed, it will  be  written  to
          the standard output, rather than, when not writing to a ter‐
          minal, being written only when the output buffer fills.

          If the -w option is specified, make  the  saved  raw  packet
          output  ``packet-buffered'';  i.e., as each packet is saved,
          it will be written to the output  file,  rather  than  being
          written only when the output buffer fills.

          The  -U flag will not be supported if tcpdump was built with
          an older version of libpcap that lacks the pcap_dump_flush()
          function.

Tcpdump 非正常停止

答案1

相关内容