I am looking for a reliable solution for packet capture in test automation.
Currently tcpdump is used with the following command:
sudo tcpdump -i ens160 -w filename.pcap -G 60 -W 1
I stop tcpdump with this command:
kill -s SIGINT <pid>
About 1 time in 20, tcpdump does not exit cleanly and the pcap file is corrupted.
Is there any way to make sure tcpdump exits cleanly?
Answer 1
There are two ways to avoid the dump file being truncated:
1. As suggested by Doug Smythies, use the termination signal (SIGTERM) instead of SIGINT to terminate the tcpdump process: kill <pid>
2. Tell tcpdump to write each packet directly to the file as it is saved (option -U). That way the file is not truncated even with SIGINT. From the tcpdump manual:
   -U
   --packet-buffered
          If the -w option is not specified, make the printed packet output "packet-buffered"; i.e., as the description of the contents of each packet is printed, it will be written to the standard output, rather than, when not writing to a terminal, being written only when the output buffer fills.
          If the -w option is specified, make the saved raw packet output "packet-buffered"; i.e., as each packet is saved, it will be written to the output file, rather than being written only when the output buffer fills.
          The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_dump_flush() function.
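Putting the two recommendations together, as an added example that is not part of the original answer: a POSIX shell script that runs tcpdump with -U, stops it with SIGTERM, and then walks the saved file record by record to confirm it is not truncated, which is the check the question's test automation would want after every capture instead of discovering a bad file later. The interface name, output path and capture duration are placeholders; pcap_check is a structural check written for this example, not a tcpdump feature.

```shell
#!/bin/sh
# Added example, not from the original answer. Captures with tcpdump -U (each packet
# is flushed to the file as it is saved), stops it with SIGTERM, then checks that the
# resulting pcap file is not truncated. Interface, file name and duration are
# placeholders; capture() needs root and a real interface, pcap_check() does not.

PCAP_BE=0   # set by pcap_check: 1 when the file's magic says big-endian

u32() {  # $1 = file, $2 = byte offset; prints the uint32 at that offset, fails if short
    set -- $(od -A n -t u1 -j "$2" -N 4 "$1" 2>/dev/null)
    [ $# -eq 4 ] || return 1
    if [ "$PCAP_BE" = 1 ]; then
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    else
        echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
    fi
}

pcap_check() {  # $1 = pcap file; succeeds only if every packet record is complete
    f=$1
    size=$(wc -c < "$f")
    if [ "$size" -lt 24 ]; then
        echo "$f: shorter than the 24-byte pcap global header"; return 1
    fi
    magic=$(od -A n -t x1 -N 4 "$f" | tr -d ' \n')
    case $magic in
        d4c3b2a1|4d3cb2a1) PCAP_BE=0 ;;   # little-endian, usec or nsec timestamps
        a1b2c3d4|a1b23c4d) PCAP_BE=1 ;;   # big-endian
        *) echo "$f: not a classic pcap file (magic $magic)"; return 1 ;;
    esac
    off=24; n=0
    while [ "$off" -lt "$size" ]; do
        # each record: ts_sec, ts_usec, incl_len (caplen), orig_len, then caplen bytes
        if [ $((size - off)) -lt 16 ]; then
            echo "$f: record header truncated at offset $off after $n packets"; return 1
        fi
        caplen=$(u32 "$f" $((off + 8))) || return 1
        if [ $((off + 16 + caplen)) -gt "$size" ]; then
            echo "$f: packet $((n + 1)) truncated: needs $caplen bytes, $((size - off - 16)) present"
            return 1
        fi
        off=$((off + 16 + caplen)); n=$((n + 1))
    done
    echo "$f: $n complete packets"
}

capture() {  # $1 = interface, $2 = output file, $3 = seconds to capture (placeholders)
    tcpdump -i "$1" -w "$2" -U -G 60 -W 1 &
    pid=$!
    sleep "$3"
    # SIGTERM rather than SIGINT, as the answer recommends; ignore "no such process"
    # because -G 60 -W 1 makes tcpdump exit on its own once the 60 s file is done.
    kill -TERM "$pid" 2>/dev/null || true
    wait "$pid" || { echo "tcpdump exited with status $?"; return 1; }
    pcap_check "$2"
}

# Usage when run as root: capture ens160 /tmp/test.pcap 30
```

pcap_check only understands the classic pcap format that tcpdump -w writes (it rejects pcapng and anything else by magic number), and a "complete" verdict means every record on disk is intact, not that every packet on the wire was captured. Running it as the last step of each automated capture turns the 1-in-20 corrupted file into a failed test step with the offset at which the file was cut.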