Tcpdump does not stop cleanly

I am looking for a reliable solution for packet capture in test automation.

Currently, tcpdump is used with the following command.

sudo tcpdump -i ens160  -w filename.pcap -G 60 -W 1 

I stop tcpdump with the following command:

kill -s SIGINT <pid>

About 1 time in 20, tcpdump does not exit cleanly and the pcap file ends up corrupted.

Is there any way to ensure that tcpdump exits cleanly?

Answer 1

There are two ways to avoid a truncated dump file:

  1. As suggested by Doug Smythies, terminate the tcpdump process with the termination signal (SIGTERM) instead of SIGINT:

    kill <pid>
    
  2. Tell tcpdump to write each packet to the file directly as it is saved (option -U). That way the file is not truncated even when SIGINT is used. From the tcpdump manual:

   -U
   --packet-buffered
          If the -w option is not specified, make the  printed  packet
          output  ``packet-buffered''; i.e., as the description of the
          contents of each packet is printed, it will  be  written  to
          the standard output, rather than, when not writing to a ter‐
          minal, being written only when the output buffer fills.

          If the -w option is specified, make  the  saved  raw  packet
          output  ``packet-buffered'';  i.e., as each packet is saved,
          it will be written to the output  file,  rather  than  being
          written only when the output buffer fills.

          The  -U flag will not be supported if tcpdump was built with
          an older version of libpcap that lacks the pcap_dump_flush()
          function.
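Whichever of the two approaches is used, test automation still benefits from checking the resulting file before relying on it. The following Python script is an added example, not part of the original question or answer and not tcpdump's own tooling: it starts tcpdump with the command from the question plus -U, stops it with SIGTERM as answer 1 suggests, and then walks the pcap's global header and per-packet record headers to detect the truncation an unclean exit leaves behind. The interface name ens160 and the file name come from the question; the snaplen, timestamps and packet contents in the constructed sample are assumptions.

```python
import struct
import subprocess

# Capture command from the question, plus -U (--packet-buffered) from the answer
# so that each packet reaches the file as soon as it is saved.
CAPTURE_CMD = ["sudo", "tcpdump", "-i", "ens160", "-U", "-w", "filename.pcap",
               "-G", "60", "-W", "1"]


def start_capture(cmd=CAPTURE_CMD):
    """Launch tcpdump as a child process (needs root; not run at import time)."""
    return subprocess.Popen(cmd)


def stop_capture(proc, timeout=5.0):
    """Send SIGTERM (plain `kill <pid>`), as answer 1 recommends, and wait for exit.

    Returns True when tcpdump exited within the timeout, False otherwise; a
    False result is the moment to inspect the pcap rather than trust it.
    """
    proc.terminate()                 # SIGTERM, same as `kill <pid>`
    try:
        proc.wait(timeout=timeout)
        return True
    except subprocess.TimeoutExpired:
        return False


def check_pcap(data):
    """Validate a classic libpcap (.pcap) file held in memory.

    Returns {"ok": bool, "packets": int, "reason": str}. A capture that was
    cut off mid-write ends with a partial record header or a record body
    shorter than its incl_len field; both are reported as truncation.
    """
    if len(data) < 24:
        return {"ok": False, "packets": 0, "reason": "global header truncated"}
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"    # little-endian file, microsecond or nanosecond timestamps
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"    # big-endian file
    else:
        return {"ok": False, "packets": 0, "reason": "bad magic"}
    snaplen = struct.unpack(endian + "I", data[16:20])[0]

    offset, packets = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            return {"ok": False, "packets": packets, "reason": "record header truncated"}
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        # Saved bytes can never exceed the snaplen or the on-wire length.
        if incl_len > snaplen or incl_len > orig_len:
            return {"ok": False, "packets": packets, "reason": "corrupt record header"}
        offset += 16
        if len(data) - offset < incl_len:
            return {"ok": False, "packets": packets, "reason": "record body truncated"}
        offset += incl_len
        packets += 1
    return {"ok": True, "packets": packets, "reason": ""}


def check_pcap_file(path):
    """Convenience wrapper for a file on disk, e.g. filename.pcap after stop_capture."""
    with open(path, "rb") as fh:
        return check_pcap(fh.read())


def build_pcap(payloads, endian="<", snaplen=65535, linktype=1):
    """Build a constructed pcap from raw payloads (test data, not a real capture)."""
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    records = []
    for i, payload in enumerate(payloads):
        records.append(struct.pack(endian + "IIII", 1700000000 + i, 0,
                                   len(payload), len(payload)))
        records.append(payload)
    return header + b"".join(records)


if __name__ == "__main__":
    # Constructed sample: two packets, then the same file cut off mid-record,
    # which is what an unclean tcpdump exit without -U tends to leave behind.
    good = build_pcap([b"\x00" * 60, b"\x01" * 40])
    print(check_pcap(good))          # {'ok': True, 'packets': 2, 'reason': ''}
    print(check_pcap(good[:-10]))    # {'ok': False, 'packets': 1, 'reason': 'record body truncated'}
```

In an automation run the sequence is start_capture, exercise the system under test, stop_capture, then check_pcap_file on the rotated file; when ok is False, keep the file for inspection and fail the run instead of silently analysing a truncated capture.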
