How can I see the traffic while tcpdump is capturing it?
When I use -w, it does not display the packets during the capture.
sudo tcpdump -i enp2s0 -w test.pcap
tcpdump: listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C6 packets captured
7 packets received by filter
0 packets dropped by kernel
Answer 1
After some experimentation, here is the answer:
sudo tcpdump -i enp2s0 -U -w - | tee test.pcap | tcpdump -r -
-w - : write to standard output.
-U : write each packet as soon as it arrives; don't wait for the buffer to fill.
tee writes the stream to the file, and tcpdump -r - reads the packets from standard input.
Answer 2
The -w option writes tcpdump's output to a file. If you want it printed on the terminal, remove that option.
Answer 3
Because you used the -w option, the packets are saved to a file instead of being shown on standard output. Here is the relevant part of the tcpdump man page:
https://www.tcpdump.org/manpages/tcpdump.1.html
-w file
Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.
This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received. Use the -U flag to cause packets to be written as soon as they are received.
The MIME type application/vnd.tcpdump.pcap has been registered with IANA for pcap files. The filename extension .pcap appears to be the most commonly used along with .cap and .dmp. Tcpdump itself doesn't check the extension when reading capture files and doesn't add an extension when writing them (it uses magic numbers in the file header instead). However, many operating systems and applications will use the extension if it is present and adding one (e.g. .pcap) is recommended.
See pcap-savefile(5) for a description of the file format.
If you want to do both at the same time, you can use the following approach:
Answer 4
To attach a new process to a dump that is already in progress, try:
tail -F -n+0 $dumpfile | tcpdump -r -
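The two patterns from Answer 1 (live capture split with tee) and Answer 4 (attaching a reader to an existing dump) wrapped into reusable functions, plus a small check based on the man page's remark that tcpdump identifies capture files by magic number rather than extension. This is an added example, not code from any of the answers above; it assumes tcpdump, tee, tail and od are installed, that the interface and file names are supplied by the caller, and that the capture itself is run as root. The function names start_capture, follow_capture and pcap_magic_ok are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumes tcpdump, tee,
# tail and od are available; live capture must run with root privileges.

# Answer 1's pipeline: capture on "$iface", save the pcap stream to "$file"
# and print decoded packets on the terminal at the same time.
# -U flushes every packet so the reader sees it immediately instead of
# after the buffer fills; -w - sends the pcap stream to stdout for tee.
start_capture() {
    iface=$1
    file=$2
    tcpdump -i "$iface" -U -w - | tee "$file" | tcpdump -r -
}

# Answer 4's pattern: follow a capture file another tcpdump is still writing.
# -n+0 matters: the pcap file header is at byte 0 and tcpdump -r cannot
# parse a stream that begins in the middle of the file.
follow_capture() {
    file=$1
    tail -F -n+0 "$file" | tcpdump -r -
}

# Compare the first four bytes of a file with the known pcap/pcapng magic
# numbers; this is how tcpdump recognises capture files, not by .pcap.
# Returns 0 if the file looks like a capture file, 1 otherwise.
pcap_magic_ok() {
    magic=$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1) return 0 ;;   # classic pcap, big/little endian
        a1b23c4d|4d3cb2a1) return 0 ;;   # pcap with nanosecond timestamps
        0a0d0d0a)          return 0 ;;   # pcapng section header block
        *)                 return 1 ;;
    esac
}

# Usage:  sh capture.sh live enp2s0 test.pcap
#         sh capture.sh follow test.pcap
case "$1" in
    live)
        start_capture "$2" "$3"
        if pcap_magic_ok "$3"; then echo "saved capture to $3"; fi ;;
    follow)
        follow_capture "$2" ;;
esac
```

Run with `live` in one terminal and `follow` in a second one to confirm that a late reader sees the packets from the beginning of the file; once the live capture is stopped with Ctrl-C, the magic-number check tells you whether the file is a readable capture even if it was given an unusual extension.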