如何在使用tcpdump捕获数据包时查看数据包

分享于 

3分钟阅读

互联网

  繁體 雙語

问题:

当我用tcpdump捕获它时,如何才能看到流量。

当我使用-w时,它不会在捕获过程中显示数据包。


sudo tcpdump -i enp2s0 -w test.pcap


tcpdump: listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes


^C6 packets captured


7 packets received by filter


0 packets dropped by kernel




回答 1:

-w 选项是将tcpdump输出写入文件。 如果你想在终端上打印,你可以删除该选项。


回答 2:

由于你使用的是选项 -w,所以数据包被保存到文件并且不显示在标准输出中。 从tcpdumup手册手册中:

https://www.tcpdump.org/manpages/tcpdump.1.html


-w file


 Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''. 


 This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received. Use the -U flag to cause packets to be written as soon as they are received. 


 The MIME type application/vnd.tcpdump.pcap has been registered with IANA for pcap files. The filename extension. pcap appears to be the most commonly used along with. cap and. dmp. Tcpdump itself doesn't check the extension when reading capture files and doesn't add an extension when writing them (it uses magic numbers in the file header instead). However, many operating systems and applications will use the extension if it is present and adding one (e.g.. pcap) is recommended. 


 See pcap-savefile(5) for a description of the file format. 



如果你想同时执行这两个操作,下面是一种实现这里操作的方法:

如何让tcpdump写入文件和标准输出的适当数据


回答 3:

因此,经过一些实验后,anwser会发生以下情况:


sudo tcpdump -i enp2s0 -U -w - | tee test.pcap | tcpdump -r -



-w -: 写入标准输出。

-U: 在数据包到达时立即写入它们。 缓冲区已满,不要等待。

Tee 将写入文件,tcpdump -r - 从标准输入读取数据包。



PAC  PACK  cap  TCP  Packet  Packets  
相关文章