我正在运行以下版本的 tcpdump:
我想让 tcpdump 为它捕获的每个数据包写入一个文件。目前,如果我退出 tcpdump,我只能看到捕获的数据包。
tcpdump -i em1 -w /tmp/pkts.pcap -s 1500
我需要退出才能打开/tmp/pkts.pcap- 在此之前我认为 tcpdump 正在缓冲。有没有办法让 tcpdump 立即写入文件而不是缓冲?
将该-U选项与该-w选项结合使用,并检查您是否有支持pcap_dump_flush(). 从手册页(版本 4.3.0-1):
-U If the -w option is not specified, make the printed packet output ``packet-
buffered''; i.e., as the description of the contents of each packet is printed, it
will be written to the standard output, rather than, when not writing to a terminal,
being written only when the output buffer fills.
If the -w option is specified, make the saved raw packet output ``packet-buffered'';
i.e., as each packet is saved, it will be written to the output file, rather than
being written only when the output buffer fills.
The -U flag will not be supported if tcpdump was built with an older version of
libpcap that lacks the pcap_dump_flush() function.
| 归档时间: |
|
| 查看次数: |
20487 次 |
| 最近记录: |