Tcpdump

Why is the tcpdump output file empty?

  • November 10, 2019

When I use the -w option of tcpdump to save a capture to a file on Red Hat Enterprise Linux Server release 6.5, the resulting file is empty:

[root@plop ~]# tcpdump -n -w tcpdump.cap
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C217 packets captured
217 packets received by filter
0 packets dropped by kernel
[root@plop ~]# cat tcpdump.cap
[root@plop ~]# ll tcpdump.cap
-rw-r-----. 1 root root 0 Aug 25 14:13 tcpdump.cap
[root@plop ~]#

I also tried redirecting the command's output with > and &>, but I always get an empty file...

What could the reason be?

Notes:

  • When not redirecting to a file, I can see the correct output (many packets) in the terminal
  • I did the same thing with tshark and it works as expected (the output file is correct)
  • Version of tcpdump: tcpdump version 4.1-PRE-CVS_2012_02_01
  • Version of libpcap: libpcap version 1.4.0
  • I tried the -U option; it did not fix the problem.

There is a known issue with tcpdump: if it is unable to write to the output file (e.g. permissions or disk full), it does not report this fact.

In this case, since the output file is created fine but no data is written, the filesystem is probably full.

This can be confirmed by re-running it under strace and watching for the writes failing.

The solution is to free up space in the relevant filesystem, or to point tcpdump at a filesystem that has space.
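The three checks that the answer above implies (is there space where the file lives, did the capture file get a real pcap header, and did strace show the writes failing) can be scripted. The following is an added example written for this page, not code from the original answers or from tcpdump; it assumes a POSIX sh with df, awk, od, grep and tr available, and the file names, the strace log and the sample capture files are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original answers): small checks that tell a
# "file created but nothing written" capture apart from a healthy one.
# Assumes POSIX sh with df, awk, od, grep and tr. All file names below are
# constructed for the demo.

# Returns 0 if the filesystem holding the directory of $1 has at least
# $2 KiB available, according to df -P (portable single-line output).
has_free_space() {
    avail=$(df -Pk "$(dirname "$1")" | awk 'NR == 2 { print $4 }')
    [ "${avail:-0}" -ge "$2" ]
}

# Returns 0 if $1 begins with a pcap magic number (either byte order,
# microsecond or nanosecond timestamps). An empty file, which is what a
# capture whose writes all failed looks like, returns 1: od prints nothing.
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if an strace log ($1) records a write(2) that failed with
# ENOSPC, i.e. the "disk full" case the answer above describes.
writes_failed_enospc() {
    grep -q 'write(.*= -1 ENOSPC' "$1"
}

# Constructed sample strace log: the pcap file header write hitting ENOSPC.
SAMPLE_STRACE_LOG=$(mktemp)
cat > "$SAMPLE_STRACE_LOG" <<'EOF'
open("tcpdump.cap", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
write(4, "\324\303\262\241\2\0\4\0\0\0\0\0\0\0\0\0\377\377\0\0\1\0\0\0", 24) = -1 ENOSPC (No space left on device)
EOF

# Constructed sample capture files: one with a valid little-endian pcap
# magic (d4 c3 b2 a1), one empty like the file in the question.
GOOD_CAP=$(mktemp); printf '\324\303\262\241' > "$GOOD_CAP"
EMPTY_CAP=$(mktemp); : > "$EMPTY_CAP"

# Typical use after a real "tcpdump -n -w tcpdump.cap" run:
#   is_pcap tcpdump.cap || echo "capture file has no pcap header"
#   has_free_space tcpdump.cap 1024 || echo "less than 1 MiB free"
#   strace -o strace.log -e trace=write tcpdump -n -w tcpdump.cap
#   writes_failed_enospc strace.log && echo "writes failed: disk full"
```

The pcap header check is the quickest triage step: a file of 0 bytes after "217 packets captured" means not even the 24-byte file header reached the disk, which is exactly the symptom of every write failing silently.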

Try adding the -U option.

From the man page:

  -U
  --packet-buffered
         If the -w option is not specified, make the printed packet output ``packet-buffered''; i.e., as the description of the contents of each packet is printed, it will be written to the standard
         output, rather than, when not writing to a terminal, being written only when the output buffer fills.

         If the -w option is specified, make the saved raw packet output ``packet-buffered''; i.e., as each packet is saved, it will be written to the output file, rather than being written only when
         the output buffer fills.

         The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_dump_flush() function.

Quoted from: https://unix.stackexchange.com/questions/225329