tcpdump only captures 68 bytes of each packet by default, as the tcpdump man page explains:
-s Snarf snaplen bytes of data from each packet rather than the
default of 68 (with SunOS's NIT, the minimum is actually 96).
68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate
protocol information from name server and NFS packets (see
below). Packets truncated because of a limited snapshot are
indicated in the output with ''[|proto]'', where proto is the
name of the protocol level at which the truncation has occurred.
Note that taking larger snapshots both increases the amount of
time it takes to process packets and, effectively, decreases the
amount of packet buffering. This may cause packets to be lost.
You should limit snaplen to the smallest number that will capture
the protocol information you're interested in. Setting
snaplen to 0 means use the required length to catch whole packets.
In short, this passage says that 68 bytes is enough for most network protocols and keeps performance good.
But when capturing traffic we usually want the complete packet, and for that it is enough to add the parameter -s 0.
For example:
tcpdump -s 0 -c 200 -w filename.cap host www.google.com
This captures complete packets (-s 0), 200 of them (-c 200), and writes them to the file filename.cap (-w filename.cap).
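A capture made with too small a snaplen is only obvious afterwards, when the payload you wanted to inspect is missing. The added example below (not part of the original post) builds a small pcap file in memory with the 68-byte default the man page describes, then parses the pcap global header and per-packet records to report the snaplen and which packets were truncated (included length smaller than the original length on the wire). The sample packet lengths and the 0x41 filler bytes are constructed for the demonstration.

```python
import struct

PCAP_HEADER_FMT = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_FMT = "IIII"      # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)


def build_sample_pcap(snaplen, packet_lengths):
    """Construct a minimal little-endian pcap file (sample data, not a real capture).

    Each packet is filled with 0x41 bytes and cut to snaplen, exactly the way
    tcpdump -s <snaplen> would store it.
    """
    header = struct.pack("<" + PCAP_HEADER_FMT, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    records = b""
    for ts, orig_len in enumerate(packet_lengths):
        incl_len = min(orig_len, snaplen)
        records += struct.pack("<" + PCAP_RECORD_FMT, ts, 0, incl_len, orig_len) + b"\x41" * incl_len
    return header + records


def truncation_report(pcap_bytes):
    """Parse a classic pcap file; return (snaplen, packet_count, [indexes of truncated packets])."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:          # bytes d4 c3 b2 a1 on disk: little-endian writer
        endian = "<"
    elif magic == 0xD4C3B2A1:        # bytes a1 b2 c3 d4 on disk: big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or corrupt)")
    snaplen = struct.unpack(endian + PCAP_HEADER_FMT, pcap_bytes[:24])[5]
    offset, index, truncated = 24, 0, []
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack(endian + PCAP_RECORD_FMT, pcap_bytes[offset:offset + 16])
        if incl_len < orig_len:      # snapshot shorter than the packet: payload is missing
            truncated.append(index)
        offset += 16 + incl_len
        index += 1
    return snaplen, index, truncated


if __name__ == "__main__":
    sample = build_sample_pcap(68, [60, 1500, 68, 300])   # constructed packet sizes
    snaplen, count, truncated = truncation_report(sample)
    print(f"snaplen={snaplen} packets={count} truncated={truncated}")
```

Run the same check against a real file with truncation_report(open("filename.cap", "rb").read()); a non-empty list means the capture was taken with too small a snaplen and should be repeated with -s 0.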