tcpdump后台不间断抓包

版本1的抓包命令

这两天排查一个小问题，需要在服务器上使用tcpdump24小时不间断抓包，这里简单记录下。

先看下tcpdump的语法：

tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
               [ -c count ]
               [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
               [ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
               [ --number ] [ -Q|-P in|out|inout ]
               [ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
               [ -W filecount ]
               [ -E spi@ipaddr algo:secret,...  ]
               [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
               [ --time-stamp-precision=tstamp_precision ]
               [ --immediate-mode ] [ --version ]
               [ expression ]

一开始使用的命令基本长下面这样：

nohup tcpdump -i ens192 tcp port 5432 -C 1 -w /root/pg5432.pcap &

这个语句的前后分别是nohup 和 &, 这个是为了断开ssh后也能在后台运行，剩下部分才是主体：

tcpdump -i ens192 tcp port 5432 -C 1  -w /root/pg5432.pcap

• -i ens192，指定网卡

• tcp port 5432，指定捕获表达式

• -C 1，表示当捕获文件的大小超过1M时，就新打开一个文件，我昨天是为了测试，就弄的1M。

  -C file_size
  
  Before writing a raw packet to a savefile, check whether the file is currently larger
  
  than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not1,048,576 bytes).

• -w /root/pg5432.pcap，将抓的包存到该路径指定的文件。

  这个选项有一点，就是捕获的内容会被缓存，不会马上写入文件，除非指定-U选项。

  This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received.

  Use the -U flag to cause packets to be written as soon as they are received.

结果执行这个语句，报错：

tcpdump: /root/pg5432.pcap: Permission denied

我都有点懵，我是尊贵的root，还能没权限吗？

后面再想，是不是变成用tcpdump用户执行了，检查了下这个用户的权限，看着没问题，后面还是在网上找到了答案：

https://serverfault.com/questions/478636/tcpdump-out-pcap-permission-denied

意思就是说，加了-C选项后，会放弃自己root的身份，这段英文有点拗口，自己看吧：

Note that when used with -Z option (enabled by default), privileges are dropped before opening first savefile

不过吧，这句提示，在centos 7上安装的tcpdump版本中，甚至没出现，看来文档还是有点问题。

解决的办法，就是加上-Z选项，我这边就是-Z root。

-Z user

--relinquish-privileges=user

If tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output,change the user ID to user and the group ID to the primary group of user.

This behavior can also be enabled by default at compile time.

版本二的抓包命令

nohup tcpdump -i ens192 tcp port 5432 -C 1 -Z root -w /root/pg5432.pcap &

这个命令就可以用了。

抓包效果如下：

扩展选项

当然，可以看到抓到的包很多，如果流量大，可能担心磁盘会炸，此时，可以再加上 -W 选项来限制最多生成多少个文件，如-W 100，最多生成100个，超过100后，就会覆盖最早的文件。

-W

Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin over‐writing files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.

Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit. If used with -C as well, the behavior will result in cyclical files per timeslice.

除了达到一定大小就新建文件，也可以每隔n秒新建文件：

-G rotate_seconds

If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the namespecified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file

will overwrite the previous.

If used in conjunction with the -C option, filenames will take the form of `file'.

在麒麟操作系统如何安装tcpdump

银河麒麟V10

我这次查问题是要在两端同时抓包，一端是centos，另一端结果发现是信创操作系统，麒麟V10。

首先说下，怎么辨别是中标麒麟，还是银河麒麟。

[root@xc-website-db-dev ~]# cat /etc/os-release
NAME="Kylin Linux Advanced Server"
VERSION="V10 (Tercel)"
ID="kylin"
VERSION_ID="V10"
PRETTY_NAME="Kylin Linux Advanced Server V10 (Tercel)"
ANSI_COLOR="0;31"

如果是V10，就是银河麒麟；如果是V7，是中标麒麟。

参考：https://www.cnblogs.com/shuiche/p/16334092.html

我这边也看了下麒麟的官网，服务器端，主要就是这几个版本：

官方文档在这里：

https://www.kylinos.cn/support/document/60.html

银河麒麟高级服务器操作系统 V10系统管理员手册V3.0-20221024.pdf

配置yum源

我看了下上面的文档，已经使用dnf源了，但我们这个系统，不知道谁装的，也还是搞了yum。

但是yum是个本地源，不知道为啥还用不了，配外部yum源吧，内网机器还不能上外网，另外，麒麟的官方的yum源也不知道在哪里，服了，另外，我怀疑是不是必须得用他们的光盘来搞本地源啊。。

我在这台机器上发现个备份的麒麟repo，就记录在这里吧：

###Kylin Linux Advanced Server 10 - os repo###

[ks10-adv-os]
name = Kylin Linux Advanced Server 10 - Os
baseurl = http://update.cs2c.com.cn:8080/NS/V10/V10SP1.1/os/adv/lic/base/$basearch/
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kylin
enabled = 1

[ks10-adv-updates]
name = Kylin Linux Advanced Server 10 - Updates
baseurl = http://update.cs2c.com.cn:8080/NS/V10/V10SP1.1/os/adv/lic/updates/$basearch/
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kylin
enabled = 1

[ks10-adv-addons]
name = Kylin Linux Advanced Server 10 - Addons
baseurl = http://update.cs2c.com.cn:8080/NS/V10/V10SP1.1/os/adv/lic/addons/$basearch/
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kylin
enabled = 0

我想装个tcpdump也很不容易。

这块大家自己百度搜一下吧，我后面是直接rpm安装的：（仅针对x86架构）

https://update.cs2c.com.cn/KY/V10/8U2/os/adv/lic/BaseOS/x86_64/Packages/

里面有tcpdump-4.9.2-6.el8.x86_64.rpm，下载下来rpm -ivh 安装即可。

参考文件

https://www.cnblogs.com/cnhk19/p/16273102.html

https://serverfault.com/questions/478636/tcpdump-out-pcap-permission-denied

https://blog.csdn.net/Xeon_CC/article/details/132142880 (给银河麒麟v10添加yum源)