Why does tcpdump capture only half the packets that are received by the filter?


Problem description

OS: Ubuntu 16.04

I created some packets using the Scapy packet creator tool. The destination address for the packets is my localhost (i.e.) 127.0.0.1

    from scapy.all import IP, TCP, send   # import was missing from the snippet

    while True:
        # loopback source and destination; the payload is an arbitrary string
        packet = IP(src='127.0.1.1', dst="127.0.0.1")/TCP(dport=80)/"from scapy packet"
        send(packet)
        print("tcp sent")

Now, when I run tcpdump on my machine and stop it after some time, the number of packets captured is only half the number of packets received by the filter, but none of the packets are dropped. Here is the output of tcpdump:

    sudo tcpdump -i any dst 127.0.0.1

    OUTPUT:
    119 packets captured
    238 packets received by filter
    0 packets dropped by kernel

Even if I run tcpdump -i lo, I get the same problem. Using tshark instead of tcpdump also displays the same number of packets captured.

Why does this happen? Is it due to a small tcpdump buffer size? How can I capture the rest of the packets?

Recommended answer

From the tcpdump manual page:

When tcpdump finishes capturing packets, it will report counts of:

packets captured (this is the number of packets that tcpdump has received and processed);

packets received by filter (the meaning of this depends on the OS on which you're running tcpdump, and possibly on the way the OS was configured - if a filter was specified on the command line, on some OSes it counts packets regardless of whether they were matched by the filter expression and, even if they were matched by the filter expression, regardless of whether tcpdump has read and processed them yet, on other OSes it counts only packets that were matched by the filter expression regardless of whether tcpdump has read and processed them yet, and on other OSes it counts only packets that were matched by the filter expression and were processed by tcpdump);

packets "dropped by kernel" (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).

http://www.tcpdump.org/tcpdump_man.html

Thus, I guess that, in your case, 238 packets were captured and 119 of them passed the filter (had localhost as destination). This is because packets are captured twice (leaving and arriving at the same interface) and tcpdump removes these duplicates. The same happens if you try to ping 127.0.0.1.
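A small diagnostic script, added here as an example and not part of the question or the answer above, that parses the three summary lines tcpdump prints when it exits and tells apart the two situations the thread discusses: packets actually lost because the capture buffer overflowed ("dropped by kernel" greater than zero, which is what a larger -B buffer would address) versus the loopback case where the filter counts each packet twice but only one copy is written. The embedded sample summary is constructed from the numbers in the question; the rule "received by filter == 2 x captured with nothing dropped means loopback double counting" is an assumption of this script, not something tcpdump itself reports.

```python
import re
from dataclasses import dataclass

# Constructed sample: the summary tcpdump writes to stderr when it is stopped.
# The numbers are the ones quoted in the question above.
SAMPLE_SUMMARY = """\
119 packets captured
238 packets received by filter
0 packets dropped by kernel
"""

# One regex for all three summary lines; the second group names the counter.
SUMMARY_RE = re.compile(
    r"^\s*(\d+) packets (captured|received by filter|dropped by kernel)\s*$",
    re.MULTILINE,
)


@dataclass
class CaptureStats:
    captured: int   # packets tcpdump received and processed
    received: int   # packets counted by the in-kernel filter
    dropped: int    # packets lost for lack of buffer space


def parse_summary(text):
    """Extract the three counters from tcpdump's exit summary."""
    found = {}
    for m in SUMMARY_RE.finditer(text):
        found[m.group(2)] = int(m.group(1))
    missing = {"captured", "received by filter", "dropped by kernel"} - set(found)
    if missing:
        raise ValueError("summary is missing: %s" % sorted(missing))
    return CaptureStats(
        captured=found["captured"],
        received=found["received by filter"],
        dropped=found["dropped by kernel"],
    )


def diagnose(stats):
    """Classify a capture summary.

    'kernel-drops'    -> the capture buffer overflowed (a larger -B helps);
                         the only case in which packets were really lost
    'complete'        -> every packet counted by the filter was written
    'loopback-double' -> received == 2 * captured and nothing dropped:
                         consistent with traffic on lo being counted once
                         leaving and once arriving, with the second copy
                         skipped (a heuristic assumed here, not a tcpdump
                         report)
    'unexplained-gap' -> anything else; inspect the capture itself
    """
    if stats.dropped > 0:
        return "kernel-drops"
    if stats.captured == stats.received:
        return "complete"
    if stats.received == 2 * stats.captured:
        return "loopback-double"
    return "unexplained-gap"


if __name__ == "__main__":
    stats = parse_summary(SAMPLE_SUMMARY)
    print(stats, "->", diagnose(stats))
```

To use it on a real run, redirect tcpdump's stderr to a file (the summary goes there, not to stdout) and pass the file's contents to parse_summary; a "kernel-drops" verdict is the one that calls for a bigger buffer, while "loopback-double" with zero drops means nothing was lost.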
