1. By default tcpdump captures on the first network interface; to capture on a specific interface, use the -i option.
2. tcpdump's -p option: "-p Don't put the interface into promiscuous mode." In other words, it leaves "promiscuous mode" off. With promiscuous mode on, every frame seen on the segment is captured; usually we only want the packets this host itself sends and receives, so we turn it off.
3. To dump only TCP packets with the SYN flag set: tcpdump -i eth1 -n -vv dst port 3306 and 'tcp[13] & 2 == 2'. I saw this on a foreign forum.
4. "N packets dropped by kernel": "dropped by kernel" here does not mean the kernel discarded packets from normal traffic; it means the kernel dropped the portion that tcpdump could not process in time. (man tcpdump: packets ``dropped by kernel'' (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).)
Here is the explanation from the foreign forum again: This means that there were packets on the wire, and handled by the kernel, that weren't read fast enough by tcpdump, and thus weren't displayed by tcpdump. It does not mean anything is wrong with the networking - tcpdump just wasn't keeping up.
It means that a packet was either received or transmitted, and handed to the kernel mechanism used for packet capture, and that mechanism didn't have enough buffer space for it, so it wasn't supplied to tcpdump.
It says nothing about whether the packet was dropped by the regular OS mechanism for transmitting or receiving packets;
it probably wasn't - it was just dropped by the mechanism tcpdump used to capture traffic (which is the same mechanism Ethereal and Tethereal and snort and... use).
Also, using -n to turn off address-to-name resolution may reduce this drop count, since tcpdump no longer stalls on DNS lookups while packets queue up.
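To make clear what the 'tcp[13] & 2 == 2' filter in item 3 actually tests, here is an added example (not from the original post) that builds constructed TCP headers and applies the same byte-offset test in Python. Byte 13 of the TCP header is the flags byte and 0x02 is SYN, so the filter matches both a client's initial SYN and the server's SYN/ACK; the stricter 'tcp[13] == 2' form, also shown, matches only the pure SYN.

```python
import struct

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Constructed minimal 20-byte TCP header (no options) used as sample input."""
    data_offset = 5 << 4  # 5 x 32-bit words, kept in the high nibble of byte 12
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def tcp_byte(header, offset):
    """Equivalent of tcpdump's tcp[offset] accessor on a raw TCP header."""
    return header[offset]


def matches_syn_filter(header):
    """'tcp[13] & 2 == 2': SYN bit set, other flags (e.g. ACK) do not matter."""
    return (tcp_byte(header, 13) & SYN) == SYN


def matches_pure_syn(header):
    """'tcp[13] == 2': SYN and nothing else, i.e. the first packet of a handshake."""
    return tcp_byte(header, 13) == SYN


def describe_flags(header):
    """Return the names of the flags set in byte 13, in bit order."""
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST),
             ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    b = tcp_byte(header, 13)
    return [name for name, bit in names if b & bit]


if __name__ == "__main__":
    # Constructed samples: one handshake towards port 3306 plus a data segment.
    samples = {
        "client SYN": build_tcp_header(40000, 3306, SYN),
        "server SYN/ACK": build_tcp_header(3306, 40000, SYN | ACK),
        "data PSH/ACK": build_tcp_header(40000, 3306, PSH | ACK),
    }
    for name, hdr in samples.items():
        print(f"{name:15} flags={describe_flags(hdr)} "
              f"'tcp[13] & 2 == 2' -> {matches_syn_filter(hdr)} "
              f"'tcp[13] == 2' -> {matches_pure_syn(hdr)}")
```

If you only want inbound connection attempts to the MySQL port and not the server's replies, the 'tcp[13] == 2' form (or 'tcp[tcpflags] == tcp-syn' in pcap-filter syntax) is the one to use.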