Continuous background packet capture with tcpdump

Version 1 of the capture command

Over the last two days I was troubleshooting a small problem and needed to run tcpdump on a server for 24 hours without interruption. This is a short record of how it went.

First, the tcpdump synopsis:

tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
               [ -c count ]
               [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
               [ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
               [ --number ] [ -Q|-P in|out|inout ]
               [ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
               [ -W filecount ]
               [ -E spi@ipaddr algo:secret,...  ]
               [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
               [ --time-stamp-precision=tstamp_precision ]
               [ --immediate-mode ] [ --version ]
               [ expression ]

The command I started with looked roughly like this:

nohup tcpdump -i ens192 tcp port 5432 -C 1 -w /root/pg5432.pcap &

The nohup at the front and the & at the end are there so that the capture keeps running in the background after the SSH session is disconnected; the rest is the actual command:

tcpdump -i ens192 tcp port 5432 -C 1  -w /root/pg5432.pcap

  • -i ens192: the network interface to capture on

  • tcp port 5432: the capture filter expression

  • -C 1: open a new file once the current capture file grows past 1M. I set it to 1M yesterday only for testing.

    -C file_size
    Before writing a raw packet to a savefile, check whether the file is currently larger
    than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

  • -w /root/pg5432.pcap: write the captured packets to the file at this path.

    One thing to know about this option: captured data is buffered and not written to the file immediately, unless the -U option is also given.

    This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received.

    Use the -U flag to cause packets to be written as soon as they are received.

Running this command produced an error:

tcpdump: /root/pg5432.pcap: Permission denied

I was a bit puzzled: I am the mighty root, how can I be lacking permission?

Then I wondered whether it had switched to running as the tcpdump user. I checked that user's permissions and they looked fine. In the end I found the answer online:

https://serverfault.com/questions/478636/tcpdump-out-pcap-permission-denied

The gist is that once the -C option is added, tcpdump gives up its root identity before opening the savefile. The English is a little awkward, so read it for yourself:

Note that when used with -Z option (enabled by default), privileges are dropped before opening first savefile

That said, this note does not even appear in the man page of the tcpdump version installed on CentOS 7, so the documentation is somewhat lacking.

The fix is to add the -Z option; in my case, -Z root.

-Z user
--relinquish-privileges=user
If tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output, change the user ID to user and the group ID to the primary group of user.

This behavior can also be enabled by default at compile time.

Version 2 of the capture command

nohup tcpdump -i ens192 tcp port 5432 -C 1 -Z root -w /root/pg5432.pcap &

This command works.

The capture output looks like this:

[screenshot: captured packets]

Additional options

Of course, as you can see, a lot of packets get captured, and if traffic is heavy you may worry about filling the disk. In that case, add the -W option to limit how many files are created, for example -W 100: at most 100 files are created, and after the 100th the oldest file is overwritten.

-W
Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.

Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit. If used with -C as well, the behavior will result in cyclical files per timeslice.

Besides starting a new file once a certain size is reached, you can also start a new file every n seconds:

-G rotate_seconds
If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous.

If used in conjunction with the -C option, filenames will take the form of `file'.
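To tie the -C, -W, -Z, -U and -G options above together, here is an added example written for this page (my own script, not code from the original post or from the tcpdump project). It builds the argument list for a size-rotated ring buffer, computes the disk ceiling that -C and -W give you, predicts the rotated file names from the man page's leading-zero rule, and builds an alternative -G time-rotated argument list. The function names, the CAPTURE_USER/FILE_MB/FILE_COUNT defaults and the pid/log file names are assumptions. It also shows the alternative to -Z root that keeps the privilege drop in place: give the output directory to the user tcpdump switches to, so the "Permission denied" never happens.

```shell
#!/bin/sh
# Added example, not from the original post: a small wrapper around the
# ring-buffer capture discussed above. Function names, the CAPTURE_USER /
# FILE_MB / FILE_COUNT defaults and the pid/log file names are assumptions.
#
# Privilege handling: instead of "-Z root", the capture keeps tcpdump's
# privilege drop and writes into a directory owned by that unprivileged
# user, which is what the original "Permission denied" was complaining about.
set -u

CAPTURE_USER=${CAPTURE_USER:-tcpdump}   # user tcpdump drops to (-Z)
FILE_MB=${FILE_MB:-100}                 # -C: rotate after N * 1,000,000 bytes
FILE_COUNT=${FILE_COUNT:-100}           # -W: keep at most N files (ring buffer)

# Upper bound on disk use for -C/-W: the -C unit is 1,000,000 bytes, not MiB.
max_capture_bytes() {
    echo $(( $1 * $2 * 1000000 ))
}

# Name of the n-th savefile under -C/-W, following the man page rule: the
# index is zero-padded to as many digits as the largest index (count-1)
# needs, and wraps around once the limit is reached.
rotated_name() {
    out=$1; count=$2; n=$3
    last=$((count - 1))
    if [ "$last" -le 0 ]; then printf '%s' "$out"; return; fi
    printf "%s%0${#last}d" "$out" "$((n % count))"
}

# Argument list for a size-rotated ring buffer. $1 interface, $2 output
# path, remaining args: capture filter. -U flushes packets as they arrive.
build_ring_args() {
    iface=$1; out=$2; shift 2
    printf '%s' "-i $iface -C $FILE_MB -W $FILE_COUNT -Z $CAPTURE_USER -U -w $out $*"
}

# Argument list for time-based rotation. The file name carries a strftime(3)
# template so every interval gets its own file instead of overwriting the
# previous one; with -G, -W caps the file count and tcpdump exits (status 0)
# when it is reached rather than wrapping around.
build_time_args() {
    iface=$1; dir=$2; seconds=$3; shift 3
    printf '%s' "-i $iface -G $seconds -W $FILE_COUNT -Z $CAPTURE_USER -U -w $dir/cap_%Y%m%d_%H%M%S.pcap $*"
}

# Create the output directory owned by the capture user, then start the
# ring buffer in the background, detached from the SSH session.
start_capture() {
    iface=$1; out=$2; shift 2
    dir=$(dirname "$out")
    id "$CAPTURE_USER" >/dev/null || { echo "no such user: $CAPTURE_USER" >&2; return 1; }
    mkdir -p "$dir" && chown "$CAPTURE_USER" "$dir" && chmod 0750 "$dir"
    # shellcheck disable=SC2046  # word splitting of the argument list is intended
    nohup tcpdump $(build_ring_args "$iface" "$out" "$@") >"$dir/tcpdump.log" 2>&1 &
    echo $! >"$dir/tcpdump.pid"
    echo "capture pid $(cat "$dir/tcpdump.pid"); at most $(max_capture_bytes "$FILE_MB" "$FILE_COUNT") bytes in $dir"
}

# Only start a real capture when explicitly asked (needs root and tcpdump):
#   RUN_CAPTURE=1 sh capture.sh ens192 /var/tmp/cap/pg5432.pcap tcp port 5432
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    start_capture "$@"
fi
```

Without RUN_CAPTURE=1 the file only defines functions, so it can be sourced to inspect the argument list or the expected file names first (for example, rotated_name /var/tmp/cap/pg5432.pcap 100 0 prints /var/tmp/cap/pg5432.pcap00). Paths containing spaces are not handled, since the argument list is deliberately word-split.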

How to install tcpdump on Kylin OS

Galaxy Kylin (銀河麒麟) V10

For this investigation I had to capture on both ends at the same time. One end was CentOS; the other turned out to be a domestic ("xinchuang") operating system, Kylin V10.

First, how to tell NeoKylin (中標麒麟) from Galaxy Kylin (銀河麒麟).

[root@xc-website-db-dev ~]# cat /etc/os-release 
NAME="Kylin Linux Advanced Server"
VERSION="V10 (Tercel)"
ID="kylin"
VERSION_ID="V10"
PRETTY_NAME="Kylin Linux Advanced Server V10 (Tercel)"
ANSI_COLOR="0;31"

If it is V10, it is Galaxy Kylin; if it is V7, it is NeoKylin.

Reference: https://www.cnblogs.com/shuiche/p/16334092.html
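As an added example (my own script, not from the original post), here is that check as a small os-release parser, so it can be run across a fleet rather than read by eye. It applies the rule from the post (VERSION_ID V10 is Galaxy Kylin, V7 is NeoKylin); the function names are assumptions, and so is matching the ID field on anything containing "kylin", which I chose so that both families match.

```shell
#!/bin/sh
# Added example (not from the original post): tell Galaxy Kylin from NeoKylin
# by parsing /etc/os-release, using the rule from the post (VERSION_ID V10 is
# Galaxy Kylin, V7 is NeoKylin). Function names are assumptions; matching the
# ID field on "*kylin*" is also an assumption, made so both families match.
set -u

# Constructed sample, copied from the os-release output shown in the post.
SAMPLE_OS_RELEASE='NAME="Kylin Linux Advanced Server"
VERSION="V10 (Tercel)"
ID="kylin"
VERSION_ID="V10"
PRETTY_NAME="Kylin Linux Advanced Server V10 (Tercel)"
ANSI_COLOR="0;31"'

# Read os-release text on stdin and print the value of key $1 without quotes.
os_release_value() {
    sed -n "s/^$1=//p" | sed 's/^"\(.*\)"$/\1/' | head -n 1
}

# Classify os-release text given as $1: prints "Galaxy Kylin", "NeoKylin",
# "unknown Kylin (<version>)" or "not Kylin".
kylin_flavor_from_text() {
    id=$(printf '%s\n' "$1" | os_release_value ID)
    ver=$(printf '%s\n' "$1" | os_release_value VERSION_ID)
    case "$id" in
        *kylin*) ;;
        *) printf 'not Kylin'; return ;;
    esac
    case "$ver" in
        V10*|10*) printf 'Galaxy Kylin' ;;
        V7*|7*)   printf 'NeoKylin' ;;
        *)        printf 'unknown Kylin (%s)' "$ver" ;;
    esac
}

# Classify the machine this script runs on.
kylin_flavor() {
    kylin_flavor_from_text "$(cat /etc/os-release)"
}

# Self-check against the sample from the post.
[ "$(kylin_flavor_from_text "$SAMPLE_OS_RELEASE")" = "Galaxy Kylin" ] \
    || echo "sample check failed" >&2
```

Run kylin_flavor on the host itself; kylin_flavor_from_text is the same logic over text you already have, for example output collected from several machines over SSH.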

I also had a look at Kylin's official website; on the server side there are mainly these versions:

[screenshot: Kylin server product list]

The official documentation is here:

https://www.kylinos.cn/support/document/60.html

銀河麒麟高級服務器操作系統 V10系統管理員手冊V3.0-20221024.pdf (Kylin Linux Advanced Server V10 System Administrator Manual, V3.0, 2022-10-24)

Configuring the yum repository

The documentation above already uses dnf repositories, but on our system (no idea who installed it) yum had been set up as well.

But the yum repository there is a local one and for some reason does not work. Configure an external yum repository? This is an intranet machine with no internet access, and besides, I do not know where Kylin's official yum repository is. I also suspect you have to build the local repository from their installation disc.

I found a backed-up Kylin repo file on this machine, so I will record it here:

###Kylin Linux Advanced Server 10 - os repo###

[ks10-adv-os]
name = Kylin Linux Advanced Server 10 - Os 
baseurl = http://update.cs2c.com.cn:8080/NS/V10/V10SP1.1/os/adv/lic/base/$basearch/
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kylin
enabled = 1

[ks10-adv-updates]
name = Kylin Linux Advanced Server 10 - Updates
baseurl = http://update.cs2c.com.cn:8080/NS/V10/V10SP1.1/os/adv/lic/updates/$basearch/
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kylin
enabled = 1

[ks10-adv-addons]
name = Kylin Linux Advanced Server 10 - Addons
baseurl = http://update.cs2c.com.cn:8080/NS/V10/V10SP1.1/os/adv/lic/addons/$basearch/
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kylin
enabled = 0

Just installing tcpdump turned out to be quite a chore.

Search Baidu for this part yourselves; I ended up installing directly from an rpm (x86 only):

https://update.cs2c.com.cn/KY/V10/8U2/os/adv/lic/BaseOS/x86_64/Packages/
It contains tcpdump-4.9.2-6.el8.x86_64.rpm; download it and install it with rpm -ivh.

References

https://www.cnblogs.com/cnhk19/p/16273102.html
https://serverfault.com/questions/478636/tcpdump-out-pcap-permission-denied
https://blog.csdn.net/Xeon_CC/article/details/132142880 (adding a yum repository to Galaxy Kylin V10)
