How to capture packets on both eth0 and lo at the same time?
My computer has two network interfaces.
netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 27186 0 0 0 20784 0 0 0 BMRU
lo 65536 0 42025 0 0 0 42025 0 0 0 LRU
Packets on lo can be captured:
sudo tcpdump -i lo
Packets on eth0 can be captured:
sudo tcpdump -i eth0
How do I capture packets on both eth0 and lo at the same time?
sudo tcpdump -i eth0 -i lo does not work:
sudo tcpdump -i eth0 -i lo = sudo tcpdump -i eth0=sudo tcpdump
Assuming your kernel supports it, you can run tcpdump -i any, but this will capture on all interfaces, not just the lo and eth0 interfaces. Also, according to the tcpdump man page, "...captures on the ''any'' device will not be done in promiscuous mode", so if you need to put the NIC into promiscuous mode to capture the traffic you are interested in, this solution may not suit you. In that case, you can:
Another option you can try is running tcpdump in parallel on both interfaces, e.g.
sudo tcpdump -i lo &
sudo tcpdump -i eth0 &
The & runs each command in the background.
This also avoids the packet flood caused by the "any" option, and captures only on the two interfaces.
From https://serverfault.com/questions/805006/tcpdump-on-multiple-interfaces
The way I would approach this is to dump on each interface to a separate file and then merge them. The any interface also includes lo traffic which can pollute the capture.
This also allows for analysis of the packet streams per interface without complex filtering.
I would capture in 3 terminals or by backgrounding the command with &
The flag -nn turns off dns resolution for speed, -s 0 saves the full packet and -w writes to a file.
tcpdump -i wan0 -nn -s 0 -w wan0.dump
tcpdump -i wan1 -nn -s 0 -w wan1.dump
tcpdump -i lan0 -nn -s 0 -w lan0.dump
I would then merge the files with the mergecap command from wireshark:
mergecap -w merged.dump wan0.dump wan1.dump lan0.dump
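The following script is an added example (not code from the question or either answer) that combines the two approaches above: it starts one tcpdump per interface in parallel, writes each to its own pcap so the per-interface streams stay separate, and then merges them with mergecap. It assumes Linux (interfaces visible under /sys/class/net), tcpdump and mergecap installed, root privileges, and interface names and an output directory without spaces; the file name multi_capture.sh, the IFACES/OUTDIR/DURATION variables and the function names are choices made here, not anything from the original page.

```shell
#!/bin/sh
# Added example, not from the question or either answer: capture on several
# interfaces in parallel, one pcap per interface, then merge them with mergecap.
# Assumptions: Linux (interfaces listed under /sys/class/net), tcpdump and
# mergecap (ships with Wireshark) installed, run as root. Interface names and
# OUTDIR must not contain spaces.
# Usage: save as multi_capture.sh, then:  IFACES="lo eth0" DURATION=30 ./multi_capture.sh

IFACES="${IFACES:-lo eth0}"    # space-separated list of interfaces to capture
OUTDIR="${OUTDIR:-./captures}" # one <iface>.pcap per interface plus merged.pcap
DURATION="${DURATION:-30}"     # seconds per capture; tcpdump exits on its own

# Build the tcpdump command line for one interface. Flags used:
#   -nn        no host/port name resolution (faster, no DNS lookups during capture)
#   -s 0       full snaplen, nothing truncated
#   -U         flush each packet to the file, so an interrupted capture is still readable
#   -G N -W 1  rotate once after N seconds and then exit (tcpdump's own time limit)
#   -w FILE    write raw pcap instead of printing decoded packets
capture_cmd() {
  iface="$1"; outdir="$2"; seconds="$3"
  printf 'tcpdump -i %s -nn -s 0 -U -G %s -W 1 -w %s/%s.pcap' \
    "$iface" "$seconds" "$outdir" "$iface"
}

# An interface that is not present under /sys/class/net cannot be captured on.
iface_exists() { [ -d "/sys/class/net/$1" ]; }

run_captures() {
  mkdir -p "$OUTDIR"
  pids=""
  for i in $IFACES; do
    if ! iface_exists "$i"; then
      echo "skipping $i: no such interface" >&2
      continue
    fi
    # exec so the background PID is tcpdump itself, not a wrapper shell
    sh -c "exec $(capture_cmd "$i" "$OUTDIR" "$DURATION")" &
    pids="$pids $!"
  done
  [ -n "$pids" ] || { echo "no capturable interfaces in: $IFACES" >&2; return 1; }
  # Ctrl-C must stop every tcpdump rather than leave captures running in the background.
  trap 'kill $pids 2>/dev/null' INT TERM
  wait $pids
  trap - INT TERM
}

# mergecap interleaves the per-interface files by timestamp into one trace;
# the originals are kept so each interface can be analysed without filtering.
merge_captures() {
  files=""
  for i in $IFACES; do
    [ -s "$OUTDIR/$i.pcap" ] && files="$files $OUTDIR/$i.pcap"
  done
  [ -n "$files" ] || { echo "nothing to merge" >&2; return 1; }
  # shellcheck disable=SC2086  # word splitting on $files is intended
  mergecap -w "$OUTDIR/merged.pcap" $files
}

main() { run_captures && merge_captures; }

# Run only when executed under this file name; sourcing the file does nothing.
case "${0##*/}" in multi_capture.sh) main "$@" ;; esac
```

Two design points: the -G/-W pair gives every capture the same end time without relying on an external timeout command, and the trap makes sure that interrupting the script does not leave a root-owned tcpdump writing to disk in the background, which is the usual failure of the plain "& and &" approach.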