ubuntu - Why does tcpdump capture only half of the packets received by the filter?

Tags: ubuntu networking scapy tcpdump libpcap

OS: Ubuntu 16.04

I created some packets with the Scapy packet-crafting tool. The packets are destined for my localhost, i.e. 127.0.0.1

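    from scapy.all import IP, TCP, send

    # Send the same TCP packet to the loopback address in an endless loop.
    while True:
        packet = IP(src='127.0.1.1', dst="127.0.0.1")/TCP(dport=80)/"from scapy packet"
        send(packet)
        print("tcp sent")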

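Now, when I run tcpdump on my machine and stop it after a while, the number of packets captured is only half the number of packets received by the filter, yet no packets were dropped. Here is the tcpdump output: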

    sudo tcpdump -i any dst 127.0.0.1

    OUTPUT:
        119 packets captured
        238 packets received by filter
        0 packets dropped by kernel

Even if I run tcpdump -i lo, I run into the same problem. Using tshark instead of tcpdump also shows the same number of captured packets.

Why does this happen? Is it because the tcpdump buffer is too small? How can I capture the rest of the packets?

Best answer

From the tcpdump man page:

When tcpdump finishes capturing packets, it will report counts of:

packets captured (this is the number of packets that tcpdump has received and processed);

packets received by filter (the meaning of this depends on the OS on which you're running tcpdump, and possibly on the way the OS was configured - if a filter was specified on the command line, on some OSes it counts packets regardless of whether they were matched by the filter expression and, even if they were matched by the filter expression, regardless of whether tcpdump has read and processed them yet, on other OSes it counts only packets that were matched by the filter expression regardless of whether tcpdump has read and processed them yet, and on other OSes it counts only packets that were matched by the filter expression and were processed by tcpdump);

packets ``dropped by kernel'' (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).

http://www.tcpdump.org/tcpdump_man.html

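So, I guess that in your case 238 packets were captured, and 119 of them passed the filter (having localhost as the destination). This is because each packet is captured twice (leaving and arriving on the same interface) and tcpdump drops these duplicates. The same thing happens if you try to ping 127.0.0.1.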

Regarding "ubuntu - Why does tcpdump capture only half of the packets received by the filter?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/45265579/
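A check built on the man page definitions quoted in the answer above, as an added example that is not part of the original question or answer: it parses tcpdump's exit summary and treats only `packets dropped by kernel` as evidence of loss. The function names, verdict labels and the second sample summary are constructed for illustration.

```python
import re

# Matches the counter lines tcpdump prints on exit, e.g.
# "119 packets captured" or "1 packet captured".
_LINE = re.compile(
    r"^\s*(\d+) packets? (captured|received by filter|dropped by kernel)\s*$",
    re.MULTILINE,
)
_REQUIRED = {"captured", "received by filter", "dropped by kernel"}

def parse_summary(text):
    """Return the three counters of a tcpdump exit summary as a dict."""
    counts = {name: int(num) for num, name in _LINE.findall(text)}
    missing = _REQUIRED - counts.keys()
    if missing:
        raise ValueError("incomplete tcpdump summary, missing: %s" % sorted(missing))
    return counts

def assess(text):
    """Classify a capture using only the counters the man page defines."""
    c = parse_summary(text)
    if c["dropped by kernel"] > 0:
        # The only counter that reports loss due to lack of buffer space.
        return "loss"
    # Caveat from the man page: 0 is also printed when the OS does not
    # report drops to applications, so 0 is "no loss reported".
    if c["received by filter"] > c["captured"]:
        # OS-dependent counter; it may include packets tcpdump never
        # processed, so the gap by itself is not a drop count.
        return "no-loss-counter-gap"
    return "no-loss"

# Summary copied from the question above.
QUESTION_SUMMARY = """\
119 packets captured
238 packets received by filter
0 packets dropped by kernel
"""

# Constructed sample: a capture where the kernel reported drops.
CONSTRUCTED_LOSSY = """\
5000 packets captured
5120 packets received by filter
97 packets dropped by kernel
"""

if __name__ == "__main__":
    for label, text in (("question", QUESTION_SUMMARY), ("constructed", CONSTRUCTED_LOSSY)):
        print(label, parse_summary(text), assess(text))
```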
