【原創】如何選擇「定時抓包」方案

時間 2019-11-07

標籤原創如何選擇定時抓包方案简体版

原文原文鏈接

需求：能抓取指定時間長度的包，好比抓取 10s 長度的包；html

可選方案：node

使用 tcpdump 命令的 -G 和 -W 參數；
本身經過腳本實如今指定時間到達後經過 kill 命令殺掉 tcpdump 抓包進程；
使用 tshark 命令的 -a duration:xx 參數；

基於 `tcpdump` 的 `-G` `-W` 參數實現定時的方案

由於 tcpdump 太有名了，因此通常人十有八九會先想到這個工具；算法

查閱 tcpdump 的 man 手冊能夠發現與定時功能相關的參數以下：shell

-G rotate_secondsubuntu

若是設置了該參數，tcpdump 將會以 rotate_seconds 爲週期對經過 -w 選項指定命名的 dump 文件進行輪轉；保存文件命名經過 -w 選項指定，而且應該包含符合 strftime(3) 定義的時間戳格式；若是未指定時間格式，則每個新產生的文件將會覆蓋以前的文件；api

若是和 -C 選項配合使用，文件命名將會採用 'file<count>' 格式；網絡

-Wapp

和 -C 選項配合使用，能夠將建立文件數目限制指定值，而且咋達到該數值後，從頭開始進行文件覆蓋；從行爲上，相似於實現了一個 'rotating' buffer 的功能；另外，該選項會在爲文件命名時使用足夠多的前導 0 ，以便正確支持咱們要求的最大數目，同時容許基於該數值進行正確排序；ssh

和 -G 選項配合使用，能夠將 rotated dump 文件的數目限制在指定值，並在達到該數值的時候以狀態碼 0 退出；若是與 -C 選項配合使用，the behavior will result in cyclical files per timeslice.tcp

-C file_size

在將 raw packet 寫入存儲文件前，會先檢查當前文件的大小是否超過了 file_size 值；若是是，則關閉當前存儲文件，並重開一個新文件；在首個保存文件以後，文件命名的構成變成 -w 指定內容加上一個從 1 開始的數字；file_size 的單位爲兆字節（是 1,000,000 字節，不是 1,048,576 字節）；

看似只要使用 -G 和 -W 參數就能夠實現指定抓包時間長度的功能；試驗以下：

驗證沒有網絡流量時的狀況

說明：

time 用於計算 tcpdump 執行的時間；經過 tcpdump 抓取 22 端口上的 ssh 通訊包； -G 3 -W 1 用於設置只抓取一次 3 秒長度的通訊包；

試驗步驟：啓動以下命令後，不進行任何操做，過了 N 久後敲擊 enter 鍵；

root@vagrant-ubuntu-trusty:~# time tcpdump -i any tcp port 22 -G 3 -W 1 -w timer_test.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

(什麼都不作，等了 N 久後敲一下 enter)

Maximum file limit reached: 1

real	0m28.999s    -- 能夠看到過去的時間遠遠超過 3 秒
user	0m0.008s
sys	    0m0.000s
root@vagrant-ubuntu-trusty:~#
root@vagrant-ubuntu-trusty:~# capinfos timer_test.pcap
File name:           timer_test.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Linux cooked-mode capture
Packet size limit:   file hdr: 262144 bytes
Number of packets:   0    -- 一個包也沒抓到
File size:           24 bytes
Data size:           0 bytes
Capture duration:    n/a
Start time:          n/a
End time:            n/a
Data byte rate:      0 bytes/s
Data bit rate:       0 bits/s
Average packet size: 0.00 bytes
Average packet rate: 0 packets/sec
SHA1:                25b620a6d7e275a5b06401559e9c06bfd2e0f975
RIPEMD160:           60b5d5287c6e8fbd298ff2dac91e5a802e4b706a
MD5:                 3ad37ddb8fad5d769e0df74c7678ba15
Strict time order:   True
root@vagrant-ubuntu-trusty:~#

查看包的內容發現：確實一個包也沒抓到；

root@vagrant-ubuntu-trusty:~# tshark -r timer_test.pcap
Running as user "root" and group "root". This could be dangerous.
root@vagrant-ubuntu-trusty:~#

驗證存在少許網絡流量時的狀況

試驗步驟：啓動以下命令後，按照大概每秒一次的速度敲擊 enter 鍵；

root@vagrant-ubuntu-trusty:~# time tcpdump -i any tcp port 22 -G 3 -W 1 -w timer_test.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

(enter)
(enter)
(enter)

Maximum file limit reached: 1

real	0m3.000s   -- 此次恰好運行了 3 秒
user	0m0.000s
sys	    0m0.004s
root@vagrant-ubuntu-trusty:~#
root@vagrant-ubuntu-trusty:~# capinfos timer_test.pcap
File name:           timer_test.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Linux cooked-mode capture
Packet size limit:   file hdr: 262144 bytes
Number of packets:   3      -- 抓到了 3 個數據包
File size:           318 bytes
Data size:           246 bytes
Capture duration:    0 seconds
Start time:          Fri Dec 16 14:21:39 2016
End time:            Fri Dec 16 14:21:39 2016
Data byte rate:      719 kBps
Data bit rate:       5752 kbps
Average packet size: 82.00 bytes
Average packet rate: 8768 packets/sec
SHA1:                3edbbc777b6732fdc8817f9da1ce0f0f98542936
RIPEMD160:           95bbc3c5b4bdab0cfe1d719dcff30e757fe47c79
MD5:                 147792c10dbe9595cbfc63bf6fb8fe1b
Strict time order:   True
root@vagrant-ubuntu-trusty:~#

查看包的內容發現：抓取到 3 個包，3 個包均在 0.001 秒內發生；

root@vagrant-ubuntu-trusty:~# tshark -r timer_test.pcap
Running as user "root" and group "root". This could be dangerous.
  1   0.000000     10.0.2.2 -> 10.0.2.15    SSH 92 Client: Encrypted packet (len=36)
  2   0.000136    10.0.2.15 -> 10.0.2.2     SSH 92 Server: Encrypted packet (len=36)
  3   0.000342     10.0.2.2 -> 10.0.2.15    TCP 62 53815→22 [ACK] Seq=37 Ack=37 Win=65535 Len=0
root@vagrant-ubuntu-trusty:~#

驗證存在大量網絡流量時的狀況

試驗步驟：啓動以下命令後，按照大概每秒 3～4 次的速度連續敲擊 enter 鍵；

root@vagrant-ubuntu-trusty:~# time tcpdump -i any tcp port 22 -G 3 -W 1 -w timer_test.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

(enter)
(enter)
(enter)
(enter)
(enter)
(enter)
...
(enter)
(enter)
(enter)
(enter)
(enter)
(enter)

Maximum file limit reached: 1

real	0m2.998s    -- 此次也恰好運行了 3 秒
user	0m0.000s
sys 	0m0.000s
root@vagrant-ubuntu-trusty:~#
root@vagrant-ubuntu-trusty:~# capinfos timer_test.pcap
File name:           timer_test.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Linux cooked-mode capture
Packet size limit:   file hdr: 262144 bytes
Number of packets:   18    -- 抓到了 18 個數據包
File size:           1788 bytes
Data size:           1476 bytes
Capture duration:    1 seconds
Start time:          Fri Dec 16 14:29:33 2016
End time:            Fri Dec 16 14:29:34 2016
Data byte rate:      1955 bytes/s
Data bit rate:       15 kbps
Average packet size: 82.00 bytes
Average packet rate: 23 packets/sec
SHA1:                3d4c457b55ac7f496c5c15b1fbf60775aaab23e7
RIPEMD160:           b4a009650d64e5aa90e405d39a735e47e3f904e5
MD5:                 426dba1247972b13257eb12fea76817e
Strict time order:   True
root@vagrant-ubuntu-trusty:~#

查看包的內容發現：抓取到 18 個包，18 個包在 1 秒內發生；

root@vagrant-ubuntu-trusty:~# tshark -r timer_test.pcap
Running as user "root" and group "root". This could be dangerous.
  1   0.000000     10.0.2.2 -> 10.0.2.15    SSH 92 Client: Encrypted packet (len=36)
  2   0.000138    10.0.2.15 -> 10.0.2.2     SSH 92 Server: Encrypted packet (len=36)
  3   0.000303     10.0.2.2 -> 10.0.2.15    TCP 62 53815→22 [ACK] Seq=37 Ack=37 Win=65535 Len=0
  4   0.149969     10.0.2.2 -> 10.0.2.15    SSH 92 Client: Encrypted packet (len=36)
  5   0.150119    10.0.2.15 -> 10.0.2.2     SSH 92 Server: Encrypted packet (len=36)
  6   0.150323     10.0.2.2 -> 10.0.2.15    TCP 62 53815→22 [ACK] Seq=73 Ack=73 Win=65535 Len=0
  7   0.302591     10.0.2.2 -> 10.0.2.15    SSH 92 Client: Encrypted packet (len=36)
  8   0.302728    10.0.2.15 -> 10.0.2.2     SSH 92 Server: Encrypted packet (len=36)
  9   0.302907     10.0.2.2 -> 10.0.2.15    TCP 62 53815→22 [ACK] Seq=109 Ack=109 Win=65535 Len=0
 10   0.449231     10.0.2.2 -> 10.0.2.15    SSH 92 Client: Encrypted packet (len=36)
 11   0.449369    10.0.2.15 -> 10.0.2.2     SSH 92 Server: Encrypted packet (len=36)
 12   0.449550     10.0.2.2 -> 10.0.2.15    TCP 62 53815→22 [ACK] Seq=145 Ack=145 Win=65535 Len=0
 13   0.600790     10.0.2.2 -> 10.0.2.15    SSH 92 Client: Encrypted packet (len=36)
 14   0.600929    10.0.2.15 -> 10.0.2.2     SSH 92 Server: Encrypted packet (len=36)
 15   0.601112     10.0.2.2 -> 10.0.2.15    TCP 62 53815→22 [ACK] Seq=181 Ack=181 Win=65535 Len=0
 16   0.754338     10.0.2.2 -> 10.0.2.15    SSH 92 Client: Encrypted packet (len=36)
 17   0.754482    10.0.2.15 -> 10.0.2.2     SSH 92 Server: Encrypted packet (len=36)
 18   0.754697     10.0.2.2 -> 10.0.2.15    TCP 62 53815→22 [ACK] Seq=217 Ack=217 Win=65535 Len=0
root@vagrant-ubuntu-trusty:~#

小結

上面費了那麼多勁，其實就是想要告訴你，使用 tcpdump 的 -G -W 參數實現抓取指定時間長度的功能不那麼靠譜～～

定製 shell 腳本經過 `kill` 實現 `tcpdump` 的退出

該方案在網上能搜出不少，基本上大同小異；這裏想要說明的問題是，使用哪一種信號中止 tcpdump 的運行是靠譜的～

腳本是組內小夥寫的，簡單講經歷了三次主要變動：

初級階段

a. 後臺（&）啓動 tcpdump 進行抓包；

b. 經過 sleep 進行定時；

c. 在時間到達後經過 kill -9 殺掉 tcpdump 進程；

中級階段

將上述步驟 c 中的 kill -9 換成 kill -2 ；

或者換成先 kill 嘗試殺，經過 sleep 等 N 秒，發現 tcpdump 未退出再 kill -9 強殺；

高級階段

使用 timeout 命令運行 tcpdump ，直接替代掉上述 abc 步驟；

關於 timeout 的原理後面單獨介紹；

變動的緣由

變動的緣由和下面幾個問題有關：

kill -9 強殺致使保存的數據包出錯；
kill -2 優雅的殺，但會致使定時不夠準確；
經過 sleep 進行定時自己帶來的不許確性；

下面基於試驗進行說明，事先準備好三個抓包文件：

test_ctrl_c.pcap 爲經過 Ctrl+C 中止的抓包；
test_kill_2.pcap 爲經過 kill -2 中止的抓包；
test_kill_9.pcap 爲經過 kill -9 中止的抓包；

root@vagrant-ubuntu-trusty:~# ll
...
-rw-r--r-- 1 root root     2874 Dec 13 17:56 test_ctrl_c.pcap
-rw-r--r-- 1 root root    12746 Dec 13 17:56 test_kill_2.pcap
-rw-r--r-- 1 root root    12288 Dec 13 17:56 test_kill_9.pcap

分別確認每一個包中的數據狀態；

test_ctrl_c.pcap 中的數據沒有問題；

root@vagrant-ubuntu-trusty:~# tshark -r test_ctrl_c.pcap
Running as user "root" and group "root". This could be dangerous.
  1   0.000000    10.0.2.15 -> 10.0.2.2     SSH 100 Server: Encrypted packet (len=44)
  2   0.000196     10.0.2.2 -> 10.0.2.15    TCP 62 51858→22 [ACK] Seq=1 Ack=45 Win=65535 Len=0
  3   0.000289    10.0.2.15 -> 10.0.2.2     SSH 156 Server: Encrypted packet (len=100)
  4   0.000479    10.0.2.15 -> 10.0.2.2     SSH 92 Server: Encrypted packet (len=36)
...
 29   9.941804   11.11.11.1 -> 11.11.11.15  TCP 80 5673→44144 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=32 TSval=973233923 TSecr=31683832 SACK_PERM=1
 30   9.941866  11.11.11.15 -> 11.11.11.1   TCP 68 44144→5673 [RST, ACK] Seq=1 Ack=1 Win=29248 Len=0 TSval=0 TSecr=973233923
root@vagrant-ubuntu-trusty:~#

test_kill_2.pcap 中的數據沒有問題；

root@vagrant-ubuntu-trusty:~# tshark -r test_kill_2.pcap
Running as user "root" and group "root". This could be dangerous.
  1   0.000000    10.0.2.15 -> 10.0.2.2     SSH 108 Server: Encrypted packet (len=52)
  2   0.000521     10.0.2.2 -> 10.0.2.15    TCP 62 51858→22 [ACK] Seq=1 Ack=53 Win=65535 Len=0
  3   0.381098     10.0.2.2 -> 10.0.2.15    SSH 92 Client: Encrypted packet (len=36)
  4   0.381410    10.0.2.15 -> 10.0.2.2     SSH 92 Server: Encrypted packet (len=36)
...
129  10.342446     10.0.2.2 -> 10.0.2.15    SSH 92 Client: Encrypted packet (len=36)
130  10.342960    10.0.2.15 -> 10.0.2.2     SSH 92 Server: Encrypted packet (len=36)
131  10.343120     10.0.2.2 -> 10.0.2.15    TCP 62 51858→22 [ACK] Seq=1261 Ack=1461 Win=65535 Len=0
root@vagrant-ubuntu-trusty:~#

test_kill_9.pcap 中的數據存在問題，報 "appears to have been cut short in the middle of a packet." 錯誤；

root@vagrant-ubuntu-trusty:~# tshark -r test_kill_9.pcap
Running as user "root" and group "root". This could be dangerous.
  1   0.000000    10.0.2.15 -> 10.0.2.2     SSH 92 Server: Encrypted packet (len=36)
  2   0.000012     10.0.2.2 -> 10.0.2.15    TCP 62 51858→22 [ACK] Seq=1 Ack=37 Win=65535 Len=0
  3   0.000201    10.0.2.15 -> 10.0.2.2     SSH 92 Server: Encrypted packet (len=36)
  4   0.000388     10.0.2.2 -> 10.0.2.15    TCP 62 51858→22 [ACK] Seq=1 Ack=73 Win=65535 Len=0
...
123   7.513127  11.11.11.15 -> 11.11.11.1   TCP 68 44153→5673 [RST, ACK] Seq=1 Ack=1 Win=29248 Len=0 TSval=0 TSecr=973248843
124   8.513389  11.11.11.15 -> 11.11.11.1   TCP 76 44892→5674 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=31687833 TSecr=0 WS=64
125   8.513853   11.11.11.1 -> 11.11.11.15  TCP 80 5674→44892 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=32 TSval=973249841 TSecr=31687833 SACK_PERM=1

tshark: The file "test_kill_9.pcap" appears to have been cut short in the middle of a packet.
root@vagrant-ubuntu-trusty:~#

經過 wireshark 打開上述問題包，一樣會看到相應錯誤信息，以下圖：

原理分析

經過 `Ctrl + C` 中止 `tcpdump`

root@vagrant-ubuntu-trusty:~# strace -f -t -s 1024 -o ctrl_c.txt tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:05:48.372349 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 3659061230:3659061266, ack 2948511, win 40880, length 36
15:05:48.372504 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 36:72, ack 1, win 40880, length 36
15:05:48.372578 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 36, win 65535, length 0
15:05:48.372659 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 72, win 65535, length 0
...
15:05:50.412337 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 804:936, ack 37, win 40880, length 132
15:05:50.412660 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 936, win 65535, length 0
15:05:50.412728 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 936:980, ack 37, win 40880, length 44
15:05:50.413661 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 980:1128, ack 37, win 40880, length 148
15:05:50.413777 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 980, win 65535, length 0
15:05:50.413905 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1128, win 65535, length 0
15:05:50.414717 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 1128:1324, ack 37, win 40880, length 196
15:05:50.414926 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1324, win 65535, length 0
^C
54 packets captured
58 packets received by filter
0 packets dropped by kernel
root@vagrant-ubuntu-trusty:~#

中止前瞬間

root@vagrant-ubuntu-trusty:~# cat ctrl_c.txt
...
27163 15:05:51 write(1, "15:05:50.413661 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 980:1128, ack 37, win 40880, length 148\n", 107) = 107
27163 15:05:51 write(1, "15:05:50.413777 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 980, win 65535, length 0\n", 91) = 91
27163 15:05:51 write(1, "15:05:50.413905 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1128, win 65535, length 0\n", 92) = 92
27163 15:05:51 write(1, "15:05:50.414717 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 1128:1324, ack 37, win 40880, length 196\n", 108) = 108
27163 15:05:51 write(1, "15:05:50.414926 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1324, win 65535, length 0\n", 92) = 92
27163 15:05:51 poll([{fd=3, events=POLLIN}], 1, 1000) = ? ERESTART_RESTARTBLOCK (Interrupted by signal)
27163 15:05:52 --- SIGINT {si_signo=SIGINT, si_code=SI_KERNEL} ---
27163 15:05:52 alarm(0)                 = 0
27163 15:05:52 rt_sigreturn()           = -1 EINTR (Interrupted system call)
27163 15:05:52 write(1, "\n", 1)        = 1
27163 15:05:52 open("/proc/net/dev", O_RDONLY) = 4
27163 15:05:52 fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
27163 15:05:52 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa01099a000
27163 15:05:52 read(4, "Inter-|   Receive                                                |  Transmit\n face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n  eth0: 196882525  330484    0    0    0     0          0         0 18125005  192153    0    0    0     0       0          0\n  eth1: 7108624   89629    0    0    0     0          0         0 12262901  170044    0    0    0     0       0          0\n    lo:   99313     582    0    0    0     0          0         0    99313     582    0    0    0     0       0          0\n", 1024) = 571
27163 15:05:52 close(4)                 = 0
27163 15:05:52 munmap(0x7fa01099a000, 4096) = 0
27163 15:05:52 getsockopt(3, SOL_PACKET, PACKET_STATISTICS, {packets=58, drops=0}, [8]) = 0
27163 15:05:52 write(2, "54 packets captured", 19) = 19
27163 15:05:52 write(2, "\n", 1)        = 1
27163 15:05:52 write(2, "58 packets received by filter", 29) = 29
27163 15:05:52 write(2, "\n", 1)        = 1
27163 15:05:52 write(2, "0 packets dropped by kernel", 27) = 27
27163 15:05:52 write(2, "\n", 1)        = 1
27163 15:05:52 setsockopt(3, SOL_PACKET, PACKET_RX_RING, {block_size=0, block_nr=0, frame_size=0, frame_nr=0}, 16) = -1 EINVAL (Invalid argument)
27163 15:05:52 munmap(0x7fa00f989000, 2097152) = 0
27163 15:05:52 munmap(0x7fa010948000, 266240) = 0
27163 15:05:52 close(3)                 = 0
27163 15:05:52 exit_group(0)            = ?
27163 15:05:52 +++ exited with 0 +++

能夠看到 Ctrl+C 觸發的標識未 SI_KERNEL 的 SIGINT 信號被優雅的處理了；

經過 `kill -2` 殺 `tcpdump`

root@vagrant-ubuntu-trusty:~# strace -f -t -s 1024 -o kill_2.txt tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:17:33.533414 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 3659069618:3659069654, ack 2952795, win 40880, length 36
15:17:33.533592 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 36, win 65535, length 0
15:17:33.533693 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 36:72, ack 1, win 40880, length 36
15:17:33.534041 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 72, win 65535, length 0
15:17:33.534528 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 72:108, ack 1, win 40880, length 36
15:17:33.535004 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 108, win 65535, length 0
15:17:33.535179 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 108:144, ack 1, win 40880, length 36
15:17:33.535469 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 144, win 65535, length 0
...
15:17:34.635333 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 692:728, ack 1, win 40880, length 36
15:17:34.635443 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 728, win 65535, length 0
15:17:34.635617 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 728:764, ack 1, win 40880, length 36
15:17:34.635778 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 764, win 65535, length 0
15:17:34.635830 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 764:800, ack 1, win 40880, length 36
15:17:34.635903 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 800, win 65535, length 0

44 packets captured
65 packets received by filter
0 packets dropped by kernel
root@vagrant-ubuntu-trusty:~#

死前瞬間

root@vagrant-ubuntu-trusty:~# cat kill_2.txt
...
27205 15:17:35 write(1, "15:17:34.635617 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 728:764, ack 1, win 40880, length 36\n", 104) = 104
27205 15:17:35 write(1, "15:17:34.635778 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 764, win 65535, length 0\n", 91) = 91
27205 15:17:35 write(1, "15:17:34.635830 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 764:800, ack 1, win 40880, length 36\n", 104) = 104
27205 15:17:35 write(1, "15:17:34.635903 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 800, win 65535, length 0\n", 91) = 91
27205 15:17:35 poll([{fd=3, events=POLLIN}], 1, 1000) = ? ERESTART_RESTARTBLOCK (Interrupted by signal)
27205 15:17:36 --- SIGINT {si_signo=SIGINT, si_code=SI_USER, si_pid=26979, si_uid=0} ---
27205 15:17:36 alarm(0)                 = 0
27205 15:17:36 rt_sigreturn()           = -1 EINTR (Interrupted system call)
27205 15:17:36 write(1, "\n", 1)        = 1
27205 15:17:36 open("/proc/net/dev", O_RDONLY) = 4
27205 15:17:36 fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
27205 15:17:36 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5a1cf33000
27205 15:17:36 read(4, "Inter-|   Receive                                                |  Transmit\n face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n  eth0: 196911929  330885    0    0    0     0          0         0 18150465  192387    0    0    0     0       0          0\n  eth1: 7108624   89629    0    0    0     0          0         0 12262901  170044    0    0    0     0       0          0\n    lo:   99313     582    0    0    0     0          0         0    99313     582    0    0    0     0       0          0\n", 1024) = 571
27205 15:17:36 close(4)                 = 0
27205 15:17:36 munmap(0x7f5a1cf33000, 4096) = 0
27205 15:17:36 getsockopt(3, SOL_PACKET, PACKET_STATISTICS, {packets=65, drops=0}, [8]) = 0
27205 15:17:36 write(2, "44 packets captured", 19) = 19
27205 15:17:36 write(2, "\n", 1)        = 1
27205 15:17:36 write(2, "65 packets received by filter", 29) = 29
27205 15:17:36 write(2, "\n", 1)        = 1
27205 15:17:36 write(2, "0 packets dropped by kernel", 27) = 27
27205 15:17:36 write(2, "\n", 1)        = 1
27205 15:17:36 setsockopt(3, SOL_PACKET, PACKET_RX_RING, {block_size=0, block_nr=0, frame_size=0, frame_nr=0}, 16) = -1 EINVAL (Invalid argument)
27205 15:17:36 munmap(0x7f5a1bf22000, 2097152) = 0
27205 15:17:36 munmap(0x7f5a1cee1000, 266240) = 0
27205 15:17:36 close(3)                 = 0
27205 15:17:36 exit_group(0)            = ?
27205 15:17:36 +++ exited with 0 +++

能夠看到 kill -2 觸發的標識未 SI_USER 的 SIGINT 信號被優雅的處理了；

經過 `kill -9` 殺 `tcpdump`

root@vagrant-ubuntu-trusty:~# strace -f -t -s 1024 -o kill_9.txt tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:51:26.838774 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 3659045002:3659045038, ack 2940875, win 40880, length 36
14:51:26.839029 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 36, win 65535, length 0
14:51:26.839111 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 36:72, ack 1, win 40880, length 36
14:51:26.839224 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 72, win 65535, length 0
14:51:26.839384 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 72:108, ack 1, win 40880, length 36
...
14:51:28.883676 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 1252:1296, ack 1, win 40880, length 44
14:51:28.883884 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1296, win 65535, length 0
14:51:28.883949 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 1296:1332, ack 1, win 40880, length 36
14:51:28.884059 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1332, win 65535, length 0
14:51:28.884331 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 1332:1392, ack 1, win 40880, length 60
14:51:28.884497 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1392, win 65535, length 0
Killed
root@vagrant-ubuntu-trusty:~#

死前瞬間

root@vagrant-ubuntu-trusty:~# cat kill_9.txt
...
27090 14:51:29 write(1, "14:51:28.883949 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 1296:1332, ack 1, win 40880, length 36\n", 106) = 106
27090 14:51:29 write(1, "14:51:28.884059 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1332, win 65535, length 0\n", 92) = 92
27090 14:51:29 write(1, "14:51:28.884331 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 1332:1392, ack 1, win 40880, length 60\n", 106) = 106
27090 14:51:29 write(1, "14:51:28.884497 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1392, win 65535, length 0\n", 92) = 92
27090 14:51:29 poll([{fd=3, events=POLLIN}], 1, 1000 <unfinished ...>
27090 14:51:30 +++ killed by SIGKILL +++

能夠看到 kill -9 觸發的 SIGKILL 信號強殺了 tcpdump 進程，沒有任何優雅而言；

小結

Ctrl+C 和 kill -2 命令行爲基本等價，均可以令 tcpdump 優雅退出；
優雅退出的時間長度是不可控的，若採用 sleep 加 kill -9 的方式進行處理，理論上仍可能形成報數據不完整；
數據不完整的緣由是因爲抓包數據寫入文件時，會使用操做系統中的 buffer ，所以強殺會致使數據丟失；通常狀況下，即便出錯也可認爲對總體分析沒有影響（僅丟失最後的部分數據包）；
關於 tcpdump 的 buffer 控制，能夠查閱 -l 和 -U 參數；
關於 tcpdump 在收到 SIGINT 信號後能優雅退出的緣由，能夠經過 strace 進行追蹤；

包修復工具 pcapfix

pcapfix 工具用於嘗試修復有損毀的 pcap 和 pcapng 文件；爲了修復有損毀的 pcap 文件，該工具首先會檢查未通過任何處理的（intact）pcap global header ，若是存在損毀字節則進行相應修復；若是壓根不存在 global header ，那麼 pcapfix 會添加一個自行建立的 header 給文件；第二步，該工具會嘗試在文件內部查找 pcap packet headers ，該 header 位於 global header 的下方；以後再檢查其值是否正確（或者說是否看起來正確），若是存在錯誤，則會嘗試進行修復；

爲了修復 pcapng 文件，該工具會遍歷文件中所有 packet 的 headers ；並檢查 mandatory Section Header 和 Interface Description Block ，若不存在則進行建立； Pcapfix 會確認 block 大小的正確性，以及 option fields 的有效性；若是存在錯誤，則會按須要修復有問題的 fields 或者乾脆直接跳過，再進行調整以保證最終獲得一個正確可用的 pcapng 文件；

算法實現：

pcapfix will first step through the packets respectively blocks top down until it recognizes corrupted data by checking field validity and using plausibility checks. After that the tool will brute force further pcap packet headers respectively block headers by reading the file byte by byte. If another proper packet or block is found, pcapfix restores the data in between by adding a well-formed pcap packet header or skips it if unusable.

可用配置；

root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles# ../pcapfix -h
pcapfix 1.1.0 (c) 2012-2014 Robert Krause

Usage: ../pcapfix [OPTIONS] filename
OPTIONS:	-d        , --deep-scan          	Deep scan (pcap only)
		-n        , --pcapng             	force pcapng format
		-o <file> , --outfile <file>     	set output file name
		-t <nr>   , --data-link-type <nr>	Data link type
		-v        , --verbose            	Verbose output

root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles#

修復處理過程；

root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles# ../pcapfix test_ctrl_c.pcap
pcapfix 1.1.0 (c) 2012-2014 Robert Krause

[*] Reading from file: test_ctrl_c.pcap
[*] Writing to file: fixed_test_ctrl_c.pcap
[*] File size: 2874 bytes.
[+] This is a PCAP file.
[*] Analyzing Global Header...
[-] The global pcap header seems to be corrupt! ==> CORRECTED
[*] Analyzing packets...
[*] Progress:  20.04 %
[*] Progress:  41.68 %
[*] Progress:  60.61 %
[*] Progress:  81.07 %
[*] Progress: 100.00 %
[*] Wrote 30 packets to file.
[+] SUCCESS: 1 Corruption(s) fixed!

root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles#
root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles#
root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles# ../pcapfix test_kill_2.pcap
pcapfix 1.1.0 (c) 2012-2014 Robert Krause

[*] Reading from file: test_kill_2.pcap
[*] Writing to file: fixed_test_kill_2.pcap
[*] File size: 12746 bytes.
[+] This is a PCAP file.
[*] Analyzing Global Header...
[-] The global pcap header seems to be corrupt! ==> CORRECTED
[*] Analyzing packets...
[*] Progress:  20.05 %
[*] Progress:  40.03 %
[*] Progress:  60.57 %
[*] Progress:  80.43 %
[*] Progress: 100.00 %
[*] Wrote 131 packets to file.
[+] SUCCESS: 1 Corruption(s) fixed!

root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles#
root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles#
root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles# ../pcapfix test_kill_9.pcap
pcapfix 1.1.0 (c) 2012-2014 Robert Krause

[*] Reading from file: test_kill_9.pcap
[*] Writing to file: fixed_test_kill_9.pcap
[*] File size: 12288 bytes.
[+] This is a PCAP file.
[*] Analyzing Global Header...
[-] The global pcap header seems to be corrupt! ==> CORRECTED
[*] Analyzing packets...
[*] Progress:  20.67 %
[*] Progress:  40.27 %
[*] Progress:  60.11 %
[*] Progress:  80.86 %
[+] CORRECTED Packet #126 at position 12216 (1481621480 | 713328 | 56 | 68).
[*] Progress: 100.00 %
[*] Wrote 126 packets to file.
[+] SUCCESS: 2 Corruption(s) fixed!

root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles#
root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles# ll
...
-rw-r--r-- 1 root root  2874 Dec 16 18:25 fixed_test_ctrl_c.pcap
-rw-r--r-- 1 root root 12746 Dec 16 18:25 fixed_test_kill_2.pcap
-rw-r--r-- 1 root root 12288 Dec 16 18:26 fixed_test_kill_9.pcap
-rw-r--r-- 1 root root  2874 Dec 13 17:56 test_ctrl_c.pcap
-rw-r--r-- 1 root root 12746 Dec 13 17:56 test_kill_2.pcap
-rw-r--r-- 1 root root 12288 Dec 13 17:56 test_kill_9.pcap
root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles#
root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles#
root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles# ../pcapfix fixed_test_ctrl_c.pcap
pcapfix 1.1.0 (c) 2012-2014 Robert Krause

[*] Reading from file: fixed_test_ctrl_c.pcap
[*] Writing to file: fixed_fixed_test_ctrl_c.pcap
[*] File size: 2874 bytes.
[+] This is a PCAP file.
[*] Analyzing Global Header...
[+] The global pcap header seems to be fine!
[*] Analyzing packets...
[*] Progress:  20.04 %
[*] Progress:  41.68 %
[*] Progress:  60.61 %
[*] Progress:  81.07 %
[*] Progress: 100.00 %
[*] Your pcap file looks proper. Nothing to fix!

root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles#
root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles#
root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles# ../pcapfix fixed_test_kill_2.pcap
pcapfix 1.1.0 (c) 2012-2014 Robert Krause

[*] Reading from file: fixed_test_kill_2.pcap
[*] Writing to file: fixed_fixed_test_kill_2.pcap
[*] File size: 12746 bytes.
[+] This is a PCAP file.
[*] Analyzing Global Header...
[+] The global pcap header seems to be fine!
[*] Analyzing packets...
[*] Progress:  20.05 %
[*] Progress:  40.03 %
[*] Progress:  60.57 %
[*] Progress:  80.43 %
[*] Progress: 100.00 %
[*] Your pcap file looks proper. Nothing to fix!

root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles#
root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles# ../pcapfix fixed_test_kill_9.pcap
pcapfix 1.1.0 (c) 2012-2014 Robert Krause

[*] Reading from file: fixed_test_kill_9.pcap
[*] Writing to file: fixed_fixed_test_kill_9.pcap
[*] File size: 12288 bytes.
[+] This is a PCAP file.
[*] Analyzing Global Header...
[+] The global pcap header seems to be fine!
[*] Analyzing packets...
[*] Progress:  20.67 %
[*] Progress:  40.27 %
[*] Progress:  60.11 %
[*] Progress:  80.86 %
[*] Progress: 100.00 %
[*] Your pcap file looks proper. Nothing to fix!

root@vagrant-ubuntu-trusty:~/workspace/WGET/pcapfix-1.1.0/testfiles#

經過 tshark 或者 wireshark 打開修復後的數據包，能夠發現不會再報出以前的錯誤信息；

基於 timeout 的定時功能殺 tcpdump

首先查看 man 手冊說明：

timeout: Run a command with a time limit

timeout 負責運行指定命令，若在指定時間間隔後，命令仍在運行則將其 kill 掉；語法以下：

timeout [option] duration command [arg]…

command 不能夠是某些特定 built-in 實用程序；

該程序能夠接受以下選項；全部選項必須在 operands 以前使用；

--preserve-status 返回受控 command 在超時後的 exit 狀態碼；而不是代表 timeout 半身的特定 exit 狀態碼；使用場景：受控 command 須要支持沒法肯定運行時間的狀況；
--foreground 不建立單獨的後臺程序組，以便受控 command 可以正常使用前臺 TTY ；使用場景：支持針對不是直接從交互 shell 上啓動的 command 的超時處理；存在兩種具體狀況：

command 自己是交互類型的，而且須要從 terminal 上進行讀取；
用戶想要從 terminal 上直接發送信號給 command （好比 Ctrl-C ）；

須要注意，在這種操做模式下，該 command 的任何孩子進程將不會出現超時行爲；一樣的，信號 SIGCONT 也不會被髮送給 command ，由於該信號對於前臺進程來講一般是不須要的；而且可能致使那些監督了自身的執行程序（好比 GDB）出現間歇性信號投遞問題；

-k duration
--kill-after=duration

在指定的 duration 過去後，將經過 KILL 信號確保受控 command 必定會被 kill 掉；若未指定該選項，在選用的信號未非致命的狀況下，timeout 可能出現沒法殺死 command 的狀況；

-s signal
--signal=signal

在超時發生後，發送指定 signal 信號給 command ，而不是採用默認的 TERM 信號；參數 signal 能夠指定爲像 HUP 同樣的信號名字，或者信號自己所對應的數字；

duration 爲一個浮點類型的數字，並能夠指定單位；

‘s’ for seconds (the default) ‘m’ for minutes ‘h’ for hours ‘d’ for days

若指定 duration 爲 0 則會去使能相應的超時行爲；須要注意的是，實際的超時 duration 值依賴於系統自己狀況，在須要指定秒級超時如下的超時值時須要考慮到該狀況；

Exit status:

124 if command times out 125 if timeout itself fails 126 if command is found but cannot be invoked 127 if command cannot be found 137 if command is sent the KILL(9) signal (128+9)

the exit status of command otherwise

經過 `timeout` 中止 `tcpdump`

root@vagrant-ubuntu-trusty:~# strace -f -t -s 1024 -o timeout.txt timeout 5 tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:59:03.337331 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 3659057082:3659057118, ack 2946567, win 40880, length 36
14:59:03.337602 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 36, win 65535, length 0
14:59:03.337662 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 36:72, ack 1, win 40880, length 36
14:59:03.337904 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 72:108, ack 1, win 40880, length 36
14:59:03.338026 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 72, win 65535, length 0
14:59:03.338033 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 108, win 65535, length 0
14:59:03.338117 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 108:144, ack 1, win 40880, length 36
14:59:03.338276 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 144, win 65535, length 0
...
14:59:05.385635 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 1184:1324, ack 1, win 40880, length 140
14:59:05.385845 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1324, win 65535, length 0
14:59:05.386623 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 1324:1528, ack 1, win 40880, length 204
14:59:05.386873 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1528, win 65535, length 0
14:59:06.331949 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 1528:1764, ack 1, win 40880, length 236
14:59:06.332328 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1764, win 65535, length 0
14:59:06.332713 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 1764:1880, ack 1, win 40880, length 116
14:59:06.332849 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1880, win 65535, length 0

70 packets captured
74 packets received by filter
0 packets dropped by kernel
root@vagrant-ubuntu-trusty:~#

死前瞬間

root@vagrant-ubuntu-trusty:~# cat timeout.txt
...
27143 14:59:07 write(1, "14:59:06.331949 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 1528:1764, ack 1, win 40880, length 236\n", 107) = 107
27143 14:59:07 write(1, "14:59:06.332328 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1764, win 65535, length 0\n", 92) = 92
27143 14:59:07 write(1, "14:59:06.332713 IP 10.0.2.15.ssh > 10.0.2.2.51858: Flags [P.], seq 1764:1880, ack 1, win 40880, length 116\n", 107) = 107
27143 14:59:07 write(1, "14:59:06.332849 IP 10.0.2.2.51858 > 10.0.2.15.ssh: Flags [.], ack 1880, win 65535, length 0\n", 92) = 92
27143 14:59:07 poll([{fd=3, events=POLLIN}], 1, 1000 <unfinished ...>
27142 14:59:08 <... wait4 resumed> 0x7fff4ce181ac, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
27142 14:59:08 --- SIGALRM {si_signo=SIGALRM, si_code=SI_TIMER, si_pid=0, si_uid=0, si_value=34480176} ---
27142 14:59:08 kill(27143, SIGTERM)     = 0
27142 14:59:08 rt_sigaction(SIGTERM, {SIG_IGN, [TERM], SA_RESTORER|SA_RESTART, 0x7f892818c2f0}, {0x402710, [], SA_RESTORER|SA_RESTART, 0x7f8928531d10}, 8) = 0
27142 14:59:08 kill(0, SIGTERM)         = 0
27142 14:59:08 --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=27142, si_uid=0} ---
27142 14:59:08 kill(27143, SIGCONT)     = 0
27142 14:59:08 rt_sigaction(SIGCONT, {SIG_IGN, [CONT], SA_RESTORER|SA_RESTART, 0x7f892818c2f0}, {SIG_DFL, [], 0}, 8) = 0
27142 14:59:08 kill(0, SIGCONT)         = 0
27142 14:59:08 --- SIGCONT {si_signo=SIGCONT, si_code=SI_USER, si_pid=27142, si_uid=0} ---
27142 14:59:08 rt_sigreturn()           = 61
27142 14:59:08 wait4(27143,  <unfinished ...>
27143 14:59:08 <... poll resumed> )     = ? ERESTART_RESTARTBLOCK (Interrupted by signal)
27143 14:59:08 --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=27142, si_uid=0} ---
27143 14:59:08 --- SIGCONT {si_signo=SIGCONT, si_code=SI_USER, si_pid=27142, si_uid=0} ---
27143 14:59:08 alarm(0)                 = 0
27143 14:59:08 rt_sigreturn()           = -1 EINTR (Interrupted system call)
27143 14:59:08 write(1, "\n", 1)        = 1
27143 14:59:08 open("/proc/net/dev", O_RDONLY) = 4
27143 14:59:08 fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
27143 14:59:08 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fde1a24a000
27143 14:59:08 read(4, "Inter-|   Receive                                                |  Transmit\n face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n  eth0: 196847241  330005    0    0    0     0          0         0 18084721  191870    0    0    0     0       0          0\n  eth1: 7108624   89629    0    0    0     0          0         0 12262901  170044    0    0    0     0       0          0\n    lo:   99313     582    0    0    0     0          0         0    99313     582    0    0    0     0       0          0\n", 1024) = 571
27143 14:59:08 close(4)                 = 0
27143 14:59:08 munmap(0x7fde1a24a000, 4096) = 0
27143 14:59:08 getsockopt(3, SOL_PACKET, PACKET_STATISTICS, {packets=74, drops=0}, [8]) = 0
27143 14:59:08 write(2, "70 packets captured", 19) = 19
27143 14:59:08 write(2, "\n", 1)        = 1
27143 14:59:08 write(2, "74 packets received by filter", 29) = 29
27143 14:59:08 write(2, "\n", 1)        = 1
27143 14:59:08 write(2, "0 packets dropped by kernel", 27) = 27
27143 14:59:08 write(2, "\n", 1)        = 1
27143 14:59:08 setsockopt(3, SOL_PACKET, PACKET_RX_RING, {block_size=0, block_nr=0, frame_size=0, frame_nr=0}, 16) = -1 EINVAL (Invalid argument)
27143 14:59:08 munmap(0x7fde19239000, 2097152) = 0
27143 14:59:08 munmap(0x7fde1a1f8000, 266240) = 0
27143 14:59:08 close(3)                 = 0
27143 14:59:08 exit_group(0)            = ?
27143 14:59:08 +++ exited with 0 +++
27142 14:59:08 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 27143
27142 14:59:08 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=27143, si_status=0, si_utime=0, si_stime=0} ---
27142 14:59:08 close(1)                 = 0
27142 14:59:08 close(2)                 = 0
27142 14:59:08 exit_group(124)          = ?
27142 14:59:08 +++ exited with 124 +++

能夠看到 timeout 觸發的是 SIGALRM 信號，並將該信號轉換成 SIGTERM 後用於殺 tcpdump 進程，接着又以一樣的方式發送了 SIGCONT 信號；能夠看到 tcpdump 是以優雅的方式退出的；

基於 `tshark` 的 `-a duration:xx` 參數實現定時

TShark 是一個網絡協議分析器；其容許你實時捕獲網絡包數據，或者讀取以前抓取後保存的文件；其容許你將包解析後的內容直接輸出到 stdout 上，或者寫入一個文件中；TShark 使用的原生文件格式爲 pcap ，該格式也是 tcpdump 和其它各類相似工具的首選；

定時功能相關參數以下：

-a <capture autostop condition>

設置什麼時候 TShark 要中止寫捕獲文件的規則；規則的形式爲 test:value ，其中 test 爲如下值：

duration:value 在指定秒數過去後，中止寫入捕獲文件；

filesize:value 在文件大小達到 value kB 指定的大小後，中止寫入捕獲文件；若是該選項和 -b 選項一塊兒使用，TShark 會在達到 filesize 指定的字節數目時，中止寫入當前捕獲文件，轉而切換到下一個文件繼續寫入；當讀取捕獲文件時，TShark 會在讀取了指定數目的字節後中止讀取文件（完整的包將會被讀取，所以實際上會讀取超過這個數目的字節）；須要注意的是，filesize 最大值限制在 2 GiB ；

files:value 在 value 數目個文件被寫入以後，中止寫入捕獲文件；

驗證沒有網絡流量時的狀況

試驗步驟：啓動以下命令後，不進行任何操做；

root@vagrant-ubuntu-trusty:~# time tshark -i any -f "tcp port 22" -s 0 -a duration:3 -w tshark_3sec_0packet.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on 'any'


real	0m2.697s
user	0m0.136s
sys	0m0.028s
root@vagrant-ubuntu-trusty:~# time tshark -i any -f "tcp port 22" -s 0 -a duration:3 -w tshark_3sec_0packet.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on 'any'


real	0m3.199s
user	0m0.132s
sys	0m0.032s
root@vagrant-ubuntu-trusty:~# time tshark -i any -f "tcp port 22" -s 0 -a duration:3 -w tshark_3sec_0packet.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on 'any'


real	0m2.683s
user	0m0.124s
sys	0m0.028s
root@vagrant-ubuntu-trusty:~#

能夠看到，上面的定時彷佛也沒有那麼準；

查看包詳情

root@vagrant-ubuntu-trusty:~# capinfos tshark_3sec_0packet.pcap
File name:           tshark_3sec_0packet.pcap
File type:           Wireshark/... - pcapng
File encapsulation:  Linux cooked-mode capture
Packet size limit:   file hdr: (not set)
Number of packets:   0           -- 一個包也沒有
File size:           304 bytes
Data size:           0 bytes
Capture duration:    n/a
Start time:          n/a
End time:            n/a
Data byte rate:      0 bytes/s
Data bit rate:       0 bits/s
Average packet size: 0.00 bytes
Average packet rate: 0 packets/sec
SHA1:                24eca697b1a43c7fa5e4ca4ebbc3e29f693bcbdd
RIPEMD160:           cae57ebbfbef89df1d55be52015f0629e94725fa
MD5:                 91c2cbebf81065dc0a43b6e65cb6c0ba
Strict time order:   True
root@vagrant-ubuntu-trusty:~#

驗證存在少許網絡流量時的狀況

試驗步驟：啓動以下命令後，按照大概每秒一次的速度敲擊 enter 鍵；

root@vagrant-ubuntu-trusty:~# time tshark -i any -f "tcp port 22" -s 0 -a duration:3 -w tshark_3sec_few_packet.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on 'any'

(enter)
3
(enter)
10

real	0m2.440s
user	0m0.132s
sys	0m0.036s
root@vagrant-ubuntu-trusty:~#

查看包詳情

root@vagrant-ubuntu-trusty:~# capinfos tshark_3sec_few_packet.pcap
File name:           tshark_3sec_few_packet.pcap
File type:           Wireshark/... - pcapng
File encapsulation:  Linux cooked-mode capture
Packet size limit:   file hdr: (not set)
Number of packets:   10    -- 抓包 10 個包
File size:           1432 bytes
Data size:           800 bytes
Capture duration:    1 seconds
Start time:          Mon Dec 19 15:22:03 2016
End time:            Mon Dec 19 15:22:04 2016
Data byte rate:      729 bytes/s
Data bit rate:       5836 bits/s
Average packet size: 80.00 bytes
Average packet rate: 9 packets/sec
SHA1:                465d03d1995fc6f7672e8fd3bd705150ab1088ee
RIPEMD160:           4f6f428aa24b13e462a3887be426df6f1b19a565
MD5:                 694c0e0ebf095605099c363ae2a1e48a
Strict time order:   True
root@vagrant-ubuntu-trusty:~#

驗證存在大量網絡流量時的狀況

試驗步驟：啓動以下命令後，按照大概每秒 3～4 次的速度連續敲擊 enter 鍵；

root@vagrant-ubuntu-trusty:~# time tshark -i any -f "tcp port 22" -s 0 -a duration:3 -w tshark_3sec_many_packet.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on 'any'

(enter)
(enter)
1
(enter)
8
(enter)
(enter)
19
(enter)
28
(enter)
(enter)
38

real	0m2.683s
user	0m0.124s
sys	0m0.024s
root@vagrant-ubuntu-trusty:~#

查看包詳情

root@vagrant-ubuntu-trusty:~# capinfos tshark_3sec_many_packet.pcap
File name:           tshark_3sec_many_packet.pcap
File type:           Wireshark/... - pcapng
File encapsulation:  Linux cooked-mode capture
Packet size limit:   file hdr: (not set)
Number of packets:   38     -- 抓到 38 個包
File size:           4624 bytes
Data size:           3076 bytes
Capture duration:    2 seconds
Start time:          Mon Dec 19 15:19:48 2016
End time:            Mon Dec 19 15:19:50 2016
Data byte rate:      1752 bytes/s
Data bit rate:       14 kbps
Average packet size: 80.95 bytes
Average packet rate: 21 packets/sec
SHA1:                aa9ff5e321bae42c2dcee5357c9f844725d395c0
RIPEMD160:           b01396cce83f164165ca9032594f47a9f402db55
MD5:                 c126470f8254046029ad2e54ad8a5e6a
Strict time order:   True
root@vagrant-ubuntu-trusty:~#