Dumpcap Use Cases on Debian
1. Installation and permission setup
sudo apt update && sudo apt install wireshark tshark
sudo usermod -aG wireshark $USER
sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
dumpcap --version
On Debian the dumpcap binary ships in wireshark-common, which apt pulls in as a dependency of wireshark; there is no separate dumpcap or wireshark-cli package, and tshark is the package that provides the command-line analyser. Log out and back in after usermod so the new group membership takes effect. The setcap line grants dumpcap, and only dumpcap, the raw-socket and interface privileges it needs, so captures can run as an ordinary user instead of as root; on Debian the same result is normally obtained with sudo dpkg-reconfigure wireshark-common, which also makes the binary group-owned by wireshark and not executable by others, so the capabilities are reachable only by group members. dumpcap --version should print the version number, which confirms that the installation succeeded. Once this is in place dumpcap can be run as your own user; the sudo in the commands below is only needed on a system where this step was skipped.
2. Basic capture and file splitting
sudo dumpcap -i any -w capture.pcap
sudo dumpcap -i eth0 -c 100 -w capture_100.pcap
sudo dumpcap -i eth0 -b duration:60 -b files:5 -w capture.pcap
sudo dumpcap -i eth0 -b filesize:10240 -b files:5 -w capture.pcap
Run ip a or ifconfig first to confirm the interface name before capturing. -c 100 stops after 100 packets. File rotation is configured with -b rather than with tcpdump's -G/-W/-C rotation options (dumpcap has no -G or -W, and its -C limits capture memory instead): -b duration:60 starts a new file every 60 seconds, -b filesize:10240 starts a new file every 10 MB (the value is in kB), and -b files:5 keeps only the five newest files, so the ring never grows beyond five files. dumpcap names each file by inserting a sequence number and a timestamp into the -w name, so no strftime pattern is needed in the file name.
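The permission checks from section 1 and the ring-buffer capture above, combined into one launcher script; this is an added example, not from the original page, and it assumes the binary is at /usr/bin/dumpcap, the capture group is named wireshark, and getcap from libcap is installed. It refuses to run when the capability or group setup is missing instead of falling back to sudo, so the capture never runs as root.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks for
# non-root dumpcap use, then a ring-buffer capture launched without sudo.
# Assumed: binary at /usr/bin/dumpcap, group "wireshark", getcap from libcap.
set -eu

# caps_ok LINE: LINE is one getcap output line, old style
# "/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip" or new style
# "/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip". Succeeds only if both
# capabilities are listed with the effective and permitted bits.
caps_ok() {
  spec=${1##* }                       # last token: names[+=]flags
  case "$spec" in *[+=]*) ;; *) return 1 ;; esac
  names=${spec%%[+=]*}
  flags=${spec##*[+=]}
  case ",$names," in *,cap_net_raw,*) ;; *) return 1 ;; esac
  case ",$names," in *,cap_net_admin,*) ;; *) return 1 ;; esac
  case "$flags" in *e*) ;; *) return 1 ;; esac
  case "$flags" in *p*) ;; *) return 1 ;; esac
}

# in_group LIST: LIST is the output of `id -nG` for the current user.
in_group() {
  case " $1 " in *" wireshark "*) return 0 ;; *) return 1 ;; esac
}

# ring_args IFACE FILTER SECONDS FILES OUTFILE: the dumpcap arguments for
# a ring buffer that rotates every SECONDS seconds and keeps FILES files.
ring_args() {
  printf '%s\n' "-i $1 -f '$2' -b duration:$3 -b files:$4 -w $5"
}

# preflight: refuse to run (and never fall back to sudo) unless the
# capability and group setup from section 1 is actually in place.
preflight() {
  caps_ok "$(getcap /usr/bin/dumpcap 2>/dev/null || true)" ||
    { echo "dumpcap lacks cap_net_raw/cap_net_admin: run dpkg-reconfigure wireshark-common" >&2; return 1; }
  in_group "$(id -nG)" ||
    { echo "not in group wireshark: add with usermod -aG and log in again" >&2; return 1; }
}

# Usage: sh capture.sh capture eth0 'udp port 53' 60 5 /var/tmp/dns.pcapng
if [ "${1:-}" = capture ]; then
  shift
  preflight
  echo "running: dumpcap $(ring_args "$@")" >&2
  exec dumpcap -i "$1" -f "$2" -b "duration:$3" -b "files:$4" -w "$5"
fi
```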
3. Capture filters and performance tuning
sudo dumpcap -i eth0 -f "port 80" -w http.pcap
sudo dumpcap -i eth0 -f "tcp port 80 and host example.com" -w example_http.pcap
sudo dumpcap -i eth0 -f "icmp" -w icmp.pcap
sudo dumpcap -i eth0 -f "udp port 53 or tcp port 53" -w dns.pcap
sudo dumpcap -i eth0 -s 65535 -w capture_full.pcap
sudo dumpcap -i eth0 -B 64 -w capture.pcap
-f takes a BPF capture filter in the same syntax as tcpdump; it is applied in the kernel, so unwanted traffic never reaches dumpcap or the disk. -s 65535 keeps whole frames instead of truncating them. -B sets the kernel capture buffer in MiB (dumpcap's default is 2 MiB); raising it helps on busy links where dumpcap otherwise reports dropped packets. dumpcap never resolves names, so there is no -n option to speed it up; in dumpcap -n actually selects pcapng output, which is already the default.
4. Collaborative analysis with Wireshark and Tshark
Open the .pcap file in Wireshark (File → Open) and use its protocol dissectors and display filters for troubleshooting.
tshark -r http.pcap -Y "http" -T fields -e frame.number -e ip.src -e ip.dst -e http.host -e http.request.method -e http.request.uri
tshark -i eth0 -Y "http" -T fields -e frame.number -e ip.src -e ip.dst -e http.host -e http.request.method -e http.request.uri
sudo dumpcap -i eth0 -w - 'port 80' | tcpdump -r -
The first tshark command reads the saved file and the second captures live; both print one line per HTTP packet with the selected fields. The last command pipes dumpcap's output to tcpdump for display.
5. Troubleshooting and best practices