Piping tcpdump from a docker container to a local macOS Wireshark instance

Question   votes: 0   answers: 0

I have attached a tcpdump sidecar to one of my containers and I'm trying to feed the captured data into a local instance of Wireshark on macOS.

It dies almost as soon as it starts, with a "Frame 1 too long" error:

# docker exec -it tcpdump-tcpdump-1 tcpdump -s 0 -Un -i eth0 -w - | wireshark -k -i -
 ** (wireshark:69470) 17:53:07.939482 [GUI WARNING] -- Populating font family aliases took 112 ms. Replace uses of missing font family ".AppleSystemUIFont" with one that exists to avoid this cost.
 ** (wireshark:69470) 17:53:09.214024 [Capture MESSAGE] -- Capture Start ...
 ** (wireshark:69470) 17:53:09.295301 [Capture MESSAGE] -- Capture started
 ** (wireshark:69470) 17:53:09.295325 [Capture MESSAGE] -- File: "/var/folders/ht/pffb_rd133jd1x12w50hdzcr0000gn/T/wireshark_-4ATK31.pcapng"
 ** (wireshark:69470) 17:53:09.348556 [Capture MESSAGE] -- Error message from child: "Frame 1 too long (1936288800 bytes)", ""
 ** (wireshark:69470) 17:53:12.191059 [Capture MESSAGE] -- Capture stopped.
#

Taking Wireshark out of the equation and piping straight into tcpdump doesn't decode the packets the way I'd expect either:

# tcpdump -s 0 -Un -i en0 -c 1 -w - | tcpdump -r -
tcpdump: listening on en0, link-type EN10MB (Ethernet), snapshot length 524288 bytes
tcpdump: unknown file format
1 packet captured
80 packets received by filter
0 packets dropped by kernel
%
#

Leaving out the pipe plumbing works, so I'm fairly confident that everything is being passed through intact:

# docker exec -it tcpdump-tcpdump-1 tcpdump -s 0 -Un -i eth0 -c 1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:02:04.419247 IP 172.21.0.1.56032 > 172.21.0.7.389: Flags [S], seq 167416269, win 65495, options [mss 65495,sackOK,TS val 78109604 ecr 0,nop,wscale 7], length 0
1 packet captured
10 packets received by filter
0 packets dropped by kernel
#

I thought the "unknown file format" was significant, so I tried using -P to force reading and writing Apple pcapng, but no joy.

# tcpdump -P -s 0 -Un -i en0 -c 1 -w - | tcpdump -Pr -
tcpdump: listening on en0, link-type EN10MB (Ethernet), snapshot length 524288 bytes
tcpdump: 1 packet captured
unknown file format
38 packets received by filter
0 packets dropped by kernel
%
#

I'm missing something that I can't pin down.

wireshark tcpdump
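As an added diagnostic (not part of the question above), the script below can be put on the same pipe in place of Wireshark: it checks the pcap global header and the first record header and, when the length field is implausible, also shows the length bytes as text. The constructed sample reproduces the exact figure from the log, because 1936288800 is 0x73696C20, i.e. the ASCII bytes " lis" read as a little-endian length, which is what text interleaved into the binary stream looks like to a pcap reader (a pseudo-terminal on the producing side, such as the one `docker exec -t` allocates, merges the producer's stderr into that stream). The file name pcapcheck.py and the sample bytes are assumptions of this example.

```python
import struct
import sys

# Magic numbers that may legitimately start a capture stream: pcap in either
# byte order (microsecond or nanosecond timestamps) and a pcapng section header.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("pcap", "<"), b"\xa1\xb2\xc3\xd4": ("pcap", ">"),
    b"\x4d\x3c\xb2\xa1": ("pcap", "<"), b"\xa1\xb2\x3c\x4d": ("pcap", ">"),
    b"\x0a\x0d\x0d\x0a": ("pcapng", None),
}

def inspect_stream(data: bytes) -> dict:
    """Validate the pcap global header and first record header of a byte stream.
    A length in the billions almost always means bytes that are not packet data
    (typically text) were interleaved into the pipe, so those bytes are reported."""
    kind = MAGICS.get(data[:4])
    if kind is None:
        return {"ok": False, "format": None,
                "detail": f"unknown file format, stream starts with {data[:16]!r}"}
    fmt, endian = kind
    if fmt == "pcapng":
        return {"ok": True, "format": fmt, "detail": "pcapng section header block"}
    if len(data) < 40:
        return {"ok": False, "format": fmt, "detail": "stream ends before first record header"}
    # Global header: magic, version major, version minor, thiszone, sigfigs, snaplen, linktype.
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    # Record header: ts_sec, ts_frac, incl_len (bytes stored), orig_len (bytes on the wire).
    _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[24:40])
    raw = data[32:36]
    as_text = raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None
    if incl_len > snaplen or incl_len > orig_len:
        return {"ok": False, "format": fmt, "incl_len": incl_len, "as_text": as_text,
                "detail": f"frame 1 too long ({incl_len} bytes); length bytes {raw!r}"
                          + (f" are printable text {as_text!r}" if as_text else "")}
    return {"ok": True, "format": fmt, "incl_len": incl_len, "linktype": linktype,
            "detail": f"pcap linktype {linktype}, snaplen {snaplen}, frame 1 is {incl_len} bytes"}

# Constructed samples, not captured traffic: a clean little-endian pcap holding one
# 42-byte frame, and the same global header followed by a line of tcpdump-style
# status text instead of a record (what a merged stdout/stderr stream can look like).
HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
CLEAN = HEADER + struct.pack("<IIII", 1, 0, 42, 42) + b"\x00" * 42
MIXED = HEADER + b"tcpdump: listening on eth0, link-type EN10MB"

if __name__ == "__main__":
    # Usage (assumed file name): <capture producer> -w - | python3 pcapcheck.py
    print(inspect_stream(sys.stdin.buffer.read(64))["detail"])
```

Running the same `docker exec ... -w -` pipeline into this script instead of Wireshark shows what actually arrives at the reader, which a TTY session hides.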