-w (save to a file)
Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.
This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received.
Use the -U flag to cause packets to be written as soon as they are received.
See pcap-savefile(5) for a description of the file format.
-W (maximum number of files)
Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.
-Z (user the output files are created as)
If tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output, change the user ID to user and the group ID to the primary group of user.
This behavior is enabled by default (-Z tcpdump) and can be disabled with -Z root.
-C (file size)
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
# tcpdump -nn net 115.68 -G 5 -w test.pcap
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
tcpdump: aaa: Permission denied
# ls -l aaa
-rw-r--r-- 1 tcpdump tcpdump 80299 Sep 11 13:29 test.pcap
※ Cause: the savefile was created with the tcpdump user's ownership (tcpdump drops to the tcpdump user by default).
Capture as the root user into the file test.pcap in 5-second units (the file is overwritten every 5 seconds):
# tcpdump -nn net 115.68 -G 5 -w test.pcap -Z root
Example 1)
Split the capture every 5 seconds, creating a file named with the timestamp
# tcpdump -nn net 115.68 -G 5 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -Z root
# ls -al trace_2014-09-11*
-rw-r--r-- 1 root root 130470 Sep 11 13:36 trace_2014-09-11_13:35:55.pcap
-rw-r--r-- 1 root root 128020 Sep 11 13:36 trace_2014-09-11_13:36:00.pcap
-rw-r--r-- 1 root root 169068 Sep 11 13:36 trace_2014-09-11_13:36:05.pcap
-rw-r--r-- 1 root root 141378 Sep 11 13:36 trace_2014-09-11_13:36:10.pcap
-rw-r--r-- 1 root root 111066 Sep 11 13:36 trace_2014-09-11_13:36:15.pcap
-rw-r--r-- 1 root root 116596 Sep 11 13:36 trace_2014-09-11_13:36:21.pcap
-rw-r--r-- 1 root root 80460 Sep 11 13:36 trace_2014-09-11_13:36:26.pcap
-rw-r--r-- 1 root root 87421 Sep 11 13:36 trace_2014-09-11_13:36:31.pcap
-rw-r--r-- 1 root root 169819 Sep 11 13:36 trace_2014-09-11_13:36:37.pcap
-rw-r--r-- 1 root root 96685 Sep 11 13:36 trace_2014-09-11_13:36:42.pcap
-rw-r--r-- 1 root root 73052 Sep 11 13:36 trace_2014-09-11_13:36:47.pcap
Example 2)
Split the capture every 5 seconds into timestamp-named files, but with a maximum of 5 files
# tcpdump -nn net 115.68 -G 5 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -Z root -W 5
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Maximum file limit reached: 5
# tcpdump -nn net 115.68 -G 5 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap' -Z root
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C2918 packets captured
2918 packets received by filter
0 packets dropped by kernel
# ls -al trace_2014-09-11*
-rw-r--r-- 1 root root 70984 Sep 11 13:39 trace_2014-09-11_13:39:15.pcap
-rw-r--r-- 1 root root 63027 Sep 11 13:39 trace_2014-09-11_13:39:20.pcap
-rw-r--r-- 1 root root 105150 Sep 11 13:39 trace_2014-09-11_13:39:25.pcap
-rw-r--r-- 1 root root 92381 Sep 11 13:39 trace_2014-09-11_13:39:30.pcap
-rw-r--r-- 1 root root 60955 Sep 11 13:39 trace_2014-09-11_13:39:36.pcap
Example 3)
Split the capture by file size (a new file every 1 MB)
# tcpdump -nn net 115.68 -C 1 -w packet.pcap -Z root
# ls -al packet.pcap*
-rw-r--r-- 1 root root 1000986 Sep 11 13:54 packet.pcap
-rw-r--r-- 1 root root 1000230 Sep 11 13:54 packet.pcap1
-rw-r--r-- 1 root root 1000063 Sep 11 13:54 packet.pcap2
-rw-r--r-- 1 root root 1000988 Sep 11 13:54 packet.pcap3
-rw-r--r-- 1 root root 1001466 Sep 11 13:54 packet.pcap4
-rw-r--r-- 1 root root 1000023 Sep 11 13:54 packet.pcap5
-rw-r--r-- 1 root root 1000261 Sep 11 13:54 packet.pcap6
-rw-r--r-- 1 root root 1001266 Sep 11 13:54 packet.pcap7
-rw-r--r-- 1 root root 1001003 Sep 11 13:54 packet.pcap8
Example 4)
Split the capture by file size with a maximum of 3 files (it does not stop after creating 3 files; the file count is capped at 3 and it keeps overwriting them in turn)
# tcpdump -nn net 115.68 -C 1 -w packet.pcap -Z root -W 3
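The listings above show the two operational gaps of these options: with -G alone the timestamp-named files accumulate until the disk fills, and with -G plus -W tcpdump exits at the limit ("Maximum file limit reached: 5"), so the capture stops. The size check for -C is also in millions of bytes, not MiB, which is why every packet.pcap* file is a little over 1,000,000 bytes. The script below is an added example, not part of the original post or of tcpdump itself: it prunes the oldest savefiles beyond a retention count so a -G capture can run indefinitely, and it flags files that have grown past a given -C value. It assumes the savefiles share a common prefix (trace_ or packet.pcap as in the examples) and, for -G rotation, a strftime name that sorts in time order; it needs no root and no live interface, so it can run from cron beside the capture.

```shell
#!/bin/sh
# Added example (not from the original post): retention and size audit for a
# directory of tcpdump savefiles. Assumes the rotated files share PREFIX and
# that -G files carry a timestamp that sorts lexically in time order.

# prune_oldest DIR PREFIX KEEP
# tcpdump with -G never removes old files, and -G with -W stops capturing at
# the limit, so a bounded, continuous capture needs an external sweep: delete
# every file starting with PREFIX except the newest KEEP.
prune_oldest() {
    dir=$1; prefix=$2; keep=$3
    total=$(ls -1 "$dir" | grep -c "^$prefix")
    if [ "$total" -le "$keep" ]; then
        return 0
    fi
    # Ascending sort puts the oldest timestamps first; drop (total - keep) of them.
    ls -1 "$dir" | grep "^$prefix" | sort | head -n $((total - keep)) |
    while IFS= read -r f; do
        rm -f "$dir/$f"
    done
}

# cflag_bytes N : the byte threshold "tcpdump -C N" rotates at
# (N million bytes, i.e. N * 1,000,000, not N * 1,048,576).
cflag_bytes() {
    echo $(($1 * 1000000))
}

# oversize_files DIR PREFIX N : print files starting with PREFIX that are larger
# than the -C N threshold. tcpdump checks the size before each write and only
# then closes the file, so a rotated savefile is always slightly past the limit;
# a file that is much larger than this means rotation is not happening.
oversize_files() {
    dir=$1; prefix=$2; limit=$(cflag_bytes "$3")
    for f in "$dir"/"$prefix"*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f")
        if [ "$size" -gt "$limit" ]; then
            echo "$f"
        fi
    done
}

# Usage (constructed paths): keep the newest 5 timestamped captures and report
# any packet.pcap* file larger than the -C 1 threshold.
#   prune_oldest /var/tmp/captures trace_ 5
#   oversize_files /var/tmp/captures packet.pcap 1
```

Run prune_oldest from cron with the same prefix as the -w argument; because the -G file names embed the time, the lexical sort used here is the time order and no parsing of the names is needed.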