Linux
tcpdump:out.pcap:權限被拒絕
[root@localhost ~]# cat /etc/issue Fedora release 17 (Beefy Miracle) Kernel \r on an \m (\l) [root@localhost ~]# uname -a Linux localhost.localdomain 3.6.10-2.fc17.i686 #1 SMP Tue Dec 11 18:33:15 UTC 2012 i686 i686 i386 GNU/Linux [root@localhost ~]# tcpdump -i p3p1 -n -w out.pcap -C 16 tcpdump: out.pcap: Permission denied為什麼我得到錯誤?
我該怎麼辦?
我在 Centos 5 上試過,即使在 tmp 或根文件夾上也一樣。從 tcpdump 手冊頁中,在打開第一個保存文件之前與 -Z 選項(預設啟用)一起使用時會刪除特權。因為你指定了“-C 1”,權限被拒絕是因為文件大小已經達到1,並且當創建新文件時會引發權限被拒絕錯誤。所以只需指定 -Z 使用者
# strace tcpdump -i eth0 -n -w out.pcap -C 1 fstat(4, {st_mode=S_IFREG|0644, st_size=903, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aea31934000 lseek(4, 0, SEEK_CUR) = 0 read(4, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 903 read(4, "", 4096) = 0 close(4) = 0 munmap(0x2aea31934000, 4096) = 0 setgroups(1, [77]) = 0 setgid(77) = 0 setuid(77) = 0 setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0\0\0\0\0\0\0\310\357k\0\0\0\0\0", 16) = 0 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 recvfrom(3, 0x7fff9563d35f, 1, 32, 0, 0) = -1 EAGAIN (Resource temporarily unavailable) fcntl(3, F_SETFL, O_RDWR) = 0 setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0\17\0\0\0\0\0P\327\233\7\0\0\0\0", 16) = 0 open("out.pcap", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied) write(2, "tcpdump: ", 9tcpdump: ) = 9 write(2, "out.pcap: Permission denied", 27out.pcap: Permission denied) = 27 write(2, "\n", 1 ) = 1 exit_group(1) = ?您可以看到上面的 strace 結果,tcpdump 將權限放入使用者和組 pcap (77)。
# grep 77 /etc/group pcap:x:77: # grep 77 /etc/passwd pcap:x:77:77::/var/arpwatch:/sbin/nologin從 tcpdump 手冊頁,-C
# man tcpdump -C Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are mil- lions of bytes (1,000,000 bytes, not 1,048,576 bytes). **Note that when used with -Z option (enabled by default), privileges are dropped before opening first savefile.** # tcpdump --help tcpdump version 3.9.4 libpcap version 0.9.4 Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -Z user ] [ expression ]使用 -Z user 指定特定使用者
# tcpdump -i eth0 -n -w out.pcap -C 1 -Z root tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 35 packets captured 35 packets received by filter 0 packets dropped by kernel