Packet capture in Xshell


1. Check whether a packet capture tool is available in the Xshell session

Enter the command tcpdump. If you see output like the figure below, it is installed (it is usually preinstalled).

2. Capture with the following commands

tcpdump -i ens192 host 192.168.0.66 -s 1024 -A (captures packets for an IP address)

tcpdump -i ens192 port 8080 -s 1024 -A (captures packets for a port)

tcpdump -i ens192 host 192.168.0.66 and port 20250 -s 1024 -A (specifies both server and port number)

3. The following is the captured output

Here the "captured" count is the number of packets received by the application layer; "received by filter" and "dropped by kernel" are counters maintained by the kernel, which the application layer reads via getsockopt. When a packet arrives, "received by filter" is incremented by 1; if the socket's receive buffer is already full, the packet is discarded and "dropped by kernel" is incremented by 1.
  /* Linux packet-socket receive path (net/packet/af_packet.c): if queueing this
     skb would exceed the socket's receive buffer, drop it and count the drop */
  if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >= (unsigned)sk->sk_rcvbuf){
   spin_lock(&sk->sk_receive_queue.lock);
   po->stats.tp_drops++;   /* reported by tcpdump as "dropped by kernel" */
   spin_unlock(&sk->sk_receive_queue.lock);
  }
  The size of sk_rcvbuf can be changed by adjusting /proc/sys/net/core/rmem_default and /proc/sys/net/core/rmem_max.
  
  Normally "captured" plus "dropped by kernel" should equal "received by filter". When they do not, it is usually because some packets are still sitting in sk_rcvbuf and have not yet been received by the application layer.
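The accounting described above can be checked mechanically. The following is an added example (not from the original post) that parses the three summary lines tcpdump prints to stderr when it exits, derives how many accepted packets are still queued in sk_rcvbuf, and computes the drop rate; the sample summary is constructed and the 1% threshold is an assumed default.

```python
import re
from dataclasses import dataclass

# Constructed sample of the three-line summary tcpdump prints to stderr on exit.
SAMPLE_SUMMARY = """\
1523 packets captured
1600 packets received by filter
60 packets dropped by kernel
"""

_STAT_RE = re.compile(
    r"^\s*(\d+)\s+packets?\s+(captured|received by filter|dropped by kernel)\s*$",
    re.MULTILINE,
)


@dataclass
class CaptureStats:
    captured: int             # delivered to the application layer
    received_by_filter: int   # accepted by the BPF filter (kernel counter)
    dropped_by_kernel: int    # tp_drops: sk_rcvbuf was full when the packet arrived

    @property
    def queued(self) -> int:
        # Accepted but neither delivered nor dropped: still sitting in sk_rcvbuf,
        # which is why captured + dropped can fall short of received by filter.
        return self.received_by_filter - self.captured - self.dropped_by_kernel

    @property
    def drop_rate(self) -> float:
        if self.received_by_filter == 0:
            return 0.0
        return self.dropped_by_kernel / self.received_by_filter


def parse_stats(summary: str) -> CaptureStats:
    found = {m.group(2): int(m.group(1)) for m in _STAT_RE.finditer(summary)}
    missing = {"captured", "received by filter", "dropped by kernel"} - set(found)
    if missing:
        raise ValueError("incomplete tcpdump summary, missing: %s" % sorted(missing))
    return CaptureStats(found["captured"], found["received by filter"],
                        found["dropped by kernel"])


def assess(stats: CaptureStats, max_drop_rate: float = 0.01) -> list:
    """Return human-readable findings; an empty list means the capture is clean."""
    findings = []
    if stats.queued < 0:
        findings.append("counters inconsistent: captured + dropped exceeds received by filter")
    elif stats.queued > 0:
        findings.append("%d packets still queued in sk_rcvbuf, not yet read by tcpdump" % stats.queued)
    if stats.drop_rate > max_drop_rate:
        findings.append("drop rate %.2f%% exceeds %.2f%%: narrow the filter, add -n, raise -B, "
                        "lower -s, or raise rmem_default/rmem_max" % (100 * stats.drop_rate, 100 * max_drop_rate))
    return findings
```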


Cause of packet loss:
Based on Googling and analysis, the cause of this loss is that after libpcap captures a packet, the tcpdump layer above it does not take it out in time, so the libpcap buffer overflows and overwrites the unprocessed packets; this is what shows up as "dropped by kernel". Note that "kernel" here does not mean the packets were discarded by the Linux kernel, but by tcpdump's "kernel", that is, by libpcap.


 Solution:
 Based on the analysis above, the loss rate can be reduced by improving the processing efficiency of the layer above libpcap. Choose from the following steps as needed; each one reduces the loss rate somewhat:
 1. Minimize the capture scope: reduce the number of packets by specifying the interface, port, packet direction and packet size.
 2. Add the -n option to disable reverse DNS resolution.
 3. Add the -B option to enlarge the OS capture buffer size.
 4. Specify the -s option, preferably with a value below 1000.
 5. Write the packets to a cap file.
 6. Use sysctl to change the SO_RCVBUF parameter and increase the libpcap buffer length: /proc/sys/net/core/rmem_default and /proc/sys/net/core/rmem_ma
 
-B buffer_size
Set the operating system capture buffer size to buffer_size, in units of KiB (1024 bytes).
-n
Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
-s snaplen
--snapshot-length=snaplen
Snarf snaplen bytes of data from each packet rather than the default of 65535 bytes. Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 65535, for backwards compatibility with recent older versions of tcpdump.
