tcpdump: out.pcap: Permission denied

    [root@localhost ~]# cat /etc/issue
    Fedora release 17 (Beefy Miracle)
    Kernel \r on an \m (\l)

    [root@localhost ~]# uname -a
    Linux localhost.localdomain 3.6.10-2.fc17.i686 #1 SMP Tue Dec 11 18:33:15 UTC 2012 i686 i686 i386 GNU/Linux
    [root@localhost ~]# tcpdump -i p3p1 -n -w out.pcap -C 16
    tcpdump: out.pcap: Permission denied

Why am I getting this error?

What should I do?

I tried this on CentOS 5, and it is the same even in /tmp or the root folder. From the tcpdump man page: when the -Z option is used (enabled by default), privileges are dropped before the first savefile is opened. Since you specified "-C 1", the permission denied error is raised when the file size has reached 1 and a new file is created. So just specify -Z user.

    # strace tcpdump -i eth0 -n -w out.pcap -C 1
    fstat(4, {st_mode=S_IFREG|0644, st_size=903, ...}) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aea31934000
    lseek(4, 0, SEEK_CUR) = 0
    read(4, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 903
    read(4, "", 4096) = 0
    close(4) = 0
    munmap(0x2aea31934000, 4096) = 0
    setgroups(1, [77]) = 0
    setgid(77) = 0
    setuid(77) = 0
    setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0\0\0\0\0\0\0\310\357k\0\0\0\0\0", 16) = 0
    fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
    fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
    recvfrom(3, 0x7fff9563d35f, 1, 32, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
    fcntl(3, F_SETFL, O_RDWR) = 0
    setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0\17\0\0\0\0\0P\327\233\7\0\0\0\0", 16) = 0
    open("out.pcap", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
    write(2, "tcpdump: ", 9tcpdump: ) = 9
    write(2, "out.pcap: Permission denied", 27out.pcap: Permission denied) = 27
    write(2, "\n", 1
    ) = 1
    exit_group(1) = ?

As you can see from the strace output above, tcpdump drops privileges to the user and group pcap (77).

    # grep 77 /etc/group
    pcap:x:77:
    # grep 77 /etc/passwd
    pcap:x:77:77::/var/arpwatch:/sbin/nologin

From the tcpdump man page, -C:

    # man tcpdump
    -C  Before writing a raw packet to a savefile, check whether the file is
        currently larger than file_size and, if so, close the current savefile
        and open a new one. Savefiles after the first savefile will have the
        name specified with the -w flag, with a number after it, starting at 1
        and continuing upward. The units of file_size are millions of bytes
        (1,000,000 bytes, not 1,048,576 bytes).
        **Note that when used with -Z option (enabled by default), privileges
        are dropped before opening first savefile.**

    # tcpdump --help
    tcpdump version 3.9.4
    libpcap version 0.9.4
    Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
                   [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
                   [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
                   [ -W filecount ] [ -y datalinktype ] [ -Z user ]
                   [ expression ]

Specify a particular user with -Z user:

    # tcpdump -i eth0 -n -w out.pcap -C 1 -Z root
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    35 packets captured
    35 packets received by filter
    0 packets dropped by kernel
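The answer above shows that the savefile is opened only after tcpdump has already switched to the capture user (pcap, uid/gid 77 here), so the question to answer before starting a capture with -w/-C is "can that unprivileged user create files in the output directory?", not "can root?". The following added shell script (not part of the original thread) performs that check from the directory's owner, group and mode bits, the way the kernel will evaluate it once tcpdump has called setuid(). It assumes GNU coreutils stat (Linux) and a user name of your choosing for the -Z user; the "pcap" default below is the value seen in this thread and is only a placeholder for whatever your build drops to.

```shell
#!/bin/sh
# Added example: check that the user tcpdump drops to (-Z user, or the
# build's default such as "pcap"/"tcpdump") can create files in the capture
# directory. tcpdump drops privileges before opening the first savefile,
# so root being able to write there is irrelevant.
# Assumes GNU coreutils `stat -c` (Linux).

# dir_writable_for_uid DIR UID GID
# Returns 0 when a process running as UID/GID could create entries in DIR,
# judged from the directory's owner, group and permission bits. Creating a
# file needs both write (2) and search (1) permission on the directory.
dir_writable_for_uid() {
    dir=$1; uid=$2; gid=$3
    [ -d "$dir" ] || return 1
    # root bypasses mode checks (CAP_DAC_OVERRIDE), so -Z root always works
    [ "$uid" -eq 0 ] && return 0
    info=$(stat -c '%u %g %a' "$dir" 2>/dev/null) || return 1
    set -- $info
    owner=$1; group=$2; mode=$3
    # keep the last three octal digits; a leading digit (e.g. 1777) carries
    # the sticky/setgid bits, which do not affect write permission here
    mode=$(printf '%s' "$mode" | tail -c 3)
    if [ "$uid" -eq "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c1)      # owner class
    elif [ "$gid" -eq "$group" ]; then
        bits=$(printf '%s' "$mode" | cut -c2)      # group class
    else
        bits=$(printf '%s' "$mode" | cut -c3)      # other class
    fi
    # w+x = 3, rwx = 7; anything else cannot create a file
    case $bits in 3|7) return 0 ;; *) return 1 ;; esac
}

# check_capture_dir DIR USER
# Resolves USER to uid/gid with id(1) and reports whether a capture written
# to DIR would survive tcpdump's privilege drop to that user.
check_capture_dir() {
    dir=$1; user=$2
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user" >&2; return 2; }
    gid=$(id -g "$user")
    if dir_writable_for_uid "$dir" "$uid" "$gid"; then
        echo "ok: $user ($uid:$gid) can create files in $dir"
        return 0
    fi
    echo "tcpdump will fail: $user ($uid:$gid) cannot create files in $dir" >&2
    echo "fix: chown/chgrp or chmod $dir, use a world-writable dir, or pass -Z <user>" >&2
    return 1
}

# Example invocation (placeholder user "pcap"; substitute your -Z user):
#   check_capture_dir "$PWD" pcap && tcpdump -i p3p1 -n -w out.pcap -C 16 -Z pcap
```

The script only reproduces the discretionary permission check; if SELinux is enforcing (as another answer in this thread suggests checking), a directory can pass this test and the open() can still be denied, so treat a "fail" here as a certain failure and a "pass" as a necessary condition.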

Try running the command from /tmp or any other world-writable directory. I remember having problems with tcpdump in directories that are not world-writable, and I don't know why – 🙂

    cd /tmp
    tcpdump -i p3p1 -n -w out.pcap -C 16

Your tcpdump is dropping privileges to the "tcpdump" user; check the man page ("-Z tcpdump" is the default, and the tcpdump user has no permission to write in root's home directory). As Daniel T. told you, run the capture in a world-writable directory such as /tmp, or at least in a directory where the tcpdump user or group has write permission.

Is SELinux running? Check by typing in a terminal:

    /usr/sbin/getenforce

If it says Enforcing, you can try disabling SELinux and running tcpdump again to see whether SE is stopping it.

When I ran into this Permission denied problem, it turned out I had given the file a .cap extension instead of .pcap. I'm not sure why that breaks things, but strace confirmed it came from the OS.

    # uname -a ; lsb_release -a
    Linux bidder-lb4 3.2.0-76-virtual #111-Ubuntu SMP Tue Jan 13 22:33:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 12.04.5 LTS
    Release:        12.04
    Codename:       precise

The error message doesn't make much sense to me, although SELinux is a possible explanation. You can take a closer look at what happens when tcpdump starts by running it under strace:

    strace tcpdump -i p3p1 -n -w out.pcap -C 16

You should change the mode of the directory you are running tcpdump in:

    chmod 777

Now run the command tcpdump -vv -i any -s0 -w file_name.pcap

It should work...!