使用 tcpdump 捕获时如何查看数据包

因此，经过一些实验后，如果出现以下情况：

sudo tcpdump -i enp2s0 -U -w - | tee test.pcap | tcpdump -r -

-w -: 写入标准输出。

-U：一旦数据包到达就写入数据包。不要等到缓冲区已满。

Tee将写入文件，并tcpdump -r -从标准输入读取数据包。

-w选项是将 tcpdump 输出写入文件。如果要在终端上打印，可以删除该选项。

由于您使用选项 -w，因此数据包将保存到文件中，并且不会显示在标准输出中。这里来自 tcpdumup 联机帮助页：

https://www.tcpdump.org/manpages/tcpdump.1.html

-w file
    Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''. 
    This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received. Use the -U flag to cause packets to be written as soon as they are received. 
    The MIME type application/vnd.tcpdump.pcap has been registered with IANA for pcap files. The filename extension .pcap appears to be the most commonly used along with .cap and .dmp. Tcpdump itself doesn't check the extension when reading capture files and doesn't add an extension when writing them (it uses magic numbers in the file header instead). However, many operating systems and applications will use the extension if it is present and adding one (e.g. .pcap) is recommended. 
    See pcap-savefile(5) for a description of the file format.  

如果你想同时做这两件事，这里有一种方法可以实现：

如何让 tcpdump 写入文件和标准输出适当的数据？

要将新进程附加到正在进行的转储，请尝试：

tail -F -n+0 $dumpfile | tcpdump -r -