-U
--packet-buffered
If the -w option is not specified, make the printed packet
output ``packet-buffered''; i.e., as the description of the
contents of each packet is printed, it will be written to
the standard output, rather than, when not writing to a ter‐
minal, being written only when the output buffer fills.
If the -w option is specified, make the saved raw packet
output ``packet-buffered''; i.e., as each packet is saved,
it will be written to the output file, rather than being
written only when the output buffer fills.
The -U flag will not be supported if tcpdump was built with
an older version of libpcap that lacks the pcap_dump_flush()
function.
有两种方法可以避免截断转储文件:
正如 Doug Smythies 所建议的,使用终止信号 (
SIGTERM) 而不是SIGINT终止tcpdump进程:告诉
tcpdump在保存每个数据包时将数据包直接写入文件(选项-U)。这样,即使使用 SIGINT,文件也不会被截断。从man tcpdump: