Capturing netlink packets with tcpdump
NLMON
NLMON is a Netlink monitor device.
Use an NLMON device when you want to monitor system Netlink messages.
Here’s how to create an NLMON device:
```bash
ip link add nlmon0 type nlmon
ip link set nlmon0 up
tcpdump -i nlmon0 -w nlmsg.pcap
```
This creates an NLMON device named nlmon0 and brings it up. Use a packet sniffer (for example, tcpdump) to capture Netlink messages. Recent versions of Wireshark feature decoding of Netlink messages.
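```bash
# Load the nlmon module, then create and bring up the monitor device
modprobe nlmon
ip link add type nlmon        # no name given: the kernel picks nlmon0
ip link set nlmon0 up
# -s 0 captures whole messages instead of truncating them
tcpdump -i nlmon0 -s 0 -w nlmon.pcap
# Clean up once the capture is finished
ip link set nlmon0 down
ip link del dev nlmon0
rmmod nlmon
```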
```bash
modprobe nlmon
# Create the nlmon device inside a separate network namespace
ip netns add testing
ip -n testing link add nlmon0 type nlmon
ip -n testing link set dev nlmon0 up
# Must use -w to save to a file
ip netns exec testing tcpdump -i nlmon0 -w netlink.pcap
```
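To review a saved capture without Wireshark, the following added example (not part of the original page) walks the pcap that tcpdump writes for an nlmon device and counts messages per Netlink family and message type. The function names are hypothetical, the capturing host is assumed to be little-endian, and the sample capture is constructed inline rather than real traffic.

```python
import struct
from collections import Counter

LINKTYPE_NETLINK = 253   # pcap link type tcpdump records for an nlmon capture
FAMILIES = {0: "ROUTE", 4: "SOCK_DIAG", 9: "AUDIT", 12: "NETFILTER",
            15: "KOBJECT_UEVENT", 16: "GENERIC"}   # NETLINK_* protocol numbers
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # pcap magic -> byte order
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def parse_nlmon_pcap(data, host_order="<"):   # assumption: little-endian capture host
    """Yield (family, nlmsg_type, flags, seq, pid) for every Netlink message."""
    end = MAGIC.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] & 0xFFFF != LINKTYPE_NETLINK:
        raise ValueError("capture was not taken on an nlmon device")
    off = 24                                        # skip the pcap global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "I", data, off + 8)[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 16:
            continue                                # no room for the cooked header
        family = struct.unpack_from(">H", pkt, 14)[0]   # last field, network order
        pos = 16
        while pos + 16 <= len(pkt):                 # several nlmsghdr can be batched
            length, mtype, flags, seq, pid = struct.unpack_from(host_order + "IHHII", pkt, pos)
            if length < 16 or pos + length > len(pkt):
                break                               # truncated (snaplen) or malformed
            yield family, mtype, flags, seq, pid
            pos += (length + 3) & ~3                # NLMSG_ALIGN: 4-byte alignment

def summarize(data):
    """Count messages per (family name, nlmsg_type)."""
    return Counter((FAMILIES.get(f, str(f)), t) for f, t, *_ in parse_nlmon_pcap(data))

def build_sample():
    """Constructed two-packet capture (not real traffic), little-endian."""
    def msg(mtype, seq, payload=b""):
        raw = struct.pack("<IHHII", 16 + len(payload), mtype, 0, seq, 0) + payload
        return raw + b"\0" * (-len(raw) % 4)
    def pkt(family, body):
        frame = struct.pack(">HH10xH", 4, 824, family) + body   # 824 = ARPHRD_NETLINK
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_NETLINK)
    return hdr + pkt(0, msg(16, 1, b"abc") + msg(3, 1)) + pkt(16, msg(16, 2))

if __name__ == "__main__":
    print(summarize(build_sample()))
```

For a real capture, pass the file's bytes instead of the sample, for example `summarize(open("nlmsg.pcap", "rb").read())`.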
Reference links