Answers:
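Tcpdump has the option -B to set the size of the capture buffer. The value is then passed to libpcap (the library tcpdump uses to do the actual packet capture) via the function pcap_set_buffer_size(). The tcpdump man page does not specify the unit of the buffer size given with -B, but from the source it appears to be KiB.

The man page of pcap_set_buffer_size() does not specify the default buffer size (which is used if this function is not called), but judging from the libpcap source, it is at least 2 MiB, at least on Linux (though this most likely depends on the system).

With regard to packet buffering and dropping, you should also take care to set the snaplen (-s) parameter accordingly. From man tcpdump:
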
-s Snarf snaplen bytes of data from each packet rather than the
default of 65535 bytes. Packets truncated because of a limited snapshot
are indicated in the output with ``[|proto]'', where proto is the name of
the protocol level at which the truncation has occurred. Note that taking
larger snapshots both increases the amount of time it takes to
process packets and, effectively, decreases the amount of packet buffering.
This may cause packets to be lost. You should limit snaplen to the
smallest number that will capture the protocol information you're
interested in. Setting snaplen to 0 sets it to the default of 65535, for
back-wards compatibility with recent older versions of tcpdump.
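
This means that with a fixed buffer size, you can increase the number of packets that fit into the buffer (and therefore are not dropped) by decreasing the snapshot size.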
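
The effect described in the answer above can be seen in a small simulation. This is an added example, not part of the original answer and not libpcap's real buffer layout: it models the capture buffer as a byte-bounded FIFO with a slow reader. The per-packet overhead, the drain rate and the burst of packets are all constructed assumptions.

```python
"""Simplified model of a fixed-size capture buffer (not libpcap's real layout)."""
from collections import deque

PER_PACKET_OVERHEAD = 32  # assumed bookkeeping bytes stored with each packet


def simulate(buffer_kib, snaplen, wire_lengths, drain_every):
    """Feed packets into a byte-bounded FIFO. The reader removes one packet
    after every `drain_every` arrivals. Returns (captured, dropped)."""
    capacity = buffer_kib * 1024          # -B appears to be in KiB (see answer)
    queue, used = deque(), 0
    captured = dropped = 0
    for i, wire_len in enumerate(wire_lengths, start=1):
        # Only the first `snaplen` bytes of each packet are kept.
        stored = min(wire_len, snaplen) + PER_PACKET_OVERHEAD
        if used + stored > capacity:
            dropped += 1                  # no room left: the packet is lost
        else:
            queue.append(stored)
            used += stored
            captured += 1
        if i % drain_every == 0 and queue:
            used -= queue.popleft()       # slow reader frees one packet
    return captured, dropped


# Constructed burst: 10,000 full-size Ethernet frames of 1514 bytes each.
BURST = [1514] * 10_000


def compare(buffer_kib=2048, drain_every=4):
    """Same 2 MiB buffer and burst, default snaplen versus a header-only one."""
    return {s: simulate(buffer_kib, s, BURST, drain_every) for s in (65535, 96)}


if __name__ == "__main__":
    for snaplen, (captured, dropped) in compare().items():
        print(f"snaplen={snaplen:5d} captured={captured} dropped={dropped}")
```

In this model the 2 MiB buffer overflows during the burst with the default snaplen, while with a snaplen of 96 every packet fits.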