Jeg prøver å fange tcpdump for trafikk til en port i en fil, men dette ser ikke ut til å fange opp alle pakkene. Kommandoen jeg bruker er:

tcpdump-w tdump.dat port 22

Hvorfor er den ikke å fange alle pakker?

Her er mitt forsøk:
root @ pmode-client6 ADC-demo] # tcpdump port 22
tcpdump: lytte på eth0
00:06:45.290838 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 4216814594 seier 65415 (DF)
00:06:45.290865 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 1:69 (68) ack 0 seier 11792 (DF) [tos 0x10]
00:06:45.995979 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 1:69 (68) ack 0 seier 11792 (DF) [tos 0x10]
00:06:46.394715 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 69 seier 65347 (DF)
00:06:46.394750 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 69:513 (444) ack 0 seier 11792 (DF) [tos 0x10]
00:06:46.795739 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 513 seier 64903 (DF)
00:06:46.795751 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 513:809 (296) ack 0 seier 11792 (DF) [tos 0x10]
00:06:47.300580 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 809 seier 64607 (DF)
00:06:47.300590 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 809:1105 (296) ack 0 seier 11792 (DF) [tos 0x10]
00:06:47.697982 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 1105 seier 64311 (DF)
00:06:47.697993 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 1105:1401 (296) ack 0 seier 11792 (DF) [tos 0x10]
00:06:48.106128 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 1401 seier 65535 (DF)
00:06:48.106137 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 1401:1697 (296) ack 0 seier 11792 (DF) [tos 0x10]
00:06:48.598476 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 1697 seier 65239 (DF)
00:06:48.598483 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 1697:1993 (296) ack 0 seier 11792 (DF) [tos 0x10]
00:06:49.007872 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 1993 seier 64943 (DF)
00:06:49.007884 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 1993:2289 (296) ack 0 seier 11792 (DF) [tos 0x10]
00:06:49.512090 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 2289 seier 64647 (DF)
00:06:49.512100 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 2289:2585 (296) ack 0 seier 11792 (DF) [tos 0x10]
00:06:49.913489 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 2585 seier 64351 (DF)
00:06:49.913496 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 2585:2881 (296) ack 0 seier 11792 (DF) [tos 0x10]
00:06:50.315388 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 2881 seier 65535 (DF)
00:06:50.315401 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 2881:3177 (296) ack 0 seier 11792 (DF) [tos 0x10]
00:06:50.813982 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 3177 seier 65239 (DF)
00:06:50.813989 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 3177:3473 (296) ack 0 seier 11792 (DF) [tos 0x10]
00:06:51.042979 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh: P 0:88 (88) ack 3177 seier 65239 (DF)

26 pakker mottas av filteret
0 pakker droppet av kjernen

[root @ pmode-client6 ADC-demo] # tcpdump-w tdump.dat port 22
tcpdump: lytte på eth0

6 pakker mottatt av filteret
0 pakker droppet av kjernen
[root @ pmode-client6 ADC-demo] # tcpdump-r tdump.dat port 22
00:08:56.741761 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 4216835054:4216835106 (52) ack 3917910214 seier 11792 (DF) [tos 0x10]
00:08:57.157589 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 52 seier 65483 (DF)
00:08:57.157610 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 52:120 (68) ack 1 seier 11792 (DF) [tos 0x10]
00:08:57.562987 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 120 seier 65415 (DF)
00:09:06.055469 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh: P 1:89 (88) ack 120 seier 65415 (DF)

Begge kommandoene ble kjørt i 10 sekunder. Faktisk Jeg kjørte kommandoen med-w-alternativet i 15 sek, men fremdeles fanget pakker i dump er bare 6 sammenlignet med 26 pakker uten filen lagre valget. Noen grunn? Hva jeg kan jeg gjøre for å fange opp alt?

-Satish