tech-net archive


Re: tcpdump missing data with IP filtering



I think I found the problem, this is the same as bug 33078.

The switch was mixing vLAN-tagged and untagged traffic in its mirror port
output, so to see the tagged traffic with tcpdump I needed to specify
"vlan" on the tcpdump filter.

Curiously, I haven't yet found a bpf expression that will show both tagged
and untagged traffic.  However, a Debian Linux box sniffing the same traffic
showed all the traffic without any fancy bpf expressions.


On Tue, Oct 19, 2010 at 09:36:12PM -0400, Ed Ravin wrote:
> We're using a NetBSD 5.0.2 i386 host for sniffing traffic from a
> switch mirror port.
> 
> When we try to see a host's traffic with an expression using its host
> name, or even using a general IP protocol as the filter expression,
> we only see the traffic one direction:
> 
>   # /usr/sbin/tcpdump -i fxp1 -s 1000 icmp
>   tcpdump: WARNING: fxp1: no IPv4 address assigned
>   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>   listening on fxp1, link-type EN10MB (Ethernet), capture size 1000 bytes
>   21:08:18.427513 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 42
>   21:08:19.427896 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 43
>   21:08:20.428319 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 44
>   21:08:21.428749 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 45
>   ^C
>   4 packets captured
>   3059 packets received by filter
>   0 packets dropped by kernel
> 
> 
> But when we use the Ethernet MAC address, we can see all the traffic
> for that host:
> 
>   # /usr/sbin/tcpdump -i fxp1 -s 1000 ether host 00:60:69:10:8f:77
>   tcpdump: WARNING: fxp1: no IPv4 address assigned
>   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>   listening on fxp1, link-type EN10MB (Ethernet), capture size 1000 bytes
>   21:08:24.429256 IP 10.0.0.252 > 10.0.0.223: icmp 64: echo request seq 48
>   21:08:24.430016 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 48
>   21:08:25.429683 IP 10.0.0.252 > 10.0.0.223: icmp 64: echo request seq 49
>   21:08:25.430443 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 49
>   21:08:26.430109 IP 10.0.0.252 > 10.0.0.223: icmp 64: echo request seq 50
>   21:08:26.430874 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 50
>   ^C
>   6 packets captured
>   2663 packets received by filter
>   0 packets dropped by kernel
> 
> Any idea what might be going on?  We see similar behavior with another
> network port, a wm interface, on the same box.

-- 
Ed Ravin                   |  Warning - this email may contain rhetorical
                           |  devices, metaphors, analogies, typographical
eravin@                    |  errors, or just plain snarkiness.  A sense of
panix.com                  |  humor may be required for proper interpretation.
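The frame-offset mechanics behind the one-direction symptom, as an added example that is not part of the original thread: a Python sketch (constructed frames, hypothetical function names) builds an untagged and an 802.1Q-tagged ICMP frame and compares a fixed-offset test, the kind a plain "icmp" filter compiles to, with a tag-aware one. It shows why a monitoring box fed a mixed mirror port silently loses the tagged half.

```python
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def build_frame(tagged: bool, icmp_type: int, seq: int, vlan_id: int = 100) -> bytes:
    """Constructed sample frame: Ethernet header, optional 802.1Q tag, minimal IPv4 + ICMP echo."""
    eth = bytes.fromhex("006069108f77") + bytes.fromhex("001122334455")  # dst, src (sample MACs)
    if tagged:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)  # TPID + TCI (priority 0, VID 100)
    eth += struct.pack("!H", ETHERTYPE_IP)
    # IPv4: ver/IHL, TOS, total len, id, flags/frag, TTL, proto, checksum (0, unchecked), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IPPROTO_ICMP, 0,
                     bytes([10, 0, 0, 252]), bytes([10, 0, 0, 223]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq)  # type, code, csum, id, seq
    return eth + ip + icmp


def fixed_offset_icmp(frame: bytes) -> bool:
    """What an unqualified 'icmp' test does: EtherType at byte 12, IP protocol at byte 23."""
    return struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_IP and frame[23] == IPPROTO_ICMP


def tag_aware_icmp(frame: bytes) -> bool:
    """Skip a 4-byte 802.1Q tag when present, then apply the same test at the shifted offsets."""
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == ETHERTYPE_VLAN:
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    return ethertype == ETHERTYPE_IP and frame[off + 2 + 9] == IPPROTO_ICMP


# Constructed mirror-port stream: requests arrive tagged, replies untagged (the thread's symptom).
MIRROR_STREAM = [
    build_frame(True, ICMP_ECHO_REQUEST, 48), build_frame(False, ICMP_ECHO_REPLY, 48),
    build_frame(True, ICMP_ECHO_REQUEST, 49), build_frame(False, ICMP_ECHO_REPLY, 49),
]


def count_matches(frames, matcher) -> int:
    """Number of frames a given matcher would pass to the capture."""
    return sum(1 for f in frames if matcher(f))


if __name__ == "__main__":
    print("fixed-offset:", count_matches(MIRROR_STREAM, fixed_offset_icmp))  # only the untagged replies
    print("tag-aware:   ", count_matches(MIRROR_STREAM, tag_aware_icmp))     # both directions
```

Comparing the two counts against the interface's raw packet count is a cheap sanity check that a sensor is not blind to tagged traffic.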

