Ed Ravin
2010-10-20 01:36:12 UTC
We're using a NetBSD 5.0.2 i386 host for sniffing traffic from a
switch mirror port.
When we try to see a host's traffic with an expression using its host
name, or even using a general IP protocol as the filter expression,
we only see the traffic in one direction:
# /usr/sbin/tcpdump -i fxp1 -s 1000 icmp
tcpdump: WARNING: fxp1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp1, link-type EN10MB (Ethernet), capture size 1000 bytes
21:08:18.427513 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 42
21:08:19.427896 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 43
21:08:20.428319 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 44
21:08:21.428749 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 45
^C
4 packets captured
3059 packets received by filter
0 packets dropped by kernel
But when we use the Ethernet MAC address, we can see all the traffic
for that host:
# /usr/sbin/tcpdump -i fxp1 -s 1000 ether host 00:60:69:10:8f:77
tcpdump: WARNING: fxp1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp1, link-type EN10MB (Ethernet), capture size 1000 bytes
21:08:24.429256 IP 10.0.0.252 > 10.0.0.223: icmp 64: echo request seq 48
21:08:24.430016 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 48
21:08:25.429683 IP 10.0.0.252 > 10.0.0.223: icmp 64: echo request seq 49
21:08:25.430443 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 49
21:08:26.430109 IP 10.0.0.252 > 10.0.0.223: icmp 64: echo request seq 50
21:08:26.430874 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 50
^C
6 packets captured
2663 packets received by filter
0 packets dropped by kernel
Any idea what might be going on? We see similar behavior with another
network port, a wm interface, on the same box.
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
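The two captures quoted above are the evidence: an `icmp` filter shows only replies, while `ether host` shows both requests and replies. A quick sanity check a practitioner can run over saved tcpdump output is to pair up source and destination addresses and flag host pairs seen in only one direction. The script below is an added example, not part of the post or of tcpdump itself; it embeds constructed lines modelled on the two captures (labelled as such) and parses tcpdump's default IPv4 line format, tolerating an optional `.port` suffix on each address.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the two captures in the post
# (hand-written here, not taken from a live capture).
ICMP_FILTER_CAPTURE = """\
21:08:18.427513 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 42
21:08:19.427896 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 43
21:08:20.428319 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 44
21:08:21.428749 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 45
"""

ETHER_HOST_CAPTURE = """\
21:08:24.429256 IP 10.0.0.252 > 10.0.0.223: icmp 64: echo request seq 48
21:08:24.430016 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 48
21:08:25.429683 IP 10.0.0.252 > 10.0.0.223: icmp 64: echo request seq 49
21:08:25.430443 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 49
21:08:26.430109 IP 10.0.0.252 > 10.0.0.223: icmp 64: echo request seq 50
21:08:26.430874 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 50
"""

# tcpdump's default IPv4 line: "<timestamp> IP <src>[.port] > <dst>[.port]: ..."
LINE_RE = re.compile(
    r'^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:'
)


def parse_flows(text):
    """Return {(src, dst): packet_count} for every IPv4 packet line in text.

    Lines that do not match the IPv4 summary format (warnings, the
    'listening on' banner, the packet counters) are ignored.
    """
    counts = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return dict(counts)


def one_way_pairs(flow_counts):
    """Return [(a, b, a_to_b, b_to_a), ...] for host pairs where one direction is zero.

    Hosts in each pair are ordered lexically so that (a, b) and (b, a)
    collapse to the same entry; the list is sorted for stable output.
    """
    pairs = {}
    for (src, dst), n in flow_counts.items():
        key = tuple(sorted((src, dst)))
        both = pairs.setdefault(key, [0, 0])
        if (src, dst) == key:
            both[0] += n  # a -> b
        else:
            both[1] += n  # b -> a
    result = []
    for (a, b), (ab, ba) in sorted(pairs.items()):
        if ab == 0 or ba == 0:
            result.append((a, b, ab, ba))
    return result


def report(label, text):
    """Print a one-line verdict per host pair; return the one-way list."""
    missing = one_way_pairs(parse_flows(text))
    if not missing:
        print(f"{label}: every host pair seen in both directions")
    for a, b, ab, ba in missing:
        print(f"{label}: ONE-WAY {a} <-> {b}  ({a}->{b}: {ab}, {b}->{a}: {ba})")
    return missing


if __name__ == "__main__":
    report("icmp filter", ICMP_FILTER_CAPTURE)
    report("ether host filter", ETHER_HOST_CAPTURE)
```

Feed it the output of `tcpdump -n ...` (the `-n` keeps addresses numeric so the regex matches) from both filter expressions and compare the verdicts. One general fact worth knowing when reading such a result: a bare `ip` or `icmp` BPF filter tests the EtherType at its untagged offset and therefore does not match 802.1Q-tagged frames, whereas `ether host` matches on MAC offsets that a VLAN tag does not shift; so if a mirror port delivers one direction tagged and the other untagged, this exact asymmetry appears, and capturing with `vlan and icmp` alongside plain `icmp` is a cheap way to rule that in or out.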