From owner-freebsd-questions@FreeBSD.ORG  Sun Apr 29 19:10:43 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 6577316A406
	for <freebsd-questions@freebsd.org>;
	Sun, 29 Apr 2007 19:10:43 +0000 (UTC)
	(envelope-from philipp@corpex.de)
Received: from canismajor.corpex-net.de (canismajor.corpex-net.de
	[62.67.202.31])
	by mx1.freebsd.org (Postfix) with ESMTP id 2906113C465
	for <freebsd-questions@freebsd.org>;
	Sun, 29 Apr 2007 19:10:43 +0000 (UTC)
	(envelope-from philipp@corpex.de)
Received: from p5b223c4c.dip0.t-ipconnect.de ([91.34.60.76]
	helo=[192.168.0.101])
	by canismajor.corpex-net.de with esmtpsa (TLSv1:AES256-SHA:256)
	(Exim 4.66 (FreeBSD)) (envelope-from <philipp@corpex.de>)
	id 1HiEnC-000M3m-8d
	for freebsd-questions@freebsd.org; Sun, 29 Apr 2007 21:10:42 +0200
Message-ID: <4634EDAE.4090208@corpex.de>
Date: Sun, 29 Apr 2007 21:10:38 +0200
From: =?ISO-8859-1?Q?Philipp_Gasch=FCtz?= <philipp@corpex.de>
User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References: <4634A83D.8040908@corpex.de>
In-Reply-To: <4634A83D.8040908@corpex.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: problems with tcpdump filter on a switch mirroring port, 6.2
 RELEASE-p4
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Apr 2007 19:10:43 -0000

Hi,

> However, issuing the same ping, but tcpdump'ing on em1 only results in
> 
> # tcpdump -nli em1 host 81.91.161.70
> 15:56:00.512614 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 
> 40484, seq 0, length 64
> 15:56:01.548077 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 
> 40484, seq 1, length 64
> 
> ie. no replies are captured by tcpdump
> 
> Initially I thought this was somehow connected to the monitoring port on 
> the switch not working as expected. However:
> 
> # tcpdump -nli em1  | grep 81.91.161.70
> 15:57:48.447530 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 
> 41508, seq 0, length 64
> 15:57:48.458767 IP 81.91.161.70 > XXX.XXX.XXX.XXX: ICMP echo reply, id 
> 41508, seq 0, length 64
> 
> ie. tcpdump without a filter captures the packets just fine.


took another while, now replying to myself...
The packets arrived encapsulated in VLANs, which you need to tell 
tcpdump in order to shift the offsets by 4 bytes.

Using
   tcpdump -nli em1 vlan and host 81.91.161.70

all works just fine.

Sorry for the trouble!

Best
Philipp