Date: Sun, 29 Apr 2007 21:10:38 +0200
From: Philipp Gaschütz <philipp@corpex.de>
To: freebsd-questions@freebsd.org
Subject: Re: problems with tcpdump filter on a switch mirroring port, 6.2 RELEASE-p4
Message-ID: <4634EDAE.4090208@corpex.de>
In-Reply-To: <4634A83D.8040908@corpex.de>
References: <4634A83D.8040908@corpex.de>

Hi,

> However, issuing the same ping, but tcpdump'ing on em1 only results in
>
> # tcpdump -nli em1 host 81.91.161.70
> 15:56:00.512614 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id
> 40484, seq 0, length 64
> 15:56:01.548077 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id
> 40484, seq 1, length 64
>
> ie. no replies are captured by tcpdump
>
> Initially I thought this was somehow connected to the monitoring port on
> the switch not working as expected. However:
>
> # tcpdump -nli em1 | grep 81.91.161.70
> 15:57:48.447530 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id
> 41508, seq 0, length 64
> 15:57:48.458767 IP 81.91.161.70 > XXX.XXX.XXX.XXX: ICMP echo reply, id
> 41508, seq 0, length 64
>
> ie. tcpdump without a filter captures the packets just fine.

took another while, now replying to myself...

The packets arrived encapsulated in VLANs, which you need to tell
tcpdump in order to shift the offsets by 4 bytes.

Using

    tcpdump -nli em1 vlan and host 81.91.161.70

all works just fine.

Sorry for the trouble!

Best
Philipp
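
The 4-byte offset shift described in the message above, as an added Python example that is not part of the original e-mail or of tcpdump's code. It is a simplified model of the fixed offsets a `host` filter compares; the address 192.0.2.10, VLAN ID 100 and all function names are assumptions made for the illustration.

```python
import socket
import struct

ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100  # 802.1Q tag protocol identifier (TPID)

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed sample: Ethernet header plus a bare 20-byte IPv4/ICMP header."""
    macs = bytes(12)  # placeholder destination and source MAC addresses
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_VLAN, vlan_id & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip

def match_host(frame, host, vlan=False):
    """Model of 'host X' (vlan=False) and 'vlan and host X' (vlan=True)."""
    off = 12  # EtherType position in an untagged frame
    if vlan:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid != ETH_VLAN:
            return False  # 'vlan' matches tagged frames only
        off += 4          # skip the 802.1Q tag: every later offset moves by 4
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype != ETH_IPV4:
        return False      # a tagged frame shows 0x8100 here, so 'host' gives up
    ip = off + 2
    addr = socket.inet_aton(host)
    return frame[ip + 12:ip + 16] == addr or frame[ip + 16:ip + 20] == addr

def demo(host="81.91.161.70", peer="192.0.2.10"):
    """Return the match result per (frame kind, filter) for a reply from host."""
    frames = {"untagged": build_frame(host, peer),
              "tagged": build_frame(host, peer, vlan_id=100)}
    return {(kind, flt): match_host(frame, host, vlan=(flt == "vlan and host"))
            for kind, frame in frames.items()
            for flt in ("host", "vlan and host")}

if __name__ == "__main__":
    for (kind, flt), hit in demo().items():
        print(f"{kind:9s} {flt:14s} -> {'match' if hit else 'no match'}")
```

In this model the tagged frame is invisible to the plain `host` filter and the untagged frame is invisible to `vlan and host`, so a capture on a mirror port that carries both kinds of frame needs a filter covering each case.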