From: Riaan Kruger
To: freebsd-questions@freebsd.org
Date: Fri, 27 Sep 2013 16:15:16 +0200
Subject: tcpdump behavior with netgraph

I am trying to troubleshoot my netgraph setup. I have a custom node connected to ng_ether's orphan and upper hooks. This node inserts a special ethernet tag into certain UDP broadcast packets going out and strips it coming back in.

With tcpdump I see two entries for each packet sent, one without the special ethernet tag and one with it.

1. Is it correct that tcpdump sees the packet twice, and why?

According to the following diagram it does not make sense that tcpdump should see it twice:
http://people.freebsd.org/~julian/layer2-current.pdf

If the system has been running a while, some of the UDP broadcast packets are not sent and I only see (with tcpdump) the packet without the special ethernet tag.

2. Is this an indication that the packet gets lost in the netgraph chain?

Last question:

3. How can I better debug/troubleshoot what is going on in the whole netgraph subsystem, not just the netgraph node that I inserted in the chain?

Thanks

PS. Questions numbered for your convenience :)