problems with tcpdump filter on a switch mirroring port, 6.2 RELEASE-p4

Philipp Gaschütz philipp at corpex.de
Sun Apr 29 19:10:43 UTC 2007


Hi,

> However, issuing the same ping, but tcpdump'ing on em1 only results in
> 
> # tcpdump -nli em1 host 81.91.161.70
> 15:56:00.512614 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 
> 40484, seq 0, length 64
> 15:56:01.548077 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 
> 40484, seq 1, length 64
> 
> ie. no replies are captured by tcpdump
> 
> Initially I thought this was somehow connected to the monitoring port on 
> the switch not working as expected. However:
> 
> # tcpdump -nli em1  | grep 81.91.161.70
> 15:57:48.447530 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 
> 41508, seq 0, length 64
> 15:57:48.458767 IP 81.91.161.70 > XXX.XXX.XXX.XXX: ICMP echo reply, id 
> 41508, seq 0, length 64
> 
> ie. tcpdump without a filter captures the packets just fine.


Took another while, now replying to myself...
The packets arrived encapsulated in VLANs, which you need to tell 
tcpdump about in order to shift the offsets by 4 bytes.

Using
   tcpdump -nli em1 vlan and host 81.91.161.70

all works just fine.

Sorry for the trouble!

Best
Philipp
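
Why the plain `host` filter missed the tagged packets, as an added example that is not part of the original post: a simplified Python model of the fixed offsets the two filters test, run on constructed frames. The address 192.0.2.10, VLAN ID 100 and all function names are assumptions made for illustration.

```python
import socket
import struct

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a constructed Ethernet+IPv4 header (no payload), optionally 802.1Q-tagged."""
    macs = bytes(6) + bytes(6)  # placeholder dst/src MAC addresses
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_VLAN, vlan_id & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip

def match_host(frame, ip, base=0):
    """Model of 'host ip': EtherType at base+12 must be IPv4, then compare src/dst."""
    if len(frame) < base + 34:
        return False
    (ethertype,) = struct.unpack_from("!H", frame, base + 12)
    if ethertype != ETH_IPV4:
        return False  # a tagged frame has 0x8100 here, so it is rejected
    addr = socket.inet_aton(ip)
    return addr in (frame[base + 26:base + 30], frame[base + 30:base + 34])

def match_vlan_and_host(frame, ip):
    """Model of 'vlan and host ip': require the 802.1Q TPID, then shift offsets by 4."""
    if len(frame) < 14:
        return False
    (tpid,) = struct.unpack_from("!H", frame, 12)
    return tpid == ETH_VLAN and match_host(frame, ip, base=4)

def match_either(frame, ip):
    """Model of 'host ip or (vlan and host ip)': tagged and untagged traffic."""
    return match_host(frame, ip) or match_vlan_and_host(frame, ip)

# Constructed sample frames: 192.0.2.10 stands in for the masked local address.
TARGET = "81.91.161.70"
untagged = build_frame("192.0.2.10", TARGET)
tagged = build_frame(TARGET, "192.0.2.10", vlan_id=100)

if __name__ == "__main__":
    for name, frame in (("untagged", untagged), ("tagged", tagged)):
        print(name, match_host(frame, TARGET), match_vlan_and_host(frame, TARGET),
              match_either(frame, TARGET))
```

In tcpdump itself, the filter that `match_either` models is `host 81.91.161.70 or (vlan and host 81.91.161.70)`; the order matters because `vlan` shifts the offsets for the rest of the expression.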


More information about the freebsd-questions mailing list