tcpdump stopped working / changes to pcap since 5.2.1-RELEASE?
    Markus 
    universe at truemetal.org
       
    Tue Mar 25 16:28:58 PDT 2008
    
    
  
Hello,
we've had a FreeBSD 5.2.1-RELEASE machine with four Intel 100/1000 NICs
(em(4)). The monitoring port of our HP 4140gl switch was hooked up to
one of the four NICs. This has allowed us to do traffic accounting and
detecting network problems by utilizing tcpdump. We've recently upgraded
the machine to at first FreeBSD 6.3, afterwards to FreeBSD 7.0. In both
versions commands like
tcpdump -n -i em3 host 217.172.x.y  (em3 is the NIC that goes to the
4140gl monitoring port)
don't produce any output anymore. In general, tcpdump does work, as
through a normal non-monitoring port at e.g. em0, all tcpdump commands
(host xyz, net xyz, arp etc.) work as expected and produce the
appropriate results. 
If tcpdump is being invoked without any arguments (tcpdump -n -i em3) it
shows all packets coming in through the monitoring port, however, as
soon as we try to filter by specific tcpdump expressions, it doesn't
show any results.
Were there any changes to tcpdump, the em driver, pcap or another part
of the OS in recent history which could lead to such a behavior? Again,
regular packets on any em-interface we can collect just fine, just the
packets coming in through the monitoring port are being "ignored"... 
Any advice?
Thanks
Markus
$ ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:e0:81:62:1c:7a
        inet 217.172.a.b netmask 0xffffff00 broadcast 217.172.a.c
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
$ ifconfig em3
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:e0:81:62:1c:7b
        inet 192.168.200.2 netmask 0xffffff00 broadcast 192.168.200.255
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
    
    