tech-net archive


tcpdump missing data with IP filtering



We're using a NetBSD 5.0.2 i386 host for sniffing traffic from a
switch mirror port.

When we try to see a host's traffic with an expression using its host
name, or even using a general IP protocol as the filter expression,
we only see the traffic in one direction:

  # /usr/sbin/tcpdump -i fxp1 -s 1000 icmp
  tcpdump: WARNING: fxp1: no IPv4 address assigned
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on fxp1, link-type EN10MB (Ethernet), capture size 1000 bytes
  21:08:18.427513 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 42
  21:08:19.427896 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 43
  21:08:20.428319 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 44
  21:08:21.428749 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 45
  ^C
  4 packets captured
  3059 packets received by filter
  0 packets dropped by kernel


But when we use the Ethernet MAC address, we can see all the traffic
for that host:

  # /usr/sbin/tcpdump -i fxp1 -s 1000 ether host 00:60:69:10:8f:77
  tcpdump: WARNING: fxp1: no IPv4 address assigned
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on fxp1, link-type EN10MB (Ethernet), capture size 1000 bytes
  21:08:24.429256 IP 10.0.0.252 > 10.0.0.223: icmp 64: echo request seq 48
  21:08:24.430016 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 48
  21:08:25.429683 IP 10.0.0.252 > 10.0.0.223: icmp 64: echo request seq 49
  21:08:25.430443 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 49
  21:08:26.430109 IP 10.0.0.252 > 10.0.0.223: icmp 64: echo request seq 50
  21:08:26.430874 IP 10.0.0.223 > 10.0.0.252: icmp 64: echo reply seq 50
  ^C
  6 packets captured
  2663 packets received by filter
  0 packets dropped by kernel

Any idea what might be going on?  We see similar behavior with another
network port, a wm interface, on the same box.

