tcpdump mailing list archives
Re: Loosing half the conversion when any BFP is used
From: "Bill Richardson" <wrichardson () llbean com>
Date: Thu, 20 Dec 2007 08:19:15 -0500
I created the test.pcap file on one of my Centos 4.5 systems and took that same file and got the same results on 5 different systems. The only one that would show me both sides of the conversation was the F5 BigIP.

Once I found out it was VLAN tagging related I was able to see the other side of the conversation when I did the following:

    tcpdump -r test.pcap vlan and host 172.21.89.75

But doing the above you still only get one half of the conversation. Just like the MAN page states:

    vlan [vlan_id]
        True if the packet is an IEEE 802.1Q VLAN packet. If [vlan_id] is
        specified, only true if the packet has the specified vlan_id. Note
        that the first vlan keyword encountered in expression changes the
        decoding offsets for the remainder of expression on the assumption
        that the packet is a VLAN packet.

And based on the above there is no way to get both sides of the conversation ("grep is not an option"). Once you do any filtering based on VLAN you can't see the IP data. With that in mind I wonder what F5 did to libpcap to get tcpdump to work? They must have made some changes?

    tcpdump -r test.pcap -nn host 172.21.89.75   "From BigIp box"

    08:05:28.729250 802.1Q vlan#88 P0 172.21.89.75.4000 > 172.21.89.70.45647: . 1555:1569(14) ack 3496 win 202
    08:05:28.729258 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1569 win 5840 (DF)
    08:05:28.739994 802.1Q vlan#88 P0 172.21.89.75.4000 > 172.21.89.70.45647: . 1569:1583(14) ack 3496 win 202
    08:05:28.740003 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1583 win 5840 (DF)

The F5 BigIP tcpdump was able to see both sides using "tcpdump -r test.pcap host 172.21.89.75". I would like to get the source and recompile to have this functionality. I really need to see both tagged and untagged.
-----Original Message-----
From: tcpdump-workers-owner () lists tcpdump org [mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of Guy Harris
Sent: Wednesday, December 19, 2007 8:06 PM
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] Loosing half the conversion when any BFP is used

On Dec 19, 2007, at 11:09 AM, Bill Richardson wrote:
Looking at the one system that works I see it is related to Vlan tagging:
Is the "test.pcap" file the same file in all three examples? If so, does the "From ..." at the end of the command indicate the machine on which you're running tcpdump? If not, does it indicate the machine on which the test.pcap file was captured - and are you running "tcpdump -r" on the same machine on which the test.pcap file was captured, or on a different machine?

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
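The offset shift the man page excerpt describes is easier to see in a small model. The following is an added illustration, not code from this thread or from libpcap: it builds a constructed tagged/untagged exchange (the addresses and VLAN id 88 are the ones quoted above; the frames themselves are made up, not the poster's test.pcap) and shows how 'host H', 'vlan and host H' and the combined 'host H or (vlan and host H)' expression each match it. The function names are this example's own.

```python
import struct
from ipaddress import ip_address

# Constructed sample frames, not the thread's test.pcap; the addresses and
# VLAN id 88 are the ones quoted in the thread.
VLAN_ID, BIGIP, CLIENT = 88, "172.21.89.75", "172.21.89.70"

def frame(src, dst, vlan=None):
    # Ethernet II frame with a minimal 20-byte IPv4 header (no TCP payload).
    # With vlan set, an 802.1Q tag (TPID 0x8100, PCP 0) sits before the
    # EtherType and pushes every later field 4 bytes further into the frame.
    eth = bytes(range(12))  # placeholder dst/src MACs
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return eth + struct.pack("!H", 0x0800) + ip

def match_host(pkt, host, after_vlan):
    # Mimics the 'host' primitive. after_vlan reproduces what the 'vlan'
    # keyword does: require TPID 0x8100 at offset 12 and shift every later
    # decoding offset by 4 for the rest of the expression.
    off = 4 if after_vlan else 0
    if after_vlan and struct.unpack("!H", pkt[12:14])[0] != 0x8100:
        return False
    if struct.unpack("!H", pkt[12 + off:14 + off])[0] != 0x0800:
        return False
    src = str(ip_address(pkt[26 + off:30 + off]))
    dst = str(ip_address(pkt[30 + off:34 + off]))
    return host in (src, dst)

def filter_host(pkt, host):           # 'host H': untagged frames only
    return match_host(pkt, host, False)

def filter_vlan_and_host(pkt, host):  # 'vlan and host H': tagged frames only
    return match_host(pkt, host, True)

def filter_both(pkt, host):           # 'host H or (vlan and host H)'
    # Order matters: the untagged test must precede the first 'vlan', since
    # 'vlan' shifts the offsets for everything that follows it.
    return filter_host(pkt, host) or filter_vlan_and_host(pkt, host)

# A conversation like the one in the thread: one direction is tagged, the
# replies are not.
CAPTURE = [frame(BIGIP, CLIENT, vlan=VLAN_ID), frame(CLIENT, BIGIP),
           frame(BIGIP, CLIENT, vlan=VLAN_ID), frame(CLIENT, BIGIP)]

def count_matches(filt, host=BIGIP):
    return sum(1 for p in CAPTURE if filt(p, host))
```

Each single-form filter keeps only two of the four packets, while the combined expression keeps all four; the same idea applies to a real capture filter, where a filter that only handles one encapsulation silently drops the other half of the traffic you meant to record.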