tcpdump mailing list archives

Re: Loosing half the conversion when any BFP is used


From: "Bill Richardson" <wrichardson () llbean com>
Date: Wed, 19 Dec 2007 14:09:10 -0500

Looking at the one system that works I see it is related to VLAN
tagging:

tcpdump -r test.pcap -nn host 172.21.89.75   "From BigIP box"
08:05:28.729250 802.1Q vlan#88 P0 172.21.89.75.4000 > 172.21.89.70.45647: . 1555:1569(14) ack 3496 win 202
08:05:28.729258 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1569 win 5840 (DF)
08:05:28.739994 802.1Q vlan#88 P0 172.21.89.75.4000 > 172.21.89.70.45647: . 1569:1583(14) ack 3496 win 202
08:05:28.740003 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1583 win 5840 (DF)

tcpdump -r test.pcap -nn host 172.21.89.75   "From Redhat 5, Centos 4.5, Windump or Fedora Core"
08:05:28.713883 IP 172.21.89.70.45647 > 172.21.89.75.4000: P 3456:3476(20) ack 1555 win 5840
08:05:28.718513 IP 172.21.89.70.45647 > 172.21.89.75.4000: P 3476:3496(20) ack 1555 win 5840
08:05:28.729258 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1569 win 5840
08:05:28.740003 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1583 win 5840

tcpdump -r test.pcap -nn vlan and host 172.21.89.75   "From Redhat 5, Centos 4.5, Windump or Fedora Core using the BPF vlan"
08:05:28.718505 IP 172.21.89.75.4000 > 172.21.89.70.45647: . ack 3457 win 202
08:05:28.723877 IP 172.21.89.75.4000 > 172.21.89.70.45647: . ack 3477 win 202
08:05:28.729250 IP 172.21.89.75.4000 > 172.21.89.70.45647: . 1554:1568(14) ack 3477 win 202
08:05:28.739994 IP 172.21.89.75.4000 > 172.21.89.70.45647: . 1568:1582(14) ack 3477 win 202

How can I get tcpdump to show me the full capture while using BPFs like
in the very first example?


-----Original Message-----
From: tcpdump-workers-owner () lists tcpdump org
[mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of Bill
Richardson
Sent: Wednesday, December 19, 2007 11:07 AM
To: tcpdump-workers () lists tcpdump org
Subject: [tcpdump-workers] Loosing half the conversion when any BFP is
used

This may not be the right list to ask but thought I would give this a
try. I have looked and looked and have not seen anyone with this
problem. 
 
In the past I have been able to take large inclusive tcpdump files and
read them back in with the -r option using tcpdump and BPF them to a
host or port and save to a smaller, more usable file that I would view
with wireshark.
For example:
tcpdump -r large.pcap host 192.168.0.1 -w small.pcap
 
This has worked in the past, but I noticed it not working about 2
months ago: I'm only seeing half the conversation when I apply any BPFs.
 
Here is an example of the problem looking at the last 4 packets in a
capture. The first example uses no BPF and I see both sides of the
conversation. The last 3 examples use BPFs and I only see one side of
the conversation.
 
tcpdump -r test.pcap -nn | grep 172.21.89.75
08:05:28.729250 IP 172.21.89.75.4000 > 172.21.89.70.45647: . 1555:1569(14) ack 3496 win 202
08:05:28.729258 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1569 win 5840
08:05:28.739994 IP 172.21.89.75.4000 > 172.21.89.70.45647: . 1569:1583(14) ack 3496 win 202
08:05:28.740003 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1583 win 5840
 
tcpdump -r test.pcap -nn host 172.21.89.75
08:05:28.713883 IP 172.21.89.70.45647 > 172.21.89.75.4000: P 3456:3476(20) ack 1555 win 5840
08:05:28.718513 IP 172.21.89.70.45647 > 172.21.89.75.4000: P 3476:3496(20) ack 1555 win 5840
08:05:28.729258 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1569 win 5840
08:05:28.740003 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1583 win 5840
 

tcpdump -r test.pcap -nn src host 172.21.89.75
 
nothing shows at all ?????????????
 
tcpdump -r test.pcap -nn dst host 172.21.89.75
08:05:28.713883 IP 172.21.89.70.45647 > 172.21.89.75.4000: P 3456:3476(20) ack 1555 win 5840
08:05:28.718513 IP 172.21.89.70.45647 > 172.21.89.75.4000: P 3476:3496(20) ack 1555 win 5840
08:05:28.729258 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1569 win 5840
08:05:28.740003 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1583 win 5840
 
I am seeing the same results from the following systems:

Centos 4.5 with tcpdump-3.8.2-10.RHEL4 Kernel=2.6.9-55.0.12.ELsmp
Redhat 5 with tcpdump-3.9.4-11.el5 Kernel=2.6.18-53.1.4.el5
WinXP with winpcap4.0.2 and windump 3.9.5
 
I have one system on which the BPFs work. It's an F5 BigIP running Redhat?
"uname -a" gives the following:
Kernel= 2.4.21-9.1.2.37.0smp
It's running tcpdump-3.7.2-9.1.2.39.0
 
At first I thought it was a kernel problem between 2.4 and 2.6, but then
Windump didn't work either???? Is this a libpcap problem? Anyone else
seeing this problem?
 
 
Thanks for your help
Bill 
 
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
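As an added illustration (not from the thread, and not tcpdump's or libpcap's own code), the Python below builds a constructed capture in which one direction of the conversation carries an 802.1Q tag on VLAN 88, then applies three hand-written matchers that mirror what the BPF expressions `host X`, `vlan and host X` and `host X or (vlan and host X)` test on the wire. The first two each keep only half the frames, as in the outputs above, because the 4-byte tag shifts the IP header and the `vlan` keyword changes the decoding offsets for the rest of the expression; the combined form, with the untagged test first, accepts both layouts. MAC addresses and frame contents are constructed.

```python
import struct
from socket import inet_aton, inet_ntoa
ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100          # EtherTypes: IPv4, 802.1Q tag

def ipv4_packet(src, dst):
    # Minimal 20-byte IPv4 header (protocol TCP, checksum left zero), no payload.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       inet_aton(src), inet_aton(dst))

def ethernet_frame(ip_packet, vlan_id=None):
    macs = bytes.fromhex("001122334455" "66778899aabb")   # constructed dst+src MACs
    if vlan_id is None:
        return macs + struct.pack("!H", ETH_P_IP) + ip_packet
    # 802.1Q: TPID 0x8100, TCI (priority 0, VLAN id), then the real EtherType.
    return macs + struct.pack("!HHH", ETH_P_8021Q, vlan_id, ETH_P_IP) + ip_packet

def host_untagged(frame, host):
    # What 'host X' tests on plain Ethernet: EtherType at offset 12, IPv4
    # src/dst at 26 and 30. A tagged frame has 0x8100 at 12 and is dropped.
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return False
    return host in (inet_ntoa(frame[26:30]), inet_ntoa(frame[30:34]))

def host_tagged(frame, host):
    # What 'vlan and host X' tests: the tag must be present and every later
    # offset moves by 4 bytes, so untagged frames no longer match.
    tpid, ethertype = struct.unpack_from("!H2xH", frame, 12)
    if tpid != ETH_P_8021Q or ethertype != ETH_P_IP:
        return False
    return host in (inet_ntoa(frame[30:34]), inet_ntoa(frame[34:38]))

def host_either(frame, host):
    # 'host X or (vlan and host X)': accept either layout.
    return host_untagged(frame, host) or host_tagged(frame, host)

def filter_counts(frames, host):
    # How many frames each expression keeps, like comparing tcpdump -r runs.
    filters = {"host": host_untagged, "vlan and host": host_tagged,
               "host or (vlan and host)": host_either}
    return {name: sum(f(fr, host) for fr in frames) for name, f in filters.items()}

# Constructed capture: client->server frames untagged, server->client frames
# tagged on VLAN 88, as in the BigIP trace above.
CAPTURE = [
    ethernet_frame(ipv4_packet("172.21.89.70", "172.21.89.75")),
    ethernet_frame(ipv4_packet("172.21.89.75", "172.21.89.70"), vlan_id=88),
    ethernet_frame(ipv4_packet("172.21.89.70", "172.21.89.75")),
    ethernet_frame(ipv4_packet("172.21.89.75", "172.21.89.70"), vlan_id=88),
]
```

Running `filter_counts(CAPTURE, "172.21.89.75")` reports 2, 2 and 4 frames kept respectively; the same asymmetry is what a `-w small.pcap` extraction inherits when only `host` is used.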