tcpdump mailing list archives

Re: tcpdump3.9.8 slow performance with filter in FreeBSD 7.0


From: Alexander Dupuy <alex.dupuy () mac com>
Date: Wed, 10 Sep 2008 11:45:44 -0400

You wrote:
...matched by the filter expression, so with a filter, tcpdump can only process 3984 out of 1091656 ip packets.... And also, the port I'm monitoring on is a mirror of the department building uplink, it should have a major component of ip packets.

As Guy Harris pointed out, the filter "ip" will match only IPv4, not IPv6, traffic. However, if you feel that you are not seeing all the IP traffic that you expect to, it may be that the uplink is using VLAN tagging for some (or most) of the packets - the default "ip" filter will not recognize this traffic.

To see all IPv4 traffic on a port where some of the traffic is using 802.1q VLAN tagging, use a filter like "ip or (vlan and ip)" instead. Note that the order of the subexpressions is important - everything to the right of the "vlan" keyword will generate filters that only recognize VLAN tagged packets (and everything to the left of the vlan keyword will generate filters that only recognize non-VLAN tagged packets).

This means that the expression "tcp and (ip or (vlan and ip))" will not work as you would hope - it will only match non-VLAN TCP. You must write the filter "(tcp and ip) or (vlan and tcp and ip)" instead, to match IPv4 TCP with or without vlan.

If you still don't see all the IP traffic you expect with a filter that matches VLAN traffic, it is possible that other IP encapsulations are in use (e.g. if there is bridged traffic from an 802.3 network that is using SNAP for IP) but these are much less likely to be the case (and I'm not sure if tcpdump can actually filter them).

@alex

--
mailto:alex.dupuy () mac com

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
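The ordering rule described in the message above, worked through as an added example (this is not code from the post, nor from tcpdump or libpcap; it is a small model of the behaviour the post describes, in which the "vlan" keyword adds 4 bytes to the link-layer offsets of every primitive compiled after it). The Compiler class, the frame builders and the frame names are this example's own; the frames are constructed by hand and carry only a minimal IP header.

```python
"""Model of how the 'vlan' keyword shifts offsets in a pcap filter expression.

Added example, not code from the post or from libpcap.  It models the rule
the post states: 'ip' written to the left of 'vlan' tests the EtherType at
offset 12 (untagged frames only), 'ip' written to the right of it tests
offset 16 (802.1Q-tagged frames only).  Frames are constructed inline.
"""
import struct

ETH_P_IP, ETH_P_IPV6, ETH_P_8021Q = 0x0800, 0x86DD, 0x8100


def ethertype(frame, off):
    """EtherType field read at 12 + off (off becomes 4 once 'vlan' was compiled)."""
    return struct.unpack_from("!H", frame, 12 + off)[0]


class Compiler:
    """Tiny recursive-descent compiler for: ip, ip6, tcp, vlan, and, or, ( )."""

    def __init__(self, expr):
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0
        self.off = 0  # extra link-layer offset; 'vlan' adds 4 for everything after it

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def compile(self):
        fn = self.expr()
        if self.peek() is not None:
            raise ValueError("trailing tokens: %s" % self.toks[self.pos:])
        return fn

    def expr(self):  # term ('or' term)*
        fns = [self.term()]
        while self.peek() == "or":
            self.take()
            fns.append(self.term())
        return lambda f: any(fn(f) for fn in fns)

    def term(self):  # factor ('and' factor)*
        fns = [self.factor()]
        while self.peek() == "and":
            self.take()
            fns.append(self.factor())
        return lambda f: all(fn(f) for fn in fns)

    def factor(self):
        tok = self.take()
        if tok == "(":
            fn = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return fn
        return self.primitive(tok)

    def primitive(self, name):
        off = self.off  # frozen at compile time; parentheses do not reset it
        if name == "vlan":
            self.off += 4  # the 802.1Q tag pushes the real EtherType 4 bytes right
            return lambda f: ethertype(f, off) == ETH_P_8021Q
        if name == "ip":
            return lambda f: ethertype(f, off) == ETH_P_IP
        if name == "ip6":
            return lambda f: ethertype(f, off) == ETH_P_IPV6
        if name == "tcp":  # IPv4 protocol byte is header+9, IPv6 next header is header+6
            return lambda f: ((ethertype(f, off) == ETH_P_IP and f[14 + off + 9] == 6)
                              or (ethertype(f, off) == ETH_P_IPV6 and f[14 + off + 6] == 6))
        raise ValueError("unknown primitive %r" % name)


def ipv4_frame(proto, tagged):
    """Constructed Ethernet frame with a minimal IPv4 header, optionally 802.1Q tagged."""
    hdr = bytes.fromhex("001122334455" "66778899aabb")
    if tagged:
        hdr += struct.pack("!HH", ETH_P_8021Q, 100)  # TCI: PCP 0, DEI 0, VID 100
    hdr += struct.pack("!H", ETH_P_IP)
    ip = bytearray(20)
    ip[0], ip[9] = 0x45, proto  # version 4 / IHL 5, protocol number
    return hdr + bytes(ip)


def ipv6_frame(nexthdr):
    """Constructed untagged Ethernet frame with a minimal IPv6 header."""
    hdr = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETH_P_IPV6)
    ip6 = bytearray(40)
    ip6[0], ip6[6] = 0x60, nexthdr  # version 6, next header
    return hdr + bytes(ip6)


FRAMES = {
    "v4-tcp": ipv4_frame(6, tagged=False),
    "v4-udp": ipv4_frame(17, tagged=False),
    "v6-tcp": ipv6_frame(6),
    "vlan-v4-tcp": ipv4_frame(6, tagged=True),
    "vlan-v4-udp": ipv4_frame(17, tagged=True),
}


def matches(expr, frames=FRAMES):
    """Names of the constructed frames that the filter expression accepts."""
    fn = Compiler(expr).compile()
    return sorted(name for name, frame in frames.items() if fn(frame))


if __name__ == "__main__":
    for e in ("ip", "ip or (vlan and ip)", "(vlan and ip) or ip",
              "tcp and (ip or (vlan and ip))", "(tcp and ip) or (vlan and tcp and ip)"):
        print("%-42s -> %s" % (e, ", ".join(matches(e))))
```

Running the block shows the two pitfalls from the post: "tcp and (ip or (vlan and ip))" accepts only the untagged TCP frame, and swapping the clauses to "(vlan and ip) or ip" loses the untagged frames because the second "ip" is compiled after "vlan" and so reads offset 16. Against a real libpcap, `tcpdump -d 'ip or (vlan and ip)'` prints the compiled BPF and shows the same two loads, `ldh [12]` for the first "ip" and `ldh [16]` for the one after "vlan".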
