tcpdump mailing list archives

Re: tcpdump3.9.8 slow performance with filter in FreeBSD 7.0


From: "lei wei" <weilei1983 () gmail com>
Date: Wed, 10 Sep 2008 14:46:23 -0400

Thanks a lot, Alex, that's exactly the problem, since the university uses VLAN based on packet tags.
Actually I'm using pcap to do some packet payload processing on FreeBSD. It seems right now that if I use the filter "ip or (vlan and ip)", the packet returned from pcap contains the VLAN tag. I wonder if there's a way to let the OS strip off the tag before delivering it?

Thanks.
Lei


On Wed, Sep 10, 2008 at 11:45 AM, Alexander Dupuy <alex.dupuy () mac com> wrote:

You wrote:

...matched by the filter expression, so with a filter, tcpdump can only process 3984 out of 1091656 ip packets.... And also, the port I'm monitoring on is a mirror of the department building uplink, it should have a major component of ip packets.


As Guy Harris pointed out, the filter "ip" will match only IPv4, not
IPv6, traffic.  However, if you feel that you are not seeing all the IP
traffic that you expect to, it may be that the uplink is using VLAN tagging
for some (or most of the) packets - the default "ip" filter will not
recognize this traffic.

To see all IPv4 traffic on a port where some of the traffic is using 802.1q
VLAN tagging, use a filter like "ip or (vlan and ip)" instead.  Note that
the order of the subexpressions is important - everything to the right of
the "vlan" keyword will generate filters that only recognize VLAN tagged
packets (and everything to the left of the vlan keyword will generate
filters that only recognize non-VLAN tagged packets).

This means that the expression "tcp and (ip or (vlan and ip))" will not
work as you would hope - it will only match non-VLAN TCP.  You must write
the filter "(tcp and ip) or (vlan and tcp and ip)" instead, to match IPv4
TCP with or without vlan.

If you still don't see all the IP traffic you expect with a filter that
matches VLAN traffic, it is possible that other IP encapsulations are in use
(e.g. if there is bridged traffic from an 802.3 network that is using SNAP
for IP) but these are much less likely to be the case (and I'm not sure if
tcpdump can actually filter them).

@alex

--
mailto:alex.dupuy () mac com




-- 
Wei, Lei
Department of Computer Science
University of North Carolina at Chapel Hill,
NC 27599-3175
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
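As an added illustration (not code from the thread or from libpcap), the following Python models the ordering rule Alex describes, where primitives to the right of "vlan" are evaluated 4 bytes further into the frame, and the user-space tag stripping Lei asks about. The frames, the simplified filter evaluator and all function names are constructed for this example.

```python
import struct

# Offsets follow the untagged Ethernet II layout (EtherType at byte 12).
ETH_P_IP, ETH_P_8021Q, IPPROTO_TCP = 0x0800, 0x8100, 6

def build_frame(tagged, proto=IPPROTO_TCP):
    """Constructed sample frame: 12 bytes of MACs, optional 802.1Q tag, minimal IPv4 header."""
    tag = struct.pack("!HH", ETH_P_8021Q, 100) if tagged else b""   # VLAN ID 100
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + tag + struct.pack("!H", ETH_P_IP) + ipv4

def ethertype(frame, off):
    return struct.unpack("!H", frame[off:off + 2])[0] if len(frame) >= off + 2 else None

# Each primitive is evaluated at an EtherType offset `off`. This is a simplified model of
# libpcap's behaviour: 'vlan' shifts the offset (+4) only for primitives to its right.
def f_ip(frame, off):
    return ethertype(frame, off) == ETH_P_IP

def f_tcp(frame, off):   # the IPv4 protocol byte sits 9 bytes into the IP header
    return f_ip(frame, off) and len(frame) > off + 11 and frame[off + 11] == IPPROTO_TCP

def f_vlan(frame, off):
    return ethertype(frame, off) == ETH_P_8021Q

def ip_or_vlan_ip(frame):
    """'ip or (vlan and ip)': the second 'ip' is checked 4 bytes later."""
    return f_ip(frame, 12) or (f_vlan(frame, 12) and f_ip(frame, 16))

def tcp_and_ip_or_vlan_ip(frame):
    """'tcp and (ip or (vlan and ip))': 'tcp' is left of 'vlan', so it only sees untagged frames."""
    return f_tcp(frame, 12) and ip_or_vlan_ip(frame)

def tcp_ip_or_vlan_tcp_ip(frame):
    """'(tcp and ip) or (vlan and tcp and ip)': the form Alex recommends."""
    return (f_tcp(frame, 12) and f_ip(frame, 12)) or \
           (f_vlan(frame, 12) and f_tcp(frame, 16) and f_ip(frame, 16))

def strip_vlan_tag(frame):
    """User-space answer to Lei's question: drop the 4-byte 802.1Q tag after capture."""
    if f_vlan(frame, 12) and len(frame) >= 18:
        return frame[:12] + frame[16:]
    return frame

if __name__ == "__main__":
    for name, frame in (("untagged", build_frame(False)), ("tagged", build_frame(True))):
        print(name, ip_or_vlan_ip(frame), tcp_and_ip_or_vlan_ip(frame), tcp_ip_or_vlan_tcp_ip(frame))
```

Running it shows the tagged frame passing "ip or (vlan and ip)" and the recommended TCP filter but failing "tcp and (ip or (vlan and ip))", which is the behaviour Alex warns about.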

