tcpdump mailing list archives
10Gig Frames not searchable?
From: "Mark W. Jeanmougin" <mark.jeanmougin () cchmc org>
Date: Tue, 17 Jan 2012 15:28:43 -0500
Hello all,

I'm experiencing a problem with tcpdump, and I hope you guys can point me in a good direction.

Here's the short version: Running "tcpdump -r 10Gig.pcap host 1.1.1.1" returns zero frames. Running the same thing without the filter shows tcp packets from that IP.

System Configuration:
* SuperMicro Motherboard with dual onboard Intel 82574L Ethernet ports (eth0 & eth2)
* Intel X520-SR2 / 82599EB 10 Gigabit Ethernet controller (eth1 & eth3)
* OpenSUSE 12.1, fully patched
* tcpdump version 4.1.1 & libpcap 1.1.1 (installed through yast from default repos)

Here's a log which I hope shows what I'm talking about:

vpslab05:/tmp # tcpdump -c 4 -s 0 -i eth1 -w $HOSTNAME-eth1.pcap
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
4 packets captured
2803 packets received by filter
2735 packets dropped by kernel
vpslab05:/tmp # tcpdump -n -r vpslab05-eth1.pcap
reading from file vpslab05-eth1.pcap, link-type EN10MB (Ethernet)
17:18:45.306552 IP 10.1.20.23.65005 > 10.200.15.224.28142: Flags [.], ack 2830032180, win 60816, length 0
17:18:45.306585 IP 10.1.20.23.65005 > 10.200.15.224.28142: Flags [.], ack 2897, win 57920, length 0
17:18:45.306608 IP 10.1.20.23.65005 > 10.200.15.224.28142: Flags [.], ack 5793, win 63712, length 0
17:18:45.306609 IP 10.1.20.23.65005 > 10.200.15.224.28142: Flags [.], ack 8689, win 60816, length 0
vpslab05:/tmp # tcpdump -n -r vpslab05-eth1.pcap host 10.1.20.23
reading from file vpslab05-eth1.pcap, link-type EN10MB (Ethernet)
vpslab05:/tmp #

So, we see that the packet is there in the pcap, but not available when searching.

Doing the same thing with a 1 Gig Ethernet interface works fine:

vpslab05:/tmp # tcpdump -c 4 -s 0 -i eth0 -w $HOSTNAME-eth0.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
4 packets captured
4 packets received by filter
0 packets dropped by kernel
vpslab05:/tmp # tcpdump -n -r vpslab05-eth0.pcap
reading from file vpslab05-eth0.pcap, link-type EN10MB (Ethernet)
17:22:26.606702 IP 10.1.97.105.22 > 10.7.41.86.49921: Flags [P.], seq 3659169450:3659169498, ack 4085431622, win 193, options [nop,nop,TS val 102566305 ecr 351656910], length 48
17:22:26.606777 IP 10.1.97.105.22 > 10.7.41.86.49921: Flags [P.], seq 48:160, ack 1, win 193, options [nop,nop,TS val 102566305 ecr 351656910], length 112
17:22:26.607195 IP 10.7.41.86.49921 > 10.1.97.105.22: Flags [.], ack 48, win 396, options [nop,nop,TS val 351657732 ecr 102566305], length 0
17:22:26.607255 IP 10.7.41.86.49921 > 10.1.97.105.22: Flags [.], ack 160, win 396, options [nop,nop,TS val 351657732 ecr 102566305], length 0
vpslab05:/tmp # tcpdump -n -r vpslab05-eth0.pcap host 10.7.41.86
reading from file vpslab05-eth0.pcap, link-type EN10MB (Ethernet)
17:22:26.606702 IP 10.1.97.105.22 > 10.7.41.86.49921: Flags [P.], seq 3659169450:3659169498, ack 4085431622, win 193, options [nop,nop,TS val 102566305 ecr 351656910], length 48
17:22:26.606777 IP 10.1.97.105.22 > 10.7.41.86.49921: Flags [P.], seq 48:160, ack 1, win 193, options [nop,nop,TS val 102566305 ecr 351656910], length 112
17:22:26.607195 IP 10.7.41.86.49921 > 10.1.97.105.22: Flags [.], ack 48, win 396, options [nop,nop,TS val 351657732 ecr 102566305], length 0
17:22:26.607255 IP 10.7.41.86.49921 > 10.1.97.105.22: Flags [.], ack 160, win 396, options [nop,nop,TS val 351657732 ecr 102566305], length 0
vpslab05:/tmp #

Before doing the above tests, I was concerned about TOE, and other such things.
So, I ran this to disable all of those things:

for i in rx tx sg tso ufo gso gro lro rxvlan txvlan rxhash ; do ethtool -K eth1 $i off ; ethtool -K eth3 $i off ; done

That may have been overkill, but I figured better safe than sorry.

System purpose: I've got two identical boxes set up like this. I've got two 10Gbit port mirrors feeding each box. I'm trying to record the data to help troubleshoot a problem.

It feels like the 10Gbit pcap is corrupt somehow, but I'm not sure what to do next. Wireshark / tshark does open the files OK.

Any help will be greatly appreciated.

Thanks,
MJ
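
A check for the symptom reported in this message, as an added example that is not from the post or from the tcpdump project: on EN10MB a `host` filter tests the EtherType at byte 12 and the IPv4 addresses at bytes 26 and 30, so a frame carrying an 802.1Q tag ahead of the IP header fails that test. That the 10Gig capture contains such tags is an assumption the post does not confirm; the sample pcap, VLAN id 100 and all function names are constructed here.

```python
import collections, socket, struct

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100

def frames(pcap):
    """Yield raw frames from a classic little-endian pcap byte string."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        yield pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen

def fixed_offset_host(frame, ip):
    """The IPv4 part of `host`: EtherType at 12, addresses at 26 and 30."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return False
    return ip in (frame[26:30], frame[30:34])

def vlan_aware_host(frame, ip):
    """Same test after skipping any 802.1Q tags (4 bytes each)."""
    off = 12
    while len(frame) >= off + 2 and struct.unpack_from("!H", frame, off)[0] == ETH_VLAN:
        off += 4
    return fixed_offset_host(frame[:12] + frame[off:], ip)

def ethertype_tally(pcap):
    """Count the value a filter sees at byte 12 of each frame."""
    return collections.Counter(
        struct.unpack_from("!H", f, 12)[0] for f in frames(pcap) if len(f) >= 14)

def count(pcap, ip, match):
    return sum(match(f, socket.inet_aton(ip)) for f in frames(pcap))

# Constructed sample: one tagged frame (VLAN id 100 is an assumption), one untagged.
def _ipv4_frame(src, dst, vlan=None):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    return b"\x02" * 6 + b"\x04" * 6 + tag + struct.pack("!H", ETH_IPV4) + ip

def _pcap(frame_list):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frame_list:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = _pcap([_ipv4_frame("10.1.20.23", "10.200.15.224", vlan=100),
                _ipv4_frame("10.1.97.105", "10.7.41.86")])
```

On a real file, `tcpdump -e -n -r` prints the link-level header, including any tag, and `vlan and host 10.1.20.23` is the filter form that shifts the offsets past one tag.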