tcpdump mailing list archives

10Gig Frames not searchable?


From: "Mark W. Jeanmougin" <mark.jeanmougin () cchmc org>
Date: Tue, 17 Jan 2012 15:28:43 -0500

Hello all,

I'm experiencing a problem with tcpdump, and I hope you guys can point
me in a good direction.

Here's the short version: Running "tcpdump -r 10Gig.pcap host 1.1.1.1"
returns zero frames. Running the same thing without the filter shows tcp
packets from that IP.

System Configuration:
* SuperMicro Motherboard with dual onboard Intel 82574L Ethernet ports
(eth0 & eth2)
* Intel X520-SR2 / 82599EB 10 Gigabit Ethernet controller (eth1 & eth3)
* OpenSUSE 12.1, fully patched
* tcpdump version 4.1.1 & libpcap 1.1.1 (installed through yast from
default repos)

Here's a log which I hope shows what I'm talking about:

vpslab05:/tmp # tcpdump -c 4 -s 0 -i eth1 -w $HOSTNAME-eth1.pcap
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size
65535 bytes
4 packets captured
2803 packets received by filter
2735 packets dropped by kernel
vpslab05:/tmp # tcpdump -n -r vpslab05-eth1.pcap
reading from file vpslab05-eth1.pcap, link-type EN10MB (Ethernet)
17:18:45.306552 IP 10.1.20.23.65005 > 10.200.15.224.28142: Flags [.],
ack 2830032180, win 60816, length 0
17:18:45.306585 IP 10.1.20.23.65005 > 10.200.15.224.28142: Flags [.],
ack 2897, win 57920, length 0
17:18:45.306608 IP 10.1.20.23.65005 > 10.200.15.224.28142: Flags [.],
ack 5793, win 63712, length 0
17:18:45.306609 IP 10.1.20.23.65005 > 10.200.15.224.28142: Flags [.],
ack 8689, win 60816, length 0
vpslab05:/tmp # tcpdump -n -r vpslab05-eth1.pcap host 10.1.20.23
reading from file vpslab05-eth1.pcap, link-type EN10MB (Ethernet)
vpslab05:/tmp #

So, we see that the packet is there in the pcap, but not available when
searching.

Doing the same thing with a 1 Gig Ethernet interface works fine:

vpslab05:/tmp # tcpdump -c 4 -s 0 -i eth0 -w $HOSTNAME-eth0.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
65535 bytes
4 packets captured
4 packets received by filter
0 packets dropped by kernel
vpslab05:/tmp # tcpdump -n -r vpslab05-eth0.pcap
reading from file vpslab05-eth0.pcap, link-type EN10MB (Ethernet)
17:22:26.606702 IP 10.1.97.105.22 > 10.7.41.86.49921: Flags [P.], seq
3659169450:3659169498, ack 4085431622, win 193, options [nop,nop,TS val
102566305 ecr 351656910], length 48
17:22:26.606777 IP 10.1.97.105.22 > 10.7.41.86.49921: Flags [P.], seq
48:160, ack 1, win 193, options [nop,nop,TS val 102566305 ecr
351656910], length 112
17:22:26.607195 IP 10.7.41.86.49921 > 10.1.97.105.22: Flags [.], ack 48,
win 396, options [nop,nop,TS val 351657732 ecr 102566305], length 0
17:22:26.607255 IP 10.7.41.86.49921 > 10.1.97.105.22: Flags [.], ack
160, win 396, options [nop,nop,TS val 351657732 ecr 102566305], length 0
vpslab05:/tmp # tcpdump -n -r vpslab05-eth0.pcap host 10.7.41.86
reading from file vpslab05-eth0.pcap, link-type EN10MB (Ethernet)
17:22:26.606702 IP 10.1.97.105.22 > 10.7.41.86.49921: Flags [P.], seq
3659169450:3659169498, ack 4085431622, win 193, options [nop,nop,TS val
102566305 ecr 351656910], length 48
17:22:26.606777 IP 10.1.97.105.22 > 10.7.41.86.49921: Flags [P.], seq
48:160, ack 1, win 193, options [nop,nop,TS val 102566305 ecr
351656910], length 112
17:22:26.607195 IP 10.7.41.86.49921 > 10.1.97.105.22: Flags [.], ack 48,
win 396, options [nop,nop,TS val 351657732 ecr 102566305], length 0
17:22:26.607255 IP 10.7.41.86.49921 > 10.1.97.105.22: Flags [.], ack
160, win 396, options [nop,nop,TS val 351657732 ecr 102566305], length 0
vpslab05:/tmp #

Before doing the above tests, I was concerned about TOE, and other such
things. So, I ran this to disable all of those things:

for i in rx tx sg tso ufo gso gro lro rxvlan txvlan rxhash ; do ethtool -K eth1 $i off ; ethtool -K eth3 $i off ; done

That may have been overkill, but I figured better safe than sorry.

System purpose: I've got two identical boxes set up like this. I've got
two 10Gbit port mirrors feeding each box. I'm trying to record the data
to help troubleshoot a problem.

It feels like the 10Gbit pcap is corrupt somehow, but I'm not sure what
to do next. Wireshark / tshark does open the files OK.

Any help will be greatly appreciated.

Thanks,

MJ

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.