tcpdump mailing list archives
tcpdump (-i any) with vlan
From: Tsachi <tsachi.kimel () gmail com>
Date: Mon, 3 Jun 2013 11:18:15 +0300
I have a question regarding tcpdump (capturing all interfaces) and a strange capture I see.

Environment:
  Linux Kernel 2.6.35.12
  tcpdump version 4.4.0
  libpcap version 1.4.0
  2 Linux devices connected and configured with VLAN TAG (802.1q).

I am pinging between the 2 devices' VLAN interfaces; network-wise everything works well.

When using tcpdump to capture all interfaces (tcpdump -i any -n -e), I am seeing this:

The first 3 packets look fine.

Received on the main interface (tagged):
  -6:-45:-40.2216 In 00:11:22:33:44:56 ethertype 802.1Q (0x8100), length 104: vlan 10, p 0, ethertype IPv4, 10.0.0.10 > 10.0.0.1: ICMP echo request, id 2452, seq 487, length 64

Received on the vlan interface (untagged):
  -6:-45:-40.2217 In 00:11:22:33:44:56 ethertype IPv4 (0x0800), length 100: 10.0.0.10 > 10.0.0.1: ICMP echo request, id 2452, seq 487, length 64

Sent from the vlan interface (untagged):
  -6:-45:-40.2221 Out 00:11:22:33:44:55 ethertype IPv4 (0x0800), length 100: 10.0.0.1 > 10.0.0.10: ICMP echo reply, id 2452, seq 487, length 64

But the fourth, sent from the main interface, looks erroneous:
  -6:-45:-40.2223 Out 00:11:22:33:44:55 ethertype 802.1Q (0x8100), length 100: vlan 1280, p 2, ethertype Unknown, LLC, dsap SNA (0x04) Group, ssap Unknown (0x3e) Response, ctrl 0x0000: Information, send seq 0, rcv seq 0, Flags [Response], length 80

When specifying the interface (eth0 or eth0.10) to tcpdump, it looks fine:

"tcpdump -i usb0 -n -e"
  -6:-13:00.40042 00:11:22:33:44:56 > 00:11:22:33:44:55, ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4, 10.0.0.10 > 10.0.0.1: ICMP echo request, id 2452, seq 2442, length 64
  -6:-13:00.40100 00:11:22:33:44:55 > 00:11:22:33:44:56, ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4, 10.0.0.1 > 10.0.0.10: ICMP echo reply, id 2452, seq 2442, length 64

"tcpdump -i usb0.10 -n -e"
  -6:-52:-14.5791 00:11:22:33:44:56 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 10.0.0.10 > 10.0.0.1: ICMP echo request, id 2452, seq 94, length 64
  -6:-52:-14.5795 00:11:22:33:44:55 > 00:11:22:33:44:56, ethertype IPv4 (0x0800), length 98: 10.0.0.1 > 10.0.0.10: ICMP echo reply, id 2452, seq 94, length 64

Currently, I work with a USB network interface, but the same goes for Ethernet (eth0 / eth0.10).

The extra 2 bytes when using -i any are because Linux adds its Linux cooked 2 bytes.

Saving to a file and viewing it with Wireshark, it seems that the 4 VLAN ID bytes are missing in the erroneous packet (only with -i any).

Any idea why tcpdump shows this line when using -i any? Since traffic is working well, I guess it is a libpcap/tcpdump issue?

  -6:-45:-40.2223 Out 00:11:22:33:44:55 ethertype 802.1Q (0x8100), length 100: vlan 1280, p 2, ethertype Unknown, LLC, dsap SNA (0x04) Group, ssap Unknown (0x3e) Response, ctrl 0x0000: Information, send seq 0, rcv seq 0, Flags [Response], length 80

Thanks,

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
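An added example, not part of the original post: it reads a constructed IPv4 header for the echo reply as if it were an 802.1Q tag followed by an 802.3 length and LLC header, which is what a dissector does when the protocol type says 0x8100 but the 4 tag bytes are absent. The result matches the fields in the erroneous line (vlan 1280, p 2, LLC dsap 0x04 Group, ssap 0x3e Response). The function names are hypothetical and the IP identification value 0x053f is an assumption chosen for illustration.

```python
import struct


def build_echo_reply_ipv4_header(ident=0x053F):
    """Constructed 20-byte IPv4 header for 10.0.0.1 > 10.0.0.10.

    Total length 84 = 20 (IP) + 64 (ICMP, as printed by tcpdump).
    ident is an assumed value; the checksum is left at 0 because it is not parsed.
    """
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0x00,        # version/IHL, TOS
        84,                # total length
        ident, 0x0000,     # identification, flags/fragment offset
        64, 1, 0,          # TTL, protocol (ICMP), checksum
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 10]),
    )


def decode_as_8021q(payload):
    """Interpret payload as an 802.1Q tag body: TCI, then type/length, then LLC."""
    tci, type_or_len = struct.unpack("!HH", payload[:4])
    fields = {
        "pcp": tci >> 13,            # priority, printed as "p"
        "dei": (tci >> 12) & 1,
        "vid": tci & 0x0FFF,         # printed as "vlan"
        "type_or_len": type_or_len,
        "is_llc": type_or_len <= 1500,  # values <= 1500 are an 802.3 length
    }
    if fields["is_llc"]:
        dsap, ssap = payload[4], payload[5]
        fields.update(
            dsap=dsap & 0xFE, dsap_group=bool(dsap & 1),
            ssap=ssap & 0xFE, ssap_response=bool(ssap & 1),
            ctrl=struct.unpack("!H", payload[6:8])[0],
        )
    return fields


if __name__ == "__main__":
    decoded = decode_as_8021q(build_echo_reply_ipv4_header())
    print("vlan %(vid)d, p %(pcp)d, length field %(type_or_len)d" % decoded)
    print("dsap 0x%(dsap)02x group=%(dsap_group)s, "
          "ssap 0x%(ssap)02x response=%(ssap_response)s, ctrl 0x%(ctrl)04x" % decoded)
```

The first two IPv4 header bytes (0x45 0x00) become the TCI, the IP total length becomes the 802.3 length, and the identification and fragment fields become the LLC DSAP, SSAP and control bytes.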