Re: [tcpdump-workers] basic non-starter

Fri, 26 Apr 2002 20:22:19 -0700 

Guy Harris <[EMAIL PROTECTED]> writes:

> On Fri, Apr 26, 2002 at 06:32:34PM -0700, Harry Putnam wrote:
>> So I now have
>>         
>>            Internet
>>              |
>>          dsl modem
>>              |
>>        dsl/router/switch (.1)
>>              |
>>  _____NEW SIMPLE 8 port hub______
>>  |      |     |    |     |     |
>> mach2  m3    m4   m5    m7    m9
>>                   |
>>             Tcp dump running here
>
> So, in that configuration, you run tcpdump on m5, and:
>
>       you can see TCP traffic (such as HTTP traffic) between some
>       other machine on that hub ("other" as in "not m5") and the
>       Internet
>
> but
>
>       you can't see traffic other than ARPs (which are presumably
>       broadcast packets) from 192.168.0.4?
>

Yup... I checked it like this:
tcpdump -w FILE  (running on machine .5)

I went around to .2 .3 .4 and ran browsers for a few hits.  
Also mail and stuff is being tranferred and etc duing this dump.

Now play it back with:
 root # tcpdump host 192.168.0.2 -r FILE|wc -l
   1081
 root # tcpdump host 192.168.0.3 -r FILE|wc -l
    627

Quite a lot of the above lines are http 

 root # tcpdump host 192.168.0.4 -r FILE2|wc -l
      1
That one lonesome read is an arp
19:56:43.600929 arp who-has fw.local.lan tell satellite.local.lan

I probably never would have thought of something as straight forward
as your suggestion of changing the wires around...  I usually start by
thinking I'm doing something dumb.... ofter correctly. 

So switch them and the same proceedure as above still shows now traffic
at all.
 root # tcpdump host 192.168.0.4 -r FILE3|wc -l
      0

The machine at .4 is a dual booting laptop (toshiba) [...].4 is linux
(redhat) It is a pcmcia card.  Its connecting to the internet but no
traffic shows.  Apparently it doesn't matter which hole I put the wire
in.

On that same machine booted to [...].7 which is win98, same story.

Yeah, I'm stumped too.  But putting the simple hub did solve my
problem.  Fortuneately .4 isn't the machine I wanted to look at, but
still want to figure it out.

However I can continue my experiments now.
So getting the hub was the right move

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe

Reply via email to