Hi Ron,
This sounds strangely familiar to an issue fixed in libpcap/tcpdump in
RHEL 5.2:
http://rhn.redhat.com/errata/RHBA-2008-0321.html
Under "Details section":
* The libpcap library did not work correctly with qeth devices when
layer2 mode was disabled.
Here's the title of the original Bugzilla:
"tcpdump does not show outgoing packets with fake_ll=1"
I've attached the patch. You may want to contact Novell support to see
if this patch has been included in the versions of libpcap/tcpdump
you're using.
-Brad
Ron Wells wrote:
Linux guy says---Ooops... you are correct.. but still why can not see
outbound traffic and only inbound
From:
John Summerfield <[email protected]>
To:
[email protected]
Date:
11/03/2009 07:49 PM
Subject:
Re: TCPDUMP
Sent by:
Linux on 390 Port <[email protected]>
Ron Wells wrote:
Not recv'ing / seeing packets being sent from Linux box..only see them
coming inbound??
Where can I start looking
Going through VSWITCH where OSA-Gig card is set
z/VM5.4
SLES 10 SP2
Linux agfzxt02 2.6.16.60-0.42.4-default #1 SMP Fri Aug 14 14:33:26 UTC
2009 s390x s390x s390x GNU/Linux
tcpdump command:
tcpdump -p -i eth0 -s 0 -vv -w /root/appwork01.lcap "src port not 22 or
dst port not 22"
When people start combining AND and NOT I have to think, and I don't
like thinking. But I wonder whether you mean and rather than or.
I'd use
port not 22
Something like this:
tcpdump -i eth0 -A -s9999 host terry and not port 22
which doesn't trace ssh activity.
--
Cheers
John
-- spambait
[email protected] [email protected]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or
visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
Email Disclaimer
This E-mail contains confidential information belonging to the sender,
which may be legally privileged information. This information is intended
only for the use of the individual or entity addressed above. If you are not
the intended recipient, or an employee or agent responsible for
delivering it to the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or the taking of any action in reliance on
the contents of the E-mail or attached files is strictly prohibited.
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
Brad Hinson <[email protected]>
Sr. Support Engineer Lead, System z
Red Hat, Inc.
(919) 754-4198
www.redhat.com/z
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
diff -up libpcap-0.9.4/pcap-linux.c.qeth libpcap-0.9.4/pcap-linux.c
--- libpcap-0.9.4/pcap-linux.c.qeth 2007-11-20 14:48:58.000000000 +0100
+++ libpcap-0.9.4/pcap-linux.c 2007-11-20 14:53:37.000000000 +0100
@@ -1323,6 +1323,54 @@ static void map_arphrd_to_dlt(pcap_t *ha
/* ===== Functions to interface to the newer kernels ================== */
+/* We need to use cooked mode if this is a qeth device
+ * which has attribute layer2 = 0 and fake_ll = 1, and
+ * RAW data link type if layer2 = 0 and fake_ll = 0 */
+
+static int qeth_l3(const char *device, int fake_ll)
+{
+ FILE *f;
+ char buf[200], name[100];
+ int l, l2, fl;
+
+ l = snprintf(name, sizeof (name),
+ "/sys/class/net/%s/device/driver", device);
+ if (l < 0 || l >= sizeof (name))
+ return 0;
+
+ l = readlink(name, buf, sizeof (buf));
+ if (l < 0 || l >= sizeof (buf))
+ return 0;
+
+ if (strncmp(buf + l - 4, "qeth", 4))
+ return 0;
+
+ l = snprintf(name, sizeof (name),
+ "/sys/class/net/%s/device/layer2", device);
+ if (l < 0 || l >= sizeof (name))
+ return 0;
+
+ if ((f = fopen(name, "r")) == NULL)
+ return 0;
+ l = fscanf(f, "%d", &l2);
+ fclose(f);
+
+ if (l != 1 || l2)
+ return 0;
+
+ l = snprintf(name, sizeof (name),
+ "/sys/class/net/%s/device/fake_ll", device);
+ if (l < 0 || l >= sizeof (name))
+ return 0;
+
+ if ((f = fopen(name, "r")) == NULL)
+ return 0;
+ l = fscanf(f, "%d", &fl);
+ fclose(f);
+
+ return l == 1 && fl == fake_ll;
+}
+
/*
* Try to open a packet socket using the new kernel interface.
* Returns 0 on failure.
@@ -1398,7 +1446,8 @@ live_open_new(pcap_t *handle, const char
handle->linktype == DLT_LINUX_IRDA ||
(handle->linktype == DLT_EN10MB &&
(strncmp("isdn", device, 4) == 0 ||
- strncmp("isdY", device, 4) == 0))) {
+ strncmp("isdY", device, 4) == 0 ||
+ qeth_l3(device, 1)))) {
/*
* Unknown interface type (-1), or a
* device we explicitly chose to run
@@ -1463,6 +1512,11 @@ live_open_new(pcap_t *handle, const char
fatal_err = 1;
break;
}
+
+ if (handle->linktype == DLT_EN10MB && qeth_l3(device, 0)) {
+ handle->linktype = DLT_RAW;
+ handle->offset = 0;
+ }
/* Hack to make things work on s390 ctc interfaces */
if (strncmp("ctc", device, 3) == 0)
handle->linktype = DLT_EN10MB;