Hi Ron,

This sounds strangely familiar to an issue fixed in libpcap/tcpdump in
RHEL 5.2:

http://rhn.redhat.com/errata/RHBA-2008-0321.html

Under "Details section":
* The libpcap library did not work correctly with qeth devices when
layer2 mode was disabled.

Here's the title of the original Bugzilla:
"tcpdump does not show outgoing packets with fake_ll=1"

I've attached the patch.  You may want to contact Novell support to see
if this patch has been included in the versions of libpcap/tcpdump
you're using.

-Brad

Ron Wells wrote:
Linux guy says---Ooops... you are correct.. but still why can not see
outbound traffic and only inbound




From:
John Summerfield <[email protected]>
To:
[email protected]
Date:
11/03/2009 07:49 PM
Subject:
Re: TCPDUMP
Sent by:
Linux on 390 Port <[email protected]>



Ron Wells wrote:
Not recv'ing / seeing packets being sent from Linux box..only see them
coming inbound??

Where can I start looking
Going through VSWITCH where OSA-Gig card is set
z/VM5.4
SLES 10 SP2
 Linux agfzxt02 2.6.16.60-0.42.4-default #1 SMP Fri Aug 14 14:33:26 UTC
2009 s390x s390x s390x GNU/Linux


tcpdump command:
tcpdump -p -i eth0 -s 0 -vv -w /root/appwork01.lcap "src port not 22 or
dst port not 22"

When people start combining AND and NOT I have to think, and I don't
like thinking.  But I wonder whether you mean and rather than or.
I'd use
port not 22
Something like this:
tcpdump  -i eth0 -A -s9999 host terry and not port 22

which doesn't trace ssh activity.





--

Cheers
John

-- spambait
[email protected]  [email protected]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or
visit
http://www.marist.edu/htbin/wlvindex?LINUX-390

----------------------------------------------------------------------
Email Disclaimer
This  E-mail  contains  confidential  information  belonging to the sender, 
which  may be legally privileged information.  This information is intended 
only  for  the use of the individual or entity addressed above.  If you are not 
 the  intended  recipient, or  an  employee  or  agent responsible for 
delivering it to the intended recipient, you are hereby notified that any 
disclosure,  copying, distribution, or the taking of any action in reliance on 
the contents of the E-mail or attached files is strictly prohibited.

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390

--
Brad Hinson <[email protected]>
Sr. Support Engineer Lead, System z
Red Hat, Inc.
(919) 754-4198
www.redhat.com/z

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
diff -up libpcap-0.9.4/pcap-linux.c.qeth libpcap-0.9.4/pcap-linux.c
--- libpcap-0.9.4/pcap-linux.c.qeth	2007-11-20 14:48:58.000000000 +0100
+++ libpcap-0.9.4/pcap-linux.c	2007-11-20 14:53:37.000000000 +0100
@@ -1323,6 +1323,54 @@ static void map_arphrd_to_dlt(pcap_t *ha

 /* ===== Functions to interface to the newer kernels ================== */

+/* We need to use cooked mode if this is a qeth device
+ * which has attribute layer2 = 0 and fake_ll = 1, and
+ * RAW data link type if layer2 = 0 and fake_ll = 0 */
+
+static int qeth_l3(const char *device, int fake_ll)
+{
+	FILE *f;
+	char buf[200], name[100];
+	int l, l2, fl;
+
+	l = snprintf(name, sizeof (name),
+			"/sys/class/net/%s/device/driver", device);
+	if (l < 0 || l >= sizeof (name))
+		return 0;
+
+	l = readlink(name, buf, sizeof (buf));
+	if (l < 0 || l >= sizeof (buf))
+		return 0;
+
+	if (strncmp(buf + l - 4, "qeth", 4))
+		return 0;
+
+	l = snprintf(name, sizeof (name),
+			"/sys/class/net/%s/device/layer2", device);
+	if (l < 0 || l >= sizeof (name))
+		return 0;
+
+	if ((f = fopen(name, "r")) == NULL)
+		return 0;
+	l = fscanf(f, "%d", &l2);
+	fclose(f);
+
+	if (l != 1 || l2)
+		return 0;
+
+	l = snprintf(name, sizeof (name),
+			"/sys/class/net/%s/device/fake_ll", device);
+	if (l < 0 || l >= sizeof (name))
+		return 0;
+
+	if ((f = fopen(name, "r")) == NULL)
+		return 0;
+	l = fscanf(f, "%d", &fl);
+	fclose(f);
+
+	return l == 1 && fl == fake_ll;
+}
+
 /*
  *  Try to open a packet socket using the new kernel interface.
  *  Returns 0 on failure.
@@ -1398,7 +1446,8 @@ live_open_new(pcap_t *handle, const char
 			    handle->linktype == DLT_LINUX_IRDA ||
 			    (handle->linktype == DLT_EN10MB &&
 			     (strncmp("isdn", device, 4) == 0 ||
-			      strncmp("isdY", device, 4) == 0))) {
+			      strncmp("isdY", device, 4) == 0 ||
+			      qeth_l3(device, 1)))) {
 				/*
 				 * Unknown interface type (-1), or a
 				 * device we explicitly chose to run
@@ -1463,6 +1512,11 @@ live_open_new(pcap_t *handle, const char
 					fatal_err = 1;
 				break;
 			}
+
+			if (handle->linktype == DLT_EN10MB && qeth_l3(device, 0)) {
+				handle->linktype = DLT_RAW;
+				handle->offset = 0;
+			}
 		/* Hack to make things work on s390 ctc interfaces */
 		if (strncmp("ctc", device, 3) == 0)
 			handle->linktype = DLT_EN10MB;

Reply via email to