Recently I ran into an interesting but frustrating problem when trying
to perform traffic accounting on a VLAN trunk port on a Linux 2.6 router.
Using libpcap tools like tcpdump, tethereal, and pmacctd to sniff
traffic on the physical ethernet port where 802.1Q trunking is enabled
will simply NOT work.
The only traffic that will be seen on ethX is traffic originating
(FORWARD or OUTPUT packets) from the router to the wire - no input
frames are ever seen. Somehow between the e1000 driver and the network
card, the VLAN tags are stripped from the frames and sent directly to
the virtual interfaces (vlanX).
The Windows Intel gigE drivers have a workaround:
http://support.intel.com/support/network/sb/cs-005897.htm
... but I haven't been able to find a working Linux equivalent. Ben
Greear (802.1Q for Linux developer) has a kernel patch to make VLAN
Filtering an option using ethtool, but I couldn't get it to work. After
a whole bunch of research, poking around in network drivers, reading
EEPROM specs from Intel, testing, and so on, I ended up moving the VLAN
trunk from the e1000 card to an e100 card... works great now!
So if IP accounting is required on a gigabit VLAN enabled Linux router,
either a separate port mirror is required, or use a non-e1000 driver
such as the Broadcom gigabit ones.
One other problem I ran into is that sniffing eth0 for VLAN packets with
other filtering criteria wouldn't work with a freshly compiled libpcap &
tcpdump (latest versions). It kept complaining that the filter discarded
all traffic. Same filter string worked fine with the Debian packages for
libpcap & tcpdump.
Wim
- [pmacct-discussion] VLAN woes with e1000 NICs Wim Kerkhoff
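
An added example, not part of the original post: per-VLAN byte accounting on a trunk capture depends on the 802.1Q tag still being present in each captured frame, which this sketch shows by parsing the tag (including stacked 802.1ad tags, a generalization beyond the post) and tallying bytes per VLAN. The helper names, MAC addresses and frames are constructed for illustration.

```python
import struct
from collections import Counter

TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag ethertypes

def parse_vlan(frame: bytes):
    """Return (outer VLAN ID or None, payload ethertype) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # ethertype/TPID follows the two 6-byte MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    outer = None
    while ethertype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID; then the next ethertype
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        if outer is None:
            outer = tci & 0x0FFF
        offset += 4
    return outer, ethertype

def account(frames):
    """Sum frame bytes per outer VLAN ID; frames without a tag go to 'untagged'."""
    totals = Counter()
    for frame in frames:
        vlan, _ = parse_vlan(frame)
        totals["untagged" if vlan is None else vlan] += len(frame)
    return totals

def build(vlan, payload_len=46):
    """Construct a sample IPv4-ethertype frame, tagged if vlan is not None."""
    macs = bytes.fromhex("02000000000a") + bytes.fromhex("02000000000b")  # dst, src
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    return macs + tag + struct.pack("!H", 0x0800) + bytes(payload_len)

# Constructed sample data: the same three frames with and without their tags.
TAGGED = [build(10), build(10), build(20)]
UNTAGGED = [build(None)] * 3

if __name__ == "__main__":
    print("tags present:", dict(account(TAGGED)))    # bytes attributed per VLAN
    print("tags missing:", dict(account(UNTAGGED)))  # nothing attributable to a VLAN
```

Once the tag is gone from the frame, nothing in the Ethernet header identifies the VLAN, so accounting has to happen where the tag is still visible or on the per-VLAN interfaces.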