I created the test.pcap file on one of my Centos 4.5 systems and took
that same file and got the same results on 5 different systems. The only
one that would show me both sides of the conversation was the F5 BigIP.
Once I found out it was VLAN tagging related I was able to see the other
side of the conversation when I did the following:
tcpdump -r test.pcap vlan and host 172.21.89.75
But doing the above you still only get one half of the conversation.
Just like the MAN page states:
vlan [vlan_id]
True if the packet is an IEEE 802.1Q VLAN packet. If [vlan_id] is
specified, only true if the packet has the specified vlan_id. Note
that the first vlan keyword encountered in expression changes the
decoding offsets for the remainder of expression on the assumption
that the packet is a VLAN packet.
And based on the above there is no way to get both sides of the
conversation ("grep is not an option"). Once you do any filtering based on
VLAN you can't see the IP data. With that in mind I wonder what F5 did to
libpcap to get tcpdump to work? They must have made some changes?
tcpdump -r test.pcap -nn host 172.21.89.75 "From BigIp box"
08:05:28.729250 802.1Q vlan#88 P0 172.21.89.75.4000 >
172.21.89.70.45647: . 1555:1569(14) ack 3496 win 202
08:05:28.729258 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1569 win
5840 (DF)
08:05:28.739994 802.1Q vlan#88 P0 172.21.89.75.4000 >
172.21.89.70.45647: . 1569:1583(14) ack 3496 win 202
08:05:28.740003 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1583 win
5840 (DF)
The F5 BigIP tcpdump was able to see both sides using "tcpdump -r
test.pcap host 172.21.89.75". I would like to get the source and
recompile to have this functionality. I really need to do both tagged
and untagged.
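The behaviour the man page excerpt above describes (the first vlan keyword shifting every later decoding offset by the 4-byte 802.1Q tag) is what makes "vlan and host X" match only the tagged direction and plain "host X" match only the untagged direction. The following Python script is an added illustration, not code from the original post or from tcpdump/libpcap: it builds two constructed frames for the same conversation (one tagged with VLAN 88, one untagged, mirroring the output quoted in the thread), then applies three predicates that imitate how the compiled BPF programs read the frame at fixed offsets. The third predicate models the usual workaround filter "host X or (vlan and host X)", in which the untagged branch is compiled before the vlan keyword changes the offsets, so both halves of the conversation are matched. MAC addresses, IPs and the frame builder are all constructed sample data.

```python
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100


def build_ipv4_frame(src_ip, dst_ip, vlan_id=None):
    """Build a minimal Ethernet II frame carrying a bare IPv4 header.

    Constructed sample data: if vlan_id is given, an 802.1Q tag is inserted
    between the MAC addresses and the EtherType, exactly where a switch
    trunk port would put it.
    """
    dst_mac = bytes.fromhex("001122334455")  # constructed
    src_mac = bytes.fromhex("66778899aabb")  # constructed
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 6, 0,  # v4/IHL=5, len 20, TTL 64, proto TCP, no checksum
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    if vlan_id is None:
        return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr
    tci = vlan_id & 0x0FFF  # PCP 0, DEI 0, 12-bit VLAN id
    return (dst_mac + src_mac
            + struct.pack("!HH", ETHERTYPE_8021Q, tci)
            + struct.pack("!H", ETHERTYPE_IPV4)
            + ip_hdr)


def ip_addrs_at(frame, offset):
    """Read IPv4 src/dst assuming the IP header starts at `offset`.

    This is the fixed-offset model a compiled BPF program uses: it does not
    parse the frame, it just loads bytes from positions decided at compile time.
    """
    src = ipaddress.IPv4Address(frame[offset + 12:offset + 16])
    dst = ipaddress.IPv4Address(frame[offset + 16:offset + 20])
    return str(src), str(dst)


def match_host_untagged(frame, host):
    """Model of 'host X' compiled without any vlan keyword.

    EtherType is expected at byte 12 and the IP header at byte 14, so a
    tagged frame (EtherType 0x8100 at byte 12) never matches.
    """
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return False
    return host in ip_addrs_at(frame, 14)


def match_vlan_and_host(frame, host):
    """Model of 'vlan and host X'.

    The vlan keyword shifts every later offset by 4: the inner EtherType is
    read at byte 16 and the IP header at byte 18, so an untagged frame
    never matches.
    """
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return False
    if struct.unpack("!H", frame[16:18])[0] != ETHERTYPE_IPV4:
        return False
    return host in ip_addrs_at(frame, 18)


def match_host_or_vlan_host(frame, host):
    """Model of 'host X or (vlan and host X)'.

    The left branch is compiled with untagged offsets before the vlan keyword
    is seen; only the right branch uses the shifted offsets. Together they
    cover both directions of a conversation that is tagged on one side only.
    """
    return match_host_untagged(frame, host) or match_vlan_and_host(frame, host)


def count_matches(frames, predicate, host):
    """Number of frames for which the given filter model matches `host`."""
    return sum(1 for f in frames if predicate(f, host))


HOST = "172.21.89.75"
# Constructed two-packet conversation: server side tagged (VLAN 88), client side untagged.
SAMPLE_FRAMES = [
    build_ipv4_frame("172.21.89.75", "172.21.89.70", vlan_id=88),
    build_ipv4_frame("172.21.89.70", "172.21.89.75"),
]

if __name__ == "__main__":
    for name, pred in [("host X", match_host_untagged),
                       ("vlan and host X", match_vlan_and_host),
                       ("host X or (vlan and host X)", match_host_or_vlan_host)]:
        print(f"{name:32s} matched {count_matches(SAMPLE_FRAMES, pred, HOST)} of {len(SAMPLE_FRAMES)}")
```

Run it as a script and each of the first two filter models reports one matching frame while the combined form reports both; the same asymmetry is what the untagged "host" and "vlan and host" filters show against the real test.pcap in the thread.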
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Harris
Sent: Wednesday, December 19, 2007 8:06 PM
To: [email protected]
Subject: Re: [tcpdump-workers] Losing half the conversation when any BPF
is used
On Dec 19, 2007, at 11:09 AM, Bill Richardson wrote:
> Looking at the one system that works I see it is related to Vlan
> tagging:
Is the "test.pcap" file the same file in all three examples?
If so, does the "From ..." at the end of the command indicate the
machine on which you're running tcpdump?
If not, does it indicate the machine on which the test.pcap file was
captured - and are you running "tcpdump -r" on the same machine on which
the test.pcap file was captured, or on a different machine?
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.