The same packet - with [traced] metadata changes - will appear multiple times 
as the packet traverses the vpp forwarding graph. 

Simple example: from the driver layer, an ip4 transit packet will visit 
ethernet-input, ip4-input[-no-checksum], ip4-lookup, ip4-rewrite, 
interface-output, and the device driver TX node. Each of those visits results 
in a trace record. The dispatch framework traces vectors of packets, so one 
sees N x trace records from ethernet-input, then N x trace records from 
ip4-input, and so on. Folks typically filter by buffer-index in Wireshark, to 
see what happens to one packet in a convenient sequential view. 

In terms of metadata: at ethernet input, b->current_data will be zero. At 
ip4-input, b->current_data will be 14 (or more, if the packet has 1 or 2 vlan 
tags). At interface-output, b->current_data is often [but not always] zero.

TBH we've been using the dispatch tracer + not-yet-upstreamed Wireshark 
dissector for a while. It's incredibly handy for chasing "new code" problems: 
broken L3 and/or L4 checksums, leaving b->current_data pointing to the wrong 
layer, forgetting to ask for hardware checksum offload insertion, and so on. 

Thanks... Dave

-----Original Message-----
From: Guy Harris <ghar...@sonic.net> 
Sent: Monday, December 24, 2018 6:47 PM
To: Dave Barach (dbarach) <dbar...@cisco.com>
Cc: tcpdump-workers <tcpdump-workers@lists.tcpdump.org>
Subject: Re: [tcpdump-workers] Request for a new LINKTYPE_/DLT_ type.

On Nov 28, 2018, at 4:34 AM, Dave Barach (dbarach) <dbar...@cisco.com> wrote:

> The buffer index is an opaque 32-bit cookie which allows consumers of these 
> data to easily filter/track single packets as they traverse the forwarding 
> graph. Multiple records per packet are normal, and to be expected.

In what form?

For example, might you see:

        an Ethernet packet, containing an IP datagram, containing a TCP segment or UDP datagram;

        an IP packet, containing the same IP datagram as the previous packet;

        a TCP segment or UDP datagram, containing the same segment/datagram as the previous packet;

or might you see the same {Ethernet,IP,TCP,UDP} packet more than once, or both?

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
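
The per-packet view and the b->current_data values described in the reply above, as an added example that is not part of the original thread or of VPP or Wireshark: it regroups vector-ordered trace records by buffer index and flags an offset that points at the wrong layer. The (node, buffer_index, current_data) tuple layout, the sample records, and the assumption that one buffer index maps to one packet within the sample are all constructed for illustration.

```python
# Added example: regroup VPP dispatch-trace records per packet and check offsets.
# The (node, buffer_index, current_data) tuple layout is an assumed simplification.

# Expected b->current_data per node, as stated in the message above:
# 0 at ethernet-input; 14 at ip4-input, plus 4 bytes per VLAN tag (1 or 2 tags).
EXPECTED = {
    "ethernet-input": {0},
    "ip4-input": {14, 18, 22},
    "ip4-input-no-checksum": {14, 18, 22},
}

# Constructed sample, in the order the tracer emits it: a vector of two packets
# visits each node in turn, so records for one packet are interleaved.
SAMPLE = [
    ("ethernet-input", 0x1A2B, 0),
    ("ethernet-input", 0x1A2C, 0),
    ("ip4-input", 0x1A2B, 14),
    ("ip4-input", 0x1A2C, 0),  # constructed fault: still points at the Ethernet header
    ("ip4-lookup", 0x1A2B, 14),
    ("ip4-lookup", 0x1A2C, 0),
    ("interface-output", 0x1A2B, 0),
    ("interface-output", 0x1A2C, 0),
]


def by_buffer_index(records):
    """Turn vector-ordered records into one sequential node path per packet."""
    paths = {}
    for node, buffer_index, current_data in records:
        paths.setdefault(buffer_index, []).append((node, current_data))
    return paths


def check_offsets(records):
    """Return (buffer_index, hop, node, current_data) for unexpected offsets."""
    findings = []
    for buffer_index, path in by_buffer_index(records).items():
        for hop, (node, current_data) in enumerate(path):
            allowed = EXPECTED.get(node)
            if allowed is not None and current_data not in allowed:
                findings.append((buffer_index, hop, node, current_data))
    return findings


if __name__ == "__main__":
    for buffer_index, path in by_buffer_index(SAMPLE).items():
        print(hex(buffer_index), " -> ".join(f"{n}({cd})" for n, cd in path))
    for finding in check_offsets(SAMPLE):
        print("unexpected current_data:", finding)
```

Nodes without a stated expectation, such as interface-output where the offset is often but not always zero, are grouped but not checked.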
