The same packet - with [traced] metadata changes - will appear multiple times as the packet traverses the vpp forwarding graph.
Simple example: from the driver layer, an ip4 transit packet will visit ethernet-input, ip4-input[-no-checksum], ip4-lookup, ip4-rewrite, interface-output, and the device driver TX node. Each of those visits results in a trace record.

The dispatch framework traces vectors of packets, so one sees N x trace records from ethernet-input, then N x trace records from ip4-input, and so on. Folks typically filter by buffer-index in wireshark, to see what happens to one packet in a convenient sequential view.

In terms of metadata: at ethernet input, b->current_data will be zero. At ip4-input, b->current_data will be 14 (or more, if the packet has 1 or 2 vlan tags). At interface-output, b->current_data is often [but not always] zero.

TBH we've been using the dispatch tracer + not-yet-upstreamed wireshark dissector for a while. It's incredibly handy for chasing "new code" problems: broken L3 and/or L4 checksums, leaving b->current_data pointing to the wrong layer, forgetting to ask for hardware checksum offload insertion, and so on.

Thanks... Dave

-----Original Message-----
From: Guy Harris <ghar...@sonic.net>
Sent: Monday, December 24, 2018 6:47 PM
To: Dave Barach (dbarach) <dbar...@cisco.com>
Cc: tcpdump-workers <tcpdump-workers@lists.tcpdump.org>
Subject: Re: [tcpdump-workers] Request for a new LINKTYPE_/DLT_ type.

On Nov 28, 2018, at 4:34 AM, Dave Barach (dbarach) <dbar...@cisco.com> wrote:

> The buffer index is an opaque 32-bit cookie which allows consumers of these
> data to easily filter/track single packets as they traverse the forwarding
> graph. Multiple records per packet are normal, and to be expected.

In what form?

For example, might you see:

    an Ethernet packet, containing an IP datagram, containing a TCP segment or UDP datagram;

    an IP packet, containing the same IP datagram as the previous packet;

    a TCP segment or UDP datagram, containing the same segment/datagram as the previous packet;

or might you see the same {Ethernet,IP,TCP,UDP} packet more than once, or both?
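
The per-packet view described in the reply above, as an added example that is not part of the original thread, of VPP, or of the Wireshark dissector: it groups dispatch-trace records by buffer index and flags a b->current_data value that disagrees with the offsets given for ethernet-input and ip4-input. The record tuple layout and the sample values are constructed for illustration, and the 4 bytes added per VLAN tag is this example's reading of "14 (or more ...)".

```python
from collections import defaultdict

ETH_HDR_LEN = 14   # untagged Ethernet header length
VLAN_TAG_LEN = 4   # each 802.1Q tag adds 4 bytes

# Constructed sample, in dispatch order: (node, buffer_index, current_data, vlan_tags).
# This tuple layout is an assumption for the example, not the capture record format.
RECORDS = [
    ("ethernet-input",   0x1A2B, 0,  0),
    ("ethernet-input",   0x1A2C, 0,  1),
    ("ip4-input",        0x1A2B, 14, 0),
    ("ip4-input",        0x1A2C, 14, 1),   # one VLAN tag, so 18 is expected here
    ("ip4-lookup",       0x1A2B, 14, 0),
    ("ip4-lookup",       0x1A2C, 14, 1),
    ("ip4-rewrite",      0x1A2B, 14, 0),
    ("interface-output", 0x1A2B, 0,  0),
]

def per_packet_paths(records):
    """Group trace records by buffer index, keeping graph-traversal order."""
    paths = defaultdict(list)
    for node, buffer_index, current_data, vlan_tags in records:
        paths[buffer_index].append((node, current_data, vlan_tags))
    return dict(paths)

def expected_current_data(node, vlan_tags):
    """Offset stated in the thread for this node, or None if none is fixed."""
    if node == "ethernet-input":
        return 0
    if node in ("ip4-input", "ip4-input-no-checksum"):
        return ETH_HDR_LEN + VLAN_TAG_LEN * vlan_tags
    return None  # e.g. interface-output is often, but not always, zero

def find_offset_anomalies(records):
    """Return (buffer_index, node, got, expected) for each mismatched offset."""
    anomalies = []
    for buffer_index, path in per_packet_paths(records).items():
        for node, current_data, vlan_tags in path:
            want = expected_current_data(node, vlan_tags)
            if want is not None and current_data != want:
                anomalies.append((buffer_index, node, current_data, want))
    return anomalies

if __name__ == "__main__":
    for bi, path in per_packet_paths(RECORDS).items():
        print(f"buffer {bi:#x}: " + " -> ".join(f"{n}[{cd}]" for n, cd, _ in path))
    for bi, node, got, want in find_offset_anomalies(RECORDS):
        print(f"buffer {bi:#x}: {node} current_data={got}, expected {want}")
```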