(This is re-submitted mail: The previous attempt did not show up 
in the mailing list correctly...)

I would like to inquire about some unexpected behaviour in tcpdump
with respect to the ARP protocol.  I have been asked to investigate
why tcpdump will not pick up some arps from hosts on VLAN devices.
(This applies particularly to hosts configured with static IP
addresses.)
Self-arps from the host are picked up correctly, but not arps for the
DNS server, or for the gateway.

Here is some additional descriptive information that was passed on to
me:

-----------------------

  This is what a VLAN packet from tcpdump should look like...

    19:27:35.522141 ff:ff:ff:ff:0:e0 Broadcast 988e 346:
        df36 0800 4500 0148 c503 0000 8011 74a2
        0000 0000 ffff ffff 0044 0043 0134 3cfc
        0101 0600 555d e627 d04f 0000 0000 0000
        0000 0000 0000

  This is what an "arp for gateway" VLAN packet looks like from
  tcpdump:

    19:18:14.382141 ff:ff:ff:ff:0:e0 Broadcast 2994 64:
        a159 0806 0001 0800 0604 0001 00e0 2994
        a159 2021 2223 0000 0000 0000 2021 2202
        0000 2910 0001 0000 0000 0001 2046 4446
        0000

    It would seem that the person who added the VLAN awareness to
    tcpdump has missed parsing these arp messages.

---------------------

Details of the test environment:

- tcpdump version 3.6, libpcap version 0.6.2;
- Servers are running Red Hat Linux 6.2;
- Hosts are either PCs (Linux or Windows), or laptops running Windows;
- The VLAN device is a Cisco Catalyst 2900.

If I can provide any further information about the problem or the
runtime environment, please let me know.


-- 
Ed Stevens
Senior Software Designer, Atreus Systems Corporation
(613) 233-1741 x226
http://www.atreus-systems.com
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
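An added example, not part of the original message and not tcpdump code: it rebuilds the "arp for gateway" frame from the dump quoted above and scans for the offset at which a known EtherType actually sits, then decodes the ARP body from there. It assumes the printed destination, source and type fields are the first 14 captured bytes; the function and constant names are hypothetical.

```python
import struct

# Bytes rebuilt from the "arp for gateway" dump quoted in the message
# (assumption: tcpdump printed the first 14 captured bytes as dst, src
# and type, then the remaining bytes as hex).
PRINTED_DST = "ffffffffffff"    # shown as "Broadcast"
PRINTED_SRC = "ffffffff00e0"    # shown as "ff:ff:ff:ff:0:e0"
PRINTED_TYPE = "2994"
PAYLOAD = """
a159 0806 0001 0800 0604 0001 00e0 2994
a159 2021 2223 0000 0000 0000 2021 2202
0000 2910 0001 0000 0000 0001 2046 4446
0000
"""
FRAME = bytes.fromhex(
    PRINTED_DST + PRINTED_SRC + PRINTED_TYPE + "".join(PAYLOAD.split())
)

KNOWN = {0x0800: "IPv4", 0x0806: "ARP"}


def locate_ethertype(frame, max_shift=8):
    """Return (shift, ethertype) for the first known EtherType found at
    offset 12 + shift, or None. A shift of 0 is a plain Ethernet II header."""
    for shift in range(0, max_shift + 1, 2):
        (etype,) = struct.unpack_from("!H", frame, 12 + shift)
        if etype in KNOWN:
            return shift, etype
    return None


def decode_arp(frame, shift):
    """Decode an Ethernet/IPv4 ARP body that follows the shifted header."""
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14 + shift)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    sha, spa, tha, tpa = struct.unpack_from("!6s4s6s4s", frame, 22 + shift)
    return {
        "op": {1: "request", 2: "reply"}.get(op, op),
        "sender_mac": sha.hex(":"),
        "sender_ip": ".".join(map(str, spa)),
        "target_ip": ".".join(map(str, tpa)),
    }
```

Scanning for a known value can match payload bytes by coincidence, so the ARP header fields are checked before the addresses are read.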