https://bugzilla.novell.com/show_bug.cgi?id=340658#c6
Summary: libpcap problem? tcpdump and wireshark filter
expressions don't work on tagged 802.1q packets
Product: openSUSE 10.3
Version: Final
Platform: i586
OS/Version: openSUSE 10.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: nice@titanic.nyme.hu
QAContact: qa@suse.de
Found By: Other
I plugged my notebook into an HP ProCurve 2650 switch's port, and set that certain
port to be the network monitoring port for another port, hosting the machine with
an IP address of 193.224.61.226. My IP address was in a different network:
milleniumfalcon:~ # ip address show dev eth0
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:17:08:42:e9:36 brd ff:ff:ff:ff:ff:ff
inet 172.23.6.120/22 brd 172.23.7.255 scope global eth0
inet6 fe80::217:8ff:fe42:e936/64 scope link
valid_lft forever preferred_lft forever
I wanted to monitor some traffic of the other port with tcpdump. It seems to
me that the ProCurve 2650 sends the traffic of the observed port 802.1q tagged to
the monitoring port. These tagged packets may be malformed, thus causing the
tcpdump error, but I assume for now that the packets are correct and libpcap is
guilty. You can judge it for yourselves, because I attach a binary file recorded
by tcpdump.
I issued the following command:
tcpdump -s 0 -w /home/tamas/wireshark/193.224.61.226.bin -n -i eth0 'not host 193.224.61.226'
I wanted to capture packets not with the IP address 193.224.61.226. When I read
back the saved capture, I see that there are packets in it, bearing the
excluded IP address:
milleniumfalcon:~ # tcpdump -n -r /home/tamas/wireshark/193.224.61.226.bin
reading from file /home/tamas/wireshark/193.224.61.226.bin, link-type EN10MB
(Ethernet)
18:24:22.812159 IP 172.23.6.120.36367 > 87.49.202.247.29866: UDP, length 34
18:24:22.888469 IP 87.49.202.247.29866 > 172.23.6.120.36367: UDP, length 375
18:24:22.892104 IP 172.23.6.120.36367 > 85.130.17.205.2222: UDP, length 118
18:24:22.908197 01:00:0c:cc:cc:cd > 00:15:62:e1:69:7b SNAP Unnumbered, ui,
Flags [Command], length 50
18:24:22.926665 00:15:62:e1:69:7b > 01:00:0c:cc:cc:cd SNAP Unnumbered, ui,
Flags [Command], length 50
18:24:22.933757 IP 85.130.17.205.2222 > 172.23.6.120.36367: UDP, length 20
18:24:23.002593 AT 255.57.90.6 > 0.0.6: at-#6 25
18:24:23.190337 IP 172.23.1.4.23 > 172.23.6.120.27410: P
1305755540:1305755549(9) ack 3020914689 win 8192
18:24:23.190385 IP 172.23.6.120.27410 > 172.23.1.4.23: . ack 9 win 501
18:24:23.215948 STP 802.1w, Rapid STP, Flags [Forward, Agreement], bridge-id
8000.00:18:71:22:a3:80.8005, length 43
18:24:23.217320 STP 802.1w, Rapid STP, Flags [Forward, Agreement], bridge-id
8000.00:18:71:22:a3:80.802d, length 43
18:24:23.217476 00:18:71:22:a3:d3 > 01:80:c2:00:00:0e, ethertype Unknown
(0x88cc), length 163:
0x0000: 0207 0400 1871 22a3 8004 0307 3435 0602 .....q".....45..
0x0010: 0078 0802 3435 0a0c 6173 772d 7365 7276 .x..45..asw-serv
0x0020: 6572 2d34 0c59 5072 6f43 7572 7665 204a er-4.YProCurve.J
0x0030: 3438 3939 4220 5377 6974 6368 2032 3635 4899B.Switch.265
0x0040: 302c 2072 6576 6973 696f 6e20 482e 3038 0,.revision.H.08
0x0050: 2e38 332c 2052 4f4d 2048 2e30 382e 3032 .83,.ROM.H.08.02
0x0060: 2028 2f73 772f 636f 6465 2f62 7569 6c64 .(/sw/code/build
0x0070: 2f66 6973 6828 7473 5f30 385f 3529 290e /fish(ts_08_5)).
0x0080: 0400 1400 0410 0c05 01ac 1701 0402 0000 ................
0x0090: 0000 0000 00 .....
18:24:23.764086 IP 193.224.61.228.2627 > 193.224.61.226.445: P
4205068401:4205068481(80) ack 3079020303 win 65535
18:24:23.764486 IP 193.224.61.226.445 > 193.224.61.228.2627: P 1:105(104) ack
80 win 16106
18:24:23.766412 IP 193.224.61.228.2627 > 193.224.61.226.445: P 80:160(80) ack
105 win 65535
18:24:23.766654 IP 193.224.61.226.445 > 193.224.61.228.2627: P 105:209(104) ack
160 win 17520
18:24:23.766665 IP 193.224.61.228.2627 > 193.224.61.226.445: . ack 209 win
65431
.
.
.
But when I added an 802.1q tagged interface to my eth0 and captured its traffic
on the plain eth0 interface, tcpdump seemed to work correctly!
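Added example (not part of the original report, and not libpcap's own code): a small Python model of a 'host' match that reads the EtherType and IPv4 addresses at fixed untagged-Ethernet offsets, next to a VLAN-aware variant corresponding to the pcap-filter `vlan` primitive. The frames and the VLAN id 10 are constructed; only the IP addresses are taken from the report.

```python
import socket
import struct

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100

def frame(src_ip, dst_ip, vlan_id=None):
    """Build a constructed Ethernet + IPv4 header, optionally 802.1Q tagged."""
    macs = bytes.fromhex("001562e1697b") + bytes.fromhex("00170842e936")
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_VLAN, vlan_id & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip

def host_match(pkt, ip, l2_len=14):
    """'host ip' evaluated at fixed offsets: the EtherType just before the
    L3 header must be IPv4, then source or destination must equal ip."""
    if len(pkt) < l2_len + 20:
        return False
    (ethertype,) = struct.unpack_from("!H", pkt, l2_len - 2)
    if ethertype != ETH_IPV4:
        return False  # a tagged frame shows 0x8100 at offset 12
    addr = socket.inet_aton(ip)
    return addr in (pkt[l2_len + 12:l2_len + 16], pkt[l2_len + 16:l2_len + 20])

def is_vlan(pkt):
    """True if the outer EtherType is 802.1Q."""
    return struct.unpack_from("!H", pkt, 12)[0] == ETH_VLAN

def naive_not_host(pkt, ip):
    """Model of the filter 'not host ip' with untagged offsets only."""
    return not host_match(pkt, ip)

def vlan_aware_not_host(pkt, ip):
    """Model of 'not host ip and not (vlan and host ip)': the second term
    re-checks the addresses 4 bytes further in, behind the 802.1Q tag."""
    return naive_not_host(pkt, ip) and not (is_vlan(pkt) and host_match(pkt, ip, 18))

EXCLUDED = "193.224.61.226"
# Constructed sample frames: mirrored traffic untagged and tagged, plus local traffic.
UNTAGGED = frame("193.224.61.228", EXCLUDED)
TAGGED = frame("193.224.61.228", EXCLUDED, vlan_id=10)
LOCAL = frame("172.23.6.120", "87.49.202.247")

if __name__ == "__main__":
    for name, pkt in (("untagged", UNTAGGED), ("tagged", TAGGED), ("local", LOCAL)):
        print(name, "naive keeps:", naive_not_host(pkt, EXCLUDED),
              "vlan-aware keeps:", vlan_aware_not_host(pkt, EXCLUDED))
```

In this model the tagged frame to 193.224.61.226 passes the untagged-offset 'not host' check and is kept, which is the same outcome as in the capture above, while the VLAN-aware check drops it.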