[tcpdump-workers] Tcpdump not showing packets while the TX counter increments.
guy at alum.mit.edu
Wed Nov 12 18:25:06 EST 2014
On Nov 12, 2014, at 3:07 PM, Matthew Schumacher <matt.s at aptalaska.net> wrote:
> On 11/11/2014 11:35 AM, Guy Harris wrote:
>>> But those aren't showing up with:
>>> # tcpdump -i eth1 -n -e -Q out
>> What happens with
>> tcpdump -i eth1 -n -e -p
>> i.e., not filtering only for outgoing packets, but also not running in promiscuous mode? (Just to make sure that the direction filtering is done correctly on Linux.)
> I see all of the ingress broadcast and multicast traffic which is what I
> would expect.
But no outgoing traffic, presumably, right?
> I ran the same test on a host running kernel 3.10.17 and it does show
> traffic when the TX counter increments as an ARP reply:
> 15:37:41.569057 00:22:75:d7:02:d4 > 00:50:56:86:17:6d, ethertype ARP
> (0x0806), length 42: Reply 192.168.7.99 is-at 00:22:75:d7:02:d4, length 28
> That's very odd that:
> 1. The 3.2.45 host doesn't show any traffic even though the TX increments.
I guess, for whatever reason, 3.2.45 isn't sending some outgoing packets to "taps" (that's what dev_queue_xmit_nit() does).
> 2. The 3.10.17 host shows all traffic that causes the TX to increment,
> but responds to ARP on an interface that doesn't have an IP address.
Perhaps it's seen an ARP reply that says that 192.168.7.99 has the MAC address 00:22:75:d7:02:d4, so that's in its ARP cache, and is helpfully informing whoever asked for the MAC address of 192.168.7.99 that it's 00:22:75:d7:02:d4.