[tcpdump-workers] Tcpdump not showing packets while the TX counter increments.

Guy Harris guy at alum.mit.edu
Wed Nov 12 18:25:06 EST 2014


On Nov 12, 2014, at 3:07 PM, Matthew Schumacher <matt.s at aptalaska.net> wrote:

> On 11/11/2014 11:35 AM, Guy Harris wrote:
>>> But those aren't showing up with:
>>> 
>>> # tcpdump -i eth1 -n -e -Q out
>> 
>> What happens with
>> 
>> 	tcpdump -i eth1 -n -e -p
>> 
>> i.e., not filtering only for outgoing packets, but also not running in promiscuous mode?  (Just to make sure that the direction filtering is done correctly on Linux.)
> 
> I see all of the ingress broadcast and multicast traffic which is what I
> would expect.

But no outgoing traffic, presumably, right?

> I ran the same test on a host running kernel 3.10.17 and it does show
> traffic when the TX counter increments as an ARP reply:
> 
> 15:37:41.569057 00:22:75:d7:02:d4 > 00:50:56:86:17:6d, ethertype ARP
> (0x0806), length 42: Reply 192.168.7.99 is-at 00:22:75:d7:02:d4, length 28
> 
> That's very odd that:
> 
> 1.  The 3.2.45 host doesn't show any traffic even though the TX increments.

I guess, for whatever reason, 3.2.45 isn't sending some outgoing packets to "taps" (that's what dev_queue_xmit_nit() does).

> 2.  The 3.10.17 host shows all traffic that causes the TX to increment,
> but responds to arp on an interface that doesn't have an IP address.

Perhaps it's seen an ARP reply that says that 192.168.7.99 has the MAC address 00:22:75:d7:02:d4, so that's in its ARP cache, and is helpfully informing whoever asked for the MAC address of 192.168.7.99 that it's 00:22:75:d7:02:d4.



More information about the tcpdump-workers mailing list