Monitoring HP2810-24G via tcpdump - first syn packet not shown

Marcus Schultheiss
Occasional Visitor

Hi everybody,

I am trying to monitor traffic on a linux host using tcpdump.

Our Setup:
Port 12 is our mirror-port - the linux host is connected to this port via eth2

Port 13-24 are our workstation ports we want to monitor. (especially port 17, the others are just to see different behaviour on other ports)

So we want to copy inbound and outbound traffic from 13-24 to 12.
There is very low traffic. At the moment there are only 3 connected laptops in this location, using some webservices; no high volume traffic is generated.

our 2810 setup is the following:
(unneeded information removed)
mirror-port 12
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
exit
interface 13-24
monitor
exit

So no VLAN tagging is in place.

I try to monitor port 12 on the linux host in promiscuous mode using:
# tcpdump -nni eth2 port 3389
(yes, we want to filter on tcp/3389 (rdp))

On a system providing rdp service the following traffic is captured:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
11:08:53.898843 IP 192.168.34.104.3389 > 192.168.30.13.45239: S 3951069264:3951069264(0) ack 3637449641 win 65535
11:08:55.467809 IP 192.168.34.104.3389 > 192.168.30.13.45239: R 1:1(0) ack 3 win 0


I am wondering why I do not see the first packet (syn):
192.168.30.13.45239 > 192.168.34.104.3389

Why is this packet not captured?

And the real problem: on another port there is a workstation connected which is not responding to port 3389, and I can't see if the packet is transferred on this port (because I never see the first syn packet).
I've never seen the first syn packet on any of the ports. So it is not only a tcp/3389 issue.
The workstations could surf the internet without problems.

Using the above tcpdump commandline on another interface on the linux host shows the complete traffic, so it looks like not every packet is copied to the mirror-port, am I right?

Any hints?

Our version:
Image stamp: /sw/code/build/bass(bh2)
Oct 21 2008 16:33:39
N.11.15
25


Thanks in advance!
Marcus
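A quick way to check whether a mirror-port feed is dropping the client side of the handshake, as an added example that is not part of the original post: the script below parses tcpdump output in the older one-line format shown above (flags as a bare letter, "ack" in the body), and reports every flow where a SYN-ACK appears without a preceding SYN. The first two sample lines are taken from the post; the remaining two are constructed to show a complete handshake for comparison. A feed that reports many "missing SYN" flows but no complete ones cannot tell you whether a workstation's outbound packets were ever mirrored, which is exactly the blind spot described in the post.

```python
import re

# Constructed sample input in the old tcpdump one-line format used on the page.
# Lines 1-2 are from the post; lines 3-4 are constructed to show a full handshake.
SAMPLE_LINES = [
    "11:08:53.898843 IP 192.168.34.104.3389 > 192.168.30.13.45239: S 3951069264:3951069264(0) ack 3637449641 win 65535",
    "11:08:55.467809 IP 192.168.34.104.3389 > 192.168.30.13.45239: R 1:1(0) ack 3 win 0",
    "11:09:01.000000 IP 192.168.30.14.50001 > 192.168.34.104.3389: S 100:100(0) win 65535",
    "11:09:01.000500 IP 192.168.34.104.3389 > 192.168.30.14.50001: S 200:200(0) ack 101 win 65535",
]

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>" (old tcpdump format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+) "
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one tcpdump line; return a dict or None if the line is not TCP/IP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    # In the old format a SYN-ACK is printed as "S ... ack N", a plain SYN has no "ack".
    pkt["is_ack"] = " ack " in (" " + pkt["rest"] + " ")
    return pkt


def audit_handshakes(lines):
    """Classify SYN-ACKs by whether the matching client SYN was seen first.

    Flow keys are (client_ip, client_port, server_ip, server_port).
    Returns {"complete": [...], "missing_syn": [...]}.
    """
    syn_seen = set()
    complete = []
    missing = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or "S" not in pkt["flags"]:
            continue  # only SYN and SYN-ACK matter for this check
        if not pkt["is_ack"]:
            # Plain SYN: client -> server, so src is the client.
            syn_seen.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        else:
            # SYN-ACK: server -> client, so the client is the destination.
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            (complete if key in syn_seen else missing).append(key)
    return {"complete": complete, "missing_syn": missing}


def summarize(lines):
    """Return (complete_count, missing_count) for a quick health read of the feed."""
    result = audit_handshakes(lines)
    return len(result["complete"]), len(result["missing_syn"])


if __name__ == "__main__":
    # Usage: tcpdump -nnli eth2 port 3389 | python3 this_script.py
    import sys
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    report = audit_handshakes(source)
    for key in report["missing_syn"]:
        print("SYN-ACK without SYN: %s:%s -> %s:%s" % key)
    print("complete=%d missing_syn=%d" % summarize(SAMPLE_LINES if sys.stdin.isatty() else []))
```

Run it against live output with `tcpdump -nnli eth2 port 3389 | python3 this_script.py` (the `-l` flag line-buffers tcpdump so lines arrive as they are captured); with no piped input it runs over the constructed sample and flags the 192.168.30.13 flow from the post as a SYN-ACK whose SYN was never mirrored.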