Re: tcpdump giving only ARP packets

sajuars · ‎09-04-2008

I am trying to get network traces using tcpdump command. But all i am getting are ARP packets , although there is so much other traffic on the interface. There is no filtering given in the command.
Any idea why i am not receving other packets??

Rob Leadbeater · ‎09-04-2008

Hi,

You are probably on a switched network port.

That will prevent you from seeing any traffic other than that destined for the host that you're running tcpdump on.

Cheers,

Rob

sajuars · ‎09-04-2008

Yes , it is a switched port. But still i am not getting any other packets destined for this host other than ARP.

Also the tcpdump was OK until last week.I was getting all types of traffic on the port.But i dont understand what happened now .

Here's the command which i give :
/usr/sbin/tcpdump -i ee3 -s 1500 -w /tmp/04092008

Mark Poeschl_2 · ‎09-05-2008

Can you post the output of 'ifconfig -a'?

sajuars · ‎09-07-2008

Here's the ifconfig output ..
nr0: flags=c63
NetRAIN Attached Interfaces: ( ee3 ee1 ) Active Interface: ( ee3 )
inet x.x.x.x netmask ffffff00 broadcast x.x.x.255 ipmtu 1500
inet x.x.x.x netmask ffffff00 broadcast x.x.x.255 ipmtu 1500
ee3: flags=4000c63
NetRAIN Virtual Interface: nr0
NetRAIN Attached Interfaces: ( ee3 ee1 ) Active Interface: ( ee3 )
ee1: flags=4000c63
NetRAIN Virtual Interface: nr0
NetRAIN Attached Interfaces: ( ee3 ee1 ) Active Interface: ( ee3 )

I tried using both nr0 and ee3 , but result was same - only ARP packets.

Rob Leadbeater · ‎09-07-2008

Hi,

I don't know how tcpdump would handle NetRAIN interfaces...

I take it this setup used to work... Have there been any other network changes ?

Cheers,

Rob

sajuars · ‎09-07-2008

We were getting all protocol messages using tcpdump during the last week. But now only ARP packets.
There has been no network changes.
The remote side is saying that they are sending all protocol messages.
Is it something to do with the compilation of tcpdump ??

Rob Leadbeater · ‎09-07-2008

Well if tcpdump has been recompiled, and it used to work and now doesn't, that would seem to be the rather obvious place to start looking !

Cheers,
Rob

Mark Poeschl_2 · ‎09-09-2008

Could promiscuous mode have gotten turned off on your interface? What does the output of 'pfstat' show for interface ee3?

sajuars · ‎09-09-2008

pf3:

Xcnt: 0 Rcnt: 22606
Xdrops: 0 Rdrops: 0
Rmissed: 0 Runwanted: 169322
AllowPromisc: no AllowCopyAll: no
UserMaxWaiting: 32

Device type: 10Mb Interface: ee3
Address Length: 6 Header Length: 14 MTU: 1514
Interface Address: xxxxxxx
Broadcast Address: xxxxxxxxx

Desq(71c3d9b0): 0/256 open files [71c3d9b0,71c3d9b0]:
AllDescriptors:
# LOC LINK-QUEUE STATE WAIT-QUEUE NQ'D TOUT MODE SIG PROC(PID)

Filters:
# COUNT DROPS PRI LEN FILTER

sajuars · ‎09-15-2008

Can somebody help ...

Mark Poeschl_2 · ‎09-15-2008

# pfconfig +c +p ee3

Above command should get things working again for you. Note: This command must be re-entered after a reboot.

sajuars · ‎09-15-2008

Yes ..it worked after that
we also did a MAKEDEV pfilt
thanks ..

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: tcpdump giving only ARP packets

tcpdump giving only ARP packets