tcpdump does not capture the ping and traceroute packets

hamedhsn · 07-16-2013, 01:44 PM

Hi

I ran tcpdump on both side and the sent ping and traceroute probes but none of the side capture any thing i used this command

Code:

bash-4.0# /usr/sbin/tcpdump -i eth0 -vvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

any idea?

Thanks

nini09 · 07-16-2013, 02:12 PM

Try "tcpdump -i any" command. The package may go to other interface.

hamedhsn · 07-17-2013, 04:15 AM

Quote:

Originally Posted by nini09

Try "tcpdump -i any" command. The package may go to other interface.

i tried but not luck. the thing is when i send some requests from an application it captures the traffic but for these probes it doesnot.

nini09 · 07-17-2013, 02:22 PM

How do you do the ping, ping IP address or domain name?

szboardstretcher · 07-17-2013, 02:47 PM

Are you positive that eth0 is the interface being used?

Try looking at the output of 'ifconfig' to see your packet counts.

zhjim · 07-17-2013, 03:11 PM

tcpdump also has an option to show the dumps right away. Dunno the exact option but might be that it just comes in late(er).
Also maybe use the proto option and set it to icmp...

szboardstretcher · 07-17-2013, 03:17 PM

Quote:

Originally Posted by zhjim

tcpdump also has an option to show the dumps right away. Dunno the exact option but might be that it just comes in late(er).
Also maybe use the proto option and set it to icmp...

His command is listening for all traffic on eth0, and 'nothing' is showing up. He needs to verify that he is listening to the right interface first.

zhjim · 07-17-2013, 04:08 PM

Quote:

Originally Posted by nini09

Try "tcpdump -i any" command. The package may go to other interface.

He tried but no luck... so maybe hes just impatient and did not wait long enough for the frame buffer to fill?

szboardstretcher · 07-17-2013, 04:10 PM

need more info from OP, before any more educated guesses can be made:

'ifconfig' output
'ip a' output

hamedhsn · 07-18-2013, 04:16 AM

Quote:

Originally Posted by nini09

How do you do the ping, ping IP address or domain name?

i tried both nothing from any of them..

hamedhsn · 07-18-2013, 04:19 AM

Quote:

Originally Posted by szboardstretcher

Are you positive that eth0 is the interface being used?

Try looking at the output of 'ifconfig' to see your packet counts.

yes..this is the output of ifconfig

Code:

bash-3.2# /sbin/ifconfig 
eth0      Link encap:Ethernet  HWaddr 00:13:72:60:EC:CF  
          inet addr:128.84.154.40  Bcast:128.84.154.127  Mask:255.255.255.128
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2614792902 errors:345 dropped:105220 overruns:0 frame:183
          TX packets:2044956693 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3190521614 (2.9 GiB)  TX bytes:2992958856 (2.7 GiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:128559872 errors:0 dropped:0 overruns:0 frame:0
          TX packets:128559872 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:996620717 (950.4 MiB)  TX bytes:996620717 (950.4 MiB)

hamedhsn · 07-18-2013, 04:25 AM

Quote:

Originally Posted by zhjim

Also maybe use the proto option and set it to icmp...

i checked it with

Code:

/usr/sbin/tcpdump -i eth0 icmp -vvv

but again northing is been captured.

hamedhsn · 07-18-2013, 04:30 AM

Quote:

Originally Posted by szboardstretcher

'ip a' output

Code:

bash-3.2# /sbin/ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb state UP qlen 1000
    link/ether 00:13:72:60:ec:cf brd ff:ff:ff:ff:ff:ff
    inet 128.84.154.40/25 brd 128.84.154.127 scope global eth0

hamedhsn · 07-18-2013, 04:36 AM

Quote:

Originally Posted by nini09

Try "tcpdump -i any" command. The package may go to other interface.

this is warning that i get

Code:

bash-3.2# /usr/sbin/tcpdump -i any -vvv
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

i tried to enable the Promiscuous mode but i get this error though i am root.

Code:

bash-3.2# /sbin/ifconfig eth0 promisc
SIOCSIFFLAGS: Permission denied

nini09 · 07-18-2013, 02:21 PM

Can a iptable policy drop the packet? Can you disable iptable and try it?