Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Filters are not working when using tcpdump on eth1. Running CentOS 5.2 I can apply filters to eth0 captures but not eth1. For example this works, ssh traffic is not printed to the screen:
tcpdump not tcp port 22
This does not, it is as if the filter was not there, ie. I see everything:
tcpdump -i eth1 not tcp port 22
What is weirder is that the following command produces no output at all:
tcpdump -i eth1 tcp
Eth1 is connected to an HP switch port is set up as the monitor port.I have tried swapping an 3C905 for an Intel Pro 1000 with the same results. Any ideas what could be throwing a monkey wrench into tcpdump filter for eth1?
please show us the eth1 output with port 22 traffic shown. I don't think your filters are valid. "tcp port 22" isn't logical as I understand it, you'd say "tcp and port 22" which is functionally equivalent to "(ip proto tcp) and (port 22)"
Last edited by acid_kewpie; 03-11-2010 at 12:39 PM.
The man page has an example that uses the exact syntax except it uses port 80. Also, I use this command on other interfaces and it works fine and I have been using it for years.
I am trying to figure out why it would work on one interface and not another in the same machine. Another symptom of the problem is that iptraf and tcptrack no longer see any tcp traffic. iptraf does see udp traffic. Rebooting swapping the NIC card from 3Com to Intel, nothign has fixed it. Very weird.
Looks like packets sent through that interface are being encapsulated into something else, such as PPPoE.
Tcpdump simply checks the regular offset of what it thinks is a regular IP header. In this case you need to make it look in a different place, a little bit further down the packet - due to the extra few bytes of the PPPoE (or different, just an example) header. So in case of a PPPoE encap:
Code:
tcpdump -i en0 ether[31]=6 // IP header protocol field set to tcp
tcpdump -i en0 ether[31]=17 // set to udp
.. and so on
Thanks for the information. I will take a look at this. I have been called away on other duties. So I have not had time to return to the problem. Hopefully next week I can digest what you have written.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Solved
