LinuxQuestions.org
Old 09-13-2013, 03:49 AM   #1
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Why do Syslog per udp show in tcpdump


Hi folks,

While trying to find out whether a bridge would pass all traffic to all vhosts behind it, I observed something strange to me while sniffing the traffic. Using tcpdump with promiscuous mode enabled, I see some UDP packets on the syslog port. What I wonder about is that it is direct traffic and should not leave the switch or be passed on. I would assume I either see all or none. So maybe one of you has an idea why I only see these particular ones.

Code:
09:42:07.583441 IP 10.10.10.1.514 > 10.10.10.22.514: SYSLOG local2.info, length: 122
09:42:07.621802 IP 10.10.10.1.514 > 10.10.10.22.514: SYSLOG local4.info, length: 111
09:42:07.622613 ARP, Request who-has 10.10.10.10 tell 10.10.10.1, length 46
09:42:07.622640 ARP, Request who-has 10.10.10.11 tell 10.10.10.1, length 46
09:42:07.623071 ARP, Request who-has 10.10.10.20 tell 10.10.10.1, length 46
09:42:07.626555 IP 10.10.10.1.514 > 10.10.10.22.514: SYSLOG local4.info, length: 114
09:42:09.019022 IP 10.10.10.1.514 > 10.10.10.22.514: SYSLOG local0.info, length: 111
09:42:09.293367 IP 10.10.10.1.514 > 10.10.10.22.514: SYSLOG local2.info, length: 122
09:42:09.295084 IP 10.10.10.1.514 > 10.10.10.22.514: SYSLOG local2.info, length: 122
 
Old 09-14-2013, 08:19 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Determine which host(s) are configured for remote syslogging and what host they log to.
 
Old 09-16-2013, 05:39 AM   #3
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748

Original Poster
Blog Entries: 11

They originate from 10.10.10.1, the gateway for this network, and are going to 10.10.10.22. I have no access to 10.10.10.22, so I can't tell if all is well there. I rechecked the configuration of the gateway, which unicasts the syslog messages to 10.10.10.22...

I'm just astounded that normal UDP traffic is visible while normal HTTP to a virtual web server is not shown within the tcpdump session of another virtual guest on the same KVM host.

As far as I know, all the switches in use are dumb ones, so no configuration is possible. Also, I'm not aware of any switch option that would broadcast or forward specific protocols, in other words emulate promisc mode.
 
Old 09-17-2013, 11:03 AM   #4
cospengle
Member
 
Registered: Feb 2008
Location: Armidale, NSW, Australia
Distribution: Fedora 8
Posts: 32

If the switch has never seen packets from 10.10.10.22 (quite likely if it is not connected) then it would not know which interface to send the packet out on. So it would flood the packets out of all interfaces on that vlan.


That's one explanation anyway. Could be another reason...
 
1 members found this post helpful.
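
The flooding behaviour described in post #4, modelled as a small learning switch. This is an added example, not part of the thread; the port numbers, host labels and the 300-second aging time are assumptions.

```python
# Added illustration: minimal model of a learning (transparent) switch.
# Port numbers, host labels and the 300 s aging time are assumptions.

class LearningSwitch:
    def __init__(self, ports, aging=300):
        self.ports = set(ports)
        self.aging = aging
        self.table = {}  # MAC label -> (port, time last seen as source)

    def receive(self, now, in_port, src, dst):
        """Process one frame; return the sorted list of ports it is sent out of."""
        # Learning happens on the SOURCE address only.
        self.table[src] = (in_port, now)
        entry = self.table.get(dst)
        if entry is not None and now - entry[1] > self.aging:
            del self.table[dst]  # entry aged out: the host has been silent too long
            entry = None
        if entry is None:
            # Unknown unicast: flood to every port except the ingress port.
            return sorted(self.ports - {in_port})
        out_port = entry[0]
        return [] if out_port == in_port else [out_port]


def simulate():
    """Gateway on port 1, silent syslog receiver on port 2, sniffer on port 3."""
    sw = LearningSwitch(ports=[1, 2, 3])
    gw, collector, sniffer_port = "gw-10.10.10.1", "host-10.10.10.22", 3
    seen = {}
    # One-way UDP syslog: the collector never transmits, so it is never learned.
    seen["silent"] = sniffer_port in sw.receive(0, 1, gw, collector)
    # The collector sends a single frame (e.g. an ARP reply): now it is learned.
    sw.receive(10, 2, collector, gw)
    seen["after_reply"] = sniffer_port in sw.receive(11, 1, gw, collector)
    # Collector stays quiet longer than the aging time: flooding resumes.
    seen["after_aging"] = sniffer_port in sw.receive(400, 1, gw, collector)
    return seen


if __name__ == "__main__":
    for phase, visible in simulate().items():
        print(f"{phase:12s} sniffer sees syslog frame: {visible}")
```

In this model, traffic where both ends keep transmitting keeps both table entries fresh, so it is forwarded out of a single port only. While frames are flooded, the syslog content is readable on every port of that VLAN.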
Old 09-18-2013, 02:47 AM   #5
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748

Original Poster
Blog Entries: 11

Quote:
Originally Posted by cospengle View Post
If the switch has never seen packets from 10.10.10.22 (quite likely if it is not connected) then it would not know which interface to send the packet out on. So it would flood the packets out of all interfaces on that vlan.
That sounds reasonable. I see that I can get someone to check on .22 and see if all is good there. Thanks for the hint.
 
1 members found this post helpful.
  

