09-13-2013, 03:49 AM
|
#1
|
Senior Member
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
|
Why do Syslog per udp show in tcpdump
Hi folks,
while trying to find out whether a bridge would pass all traffic to all vhosts behind it, I observed something that seems strange to me while sniffing the traffic. Using tcpdump with promiscuous mode enabled I see some UDP packets on the syslog port. What I wonder about is that it is direct traffic and should not leave the switch or be passed on. I would assume I either see all or none. So maybe one of you has an idea why I only see these particular ones.
Code:
09:42:07.583441 IP 10.10.10.1.514 > 10.10.10.22.514: SYSLOG local2.info, length: 122
09:42:07.621802 IP 10.10.10.1.514 > 10.10.10.22.514: SYSLOG local4.info, length: 111
09:42:07.622613 ARP, Request who-has 10.10.10.10 tell 10.10.10.1, length 46
09:42:07.622640 ARP, Request who-has 10.10.10.11 tell 10.10.10.1, length 46
09:42:07.623071 ARP, Request who-has 10.10.10.20 tell 10.10.10.1, length 46
09:42:07.626555 IP 10.10.10.1.514 > 10.10.10.22.514: SYSLOG local4.info, length: 114
09:42:09.019022 IP 10.10.10.1.514 > 10.10.10.22.514: SYSLOG local0.info, length: 111
09:42:09.293367 IP 10.10.10.1.514 > 10.10.10.22.514: SYSLOG local2.info, length: 122
09:42:09.295084 IP 10.10.10.1.514 > 10.10.10.22.514: SYSLOG local2.info, length: 122
|
|
|
09-14-2013, 08:19 AM
|
#2
|
Moderator
Registered: May 2001
Posts: 29,415
|
Determine which host(s) are configured for remote syslogging and what host they log to.
|
|
|
09-16-2013, 05:39 AM
|
#3
|
Senior Member
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Original Poster
|
They originate from 10.10.10.1, the gateway for this network, and are going to 10.10.10.22. I have no access to 10.10.10.22 so I can't tell if all is well there. I rechecked the configuration of the gateway, which unicasts the syslog messages to 10.10.10.22...
I'm just astounded that normal UDP traffic is visible while normal HTTP to a virtual webserver is not shown within the tcpdump session of another virtual guest on the same KVM host.
As far as I know all the switches in use are dumb ones, so no configuration is possible. Also I'm not aware of any switch option that would broadcast | forward specific protocols, that is, emulate promisc mode.
|
|
|
09-17-2013, 11:03 AM
|
#4
|
Member
Registered: Feb 2008
Location: Armidale, NSW, Australia
Distribution: Fedora 8
Posts: 32
Rep:
|
If the switch has never seen packets from 10.10.10.22 (quite likely if it is not connected) then it would not know which interface to send the packet out on. So it would flood the packets out of all interfaces on that vlan.
That's one explanation anyway. Could be another reason...
|
|
1 members found this post helpful.
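The flooding behaviour described in post #4, as an added example that is not part of the thread: a minimal Python model of a learning switch, showing why one-way syslog to a silent host reaches every port while HTTP to a server that replies does not. The MAC addresses, port numbers and the 300-second ageing time are constructed for illustration.

```python
# Added example: minimal model of a learning (transparent) switch.
# MAC addresses, port numbers and the ageing time are constructed values.

BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports, ageing=300):
        self.ports = set(ports)
        self.ageing = ageing          # seconds an idle entry stays in the table
        self.fdb = {}                 # MAC -> (port, last time seen as a source)

    def receive(self, now, in_port, src, dst):
        """Process one frame; return the sorted list of ports it is sent out of."""
        self.fdb[src] = (in_port, now)            # learn from the SOURCE address only
        entry = self.fdb.get(dst)
        if entry and now - entry[1] > self.ageing:
            del self.fdb[dst]                     # idle too long: forget the entry
            entry = None
        if dst == BROADCAST or entry is None:
            return sorted(self.ports - {in_port}) # broadcast or unknown unicast: flood
        out_port = entry[0]
        return [] if out_port == in_port else [out_port]

GATEWAY = "52:54:00:00:00:01"   # stands in for 10.10.10.1
LOGHOST = "52:54:00:00:00:16"   # stands in for 10.10.10.22, receives syslog only
WEBSRV  = "52:54:00:00:00:0a"   # a web server that answers its clients
GW_PORT, LOG_PORT, WEB_PORT, SNIFF_PORT = 1, 2, 3, 4   # port 4: the tcpdump guest

def demo():
    sw = LearningSwitch([GW_PORT, LOG_PORT, WEB_PORT, SNIFF_PORT])
    results = {}
    # One-way syslog: the log host never sends, so it is never learned.
    results["syslog_first"] = sw.receive(0, GW_PORT, GATEWAY, LOGHOST)
    results["syslog_later"] = sw.receive(2, GW_PORT, GATEWAY, LOGHOST)
    # HTTP: the request is flooded once, the reply teaches the switch the server's port.
    results["http_request"] = sw.receive(3, GW_PORT, GATEWAY, WEBSRV)
    results["http_reply"] = sw.receive(4, WEB_PORT, WEBSRV, GATEWAY)
    results["http_next"] = sw.receive(5, GW_PORT, GATEWAY, WEBSRV)
    # If the log host transmits anything, flooding stops until the entry ages out.
    sw.receive(6, LOG_PORT, LOGHOST, GATEWAY)
    results["syslog_learned"] = sw.receive(7, GW_PORT, GATEWAY, LOGHOST)
    results["syslog_aged"] = sw.receive(400, GW_PORT, GATEWAY, LOGHOST)
    return results

if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:15} -> out ports {ports}")
```

Any result that includes port 4 is a frame the sniffing guest would capture; on a Linux bridge the learned entries being modelled here can be listed with `bridge fdb show`.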
|
09-18-2013, 02:47 AM
|
#5
|
Senior Member
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Original Poster
|
Quote:
Originally Posted by cospengle
If the switch has never seen packets from 10.10.10.22 (quite likely if it is not connected) then it would not know which interface to send the packet out on. So it would flood the packets out of all interfaces on that vlan.
|
That sounds reasonable. I see that I can get someone to check on .22 and see if all is good there. Thanks for the hint.
|
|
1 members found this post helpful.
|