tcpdump mailing list archives
Failing to capture packets....
From: Paul Armor <parmor () gravity phys uwm edu>
Date: Fri, 19 Jan 2007 12:05:38 -0600 (CST)
Hi, I've got a problem that's strange on various levels, and using tcpdump isn't as helpful as I'd have hoped. Can anyone offer suggestions on how to capture/interpret my bad data on the wire? I'm trying to capture from any of a few other machines with Broadcom chips, and am wondering if there's a limitation to hardware/driver that prevents tcpdump/libpcap from "seeing" that data?
Generally speaking, I'm trying to capture data on the wire that's coming from a computer that's crashed. That sounds simple enough...
BUT, here's the rub... the driver and thus tcpdump/ethereal don't recognize any "packets", but there's data spraying on the wire, so I don't think they're at all properly formed ethernet packets. Here's some interesting ifconfig (linux 2.6) output:
eth0      Link encap:Ethernet  HWaddr 00:14:22:D1:16:B1
          RX packets:2491 errors:0 dropped:0 overruns:0 frame:21
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2910464 (2.7 MiB)  TX bytes:492 (492.0 b)

eth0      Link encap:Ethernet  HWaddr 00:14:22:D1:16:B1
          RX packets:2491 errors:0 dropped:0 overruns:0 frame:21
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2940992 (2.8 MiB)  TX bytes:492 (492.0 b)

Note how RX packets does NOT increase, while RX bytes does. These two ifconfigs were run about 1 sec apart from another machine attached via crossover cable. I didn't pay attention to the occurrence of the "frame" pkts...
How this happens is that I've got a large number of machines running a Fedora install, and certain users' jobs are able to tickle a problem with memory/memory-controller/CPU (everybody's blaming everybody else), which sometimes (~60% of the time) causes a crashed machine (a Machine Check Exception) to start spraying the network with crap. This crap causes a broadcast/multicast cache/buffer to overflow on a big Force 10 switch, which causes other machines to "drop off the network" (as ARP fails, etc).
I suspect a problem with BIOS on motherboard or firmware on embedded ethernet controller (Broadcom (BCM95704A6) rev 2100 PHY(5704))... and am looking for evidence.
ANY help/suggestions would be greatly appreciated! Thanks!
Paul

This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
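The counter pattern in the post (RX bytes climbing while RX packets stays flat, with a non-zero "frame" count) is something the driver reports but libpcap never sees, because libpcap only receives frames the driver has completed. The script below is an added example, not code from the post or from tcpdump/libpcap: it parses the two net-tools ifconfig snapshots quoted above, computes the per-counter deltas, and flags the bytes-without-packets condition and any growth in the error counters. The `read_sysfs_counters` helper is hypothetical and assumes a Linux host with `/sys/class/net/<if>/statistics`; its mapping of sysfs names onto ifconfig's labels (`rx_frame_errors` to "frame", `rx_fifo_errors` to "overruns") is this example's assumption about net-tools' conventions.

```python
import re
from typing import Dict, List

# Two net-tools ifconfig snapshots taken about one second apart, reproduced
# from the post above (eth0 on the capturing host). Everything else here is
# an added example, not part of the original message.
SNAPSHOT_BEFORE = """\
eth0      Link encap:Ethernet  HWaddr 00:14:22:D1:16:B1
          RX packets:2491 errors:0 dropped:0 overruns:0 frame:21
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2910464 (2.7 MiB)  TX bytes:492 (492.0 b)
"""

SNAPSHOT_AFTER = """\
eth0      Link encap:Ethernet  HWaddr 00:14:22:D1:16:B1
          RX packets:2491 errors:0 dropped:0 overruns:0 frame:21
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2940992 (2.8 MiB)  TX bytes:492 (492.0 b)
"""

# "name:value" pairs, optionally preceded by an RX or TX direction word.
COUNTER_RE = re.compile(r"(?:\b(RX|TX)\s+)?\b([a-z]+):(\d+)\b")


def parse_ifconfig(text: str) -> Dict[str, int]:
    """Turn net-tools ifconfig output into {'rx_packets': 2491, 'rx_frame': 21, ...}.

    A direction word applies to every counter that follows it on the same
    line, so "RX bytes:... TX bytes:..." yields rx_bytes and tx_bytes, while
    "collisions:0 txqueuelen:1000" keeps its bare names.
    """
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        prefix = ""
        for direction, name, value in COUNTER_RE.findall(line):
            if direction:
                prefix = direction.lower() + "_"
            counters[prefix + name] = int(value)
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Increase of each counter present in both snapshots."""
    return {k: after[k] - before[k] for k in before if k in after}


def diagnose(before: Dict[str, int], after: Dict[str, int]) -> List[str]:
    """Flag counter movements that mean the NIC saw bytes libpcap will never get.

    The pattern from the post is RX bytes climbing while RX packets stays
    flat: the driver is receiving something on the wire but completing no
    frame to the stack, so tcpdump, which sits above the driver, shows nothing.
    """
    d = counter_deltas(before, after)
    findings: List[str] = []
    if d.get("rx_bytes", 0) > 0 and d.get("rx_packets", 0) == 0:
        findings.append(
            f"{d['rx_bytes']} RX bytes counted with 0 RX packets: traffic on the "
            "wire is not reaching the packet path, so tcpdump/libpcap cannot see it"
        )
    for key, label in (("rx_frame", "frame/alignment errors"),
                       ("rx_errors", "RX errors"),
                       ("rx_dropped", "RX drops"),
                       ("rx_overruns", "RX overruns")):
        if d.get(key, 0) > 0:
            findings.append(f"{d[key]} new {label} ({after[key]} total)")
    return findings


def read_sysfs_counters(ifname: str) -> Dict[str, int]:
    """Hypothetical live reader for a Linux host: same keys as parse_ifconfig().

    The sysfs statistics files are standard; mapping rx_frame_errors to
    "frame" and rx_fifo_errors to "overruns" is this example's assumption
    about how net-tools ifconfig labels them.
    """
    base = f"/sys/class/net/{ifname}/statistics"
    mapping = {"rx_packets": "rx_packets", "rx_bytes": "rx_bytes",
               "rx_errors": "rx_errors", "rx_dropped": "rx_dropped",
               "rx_frame_errors": "rx_frame", "rx_fifo_errors": "rx_overruns"}
    counters: Dict[str, int] = {}
    for fname, key in mapping.items():
        with open(f"{base}/{fname}") as fh:
            counters[key] = int(fh.read().strip())
    return counters


if __name__ == "__main__":
    before = parse_ifconfig(SNAPSHOT_BEFORE)
    after = parse_ifconfig(SNAPSHOT_AFTER)
    for finding in diagnose(before, after) or ["counters look consistent"]:
        print(finding)
```

On the quoted snapshots the only finding is the 30528 RX bytes counted against zero new packets; the frame counter is 21 in both, so nothing is reported for it, which matches the observation that it was not watched during the capture. Taking `read_sysfs_counters` samples a second apart and feeding them to `diagnose` gives the same check on a live interface, without relying on tcpdump seeing anything at all.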