tcpdump mailing list archives
Re: Rx packets are not captured on physical
From: Lakshmana Reddy <rvlreddy.tech () gmail com>
Date: Mon, 22 Jun 2009 23:06:46 -0700
Aaron,

Thanks for the pointer. I did further investigation and figured that the PF_PACKET socket does not capture the Rx packets, it always captures the Rx packets. I did try a small socket program to sniff the packets; below is the code snippet.

-----------------
...
....
if ((sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) {
    perror("socket");
    exit(1);
}

/* Get interface flags */
strncpy((char *)ifr.ifr_name, device, IFNAMSIZ);
ifr.ifr_name[IFNAMSIZ - 1] = '\0';   /* strncpy may not NUL-terminate */
if ((ioctl(sock, SIOCGIFFLAGS, &ifr)) == -1) {
    perror("ioctl");
    printf("Error getting interface flags!\n");
    close(sock);
    exit(1);
}

/* Get interface index */
if (ioctl(sock, SIOCGIFINDEX, &ifr) < 0) {
    perror("ioctl");
    close(sock);
    exit(1);
}

/* Set flags */
sll.sll_family = AF_PACKET;
sll.sll_ifindex = ifr.ifr_ifindex;
sll.sll_protocol = htons(ETH_P_ALL);

/* bind to interface */
if ((bind(sock, (struct sockaddr *)&sll, sizeof(sll))) == -1) {
    perror("Error binding raw socket to interface");
    close(sock);
    exit(1);
}

while (1) {
    printf("----------\n");
    n = recvfrom(sock, buffer, 2048, 0, NULL, NULL);
    printf("%d bytes read\n", n);
    ...
    ...
}
----------------

Below is the output I get. It is clear from the output that on eth2 only TX packets are captured, whereas from veth0 all the packets are captured. I am wondering if there is any .config parameter that needs to be configured for the PF_PACKET family to capture all the packets on a physical interface when bonded. Any comments or pointers are much appreciated.
-----------
-bash-3.00# ifconfig veth0
veth0     Link encap:Ethernet HWaddr 00:15:17:29:F7:80
          inet addr:192.168.11.144 Bcast:192.168.11.255 Mask:255.255.252.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
          RX packets:41489453 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15600 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4232122294 (3.9 GiB) TX bytes:5797281 (5.5 MiB)

-bash-3.00# ./pf_socket eth2
sniffing device: eth2
interface index :6211
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,30147
Layer-4 protocol 1
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,32194
Layer-4 protocol 1
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,33985
Layer-4 protocol 1
----------

-bash-3.00# ./pf_socket veth0 | grep -C 4 10.24
----------
98 bytes read
Source MAC address: 00:15:17:29:f7:80
Destination MAC address: 00:21:a1:4a:74:00
Source host 10.24.29.16
Dest host 192.168.11.144
Source,Dest ports 2048,24995
Layer-4 protocol 1
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,27043
Layer-4 protocol 1
----------
60 bytes read
--
----------
98 bytes read
Source MAC address: 00:15:17:29:f7:80
Destination MAC address: 00:21:a1:4a:74:00
Source host 10.24.29.16
Dest host 192.168.11.144
Source,Dest ports 2048,26786
Layer-4 protocol 1
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,28834
Layer-4 protocol 1
----------

Thanks in advance,
Lakshmana

On Fri, Jun 19, 2009 at 9:58 AM, Aaron Turner <synfinatic () gmail com> wrote:
> On Thu, Jun 18, 2009 at 11:30 PM, Lakshmana Reddy <rvlreddy.tech () gmail com> wrote:
> [snip]
>> I walked through the tcpdump/pcap code to see what's going on. So far my
>> understanding is that pcap_loop(), to capture the packets on the given
>> device, invokes the recvfrom() sys call to get the raw packets from the
>> kernel and parses them before passing them to a callback. I am wondering
>> where would the Rx packets be lost in this code path. Can somebody shed
>> some light on this?
>
> You'd need to look at the Linux kernel's PF_PACKET implementation to
> understand why this is happening. tcpdump uses libpcap which uses the
> PF_PACKET socket API to read frames.
>
> --
> Aaron Turner
> http://synfin.net/
> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety.
>     -- Benjamin Franklin
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.