Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 29 Apr 2007 16:14:21 +0200
From:      =?ISO-8859-1?Q?Philipp_Gasch=FCtz?= <philipp@corpex.de>
To:        freebsd-questions@freebsd.org
Subject:   problems with tcpdump filter on a switch mirroring port, 6.2 RELEASE-p4
Message-ID:  <4634A83D.8040908@corpex.de>
next in thread | raw e-mail | index | archive | help 
Hi,

we have a strange problem with tcpdump on a vanilla FreeBSD 
6.2-RELEASE-p4 box, which we are trying to use as a traffic 
sniffing/IDS/whatever device.

The box has 2 NICs, em0 and em1

em0 is normally configured with an inet address.

em1 is connected to a port on the same switch (HP Procurve 2824), which 
is configured to be a mirror port of all other ports and configured like 
this:
   ifconfig em1 polling monitor promisc

ie only a network sniffing device.

while issuing a "ping 81.91.161.70",
"tcpdump -nli *em0* host 81.91.161.70" works like expected (traffic is 
sent to the default gw via em0, switch copies the data to em1):

15:54:05.790877 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 
35620, seq 0, length 64
15:54:05.801690 IP 81.91.161.70 > XXX.XXX.XXX.XXX: ICMP echo reply, id 
35620, seq 0, length 64

However, issuing the same ping, but tcpdump'ing on em1 only results in

# tcpdump -nli em1 host 81.91.161.70
15:56:00.512614 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 
40484, seq 0, length 64
15:56:01.548077 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 
40484, seq 1, length 64

ie. no replies are captured by tcpdump

Initially I thought this was somehow connected to the monitoring port on 
the switch not working as expected. However:

# tcpdump -nli em1  | grep 81.91.161.70
15:57:48.447530 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 
41508, seq 0, length 64
15:57:48.458767 IP 81.91.161.70 > XXX.XXX.XXX.XXX: ICMP echo reply, id 
41508, seq 0, length 64


ie. tcpdump without a filter captures the packets just fine.


I have tried to disable monitor and polling and also gave em1 an inet 
address, without success.
The box itself idles at 99% when running tcpdump.
I have ammended the following sysctls (also without success):
   net.bpf.bufsize: 4194304
   net.bpf.maxbufsize: 8388608

Has anyone seen something like this before?

Thanks

Philipp

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4634A83D.8040908>