From: Philipp Gaschütz <philipp@corpex.de>
To: freebsd-questions@freebsd.org
Date: Sun, 29 Apr 2007 16:14:21 +0200
Subject: problems with tcpdump filter on a switch mirroring port, 6.2 RELEASE-p4

Hi,

we have a strange problem with tcpdump on a vanilla FreeBSD 6.2-RELEASE-p4 box, which we are trying to use as a traffic sniffing/IDS/whatever device.

The box has 2 NICs, em0 and em1. em0 is normally configured with an inet address. em1 is connected to a port on the same switch (HP ProCurve 2824), which is configured to be a mirror port of all other ports, and is configured like this:

    ifconfig em1 polling monitor promisc

i.e. only a network sniffing device.
While issuing a "ping 81.91.161.70", "tcpdump -nli *em0* host 81.91.161.70" works as expected (traffic is sent to the default gw via em0, switch copies the data to em1):

    15:54:05.790877 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 35620, seq 0, length 64
    15:54:05.801690 IP 81.91.161.70 > XXX.XXX.XXX.XXX: ICMP echo reply, id 35620, seq 0, length 64

However, issuing the same ping, but tcpdump'ing on em1, only results in

    # tcpdump -nli em1 host 81.91.161.70
    15:56:00.512614 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 40484, seq 0, length 64
    15:56:01.548077 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 40484, seq 1, length 64

i.e. no replies are captured by tcpdump.

Initially I thought this was somehow connected to the monitoring port on the switch not working as expected. However:

    # tcpdump -nli em1 | grep 81.91.161.70
    15:57:48.447530 IP XXX.XXX.XXX.XXX > 81.91.161.70: ICMP echo request, id 41508, seq 0, length 64
    15:57:48.458767 IP 81.91.161.70 > XXX.XXX.XXX.XXX: ICMP echo reply, id 41508, seq 0, length 64

i.e. tcpdump without a filter captures the packets just fine.

I have tried to disable monitor and polling and also gave em1 an inet address, without success. The box itself idles at 99% when running tcpdump.

I have amended the following sysctls (also without success):

    net.bpf.bufsize: 4194304
    net.bpf.maxbufsize: 8388608

Has anyone seen something like this before?

Thanks
Philipp
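An added illustration of the mechanism behind the symptom above; this is not part of Philipp's mail or of any reply on the list. A BPF `host X` filter compiles to checks at fixed offsets of the raw frame (EtherType at offset 12, then IPv4 source and destination at offsets 26 and 30), whereas an unfiltered tcpdump decodes every frame it receives, so it can print packets that the fixed-offset filter never accepted. One commonly seen cause of exactly this gap on a mirror port is an 802.1Q VLAN tag on the mirrored frames, which shifts the IP header by four bytes. That cause is an assumption here, not something the mail establishes. The script builds two constructed ICMP frames (one untagged request, one reply carrying a VLAN tag), applies a `host X` style match and a `vlan and host X` style match to each, and compares the result with a decode-then-grep pass; the sample MACs, the local address 192.0.2.10 and VLAN id 100 are made up.

```python
import struct
import ipaddress
from typing import Optional

# Constructed sample values (not from the mailing-list thread).
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
LOCAL_IP = "192.0.2.10"      # stands in for XXX.XXX.XXX.XXX in the mail
REMOTE_IP = "81.91.161.70"   # the address being pinged in the mail


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 for a valid header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def icmp_packet(src: str, dst: str, icmp_type: int, ident: int, seq: int) -> bytes:
    """Build a minimal IPv4 + ICMP echo packet (no payload, checksums filled in)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    icmp = icmp[:2] + struct.pack("!H", ipv4_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + icmp


def ethernet_frame(payload: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Wrap payload in an Ethernet II header, optionally with an 802.1Q tag."""
    if vlan_id is None:
        return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + payload
    tag = struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    return DST_MAC + SRC_MAC + tag + struct.pack("!H", 0x0800) + payload


def host_match(frame: bytes, host: str, vlan_aware: bool = False) -> bool:
    """Mimic what 'host X' (or 'vlan and host X') checks: fixed offsets only."""
    target = ipaddress.IPv4Address(host).packed
    off = 12
    if vlan_aware:
        if frame[off:off + 2] != b"\x81\x00":
            return False
        off += 4  # skip TPID + TCI, as the 'vlan' primitive does
    if frame[off:off + 2] != b"\x08\x00":  # untagged filter sees 0x8100 here
        return False
    ip = frame[off + 2:]
    return len(ip) >= 20 and (ip[12:16] == target or ip[16:20] == target)


def decode_frame(frame: bytes) -> str:
    """One-line summary like an unfiltered tcpdump prints; it understands tags."""
    off, vlan = 12, ""
    etype = struct.unpack("!H", frame[off:off + 2])[0]
    if etype == 0x8100:
        vid = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        vlan, off = f"vlan {vid}, ", off + 4
        etype = struct.unpack("!H", frame[off:off + 2])[0]
    if etype != 0x0800:
        return f"{vlan}ethertype 0x{etype:04x}"
    ip = frame[off + 2:]
    return f"{vlan}IP {ipaddress.IPv4Address(ip[12:16])} > {ipaddress.IPv4Address(ip[16:20])}"


def compare_filters(frames, host: str):
    """Return hit counts for (host X, vlan and host X, decode-then-grep)."""
    plain = sum(host_match(f, host) for f in frames)
    tagged = sum(host_match(f, host, vlan_aware=True) for f in frames)
    grep = sum(host in decode_frame(f) for f in frames)
    return plain, tagged, grep


# Constructed scenario: the request leaves untagged, the reply shows up on the
# mirror port with an 802.1Q tag (an assumed switch behaviour, not a finding).
REQUEST = ethernet_frame(icmp_packet(LOCAL_IP, REMOTE_IP, 8, 40484, 0))
REPLY = ethernet_frame(icmp_packet(REMOTE_IP, LOCAL_IP, 0, 40484, 0), vlan_id=100)
FRAMES = [REQUEST, REPLY]

if __name__ == "__main__":
    for f in FRAMES:
        print(f"{decode_frame(f):42} host:{host_match(f, REMOTE_IP)!s:5} "
              f"vlan-and-host:{host_match(f, REMOTE_IP, vlan_aware=True)}")
    print("hits (host, vlan and host, grep):", compare_filters(FRAMES, REMOTE_IP))
```

The quick check on a real box is to capture with `-e` so tcpdump prints the link-level header (a tag shows up as `vlan 100, p 0, ethertype IPv4`), and then to compare `host 81.91.161.70` against `vlan and host 81.91.161.70`, or against `host 81.91.161.70 or (vlan and host 81.91.161.70)` to cover both cases in one filter; if the tagged form catches the missing replies, the filter rather than the mirror port was the problem.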