From: Markus
To: freebsd-questions@freebsd.org
Date: Wed, 26 Mar 2008 00:01:41 +0100
Message-Id: <20080326000141.7b450699.universe@truemetal.org>
Subject: tcpdump stopped working / changes to pcap since 5.2.1-RELEASE?

Hello,

we've had a FreeBSD 5.2.1-RELEASE machine with four Intel 100/1000 NICs (em(4)). The monitoring port of our HP 4140gl switch was hooked up to one of the four NICs. This has allowed us to do traffic accounting and detect network problems by utilizing tcpdump.

We've recently upgraded the machine to at first FreeBSD 6.3, afterwards to FreeBSD 7.0. In both versions commands like

    tcpdump -n -i em3 host 217.172.x.y

(em3 is the NIC that goes to the 4140gl monitoring port) don't produce any output anymore.

In general, tcpdump does work, as through a normal non-monitoring port at e.g. em0, all tcpdump commands (host xyz, net xyz, arp etc.) work like expected and produce the appropriate results.

If tcpdump is being invoked without any arguments (tcpdump -n -i em3) it shows all packets coming in through the monitoring port, however, as soon as we try to filter by specific tcpdump expressions, it doesn't show any results.

Were there any changes to tcpdump, the em driver, pcap or another part of the OS in recent history which could lead to such a behavior? Again, regular packets on any em-interface we can collect just fine, just the packets coming in through the monitoring port are being "ignored"...

Any advice?

Thanks
Markus

$ ifconfig em0
em0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 00:e0:81:62:1c:7a
        inet 217.172.a.b netmask 0xffffff00 broadcast 217.172.a.c
        media: Ethernet autoselect (1000baseTX )
        status: active

$ ifconfig em3
em3: flags=8843 metric 0 mtu 1500
        options=9b
        ether 00:e0:81:62:1c:7b
        inet 192.168.200.2 netmask 0xffffff00 broadcast 192.168.200.255
        media: Ethernet autoselect (1000baseTX )
        status: active