Re: tcpdump broken after rh9 2.4.20-27.9 kernel upgrade
From: Harry Hoffman (hhoffman_at_ip-solutions.net)
Date: 12/28/03
To: redhat-list@redhat.com
Date: Sat, 27 Dec 2003 21:45:05 -0500
Robert,
Hmm, can you provide your tcp filter? Also, are you sure you're listening on the
right interface (sorry, I know it's a stupid question). Perhaps something in the
upgrade of the kernel caused the interfaces to be changed...? (really stretching
on that one).
One thing to do to check if it's a filter problem would be to sniff for ARP, as
these packets should be broadcast to every port on a switch or hub:
    tcpdump -i <ethX> -ln arp
Although, you do state that you are seeing broadcast packets.
Do you have another *nix box that you can throw in place to ensure it's not
network related?
HTH,
Harry
Quoting Robert Brown <eli@typhoon.xnet.com>:
*> OK, then back to my original question: any ideas why tcpdump is not
*> working when an interface is in promiscuous mode? It seems to capture
*> packets with the interface's own ip address as either src or dst, and
*> also broadcast packets, but it misses other packets. The network
*> hardware setup is unchanged from before the 2.4.20-27.9 kernel was
*> installed, when tcpdump was working fine. I am using 2 nics, one on
*> my lan with a 192.168.1.* ip address, one on my dmz with no assigned
*> ip address, and one on my wild zone where the bridge to the internet
*> is. The lan and dmz are 10/100baseT hubs, and the wild is a 10baseT
*> half-duplex hub. The nics are nailed up appropriately in my
*> /etc/modules.conf file thusly:
*>
*> alias eth0 8139too
*> alias eth1 8139too
*> alias eth2 8139too
*> options 8139too 0x100,0x100,0x10
*>
*> The use of hubs and half-duplex rather than switches and full-duplex
*> is required for the NIDS to see all the packets.
*>
*> --
*> -------- "And there came a writing to him from Elijah" [2Ch 21:12]
*> --------
*> R. J. Brown III rj@elilabs.com http://www.elilabs.com/~rj voice 859
*> 567-7311
*> Elijah Laboratories Inc. P. O. Box 166, Warsaw KY 41095 fax 859
*> 567-7311
*> ----- M o d e l i n g t h e M e t h o d s o f t h e M i n d
*> ------
*>
*>
*> --
*> redhat-list mailing list
*> unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
*> https://www.redhat.com/mailman/listinfo/redhat-list
*>
--
Harry Hoffman
hhoffman@ip-solutions.net
#----------------------------------------------------------------#
# Harry: version 4.0a                                            #
# Known bugs:                                                    #
# 1) Verbal output may occur before data processing is complete. #
# 2) Loudspeaker option may activate without being invoked.      #
# 3) Other bugs as reported                                      #
#----------------------------------------------------------------#
-------------------------------------------------
This mail sent through IpSolutions: http://www.ip-solutions.net/
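Added example, not part of the original message or thread: a way to test the reported symptom on a saved capture (`tcpdump -w`) by tallying Ethernet frames by destination class, so that a promiscuous sensor on a hub that records only its own and broadcast traffic stands out. The MAC addresses, sample frames and function names are constructed for illustration.

```python
import struct
from collections import Counter

OWN = bytes.fromhex("02000000000a")     # constructed MAC of the sniffing NIC
HOST_B = bytes.fromhex("02000000000b")  # constructed neighbour
HOST_C = bytes.fromhex("02000000000c")  # constructed neighbour

def build_pcap(frames):
    """Build a little-endian classic pcap (Ethernet) in memory; sample data only."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield raw frames from a classic libpcap file as written by tcpdump -w."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # 1 = DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def classify(frame, own_mac):
    dst, src = frame[0:6], frame[6:12]
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 1:                 # group bit set: multicast
        return "multicast"
    return "own" if own_mac in (dst, src) else "foreign"

def tally(pcap, own_mac):
    return Counter(classify(f, own_mac) for f in read_pcap(pcap) if len(f) >= 14)

def sees_foreign_traffic(counts):
    """On a hub, a working promiscuous capture must contain foreign unicast frames."""
    return counts["foreign"] > 0

FRAMES = [b"\xff" * 6 + HOST_B + b"\x08\x06" + bytes(28),  # ARP broadcast
          OWN + HOST_B + b"\x08\x00" + bytes(46),          # unicast to the sensor
          HOST_C + HOST_B + b"\x08\x00" + bytes(46)]       # unicast between others
SAMPLE = build_pcap(FRAMES)
```

A tally with broadcast and own frames but zero foreign frames matches the behaviour described in the quoted message; the check is only meaningful on a shared segment such as the hubs mentioned there.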