Hi

On Wed, May 16, 2007 at 05:07:55PM +0200, Bastian Venthur wrote:
> On 16.05.2007 15:47, Ola Lundqvist wrote:
> 
> > There are a couple of things to do:
> > * Do not run in graphic mode. Instead run in text mode, because the kernel
> >   may print information there.
> > * In order to sniff the traffic you need the following:
> >  - An extra Linux PC with tcpdump installed (or the firewall if you can
> >    install tcpdump there).
> >  - Access to the traffic. This means that you should use a hub (not a
> >    switch) or a switch where you can redirect all traffic to a certain
> >    port. If you have the possibility to install tcpdump on the remote
> >    side of the laptop then that will of course have access to the
> >    traffic as well.
> >  - On the server run
> >    tcpdump -n -i ethX
> >    I think that is enough. You will see all traffic sent back and forth.
> >    See man tcpdump for more information about options, disc logging etc.
> 
> Since I'll capture the traffic on my router which is connected to the
> internet via DSL, should I sniff the traffic on ppp0 or the eth0 (the
> nic connected to the DSL modem)? Both will give you different output.
> 

The best thing would be to sniff both as we do not know if the problem
is on ethernet level or on ppp level. I think you can sniff both
at the same time. I think you need some more options to tcpdump however:

tcpdump -envv -i eth0

You also need to reproduce this a couple of times to see if we can
see a pattern in the packages that have gone back and forth. Yes I know
that this is a tedious task!

> Sniffing on ppp0 will give you lines like
> 
> 17:03:39.348240 IP 85.178.96.22 > 130.149.145.10: GREv1, call 50048, seq
> 497690, ack 957204, length 73: compressed PPP data
> 17:03:39.349089 IP 130.149.145.10 > 192.168.1.32: gre
> 17:03:39.349097 IP 130.149.145.10 > 192.168.1.32: gre
> 17:03:39.351072 IP 130.149.145.10 > 85.178.96.22: GREv1, call 0, seq
> 957206, ack 497626, length 744: compressed PPP data
> 17:03:39.353123 IP 130.149.145.10 > 192.168.1.32: gre
> 17:03:39.353131 IP 130.149.145.10 > 192.168.1.32: gre
> 17:03:39.354238 IP 85.178.96.22 > 130.149.145.10: GREv1, call 50048, seq
> 497691, ack 957206, length 73: compressed PPP data
> 17:03:39.355073 IP 130.149.145.10 > 85.178.96.22: GREv1, call 0, seq
> 957207, length 744: compressed PPP data
> 17:03:39.357123 IP 130.149.145.10 > 192.168.1.32: gre
> 17:03:39.357132 IP 130.149.145.10 > 192.168.1.32: gre
> 17:03:39.357137 IP 130.149.145.10 > 192.168.1.32: gre
> 17:03:39.357142 IP 130.149.145.10 > 192.168.1.32: gre
> 
> 
> while sniffing on ppp0 will give you
> 
> 
> 17:06:17.664578 PPPoE  [ses 0x648] IP 85.178.96.22 > 130.149.145.10:
> GREv1, call 50048, seq 521743, ack 1003988, length 73: compressed PPP data
> 17:06:17.665804 PPPoE  [ses 0x648] IP truncated-ip - 512 bytes missing!
> 130.149.145.10 > 85.178.96.22: GREv1, call 0, seq 1003989, length 744:
> compressed PPP data
> 17:06:17.667792 00:00:00:16:41:ad > 00:c0:4f:a9:ba:a5, ethertype Unknown
> (0x22f4), length 778:
>         0x0000:  00a0 cc75 0255 0800 4500 02f4 927f 205d  ...u.U..E......]
>         0x0010:  362f f996 8295 910a c0a8 0120 7d68 3aca  6/..........}h:.
>         0x0020:  d8c4 03f7 5f9d 5e4c 3b2d 606e 1d24 0cb1  ...._.^L;-`n.$..
>         0x0030:  92f8 7bab 8bef e611 53f2 632d 2e52 de6a  ..{.....S.c-.R.j
>         0x0040:  b5a8 9fae 8e5c 94d7 64ba 15bf 947e 85cb  .....\..d....~..
>         0x0050:  61d3                                     a.
> 17:06:17.667799 00:00:00:16:41:ad > 00:c0:4f:a9:ba:a5, ethertype Unknown
> (0x22f4), length 75:
>         0x0000:  00a0 cc75 0255 0800 4500 0035 927f 00b9  ...u.U..E..5....
>         0x0010:  362f 1bfa 8295 910a c0a8 0120 1e09 b727  6/.............'
>         0x0020:  54eb 0d89 73f0 3767 1462 2dd5 1c1c 68ac  T...s.7g.b-...h.
>         0x0030:  41e5 76a3 1e7a 0218 3046 1ba9 5d         A.v..z..0F..]
> 17:06:17.671972 PPPoE  [ses 0x648] IP truncated-ip - 512 bytes missing!
> 130.149.145.10 > 85.178.96.22: GREv1, call 0, seq 1003990, ack 521683,
> length 744: compressed PPP data
> 17:06:17.672049 00:00:00:16:41:ad > 00:c0:4f:a9:ba:a5, ethertype Unknown
> (0x22f4), length 778:
>         0x0000:  00a0 cc75 0255 0800 4500 02f4 9280 205d  ...u.U..E......]
>         0x0010:  362f f995 8295 910a c0a8 0120 ed9e 33a3  6/............3.
>         0x0020:  9114 d298 bd67 4ef6 cd8b 4ea1 4e89 187c  .....gN...N.N..|
>         0x0030:  c002 75b6 386e 09e6 22f1 b95a fbf5 7c14  ..u.8n.."..Z..|.
>         0x0040:  fb22 5c88 5a7c e425 a33c fd45 6744 0196  ."\.Z|.%.<.EgD..
>         0x0050:  caf3                                     ..
> 17:06:17.672056 00:00:00:16:41:ad > 00:c0:4f:a9:ba:a5, ethertype Unknown
> (0x22f4), length 79:
>         0x0000:  00a0 cc75 0255 0800 4500 0039 9280 00b9  ...u.U..E..9....
>         0x0010:  362f 1bf5 8295 910a c0a8 0120 2669 32c4  6/..........&i2.
>         0x0020:  dd09 1cc0 6d4f 0797 0eac 64da 723f 4f08  ....mO....d.r?O.
>         0x0030:  c9f5 6995 7fd9 2420 607c 3508 fa6a e044  ..i...$.`|5..j.D
>         0x0040:  bf
> 

Regards,

// Ola
> 
> Cheers,
> 
> Bastian
> 
> 
> -- 
> Bastian Venthur                                      http://venthur.de
> Debian Developer                                 venthur at debian org
> 
> 

-- 
 --- Ola Lundqvist systemkonsult --- M Sc in IT Engineering ----
/  [EMAIL PROTECTED]                   Annebergsslingan 37        \
|  [EMAIL PROTECTED]                   654 65 KARLSTAD            |
|  http://opalsys.net/               Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
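
Added example, not part of the original mails: a small Python parser for tcpdump text output like the capture quoted above. It rejoins the mail-wrapped lines, extracts call/seq/ack from the GREv1 records per flow, and marks the records tcpdump reported as truncated-ip, so that repeated captures can be compared for a pattern. The function names are assumptions of this example; the sample lines are copied from the second quoted capture.

```python
import re
# Lines copied from the second capture quoted in the thread, mail-wrapped as posted.
SAMPLE = """\
17:06:17.664578 PPPoE  [ses 0x648] IP 85.178.96.22 > 130.149.145.10:
GREv1, call 50048, seq 521743, ack 1003988, length 73: compressed PPP data
17:06:17.665804 PPPoE  [ses 0x648] IP truncated-ip - 512 bytes missing!
130.149.145.10 > 85.178.96.22: GREv1, call 0, seq 1003989, length 744:
compressed PPP data
17:06:17.667792 00:00:00:16:41:ad > 00:c0:4f:a9:ba:a5, ethertype Unknown
(0x22f4), length 778:
        0x0000:  00a0 cc75 0255 0800 4500 02f4 927f 205d  ...u.U..E......]
17:06:17.671972 PPPoE  [ses 0x648] IP truncated-ip - 512 bytes missing!
130.149.145.10 > 85.178.96.22: GREv1, call 0, seq 1003990, ack 521683,
length 744: compressed PPP data
"""
TS = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{6} ")
GRE = re.compile(r"(\S+) > (\S+): GREv1, call (\d+), seq (\d+)(?:, ack (\d+))?")

def records(text):
    # A record starts at a timestamp; wrapped lines are rejoined, hex-dump rows dropped.
    out = []
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()  # tolerate mail quoting and indentation
        if TS.match(line):
            out.append(line)
        elif out and line and not line.startswith("0x"):
            out[-1] += " " + line
    return out

def gre_packets(text):
    # One dict per GREv1 record; flow is (src, dst, call), ack is None when absent.
    pkts = []
    for rec in records(text):
        m = GRE.search(rec)
        if m:
            src, dst, call, seq, ack = m.groups()
            pkts.append({"ts": rec.split()[0], "flow": (src, dst, int(call)), "seq": int(seq),
                         "ack": int(ack) if ack else None, "truncated": "truncated-ip" in rec})
    return pkts

def seq_gaps(pkts):
    # Per flow: report (flow, previous_seq, seq) wherever seq is not previous + 1.
    last, gaps = {}, []
    for p in pkts:
        prev = last.get(p["flow"])
        if prev is not None and p["seq"] != prev + 1:
            gaps.append((p["flow"], prev, p["seq"]))
        last[p["flow"]] = p["seq"]
    return gaps
```

Run over the text saved from several reproductions, `seq_gaps(gre_packets(text))` and the `truncated` flags give a quick per-direction comparison between captures.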

