[tcpdump-workers] Problem about host addresses to names

2017-06-26 Thread Zheng, Ruoqin
Hi everyone
   I have a question about using tcpdump.

   The case is like this: I configured my NIC with a VLAN subnet as:
   #ifconfig
   eth0.100  Link encap:Ethernet  HWaddr 00:04:9f:04:b0:04
  inet addr:192.168.255.1  Bcast:192.168.255.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

   And I test it with ping: ping -q -c 50 -I eth0.100 192.168.255.2&
tcpdump -c 10 -ex -i eth0 ether broadcast

   The problem is that tcpdump can’t capture the packet with the VLAN tag.
   But when I add the option -n:
tcpdump -n -c 10 -ex -i eth0 ether broadcast
   tcpdump can capture the packet with the VLAN tag:
 00:59:40.485131 00:04:9f:04:b0:04 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q 
(0x8100), length 46: vlan 100, p 0, ethertype ARP, Request who-has 192.168.255.2
0x:  0064 0806 0001 0800 0604 0001 0004 9f04
0x0010:  b004 c0a8 ff01    c0a8 ff02

   I don’t know how this can happen; does anyone know the reason?
   Here is the version:
root # tcpdump -h
tcpdump version 4.7.4
libpcap version 1.6.2
OpenSSL 1.0.2h  3 May 2016

By the way, in the manual of tcpdump, it says
   -n Don't convert host addresses to names.  This can be used to avoid DNS 
lookups.
   How should I understand it?

Zheng Ruoqin



___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] Problem about host addresses to names

2017-06-26 Thread Guy Harris
On Jun 26, 2017, at 12:45 AM, Zheng, Ruoqin  wrote:

>   The case is like this: I configured my NIC with a VLAN subnet as:
>   #ifconfig
>   eth0.100  Link encap:Ethernet  HWaddr 00:04:9f:04:b0:04
>  inet addr:192.168.255.1  Bcast:192.168.255.255  Mask:255.255.255.0
>  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> 
>   And I test it with ping: ping -q -c 50 -I eth0.100 192.168.255.2&
> tcpdump -c 10 -ex -i eth0 ether broadcast
> 
>   The problem is that tcpdump can’t capture the packet with the VLAN tag.

What does

tcpdump -d -i eth0 ether broadcast

print?

>   But when I add the option -n:
> tcpdump -n -c 10 -ex -i eth0 ether broadcast
>   tcpdump can capture the packet with the VLAN tag:
> 00:59:40.485131 00:04:9f:04:b0:04 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q 
> (0x8100), length 46: vlan 100, p 0, ethertype ARP, Request who-has 
> 192.168.255.2
>0x:  0064 0806 0001 0800 0604 0001 0004 9f04
>0x0010:  b004 c0a8 ff01    c0a8 ff02
> 
>   I don’t know how this can happen; does anyone know the reason?

What does

tcpdump -n -d -i eth0 ether broadcast

print?

> By the way, in the manual of tcpdump, it says
>   -n Don't convert host addresses to names.  This can be used to avoid 
> DNS lookups.
>   How should I understand it?

It means that, when printing packet data, tcpdump won't convert host IPv4, 
IPv6, MAC, and some other addresses to names, so, for example, it'd print 
"192.168.17.2" rather than "example.com" as a source or destination IPv4 
address.

That shouldn't affect the generated filter code, which is what tcpdump prints 
when you run it with "-d".  That filter code should control what packets 
tcpdump sees or doesn't see.
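To make the point concrete, here is an added example (not code from the thread or from tcpdump): a tiny interpreter for the `ether broadcast` program that `tcpdump -d` prints, run over a frame reconstructed from the hex dump in the first message. It assumes the comparison constants stripped from the archive are 0xffffffff and 0xffff, which is what libpcap emits for `ether broadcast` on Ethernet. The program only reads destination-MAC bytes, so nothing about name resolution (and hence `-n`) can change which packets it accepts.

```python
import struct

# Constructed 802.1Q-tagged ARP request matching the thread's dump (46 bytes):
# dst ff:ff:ff:ff:ff:ff, src 00:04:9f:04:b0:04, TPID 0x8100, TCI 0x0064 (VLAN 100,
# priority 0), ethertype 0x0806 (ARP), then "who-has 192.168.255.2 tell 192.168.255.1".
FRAME = bytes.fromhex(
    "ffffffffffff" "00049f04b004" "8100" "0064" "0806"
    "0001" "0800" "06" "04" "0001" "00049f04b004" "c0a8ff01"
    "000000000000" "c0a8ff02"
)

# The filter from `tcpdump -d -i eth0 ether broadcast`, as (op, arg, jt, jf).
# Constants are an assumption: the archive dropped them, libpcap emits these values.
ETHER_BROADCAST = [
    ("ld", 2, None, None),        # (000) ld   [2]            A = dst MAC bytes 2..5
    ("jeq", 0xFFFFFFFF, 2, 5),    # (001) jeq  #0xffffffff    jt 2  jf 5
    ("ldh", 0, None, None),       # (002) ldh  [0]            A = dst MAC bytes 0..1
    ("jeq", 0xFFFF, 4, 5),        # (003) jeq  #0xffff        jt 4  jf 5
    ("ret", 262144, None, None),  # (004) ret  #262144        accept (snaplen bytes)
    ("ret", 0, None, None),       # (005) ret  #0             reject
]

def run_bpf(prog, pkt):
    """Interpret the cBPF subset used above; return the accepted byte count."""
    a, pc = 0, 0
    while True:
        op, arg, jt, jf = prog[pc]
        if op == "ld":            # 32-bit big-endian load from the packet
            a = struct.unpack_from("!I", pkt, arg)[0]
        elif op == "ldh":         # 16-bit big-endian load
            a = struct.unpack_from("!H", pkt, arg)[0]
        elif op == "jeq":         # conditional jump on accumulator == constant
            pc = jt if a == arg else jf
            continue
        elif op == "ret":
            return arg
        pc += 1

def decode_vlan_arp(pkt):
    """Return (vlan id, priority, inner ethertype, ARP target IP) for a tagged frame."""
    tpid, tci, etype = struct.unpack_from("!HHH", pkt, 12)
    if tpid != 0x8100:
        raise ValueError("not an 802.1Q-tagged frame")
    arp = 14 + 4                  # ARP body starts after MACs + 4-byte VLAN tag
    target_ip = ".".join(str(b) for b in pkt[arp + 24 : arp + 28])
    return tci & 0x0FFF, tci >> 13, etype, target_ip
```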


Re: [tcpdump-workers] Problem about host addresses to names

2017-06-26 Thread Guy Harris
On Jun 26, 2017, at 5:57 PM, Zheng, Ruoqin  wrote:

> Hi Guy
>Thank you for your answer, and here is the output with -d:
> 
>root # ping -q -c 50 -I eth0.100 192.168.255.2&
>   [2] 1208
>   root # tcpdump -d -i eth0 ether broadcastPING 192.168.255.2 
> (192.168.255.2) from 192.168.255.1 eth0.1
> 
>   (000) ld   [2]
>   (001) jeq  #0x  jt 2jf 5
>   (002) ldh  [0]
>   (003) jeq  #0x  jt 4jf 5
>   (004) ret  #262144
>   (005) ret  #0
> 
>   root # tcpdump -n -d -i eth0 ether broadcast
>   (000) ld   [2]
>   (001) jeq  #0x  jt 2jf 5
>   (002) ldh  [0]
>   (003) jeq  #0x  jt 4jf 5
>   (004) ret  #262144
>   (005) ret  #0
>   root #
> 
>You can see they are same.

As I expected.

So what happens if you run tcpdump, without -n, do the ping, and wait a long 
time to see whether tcpdump eventually prints something?  It might be taking a 
long time to try to resolve a host name, for some reason or another, so that it 
can't print anything until that attempt either succeeds or times out.


Re: [tcpdump-workers] C-Bus encapsulation type

2017-06-26 Thread Daniel O'Connor

> On 7 Jun 2017, at 17:32, Guy Harris  wrote:
> 
> On Jun 6, 2017, at 8:51 PM, Daniel O'Connor 
>  wrote:
>> I work for Clipsal (part of Schneider Electric) and have been developing a 
>> capture program and dissector for the C-Bus protocol - 
>> https://en.wikipedia.org/wiki/C-Bus_(protocol)
>> 
>> Can we get a link layer header type assigned for this?
> 
> Yes, if we can get a specification for what the packets look like. :-)

There's the rub: the format is internal :(

> Where is the format of the packets that would appear with this link-layer 
> header type documented?

It is mostly documented at 
http://training.clipsal.com/downloads/OpenCBus/Serial%20Interface%20User%20Guide.pdf

Although the format is slightly different (hence the internal stuff).

If that's not acceptable then I can keep using user DLTs easily enough - I 
wasn't sure what the rules were.

--
Daniel O'Connor, Senior Firmware Developer
Smart Devices Asia Pacific        M  0403070726
Building & IT Business            E  Daniel.O'con...@schneider-electric.com
33-37 Port Wakefield Road, Gepps Cross, SA, Australia
