[tcpdump-workers] Problem about host addresses to names
Hi everyone,

I have a question about using tcpdump. The case is like this: I configured my NIC to a VLAN subnet as:

#ifconfig
eth0.100  Link encap:Ethernet  HWaddr 00:04:9f:04:b0:04
          inet addr:192.168.255.1  Bcast:192.168.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

And I test it with ping:

ping -q -c 50 -I eth0.100 192.168.255.2&
tcpdump -c 10 -ex -i eth0 ether broadcast

The problem is that tcpdump can't capture the packet with the VLAN tag. But when I add the option -n:

tcpdump -n -c 10 -ex -i eth0 ether broadcast

tcpdump can capture the packet with the VLAN tag:

00:59:40.485131 00:04:9f:04:b0:04 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 100, p 0, ethertype ARP, Request who-has 192.168.255.2
        0x0000:  0064 0806 0001 0800 0604 0001 0004 9f04
        0x0010:  b004 c0a8 ff01 0000 0000 0000 c0a8 ff02

I don't know how this can happen. Does anyone know the reason?

Here is the version:

root # tcpdump -h
tcpdump version 4.7.4
libpcap version 1.6.2
OpenSSL 1.0.2h  3 May 2016

By the way, in the manual of tcpdump, it says:

-n  Don't convert host addresses to names. This can be used to avoid DNS lookups.

How should I understand it?

Zheng Ruoqin

___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] Problem about host addresses to names
On Jun 26, 2017, at 12:45 AM, Zheng, Ruoqin wrote:

> The case is like this: I configured my NIC to a VLAN subnet as:
>
> #ifconfig
> eth0.100  Link encap:Ethernet  HWaddr 00:04:9f:04:b0:04
>           inet addr:192.168.255.1  Bcast:192.168.255.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
> And I test it with ping:
>
> ping -q -c 50 -I eth0.100 192.168.255.2&
> tcpdump -c 10 -ex -i eth0 ether broadcast
>
> The problem is that tcpdump can't capture the packet with the VLAN tag.

What does

	tcpdump -d -i eth0 ether broadcast

print?

> But when I add the option -n:
>
> tcpdump -n -c 10 -ex -i eth0 ether broadcast
>
> tcpdump can capture the packet with the VLAN tag:
>
> 00:59:40.485131 00:04:9f:04:b0:04 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 100, p 0, ethertype ARP, Request who-has 192.168.255.2
>         0x0000:  0064 0806 0001 0800 0604 0001 0004 9f04
>         0x0010:  b004 c0a8 ff01 0000 0000 0000 c0a8 ff02
>
> I don't know how this can happen. Does anyone know the reason?

What does

	tcpdump -n -d -i eth0 ether broadcast

print?

> By the way, in the manual of tcpdump, it says:
>
> -n  Don't convert host addresses to names. This can be used to avoid DNS lookups.
>
> How should I understand it?

It means that, when printing packet data, tcpdump won't convert host IPv4, IPv6, MAC, and some other addresses to names, so, for example, it'd print "192.168.17.2" rather than "example.com" as a source or destination IPv4 address.

That shouldn't affect the generated filter code, which is what tcpdump prints when you run it with "-d". That filter code should control what packets tcpdump sees or doesn't see.
Re: [tcpdump-workers] Problem about host addresses to names
On Jun 26, 2017, at 5:57 PM, Zheng, Ruoqin wrote:

> Hi Guy,
>
> Thank you for your answer. Here is the output with -d:
>
> root # ping -q -c 50 -I eth0.100 192.168.255.2&
> [2] 1208
> root # tcpdump -d -i eth0 ether broadcast
> PING 192.168.255.2 (192.168.255.2) from 192.168.255.1 eth0.100
>
> (000) ld       [2]
> (001) jeq      #0xffffffff      jt 2    jf 5
> (002) ldh      [0]
> (003) jeq      #0xffff          jt 4    jf 5
> (004) ret      #262144
> (005) ret      #0
>
> root # tcpdump -n -d -i eth0 ether broadcast
> (000) ld       [2]
> (001) jeq      #0xffffffff      jt 2    jf 5
> (002) ldh      [0]
> (003) jeq      #0xffff          jt 4    jf 5
> (004) ret      #262144
> (005) ret      #0
> root #
>
> You can see they are the same.

As I expected.

So what happens if you run tcpdump, without -n, do the ping, and wait a long time to see whether tcpdump eventually prints something? It might be taking a long time to try to resolve a host name, for some reason or another, so that it can't print anything until that attempt either succeeds or times out.
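The two replies above make two claims worth seeing in code: the `ether broadcast` filter printed by `tcpdump -d` only inspects the destination MAC, so neither the 802.1Q tag nor `-n` can change what is captured; and `-n` only changes how addresses are printed, where a reverse DNS lookup is the one step that can block. The following is an added example, not code from the thread or from tcpdump. It rebuilds the posted frame from the `-e` header line plus the `-x` hex dump (the dump omits the 14-byte Ethernet header, and the zero runs the archive dropped are restored here as an assumption), applies the same checks as the BPF program, and decodes the VLAN tag and ARP request. The `resolve` flag stands in for running without `-n`; it is off by default and the example never calls the resolver when it is off.

```python
import socket
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Link-layer header as shown by -e (not included in a -x dump):
# dst ff:ff:ff:ff:ff:ff, src 00:04:9f:04:b0:04, ethertype 802.1Q.
ETH_HEADER = bytes.fromhex("ffffffffffff" "00049f04b004" "8100")

# The -x dump quoted in the thread. Assumption: the "0x0000:" offset and the
# all-zero target MAC (0000 0000 0000) were dropped by the archive and are restored.
POSTED_DUMP = """\
0x0000:  0064 0806 0001 0800 0604 0001 0004 9f04
0x0010:  b004 c0a8 ff01 0000 0000 0000 c0a8 ff02
"""


def parse_hexdump(text):
    """Turn `tcpdump -x` lines ("0x0010:  b004 c0a8 ...") back into bytes."""
    out = bytearray()
    for line in text.splitlines():
        _offset, sep, words = line.partition(":")
        if sep:
            out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)


def ether_broadcast(frame):
    """Same test as the BPF program tcpdump -d prints for `ether broadcast`:
       (000) ld  [2]  / (001) jeq #0xffffffff   -> dst MAC bytes 2..5
       (002) ldh [0]  / (003) jeq #0xffff       -> dst MAC bytes 0..1
    Nothing past offset 6 is read, so a VLAN tag cannot affect the match."""
    (low4,) = struct.unpack_from("!I", frame, 2)
    (high2,) = struct.unpack_from("!H", frame, 0)
    return low4 == 0xFFFFFFFF and high2 == 0xFFFF


def format_ipv4(addr, resolve=False):
    """resolve=False is what -n does: print the number and never touch DNS.
    resolve=True calls the resolver, which has no timeout knob here and can
    stall output until the lookup succeeds or the resolver gives up."""
    ip = socket.inet_ntoa(addr)
    if not resolve:
        return ip
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return ip


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def decode_tagged_arp(payload):
    """Decode an 802.1Q TCI followed by an Ethernet/IPv4 ARP packet."""
    tci, ethertype = struct.unpack_from("!HH", payload, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"inner ethertype 0x{ethertype:04x} is not ARP")
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", payload, 4)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    body = payload[12:12 + 2 * (hlen + plen)]
    if len(body) != 2 * (hlen + plen):
        raise ValueError("truncated ARP packet")
    return {
        "vid": tci & 0x0FFF, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
        "oper": oper,
        "sha": mac_str(body[0:6]), "spa": body[6:10],
        "tha": mac_str(body[10:16]), "tpa": body[16:20],
    }


def summarize(arp, resolve=False):
    """One-line summary in the style of tcpdump's own output."""
    spa = format_ipv4(arp["spa"], resolve)
    tpa = format_ipv4(arp["tpa"], resolve)
    if arp["oper"] == ARP_REQUEST:
        detail = f"Request who-has {tpa} tell {spa}"
    elif arp["oper"] == ARP_REPLY:
        detail = f"Reply {spa} is-at {arp['sha']}"
    else:
        detail = f"opcode {arp['oper']}"
    return f"vlan {arp['vid']}, p {arp['pcp']}, ethertype ARP, {detail}"


if __name__ == "__main__":
    payload = parse_hexdump(POSTED_DUMP)
    frame = ETH_HEADER + payload
    print("matches `ether broadcast`:", ether_broadcast(frame))
    print(summarize(decode_tagged_arp(payload)))
```

Running it shows the frame matches the filter regardless of the tag, and prints the numeric form of the summary; passing `resolve=True` to `summarize` is the equivalent of dropping `-n`, and is where a slow or unreachable resolver would hold up the line, which is exactly the behaviour Guy suggests waiting for.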
Re: [tcpdump-workers] C-Bus encapsulation type
> On 7 Jun 2017, at 17:32, Guy Harris wrote:
>
> On Jun 6, 2017, at 8:51 PM, Daniel O'Connor wrote:
>
>> I work for Clipsal (part of Schneider Electric) and have been developing a
>> capture program and dissector for the C-Bus protocol -
>> https://en.wikipedia.org/wiki/C-Bus_(protocol)
>>
>> Can we get a link layer header type assigned for this?
>
> Yes, if we can get a specification for what the packets look like. :-)

There's the rub: the format is internal :(

> Where is the format of the packets that would appear with this link-layer
> header type documented?

It is mostly documented at
http://training.clipsal.com/downloads/OpenCBus/Serial%20Interface%20User%20Guide.pdf

Although the format is slightly different (hence the internal stuff).

If that's not acceptable then I can keep using user DLTs easily enough - I wasn't sure what the rules were.

--
Daniel O'Connor
Senior Firmware Developer
Smart Devices Asia Pacific
Building & IT Business
33-37 Port Wakefield Road
Gepps Cross, SA, Australia
M 0403070726
E Daniel.O'con...@schneider-electric.com