Re: [tcpdump-workers] Loosing half the conversion when any BFP is

2007-12-21 Thread Bill Richardson
hanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Harris Sent: Thursday, December 20, 2007 2:02 PM To: tcpdump-workers@lists.tcpdump.org Subject: Re: [tcpdump-workers] Loosing half the conversion when any BFP is Bill Richardson wrote: > From BigIP > &

Re: [tcpdump-workers] Loosing half the conversion when any BFP is

2007-12-20 Thread Guy Harris
Bill Richardson wrote: From BigIP tcpdump -r test.pcap -nn host 172.21.89.75 -d ... As I suspected, they appear to interpret "host XXX" as "host XXX or (vlan and host XXX)". That has the advantage that it works with both untagged and VLAN-tagged packets. It has the disadvantag

Re: [tcpdump-workers] Loosing half the conversion when any BFP is

2007-12-20 Thread Bill Richardson
] Loosing half the conversion when any BFP is Bill Richardson wrote: > With that I mind I wonder what F5 did to libpcap to get tcpdump to > work? They must have made some changes? What happens if you do tcpdump -r test.pcap -nn host 172.21.89.75 -d on the BigIP? - This is the t

Re: [tcpdump-workers] Loosing half the conversion when any BFP is

2007-12-20 Thread Guy Harris
Bill Richardson wrote: With that I mind I wonder what F5 did to libpcap to get tcpdump to work? They must have made some changes? What happens if you do tcpdump -r test.pcap -nn host 172.21.89.75 -d on the BigIP? - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to

Re: [tcpdump-workers] Loosing half the conversion when any BFP is used

2007-12-20 Thread Bill Richardson
org Subject: Re: [tcpdump-workers] Loosing half the conversion when any BFP is used On Dec 19, 2007, at 11:09 AM, Bill Richardson wrote: > Looking at the one system that works I see it is related to Vlan > tagging: Is the "test.pcap" file the same file in all three examples? If

Re: [tcpdump-workers] Loosing half the conversion when any BFP is used

2007-12-19 Thread Guy Harris
On Dec 19, 2007, at 11:09 AM, Bill Richardson wrote: Looking at the one system that works I see it is related to Vlan tagging: Is the "test.pcap" file the same file in all three examples? If so, does the "From ..." at the end of the command indicate the machine on which you're running tcpd

Re: [tcpdump-workers] Loosing half the conversion when any BFP is used

2007-12-19 Thread Bill Richardson
t tcpdump to show me the full capture while using BPFs like in the very first example? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Richardson Sent: Wednesday, December 19, 2007 11:07 AM To: tcpdump-workers@lists.tcpdump.org Subject: [tcpdump-workers]

[tcpdump-workers] Loosing half the conversion when any BFP is used

2007-12-19 Thread Bill Richardson
This may not be the right list to ask but thought I would give this a try. I have looked and looked and have not seen anyone with this problem. In the past I have been able to take large inclusive tcpdump files and read them back in with the -r option using tcpdump and BFP them to a host or port