Why does tcpdump show few packet?

 
 
Zheng Da

 
      09-27-2006, 02:43 AM
Hello.
I try to use tcpdump, and don't filter any packets.
debian:/home/zhengda# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:46:36.611022 IP 222.205.2.248.netbios-dgm >
222.205.2.255.netbios-dgm: NBT UDP PACKET(138)

1 packets captured
250 packets received by filter
0 packets dropped by kernel

There are 250 packets received by filter, so why is only 1 packet
captured? There is no filter rule at all.
Why?

 
 
 
 
 
Alan Connor

 
      09-27-2006, 04:29 AM
On comp.os.linux.networking, in
<(E-Mail Removed). com>, "Zheng
Da" wrote:

> Hello. I try to use tcpdump, and don't filter any packets.
> debian:/home/zhengda# tcpdump -i eth0 tcpdump: verbose
> output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size
> 96 bytes 23:46:36.611022 IP 222.205.2.248.netbios-dgm >
> 222.205.2.255.netbios-dgm: NBT UDP PACKET(138)
>
> 1 packets captured 250 packets received by filter 0 packets
> dropped by kernel
>
> There are 250 packets received by filter, so why is only 1 packet
> captured? There is no filter rule at all. Why?


That's easy. Learn to use a real newsreader and I'll tell
you.

news.software.readers

But you probably _do_ know how to use a real newsreader but
want extra anonymity for some reason.

Spammer? Cracker? Troll? Cyberstalker?

postnews.google.com should be shut down. The only people that use
it are trolls and people who just take from the Usenet and never
give back, using different aliases every time they post so that
no one notices. Which makes them trolls, actually.



Alan

--
http://home.earthlink.net/~alanconnor/contact.html
http://home.earthlink.net/~alanconnor/cr.html
http://home.earthlink.net/~alanconnor/publickey.html
 
 
Zheng Da

 
      09-27-2006, 05:44 AM

Alan Connor wrote:

> On comp.os.linux.networking, in
> <(E-Mail Removed). com>, "Zheng
> Da" wrote:
>
> > Hello. I try to use tcpdump, and don't filter any packets.
> > debian:/home/zhengda# tcpdump -i eth0 tcpdump: verbose
> > output suppressed, use -v or -vv for full protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size
> > 96 bytes 23:46:36.611022 IP 222.205.2.248.netbios-dgm >
> > 222.205.2.255.netbios-dgm: NBT UDP PACKET(138)
> >
> > 1 packets captured 250 packets received by filter 0 packets
> > dropped by kernel
> >
> > There are 250 packets received by filter, so why is only 1 packet
> > captured? There is no filter rule at all. Why?

>
> That's easy. Learn to use a real newsreader and I'll tell
> you.
>
> news.software.readers
>
> But you probably _do_ know how to use a real newsreader but
> want extra anonymity for some reason.
>
> Spammer? Cracker? Troll? Cyberstalker?
>

I use postnews.google.com because I couldn't connect to the Internet
directly when I was at school. I had to search for proxies, but
most proxies only supported HTTP.
So I started to use postnews.google.com, and now I am used to it.
If it offends you, I beg your forgiveness, and I promise I won't use it
any more.

> postnews.google.com should be shut down. The only people that use
> it are trolls and people who just take from the Usenet and never
> give back, using different aliases every time they post so that

I always use the same name "Zheng Da" to post messages.

> no one notices. Which makes them trolls, actually.
>
>
>
> Alan
>
> --
> http://home.earthlink.net/~alanconnor/contact.html
> http://home.earthlink.net/~alanconnor/cr.html
> http://home.earthlink.net/~alanconnor/publickey.html


 
 
Alan Connor

 
      09-27-2006, 06:40 AM
On comp.os.linux.networking, in <(E-Mail Removed) om>, "Zheng Da" wrote:

<snip>

> I use postnews.google.com because I couldn't connect to the
> Internet directly when I was at school. I had to search
> for proxies, but most proxies only supported HTTP.


That would be a problem.

> started to use postnews.google.com, and now I am used to it. If
> it offends you, I beg your forgiveness, and I promise I won't
> use it any more.


You sound like an American who has watched too many
late-night movies trying to pretend he's from China.

Forgetting that TV isn't reality, as they so often do.

>> postnews.google.com should be shut down. The only people that
>> use it are trolls and people who just take from the Usenet and
>> never give back, using different aliases every time they post
>> so that

>
> I always use the same name "Zheng Da" to post messages


Perhaps. Perhaps not. Google makes it so easy to morph.

Perhaps your name is "Mike" or "Patrick" and you post under
dozens of aliases through many different servers, http and nntp.

> NNTP-Posting-Host: 220.188.82.12


$ whois 220.188.82.12
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 220.188.64.0 - 220.188.95.255
netname: CHINANET-ZJ-JH
country: CN
descr: CHINANET-ZJ Jinhua node network
descr: Zhejiang Telecom
admin-c: CZ4-AP
tech-c: CJ54-AP
status: ALLOCATED NON-PORTABLE
changed: auto-(E-Mail Removed) 20050429
mnt-by: MAINT-CHINANET-ZJ
mnt-lower: MAINT-CN-CHINANET-ZJ-JH
source: APNIC

role: CHINANET ZHEJIANG
address: No.378 Yan'an Road,Hangzhou,Zhejiang.310006
country: CN
phone: +86-571-87080702
fax-no: +86-571-87027816
e-mail: (E-Mail Removed)
trouble: send spam reports to (E-Mail Removed)
trouble: and abuse reports to (E-Mail Removed)
trouble: Please include detailed information and times in UTC
admin-c: CZ61-AP
tech-c: CZ61-AP
nic-hdl: CZ4-AP
remarks: http://www.zjtelecom.com.cn
mnt-by: MAINT-CHINANET-ZJ
changed: (E-Mail Removed) 20050914
source: APNIC

role: CHINANET-ZJ Jinhua
address: No.155 Xishi street,Jinhua,Zhejiang.321000
country: CN
phone: +86-579-2300779
fax-no: +86-579-2330035
e-mail: (E-Mail Removed)
trouble: send spam reports to (E-Mail Removed)
trouble: and abuse reports to (E-Mail Removed)
trouble: Please include detailed information and times in UTC
admin-c: CH55-AP
tech-c: CH55-AP
nic-hdl: CJ54-AP
mnt-by: MAINT-CHINANET-ZJ
changed: (E-Mail Removed) 20031204
source: APNIC

/quote

Sure looks like that domain puts out a lot of spam, judging by
that email address: (E-Mail Removed). Repeated 6 times.

Wouldn't be a spammer, would you "Zheng"?

http://groups.google.com/advanced_group_search
Zheng Da
Results 1 - 25 of 25 posts in the last year
1 alt.os.development
6 comp.editors
3 comp.lang.asm.x86
1 comp.lang.c
5 comp.lang.java.programmer
3 comp.os.linux.misc
1 comp.os.linux.networking
2 comp.protocols.tcp-ip
2 comp.unix.programmer
1 it.comp.java

Usually, when you see a brief and highly-specialized posting
history like that, it indicates that the poster is a sockpuppet.

Maybe you are what you say you are.

Maybe someone will help you.

I don't help people who use google groups unless they are
asking about learning to use a real newsreader, for reasons
already explained.

There are free newsservers. See alt.free.newsservers.

<snip>

Alan

--
http://home.earthlink.net/~alanconnor/contact.html
http://home.earthlink.net/~alanconnor/cr.html
http://home.earthlink.net/~alanconnor/publickey.html
 
 
zhengda

 
      09-27-2006, 07:21 AM

>
> You sound like an American who has watched too many
> late-night movies trying to pretend he's from China.
>
> Forgetting that TV isn't reality, as they so often do.

The above words I said may be really trite. But I do mean it.
>
>
>
>>NNTP-Posting-Host: 220.188.82.12

>
>
> $ whois 220.188.82.12
> % [whois.apnic.net node-2]
> % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
>
> inetnum: 220.188.64.0 - 220.188.95.255
> netname: CHINANET-ZJ-JH
> country: CN
> descr: CHINANET-ZJ Jinhua node network
> descr: Zhejiang Telecom
> admin-c: CZ4-AP
> tech-c: CJ54-AP
> status: ALLOCATED NON-PORTABLE
> changed: auto-(E-Mail Removed) 20050429
> mnt-by: MAINT-CHINANET-ZJ
> mnt-lower: MAINT-CN-CHINANET-ZJ-JH
> source: APNIC
>
> role: CHINANET ZHEJIANG
> address: No.378 Yan'an Road,Hangzhou,Zhejiang.310006
> country: CN
> phone: +86-571-87080702
> fax-no: +86-571-87027816
> e-mail: (E-Mail Removed)
> trouble: send spam reports to (E-Mail Removed)
> trouble: and abuse reports to (E-Mail Removed)
> trouble: Please include detailed information and times in UTC
> admin-c: CZ61-AP
> tech-c: CZ61-AP
> nic-hdl: CZ4-AP
> remarks: http://www.zjtelecom.com.cn
> mnt-by: MAINT-CHINANET-ZJ
> changed: (E-Mail Removed) 20050914
> source: APNIC
>
> role: CHINANET-ZJ Jinhua
> address: No.155 Xishi street,Jinhua,Zhejiang.321000
> country: CN
> phone: +86-579-2300779
> fax-no: +86-579-2330035
> e-mail: (E-Mail Removed)
> trouble: send spam reports to (E-Mail Removed)
> trouble: and abuse reports to (E-Mail Removed)
> trouble: Please include detailed information and times in UTC
> admin-c: CH55-AP
> tech-c: CH55-AP
> nic-hdl: CJ54-AP
> mnt-by: MAINT-CHINANET-ZJ
> changed: (E-Mail Removed) 20031204
> source: APNIC
>
> /quote
>
> Sure looks like that domain puts out a lot of spam, judging by
> that email address: (E-Mail Removed). Repeated 6 times.

Sorry, I don't know what this means.
>
> Wouldn't be a spammer, would you "Zheng"?
>
> http://groups.google.com/advanced_group_search
> Zheng Da
> Results 1 - 25 of 25 posts in the last year
> 1 alt.os.development
> 6 comp.editors
> 3 comp.lang.asm.x86
> 1 comp.lang.c
> 5 comp.lang.java.programmer
> 3 comp.os.linux.misc
> 1 comp.os.linux.networking
> 2 comp.protocols.tcp-ip
> 2 comp.unix.programmer
> 1 it.comp.java
>
> Usually, when you see a brief and highly-specialized posting
> history like that, it indicates that the poster is a sockpuppet.

You mean I sent too few messages to one group?
I own to you that I always ask for help from newsgroups, and seldom give
help to others.
It's my fault; I won't search for excuses for it.
>
> Maybe you are what you say you are.
>
> Maybe someone will help you.
>
> I don't help people who use google groups unless they are
> asking about learning to use a real newsreader, for reasons
> already explained.

You don't want to help others because they use Google Groups? OK, I don't
use it now.
>
> There are free newsservers. See alt.free.newsservers.
>
> <snip>
>
> Alan
>

 
 
Moe Trin

 
      09-27-2006, 08:07 PM
On 26 Sep 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed). com>, Zheng Da wrote:

>I try to use tcpdump, and don't filter any packets.
>debian:/home/zhengda# tcpdump -i eth0
>tcpdump: verbose output suppressed, use -v or -vv for full protocol
>decode


Which version of tcpdump? What network card? What is the network
configuration (what is on the wires)? Could it be that your network card
is not in or does not support promiscuous mode? Look at the output of
'/sbin/ifconfig eth0' and look at the third line:

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

(not running tcpdump) versus

UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

(running tcpdump on a card that supports promiscuous mode). This could
also be an IPv4 versus IPv6 issue depending on what is on those wires.

Old guy
 
 
zhengda

 
      09-28-2006, 01:29 AM
Moe Trin wrote:
> On 26 Sep 2006, in the Usenet newsgroup comp.os.linux.networking, in article
> <(E-Mail Removed). com>, Zheng Da wrote:
>
>
>>I try to use tcpdump, and don't filter any packets.
>>debian:/home/zhengda# tcpdump -i eth0
>>tcpdump: verbose output suppressed, use -v or -vv for full protocol
>>decode

>
>
> Which version of tcpdump? What network card? What is the network

The version of tcpdump is 3.9.4.
> configuration (what is on the wires)? Could it be that your network card
> is not in or does not support promiscuous mode? Look at the output of
> '/sbin/ifconfig eth0' and look at the third line:
>
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>
> (not running tcpdump) versus
>
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

It seems that my card can't support promiscuous mode, because the third
line is always "UP BROADCAST RUNNING MULTICAST" even when I have run tcpdump
as root.
Before, I always used ethereal and seldom tcpdump. But I'm sure that
ethereal could capture packets which weren't from my system and
weren't sent to me.
So if my network card can't support promiscuous mode, why can ethereal
capture these packets?
>
> (running tcpdump on a card that supports promiscuous mode). This could
> also be an IPv4 versus IPv6 issue depending on what is on those wires.
>
> Old guy

 
 
Pascal Hambourg

 
      09-28-2006, 09:24 AM
Hello,

zhengda wrote:
>>
>>> I try to use tcpdump, and don't filter any packets.
>>> debian:/home/zhengda# tcpdump -i eth0
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>>> decode

[...]
>>> 1 packets captured
>>> 250 packets received by filter
>>> 0 packets dropped by kernel

>
>> Could it be that your network card
>> is not in or does not support promiscuous mode? Look at the output of
>> '/sbin/ifconfig eth0' and look at the third line:
>>
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>>
>> (not running tcpdump) versus
>>
>> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

>
> It seems that my card can't support promiscuous mode, because the third
> line is always "UP BROADCAST RUNNING MULTICAST" even when I have run tcpdump
> as root.


Don't be fooled by ifconfig. My ifconfig doesn't show the promiscuous
flag when I run tcpdump, even though the interface supports it. I can
check that the interface is in promiscuous mode with "ip link" and by
watching for the kernel log message "device eth0 entered promiscuous mode"
when I start tcpdump.

> Before, I always used ethereal and seldom tcpdump. But I'm sure that
> ethereal could capture packets which weren't from my system and
> weren't sent to me.
> So if my network card can't support promiscuous mode, why can ethereal
> capture these packets?


I wonder why your tcpdump says "1 packets captured, *250* packets
received by filter". Where are those 250 packets?
 
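As an added example (not code from the thread), here is a small POSIX shell script that does the checks Moe Trin and Pascal Hambourg describe: it reads the PROMISC flag from `ip link` output and the "entered promiscuous mode" kernel message instead of trusting ifconfig, and it parses tcpdump's closing counters so the gap between "captured" and "received by filter" is visible. The interface name eth0, the sample `ip link` output, the kernel-log line and the tcpdump summary are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks promiscuous mode the way
# Moe Trin and Pascal Hambourg suggest, trusting `ip link` flags and the
# kernel log over ifconfig, and parses tcpdump's closing counters.
# All sample outputs below are constructed, not captured from a real host.

# Succeeds (exit 0) when `ip link show <dev>` output carries PROMISC in the
# <...> flag list on its first line.
ip_link_is_promisc() {
    printf '%s\n' "$1" | sed -n '1s/.*<\([^>]*\)>.*/\1/p' |
        tr ',' '\n' | grep -qx PROMISC
}

# Succeeds when the most recent kernel-log line about the device ($2) says
# it entered promiscuous mode (a later "left promiscuous mode" cancels it).
klog_is_promisc() {
    printf '%s\n' "$1" |
        grep -E "device $2 (entered|left) promiscuous mode" |
        tail -n 1 | grep -q entered
}

# Prints "captured received dropped" from tcpdump's exit summary. The
# tcpdump man page says the "received by filter" count is OS-dependent and
# may include packets the filter rejected or that tcpdump had not yet read;
# "captured" is what tcpdump actually processed, so the two can differ.
tcpdump_stats() {
    printf '%s\n' "$1" | awk '
        /packets captured/           { c = $1 }
        /packets received by filter/ { r = $1 }
        /packets dropped by kernel/  { d = $1 }
        END { print c, r, d }'
}

# Constructed samples: an interface in promiscuous mode, its kernel log,
# and the summary lines from the original post.
IP_OUT='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
KLOG='[   12.345678] device eth0 entered promiscuous mode'
SUMMARY='1 packets captured
250 packets received by filter
0 packets dropped by kernel'

ip_link_is_promisc "$IP_OUT" && echo "ip link: eth0 has PROMISC set" \
    || echo "ip link: no PROMISC flag on eth0"
klog_is_promisc "$KLOG" eth0 && echo "kernel log: eth0 entered promiscuous mode"
set -- $(tcpdump_stats "$SUMMARY")
echo "captured=$1 received_by_filter=$2 dropped=$3 gap=$(($2 - $1))"
```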
 
zhengda

 
      09-28-2006, 10:19 AM
Pascal Hambourg wrote:
> Hello,
>
> zhengda wrote:
>
>>>
>>>> I try to use tcpdump, and don't filter any packets.
>>>> debian:/home/zhengda# tcpdump -i eth0
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>>>> decode

>
> [...]
>
>>>> 1 packets captured
>>>> 250 packets received by filter
>>>> 0 packets dropped by kernel

>>
>>
>>> Could it be that your network card
>>> is not in or does not support promiscuous mode? Look at the output of
>>> '/sbin/ifconfig eth0' and look at the third line:
>>>
>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>>>
>>> (not running tcpdump) versus
>>>
>>> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

>>
>>
>> It seems that my card can't support promiscuous mode, because the third
>> line is always "UP BROADCAST RUNNING MULTICAST" even when I have run tcpdump
>> as root.

>
>
> Don't be fooled by ifconfig. My ifconfig doesn't show the promiscuous
> flag when I run tcpdump, even though the interface supports it. I can
> check that the interface is in promiscuous mode with "ip link" and by
> watching for the kernel log message "device eth0 entered promiscuous mode"
> when I start tcpdump.

Yes, the kernel log shows me that eth0 entered promiscuous mode.
Thank you.
>
>> Before, I always used ethereal and seldom tcpdump. But I'm sure that
>> ethereal could capture packets which weren't from my system and
>> weren't sent to me.
>> So if my network card can't support promiscuous mode, why can ethereal
>> capture these packets?

>
>
> I wonder why your tcpdump says "1 packets captured, *250* packets
> received by filter". Where are those 250 packets?

 
 
Rick Jones

 
      09-28-2006, 05:26 PM
Zheng Da <(E-Mail Removed)> wrote:
> I try to use tcpdump, and don't filter any packets.
> debian:/home/zhengda# tcpdump -i eth0
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 23:46:36.611022 IP 222.205.2.248.netbios-dgm >
> 222.205.2.255.netbios-dgm: NBT UDP PACKET(138)


> 1 packets captured
> 250 packets received by filter
> 0 packets dropped by kernel


> There are 250 packets received by filter, so why is only 1 packet
> captured? There is no filter rule at all.
> Why?


Is there perhaps some "default" filter in the tcpdump you are using?

rick jones
--
No need to believe in either side, or any side. There is no cause.
There's only yourself. The belief is in your own precision. - Jobert
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
 