Why does tcpdump show few packets?

Discussion in 'Linux Networking' started by Zheng Da, Sep 27, 2006.

  1. Zheng Da

    Zheng Da Guest

    Hello.
    I tried to use tcpdump, and didn't filter any packets.
    debian:/home/zhengda# tcpdump -i eth0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    23:46:36.611022 IP 222.205.2.248.netbios-dgm >
    222.205.2.255.netbios-dgm: NBT UDP PACKET(138)

    1 packets captured
    250 packets received by filter
    0 packets dropped by kernel

    There are 250 packets received by filter, so why is only 1 packet
    captured? There is no filter rule at all.
    Why?
     
    Zheng Da, Sep 27, 2006
    #1

  2. Zheng Da

    Alan Connor Guest

    That's easy. Learn to use a real newsreader and I'll tell
    you.

    news.software.readers

    But you probably _do_ know how to use a real newsreader but
    want extra anonymity for some reason.

    Spammer? Cracker? Troll? Cyberstalker?

    postnews.google.com should be shut down. The only people that use
    it are trolls and people who just take from the Usenet and never
    give back, using different aliases every time they post so that
    no one notices. Which makes them trolls, actually.



    Alan
     
    Alan Connor, Sep 27, 2006
    #2

  3. Zheng Da

    Zheng Da Guest

    Alan Connor wrote:
    I use postnews.google.com because I couldn't connect to the Internet
    directly when I was at school. I had to search for proxies, but
    most proxies only supported http.
    So I started to use postnews.google.com, and now I am used to it.
    If it offends you, I beg your forgiveness, and I promise I won't use it
    any more.
    I always use the same name "Zheng Da" to post messages.
     
    Zheng Da, Sep 27, 2006
    #3
  4. Zheng Da

    Alan Connor Guest

    That would be a problem.
    You sound like an American who has watched too many
    late-night movies trying to pretend he's from China.

    Forgetting that TV isn't reality, as they so often do.
    Perhaps. Perhaps not. Google makes it so easy to morph.

    Perhaps your name is "Mike" or "Patrick" and you post under
    dozens of aliases through many different servers, http and nntp.
    $ whois 220.188.82.12
    % [whois.apnic.net node-2]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 220.188.64.0 - 220.188.95.255
    netname: CHINANET-ZJ-JH
    country: CN
    descr: CHINANET-ZJ Jinhua node network
    descr: Zhejiang Telecom
    admin-c: CZ4-AP
    tech-c: CJ54-AP
    status: ALLOCATED NON-PORTABLE
    changed: 20050429
    mnt-by: MAINT-CHINANET-ZJ
    mnt-lower: MAINT-CN-CHINANET-ZJ-JH
    source: APNIC

    role: CHINANET ZHEJIANG
    address: No.378 Yan'an Road,Hangzhou,Zhejiang.310006
    country: CN
    phone: +86-571-87080702
    fax-no: +86-571-87027816
    e-mail:
    trouble: send spam reports to
    trouble: and abuse reports to
    trouble: Please include detailed information and times in UTC
    admin-c: CZ61-AP
    tech-c: CZ61-AP
    nic-hdl: CZ4-AP
    remarks: http://www.zjtelecom.com.cn
    mnt-by: MAINT-CHINANET-ZJ
    changed: 20050914
    source: APNIC

    role: CHINANET-ZJ Jinhua
    address: No.155 Xishi street,Jinhua,Zhejiang.321000
    country: CN
    phone: +86-579-2300779
    fax-no: +86-579-2330035
    e-mail:
    trouble: send spam reports to
    trouble: and abuse reports to
    trouble: Please include detailed information and times in UTC
    admin-c: CH55-AP
    tech-c: CH55-AP
    nic-hdl: CJ54-AP
    mnt-by: MAINT-CHINANET-ZJ
    changed: 20031204
    source: APNIC


    Sure looks like that domain puts out a lot of spam, judging by
    that email address: . Repeated 6 times.

    Wouldn't be a spammer, would you "Zheng"?

    http://groups.google.com/advanced_group_search
    Zheng Da
    Results 1 - 25 of 25 posts in the last year
    1 alt.os.development
    6 comp.editors
    3 comp.lang.asm.x86
    1 comp.lang.c
    5 comp.lang.java.programmer
    3 comp.os.linux.misc
    1 comp.os.linux.networking
    2 comp.protocols.tcp-ip
    2 comp.unix.programmer
    1 it.comp.java

    Usually, when you see a brief and highly-specialized posting
    history like that, it indicates that the poster is a sockpuppet.

    Maybe you are what you say you are.

    Maybe someone will help you.

    I don't help people who use google groups unless they are
    asking about learning to use a real newsreader, for reasons
    already explained.

    There are free newsservers. See alt.free.newsservers.

    <snip>

    Alan
     
    Alan Connor, Sep 27, 2006
    #4
  5. Zheng Da

    zhengda Guest

    The above words I said may be really trite. But I do mean it.
    Sorry, I don't know what this means.
    You mean I sent too few messages to one group?
    I admit to you that I always ask for help from newsgroups, and seldom give
    help to others.
    It's my fault, I won't search for excuses for it.
    You don't want to help others because they use google groups? OK, I don't
    use it now.
     
    zhengda, Sep 27, 2006
    #5
  6. Zheng Da

    Moe Trin Guest

    On 26 Sep 2006, in the Usenet newsgroup comp.os.linux.networking, in article
    Which version of tcpdump? What network card? What is the network
    configuration (what is on the wires)? Could it be that your network card
    is not in or does not support promiscuous mode? Look at the output of
    '/sbin/ifconfig eth0' and look at the third line:

    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    (not running tcpdump) versus

    UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

    (running tcpdump on a card that supports promiscuous mode). This could
    also be an IPv4 versus IPv6 issue depending on what is on those wires.

    Old guy
     
    Moe Trin, Sep 27, 2006
    #6
  7. Zheng Da

    zhengda Guest

    The version of tcpdump is 3.9.4.
    It seems that my card can't support promiscuous mode, because the third
    line is always "UP BROADCAST RUNNING MULTICAST" even when I have run tcpdump
    as root.
    Before, I always used ethereal and seldom tcpdump. But I'm sure that
    ethereal could capture packets which weren't from my system and
    weren't sent to me.
    So if my network card can't support promiscuous mode, why can ethereal
    capture these packets?
     
    zhengda, Sep 28, 2006
    #7
  8. Hello,

    zhengda wrote:
    Don't be fooled by ifconfig. My ifconfig doesn't show the promiscuous
    flag when I run tcpdump, even though the interface supports it. I can
    check the interface is in promiscuous mode with "ip link" and by
    watching the kernel log messages "device eth0 entered promiscuous mode"
    when I start tcpdump.
    I wonder why your tcpdump says "1 packets captured, *250* packets
    received by filter". Where are those 250 packets?
     
    Pascal Hambourg, Sep 28, 2006
    #8
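The checks Pascal describes (the kernel's own interface flags, `ip link`, and the "entered promiscuous mode" kernel messages), written out as an added example; this is not code from the thread. It assumes a Linux host that exposes `/sys/class/net/<iface>/flags`, the flag list `ip link show` prints between angle brackets, and kernel log lines of the form `device eth0 entered promiscuous mode`; the sample `ip link` and log text below is constructed.

```python
"""Confirm promiscuous mode on a Linux interface without trusting the ifconfig
flag line. Added example, not from the thread. Assumes the sysfs flags file,
the `ip link show` output format and the kernel's entered/left log messages."""
import re

IFF_PROMISC = 0x100   # bit 8 of the IFF_* interface flags (include/uapi/linux/if.h)


def flags_say_promisc(flags_hex: str) -> bool:
    """Interpret the hex value read from /sys/class/net/<iface>/flags."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def sysfs_promisc(iface: str) -> bool:
    """Live check on a Linux host (no root needed); raises if iface is absent."""
    with open(f"/sys/class/net/{iface}/flags") as f:
        return flags_say_promisc(f.read())


def ip_link_promisc(ip_link_output: str, iface: str) -> bool:
    """Parse the <FLAG,FLAG,...> list that `ip link show` prints for iface."""
    pattern = rf"^\d+:\s+{re.escape(iface)}(?:@\S+)?:\s+<([^>]*)>"
    m = re.search(pattern, ip_link_output, re.MULTILINE)
    if m is None:
        raise ValueError(f"interface {iface!r} not found in ip link output")
    return "PROMISC" in m.group(1).split(",")


def kernel_log_promisc(log: str, iface: str) -> bool:
    """Replay the 'entered'/'left promiscuous mode' messages; the last one wins.
    Returns False when the log never mentions the interface (or has rotated)."""
    state = False
    pattern = re.compile(rf"device {re.escape(iface)} (entered|left) promiscuous mode")
    for line in log.splitlines():
        m = pattern.search(line)
        if m:
            state = m.group(1) == "entered"
    return state


# Constructed sample output, modelled on the real formats (MAC address made up).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
"""

SAMPLE_KERNEL_LOG = """\
[  120.001] device eth0 entered promiscuous mode
[  185.500] device eth0 left promiscuous mode
[  190.250] device eth0 entered promiscuous mode
"""

if __name__ == "__main__":
    print("ip link :", ip_link_promisc(SAMPLE_IP_LINK, "eth0"))       # True
    print("klog    :", kernel_log_promisc(SAMPLE_KERNEL_LOG, "eth0"))  # True
    print("flags   :", flags_say_promisc("0x1103"))                     # True
```

The sysfs value is the most direct of the three: `0x1003` is a typical wired interface (UP, BROADCAST, MULTICAST) and `0x1103` the same interface with IFF_PROMISC set. The kernel-log method only tells you what happened since the log began, so treat a "never mentioned" result as unknown rather than as "not promiscuous".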
  9. Zheng Da

    zhengda Guest

    Yes, kernel log shows me that eth0 entered promiscuous mode.
    Thank you
     
    zhengda, Sep 28, 2006
    #9
  10. Zheng Da

    Rick Jones Guest

    Is there perhaps some "default" filter in the tcpdump you are using?

    rick jones
     
    Rick Jones, Sep 28, 2006
    #10
  11. Zheng Da

    Moe Trin Guest


    Missed the part where I asked:

    ] Which version of tcpdump? What network card? What is the network
    ] configuration (what is on the wires)?

    What can I say - all of the cards I have access to do report this, which
    is why I showed the actual /sbin/ifconfig output.
    OK - so what might the packets be? Try running your tcpdump with the
    -xx option

    -xx Print each packet, including its link level header, in hex.

    (assuming your version has that option - otherwise, use -w to write the
    packets to a file and use 'less' to read that), and look at the Ethernet
    and IP headers. A normal IPv4 packet (IPv6 differs starting at the 'version
    number' field - see RFC2460) on RFC0894 Ethernet would have

    6 bytes Destination MAC
    6 bytes Source MAC
    2 bytes "type" (0800 is an IPv4 Datagram, 86DD is IPv6)

    4 BITS version number (0100 for version 4)
    4 BITS header length measured in 32 bit words (minimum with no options = 5)
    1 byte type of service
    2 bytes total length
    2 bytes ID
    2 bytes fragmentation stuff
    1 byte TTL
    1 byte protocol (see /etc/protocols)
    2 bytes header checksum
    4 bytes Source IP address
    4 bytes Destination IP address
    0 to 40 bytes (in increments of 4) options

    If TCP or UDP, the next four bytes are source and destination port numbers.
    If ICMP, the next byte is the "type" number of the message, and the byte
    after that is the "code" number within that type.

    That's why I asked about the version of tcpdump. Not all behave in the same
    way. Likewise the question of what is on the wires. Some versions of tcpdump
    don't understand IPv6, or other protocols that can be carried on Ethernet
    besides IP. See http://www.iana.org/assignments/ethernet-numbers

    Old guy
     
    Moe Trin, Sep 29, 2006
    #11
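The header walk Moe describes, as an added example rather than anything posted in the thread: it takes the hex that `tcpdump -xx` prints (offset column, then 16-bit groups), decodes the Ethernet and IPv4 fields in the order listed above, verifies the IPv4 header checksum, and reads the ports or ICMP type/code that follow. The sample frame is constructed to resemble the NetBIOS datagram in the first post (UDP 138 to the 222.205.2.255 broadcast); its MAC addresses are made up.

```python
"""Decode Ethernet + IPv4 headers by hand from a `tcpdump -xx` dump.
Added example, not from the thread. The sample frame below is constructed."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def hexdump_to_bytes(text: str) -> bytes:
    """Turn lines like "0x0010:  001c 1234 ..." into bytes; the offset column
    before ':' is dropped and whitespace between groups ignored."""
    digits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" in line:
            line = line.split(":", 1)[1]
        digits.append(line)
    return bytes.fromhex("".join("".join(digits).split()))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; over an intact header (checksum field
    included) the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def decode_frame(frame: bytes) -> dict:
    """Walk the headers field by field in the order the post lists them."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"dst_mac": _mac(frame[0:6]), "src_mac": _mac(frame[6:12]),
           "ethertype": ethertype}
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV6:
        # IPv6 differs from the version nibble onwards (RFC 2460); stop here.
        out["network"] = "ipv6"
        out["version"] = payload[0] >> 4 if payload else None
        return out
    if ethertype != ETHERTYPE_IPV4:
        out["network"] = "other"        # ARP, VLAN-tagged, LLC, ...: not IP
        return out
    if len(payload) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, tos, total_len, ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", payload[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    hlen = ihl * 4                      # header length is counted in 32-bit words
    if version != 4 or ihl < 5 or len(payload) < hlen:
        raise ValueError("malformed IPv4 header")
    out.update(network="ipv4", version=version, header_len=hlen, tos=tos,
               total_len=total_len, id=ident,
               dont_fragment=bool(frag & 0x4000), more_fragments=bool(frag & 0x2000),
               frag_offset=frag & 0x1FFF, ttl=ttl, proto=proto,
               src_ip=".".join(map(str, src)), dst_ip=".".join(map(str, dst)),
               options=payload[20:hlen],
               checksum_ok=ipv4_checksum(payload[:hlen]) == 0)
    l4 = payload[hlen:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        out["src_port"], out["dst_port"] = struct.unpack("!HH", l4[:4])
    elif proto == PROTO_ICMP and len(l4) >= 2:
        out["icmp_type"], out["icmp_code"] = l4[0], l4[1]
    return out


# Constructed frame: broadcast NetBIOS datagram, UDP 138 -> 138,
# 222.205.2.248 -> 222.205.2.255, laid out as `tcpdump -xx` prints it.
SAMPLE_DUMP = """\
0x0000:  ffff ffff ffff 0011 2233 4455 0800 4500
0x0010:  001c 1234 0000 8011 650b decd 02f8 decd
0x0020:  02ff 008a 008a 0008 0000
"""

if __name__ == "__main__":
    for key, value in decode_frame(hexdump_to_bytes(SAMPLE_DUMP)).items():
        print(f"{key:>15}: {value}")
```

A frame whose type field is not 0800 never reaches the IPv4 branch, which is the quickest way to tell whether "packets received by filter" are IPv6, ARP or something else entirely; the checksum test catches a dump you have mis-transcribed or a capture that was truncated mid-header.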
  12. Zheng Da

    zhengda Guest

    The version of tcpdump I use is 3.9.4 (I think I have said it)
    lspci shows me it's Ethernet controller: Realtek Semiconductor Co., Ltd.
    RTL-8139/8139C/8139C+
    Now my network configuration is as follows:
    eth0 Link encap:Ethernet HWaddr 00:11:2F:68:EE:9A
    inet addr:192.168.0.82 Bcast:192.168.0.255 Mask:255.255.255.0
    inet6 addr: fe80::211:2fff:fe68:ee9a/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:2123 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1485 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:668419 (652.7 KiB) TX bytes:179511 (175.3 KiB)
    Interrupt:18 Base address:0xc800

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:2 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:100 (100.0 b) TX bytes:100 (100.0 b)

    ppp0 Link encap:point-to-Point Protocol
    inet addr:220.188.74.86 P-t-P:61.174.81.34 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
    RX packets:1075 errors:0 dropped:0 overruns:0 frame:0
    TX packets:965 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:3
    RX bytes:559502 (546.3 KiB) TX bytes:125077 (122.1 KiB)

    vmnet1 Link encap:Ethernet HWaddr 00:50:56:C0:00:01
    inet addr:192.168.107.1 Bcast:192.168.107.255
    Mask:255.255.255.0
    inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    vmnet8 Link encap:Ethernet HWaddr 00:50:56:C0:00:08
    inet addr:192.168.84.1 Bcast:192.168.84.255 Mask:255.255.255.0
    inet6 addr: fe80::250:56ff:fec0:8/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
    But when I used tcpdump to capture packets, there wasn't ppp0 interface,
    because my computer was connected to my school LAN.
    So now if I use tcpdump again, I will get
    12 packets captured
    24 packets received by filter
    0 packets dropped by kernel

    Is it normal?
    I have tried to capture some packets. But most of them are broadcast or
    sent from me or sent to me.
     
    zhengda, Sep 29, 2006
    #12
  13. Zheng Da

    zhengda Guest

    So how to set the default filter?
     
    zhengda, Sep 29, 2006
    #13
  14. Zheng Da

    Rick Jones Guest

    Since I'm not sure there _is_ a default filter, I've no idea how one
    would set it.

    To be sure you are working with a "known quantity" perhaps you should
    download libpcap and tcpdump sources from www.tcpdump.org and roll
    your own tcpdump. That way you will have the source at your
    fingertips.

    rick jones
     
    Rick Jones, Sep 29, 2006
    #14
  15. Are you listening on the right interface? If your interface is being
    used by say, PPPoE, then the PPP interface may be what you want.
     
    Clifford Kite, Sep 29, 2006
    #15
  16. Zheng Da

    Moe Trin Guest

    On Fri, 29 Sep 2006, in the Usenet newsgroup comp.os.linux.networking, in
    Posting via google makes the posts hard to read - yes, I see it now.
    That should be no problem.
    That's a Link-Local IPv6 address - are you actually using IPv6? If not,
    what happens when you disable IPv6?
    [compton ~]$ etherwhois 00:50:56
    00-50-56 (hex) VMWare, Inc.
    005056 (base 16) VMWare, Inc.
    44 ENCINA AVENUE
    PALO ALTO CA 94301
    UNITED STATES
    [compton ~]$

    That _could_ be a problem - though I don't use VMWare, and have no
    experience with it. Is the Linux system running on a virtual machine?
    Notice that packets have gone out, but nothing came back.
    That's fine - and should have no effect.
    The man page suggests (third paragraph of the "DESCRIPTION" section) that
    this indicates there is a filter involved - but your command line doesn't
    show one (the '[expression]' term). But I wonder if VMWare is preventing
    the packet capture. I'd suggest comparing the 'RX packets' count versus
    the number of packets reported by tcpdump.

    Old guy
     
    Moe Trin, Sep 30, 2006
    #16
  17. Zheng Da

    zhengda Guest

    I use Debian, so the tcpdump and libpcap I use are from Debian etch.
     
    zhengda, Sep 30, 2006
    #17
  18. Zheng Da

    zhengda Guest

    No. The above listening was at my school. There was only ethernet.
     
    zhengda, Sep 30, 2006
    #18
  19. Zheng Da

    zhengda Guest

    I have disabled IPv6, but got the same result.
    No. I have installed a virtual machine on my Linux, so there are some
    interfaces for vmware.
    But I have disabled these interfaces too. No use.
    I closed the ppp0 interface, and found tcpdump gets fewer packets, about
    several percent of the packets received by filter.
    I tried wireshark. It got more packets, nearly the same quantity of packets
    as the "RX packets" of eth0 shows.
    What confuses me is that I tried to ping the gateway of my LAN, but
    tcpdump didn't show me those icmp echo packets.
     
    zhengda, Sep 30, 2006
    #19
  20. Zheng Da

    Moe Trin Guest

    On Sat, 30 Sep 2006, in the Usenet newsgroup comp.os.linux.networking, in
    So Linux is "native", and some other O/S would be the guest.
    OK My concern was that VMWare is in between the hardware and "this" kernel.
    Should have no effect
    What numbers?
    Wireshark is the old 'ethereal'. If it's showing all the packets, then
    there is something strange with your tcpdump.
    Did it also show the 'ARP who-has' and 'ARP reply' packets? This
    really does sound as if there is _some kind_ of default filter running.
    If you look at the man page, the "SYNOPSIS" shows all kinds of options,
    and the last one is "[ expression ]", where (looking about 370 lines
    down the page)

    expression
    selects which packets will be dumped. If no expression is
    given, all packets on the net will be dumped. Otherwise,
    only packets for which expression is `true' will be dumped.

    and this may be one (or more) of 'host', 'net', 'port', 'portrange', 'src',
    'dst', 'inbound', 'inbound', 'ether', 'fddi', 'tr', 'wlan', 'ip', 'ip6',
    'arp', 'rarp', 'decnet', 'tcp' and 'udp' (actually, there are even more
    than that, but we'll stop here). The point is, you have not shown anything
    using an 'expression' option. You have also not shown that you are using a
    '-F filename' option (which allows you to put the 'expression' options into
    a file). Does 'alias tcpdump' show anything?

    I'd recommend trying the Debian mailing lists, though I honestly don't
    know which one would be appropriate. I know there is a
    'debian.user.chinese.big5' list, and perhaps 'debian.bugs.reports'.
    You might also look at the 'debsums' man page and see how to check the
    tcpdump packages.

    Old guy
     
    Moe Trin, Oct 1, 2006
    #20