Radium correlation - BPF not working
Chris Wakelin
c.d.wakelin at reading.ac.uk
Mon Jun 20 19:32:48 EDT 2011
On 21/06/2011 00:19, John Gerth wrote:
> On 6/20/2011 4:06 PM, Chris Wakelin wrote:
> ....
>>
>> One odd thing is that tcpdump doesn't work as expected either; on this machine a BPF filter matches nothing, whereas on similar machines I have cases
>> where it matches only one side of the traffic and others where it works as expected. I get the same ARGUS errors with two interfaces on one of the
>> machines where BPF is working though.
>>
> BPF filtering, whether tcpdump or argus, will fail and match nothing if the mirror packets are
> coming tagged with vlan headers. The quick check is to prefix the failing filter, e.g.
> tcpdump -i .... vlan and ..
>
>
Ah! That makes sense. Certainly adding "vlan and" does make the BPF
filter work on both interfaces on the machine I said they didn't work on
before.
I'm a little surprised as I would have expected the ones from the core
switches to be tagged but not the ones from the border switches (the
ones where BPF was working have core switch feeds; this machine with two
interfaces has both a core switch and a border switch feed).
Time to talk to our Layer 2 guru :)
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
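
Why the filter in this thread matched nothing until "vlan and" was prepended, shown as an added example (not from the original posts and not tcpdump or argus code): a simplified Python model of the fixed-offset tests a "host X" filter performs. The function names and sample frames are constructed for illustration.

```python
import socket
import struct

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a constructed Ethernet + IPv4 header (no payload, checksum left 0)."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + struct.pack("!H", ETH_P_IP) + ip

def match_host(frame, host, l2_shift=0):
    """Fixed-offset test modelled on 'host X': EtherType at 12, IPv4 source
    at 26 and destination at 30, all moved by l2_shift bytes."""
    if len(frame) < 34 + l2_shift:
        return False
    (ethertype,) = struct.unpack_from("!H", frame, 12 + l2_shift)
    if ethertype != ETH_P_IP:
        return False  # a tagged frame carries 0x8100 here, so it fails this test
    addr = socket.inet_aton(host)
    return addr in (frame[26 + l2_shift:30 + l2_shift],
                    frame[30 + l2_shift:34 + l2_shift])

def match_vlan_and_host(frame, host):
    """'vlan and host X': require the 802.1Q TPID at offset 12, then apply the
    host test with every later offset shifted by the 4-byte tag."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
        return False
    return match_host(frame, host, l2_shift=4)

def match_either(frame, host):
    """'host X or (vlan and host X)': covers a mix of tagged and untagged feeds."""
    return match_host(frame, host) or match_vlan_and_host(frame, host)

if __name__ == "__main__":
    # Constructed sample frames using documentation address ranges.
    samples = (("untagged", build_frame("192.0.2.10", "198.51.100.5")),
               ("vlan 100", build_frame("192.0.2.10", "198.51.100.5", vlan_id=100)))
    for name, f in samples:
        print(name, match_host(f, "192.0.2.10"),
              match_vlan_and_host(f, "192.0.2.10"), match_either(f, "192.0.2.10"))
```

In a real pcap filter the `vlan` keyword changes the decoding offsets for the remainder of the expression, so a combined filter has to put the untagged clause first, as `match_either` does.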