tcpdump via foundry problem

From: Gerry Reilly (gerry@projects.telecity.co.uk)
Date: 04/26/01

    Date: Thu, 26 Apr 2001 19:46:14 +0100 (BST)
    From: Gerry Reilly <gerry@projects.telecity.co.uk>
    Subject: tcpdump via foundry problem
    Message-ID: <Pine.BSF.4.10.10104261930020.86668-100000@projects.telecity.co.uk>

    Hi all

    I'm currently struggling with trying to get tcptrace to correctly process
    a tcpdump -w trace obtained via the mirroring port on a Foundry 8000
    switch.

    I have tried both tcptrace v5 and v6 with no success. Both binaries
    happily decode tcpdump -w traces that have _not_ been made via the
    foundry.

    If I look at my trace file via "tcpdump -r ./trace1" I get the following
    info:-

    20:27:54.161247 0:1:30:d4:1a:0 > 0:e0:2b:0:0:0 sap aa ui/C len=313
                             3c6f 6278 4e00 0000 0130 d41a 0099 0200
                             2400 0000 2400 0000 0000 0000 0004 0113
                             02ff ff00 0000 0000 0000 00
    20:28:04.292578 [vlan 1] 1.1.1.1.1591 > 1.1.1.2.5037: S 1513035485:1513035485(0) win 32120 <mss 1460,sackOK,timestamp[|tcp]> (DF)
    20:28:04.292830 [vlan 1] 1.1.1.2.5037 > 1.1.1.1.1591: S 1079593241:1079593241(0) ack 1513035486 win 32120 <mss 1460,sackOK,timestamp[|tcp]> (DF)
    20:28:04.292961 [vlan 1] 1.1.1.1.1591 > 1.1.1.2.5037: . ack 1 win 32120 <nop,nop,timestamp 19375195[|tcp]> (DF)
    20:28:04.293270 [vlan 1] 1.1.1.1.1591 > 1.1.1.2.5037: P 1:82(81) ack 1 win 32120 <nop,nop,timestamp 19375195[|tcp]> (DF)
    20:28:04.293408 [vlan 1] 1.1.1.2.5037 > 1.1.1.1.1591: . ack 82 win 32039 <nop,nop,timestamp 529309[|tcp]> (DF)

    etc

    Yet, if I try to look at the same file via tcptrace I get the following:-

    bash$ ./tcptrace ../trace1
    1 arg remaining, starting with '../trace1'
    Ostermann's tcptrace -- version 6.0.0a5 -- Tue Apr 10, 2001

    0 packets seen, 0 TCP packets traced
    elapsed wallclock time: 0:00:00.016348, 0 pkts/sec analyzed
    trace file elapsed time: 0:00:00.000000
    no traced TCP packets

    The only difference that I can see between the traces that work, and those
    that don't is that the VLAN ID is included on the Foundry trace.

    If anybody could shed any light on this I would really appreciate it :-)

    Kind Regards

    Gerry Reilly
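The symptom described above (tcpdump shows the frames as `[vlan 1]`, tcptrace sees 0 packets) is what happens when an analysis tool walks the Ethernet header and stops at an ethertype it does not understand: an 802.1Q tag inserts four bytes (TPID 0x8100 plus a 16-bit TCI) between the source MAC and the real ethertype, so a decoder that only knows 0x0800 finds 0x8100 at offset 12 and discards the frame. The script below is an added example, not code from the post or from tcptrace; it assumes that explanation is the cause, parses a libpcap file in either byte order, reports which frames carry a tag and what VLAN ID, and writes a copy with the tags removed (adjusting the record lengths) so that an untagged-only tool can read it. The pcap it operates on is constructed in memory from the addresses and ports seen in the post; the MACs, timestamps and checksums are made-up placeholders.

```python
"""Detect and strip 802.1Q VLAN tags from an Ethernet pcap (added example, constructed data)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1       # DLT_EN10MB
ETHERTYPE_VLAN = 0x8100     # 802.1Q TPID; the 4-byte tag sits between src MAC and the real ethertype
ETHERTYPE_IPV4 = 0x0800


def pcap_endian(pcap):
    """Byte-order prefix for struct, taken from the pcap magic (libpcap writes host order)."""
    if pcap[:4] == struct.pack("<I", PCAP_MAGIC):
        return "<"
    if pcap[:4] == struct.pack(">I", PCAP_MAGIC):
        return ">"
    raise ValueError("not a libpcap file (bad magic)")


def iter_records(pcap):
    """Yield (ts_sec, ts_usec, orig_len, frame_bytes) for each record of an Ethernet pcap."""
    e = pcap_endian(pcap)
    linktype = struct.unpack(e + "I", pcap[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected DLT_EN10MB (1), got %d" % linktype)
    off = 24                                    # global header is 24 bytes
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, caplen, orig_len = struct.unpack(e + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, orig_len, pcap[off:off + caplen]
        off += caplen


def strip_vlan(frame):
    """Return (frame_without_tag, vlan_id) for a tagged frame, or (frame, None) otherwise."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_VLAN:
        return frame, None
    tci = struct.unpack("!H", frame[14:16])[0]  # PCP(3) | DEI(1) | VID(12)
    return frame[:12] + frame[16:], tci & 0x0FFF


def rewrite_pcap(pcap):
    """Strip 802.1Q tags from every record; return (new_pcap, stripped_count, vlan_ids_seen)."""
    e = pcap_endian(pcap)
    out, stripped, vids = [pcap[:24]], 0, set()
    for ts_sec, ts_usec, orig_len, frame in iter_records(pcap):
        new_frame, vid = strip_vlan(frame)
        if vid is not None:
            stripped += 1
            vids.add(vid)
            orig_len -= 4                       # the tag was part of the on-the-wire length too
        out.append(struct.pack(e + "IIII", ts_sec, ts_usec, len(new_frame), orig_len) + new_frame)
    return b"".join(out), stripped, vids


def frame_ethertypes(pcap):
    """Ethertype at offset 12 of each frame (0x8100 wherever a VLAN tag is present)."""
    return [struct.unpack("!H", f[12:14])[0] for _, _, _, f in iter_records(pcap)]


# --- constructed sample data (not a real capture) ---------------------------------
def _ipv4_tcp_syn(src_ip, sport, dst_ip, dport):
    """Bare IPv4 + TCP SYN with zero checksums; enough for header-level parsing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1513035485, 0, 5 << 4, 0x02, 32120, 0, 0)
    return ip + tcp


def build_pcap(frames, endian="<"):
    """Write a minimal libpcap file (v2.4, DLT_EN10MB) around the given frames."""
    hdr = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack(endian + "IIII", 988313284 + i, 292578, len(f), len(f)) + f
            for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


_MACS = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")   # dst, src (placeholders)
_SYN = _ipv4_tcp_syn("1.1.1.1", 1591, "1.1.1.2", 5037)                   # addresses from the post
TAGGED_FRAME = _MACS + struct.pack("!HH", ETHERTYPE_VLAN, 1) + struct.pack("!H", ETHERTYPE_IPV4) + _SYN
UNTAGGED_FRAME = _MACS + struct.pack("!H", ETHERTYPE_IPV4) + _SYN
SAMPLE_PCAP = build_pcap([TAGGED_FRAME, UNTAGGED_FRAME])

if __name__ == "__main__":
    clean, n, vids = rewrite_pcap(SAMPLE_PCAP)
    print("before:", [hex(t) for t in frame_ethertypes(SAMPLE_PCAP)])
    print("after: ", [hex(t) for t in frame_ethertypes(clean)], "stripped", n, "vlans", sorted(vids))
```

Running `frame_ethertypes` on a capture before rewriting is the quick check: a list containing 0x8100 means the tool that reports "0 packets seen" is most likely stopping at the tag, and the stripped copy preserves timestamps and payloads, so flow analysis on it matches the original apart from the VLAN membership, which the script reports separately.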




    This archive was generated by hypermail 2b30 : 04/27/01 EDT