I was trying debug a tcpdump problem which does not capture Tx packets on physical interface when the interface is bonded..
I.e if eth2,eth3 are bonded to veth0, then,
tcpdump -i veth0 --> captures packets on both directions, where as
tcpdump -i eth2 (eth2 is active) --> does not capture Tx packets, only captures receive packets..
I jumped in to the tcpdump and libcap code to figure out that libcap opens a socket with PF_PACKET family and uses recvfrom() to capture the packets from driver level.
So, I tried a simple sniffer using these low level packets and observed that the PF_PACKET soc API do not capture packets in both the directions..
Below is the code snippet..
-----------------
...
....
if ( (sock=socket(PF_PACKET, SOCK_RAW,
htons(ETH_P_ALL)))<0) {
perror("socket");
exit(1);
}
/* Get Interface index */
strncpy((char *)ifr.ifr_name, device, IFNAMSIZ);
if((ioctl(sock, SIOCGIFFLAGS, &ifr)) == -1) {
perror("ioctl");
printf("Error getting Interface index !\n");
close(sock);
exit(1);
}
if (ioctl(sock, SIOCGIFINDEX, &ifr) < 0){
perror("ioctl");
close(sock);
exit(1);
}
/* Set flags */
sll.sll_family = AF_PACKET;
sll.sll_ifindex = ifr.ifr_ifindex;
sll.sll_protocol =htons(ETH_P_ALL);
/* bind to interface */
if((bind(sock, (struct sockaddr *)&sll, sizeof(sll)))== -1) {
perror("Error binding raw socket to interface\n");
exit(1);
}
while (1) {
printf("----------\n");
n = recvfrom(sock,buffer,2048,0,
NULL,NULL);
printf("%d bytes read\n",n);
...
...
}
----------------
below is the output i get...its is clear from the output that on eth2 only TX packets are captured where as from veth0 all the packets are captured..
Is there anything big am missing.. can somebody look at the above snippet and shed some light..
I am wondering if there is any .config parameter need to be configured for PF_PACKET family to capture all the packets on physical interface when bonded.
Any comment or pointers are much appreciated..
-----------
-bash-3.00# ifconfig veth0
veth0 Link encap:Ethernet HWaddr 00:15:17:29:F7:80
inet addr:192.168.11.144 Bcast:192.168.11.255 Mask:255.255.252.0
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:41489453 errors:0 dropped:0 overruns:0 frame:0
TX packets:15600 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4232122294 (3.9 GiB) TX bytes:5797281 (5.5 MiB)
-bash-3.00# ./pf_socket eth2
sniffing device: eth2
interface index :6211
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,30147
Layer-4 protocol 1
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,32194
Layer-4 protocol 1
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,33985
Layer-4 protocol 1
----------
-bash-3.00# ./pf_socket veth0 | grep -C 4 10.24
----------
98 bytes read
Source MAC address: 00:15:17:29:f7:80
Destination MAC address: 00:21:a1:4a:74:00
Source host 10.24.29.16
Dest host 192.168.11.144
Source,Dest ports 2048,24995
Layer-4 protocol 1
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,27043
Layer-4 protocol 1
----------
60 bytes read
--
----------
98 bytes read
Source MAC address: 00:15:17:29:f7:80
Destination MAC address: 00:21:a1:4a:74:00
Source host 10.24.29.16
Dest host 192.168.11.144
Source,Dest ports 2048,26786
Layer-4 protocol 1
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,28834
Layer-4 protocol 1
----------
Thanks in advance,
Lakshmana
printf("%d bytes read\n",n);
...
...
}
----------------
below is the output i get...its is clear from the output that on eth2 only TX packets are captured where as from veth0 all the packets are captured..
Is there anything big am missing.. can somebody look at the above snippet and shed some light..
I am wondering if there is any .config parameter need to be configured for PF_PACKET family to capture all the packets on physical interface when bonded.
Any comment or pointers are much appreciated..
-----------
-bash-3.00# ifconfig veth0
veth0 Link encap:Ethernet HWaddr 00:15:17:29:F7:80
inet addr:192.168.11.144 Bcast:192.168.11.255 Mask:255.255.252.0
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:41489453 errors:0 dropped:0 overruns:0 frame:0
TX packets:15600 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4232122294 (3.9 GiB) TX bytes:5797281 (5.5 MiB)
-bash-3.00# ./pf_socket eth2
sniffing device: eth2
interface index :6211
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,30147
Layer-4 protocol 1
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,32194
Layer-4 protocol 1
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,33985
Layer-4 protocol 1
----------
-bash-3.00# ./pf_socket veth0 | grep -C 4 10.24
----------
98 bytes read
Source MAC address: 00:15:17:29:f7:80
Destination MAC address: 00:21:a1:4a:74:00
Source host 10.24.29.16
Dest host 192.168.11.144
Source,Dest ports 2048,24995
Layer-4 protocol 1
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,27043
Layer-4 protocol 1
----------
60 bytes read
--
----------
98 bytes read
Source MAC address: 00:15:17:29:f7:80
Destination MAC address: 00:21:a1:4a:74:00
Source host 10.24.29.16
Dest host 192.168.11.144
Source,Dest ports 2048,26786
Layer-4 protocol 1
----------
98 bytes read
Source MAC address: 00:21:a1:4a:74:00
Destination MAC address: 00:15:17:29:f7:80
Source host 192.168.11.144
Dest host 10.24.29.16
Source,Dest ports 0,28834
Layer-4 protocol 1
----------
Thanks in advance,
Lakshmana
