Hi, I was pretty glad to see wireshark & friends make it into solaris. I guess
I'm just one of those guys who likes to inspect packets for no good reason. So
I started playing with wireshark, tshark and tcpdump.
I am on a simple network:
basically, my laptop (.101) and router (.1). network connectivity etc,
everything works.
When I run snoop, and look at the mac addresses, I see the following:
$ pfexec snoop -d iwk0 -c3 -x0,12
Using device iwk0 (promiscuous mode)
192.168.1.101 -> 72.5.123.5 HTTP C port=44255
0: 0023 69ae 0b1a 001d e019 e925 .#i.......�%
72.5.123.5 -> 192.168.1.101 HTTP R port=44255
0: 001d e019 e925 0023 69ae 0b1a .....%.#i...
192.168.1.101 -> 72.5.123.5 HTTP C port=44255
0: 0023 69ae 0b1a 001d e019 e925 .#i........%
3 packets captured
Source and destination MAC addresses match what I expect. My laptop's MAC
is there as well as my router's.
When I run tshark:
$ pfexec tshark -c3 -s 12
Capturing on iwk0
0.000000 e0:19:e9:25:00:23 -> 48:02:3a:01:00:1d Ethernet [Packet size limited during capture]
0.658593 69:ae:0b:1c:00:1d -> 08:41:00:00:00:23 Ethernet [Packet size limited during capture]
0.660002 e0:19:e9:25:00:23 -> 08:02:2c:00:00:1d Ethernet [Packet size limited during capture]
3 packets captured
Same with tcpdump:
$ pfexec tcpdump -c3 -s 16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on iwk0, link-type EN10MB (Ethernet), capture size 16 bytes
14:44:10.610185 69:ae:0b:1c:00:1d (oui Unknown) > 08:41:00:00:00:23 (oui Unknown), ethertype Unknown (0xe019), length 193:
0x0000: e925 .%
14:44:10.788448 e0:19:e9:25:00:23 (oui Unknown) > 08:02:2c:00:00:1d (oui Unknown), ethertype Unknown (0x69ae), length 377:
0x0000: 0b1c ..
14:44:10.900056 69:ae:0b:1c:00:1d (oui Unknown) > 08:41:00:00:00:23 (oui Unknown), ethertype Unknown (0xe019), length 92:
0x0000: e925 .%
3 packets captured
3 packets received by filter
0 packets dropped by kernel
You may notice the odd (and different) choices in truncating the packets; the
behaviour is not affected by this. Fully captured packets show a similar
defect.
The source and destination MAC addresses are nowhere near what I expect them to
be, nor is tshark/wireshark able to decode them properly (it marks them all as
"Ethernet II" packets, and fails to acknowledge that they contain, say, an HTTP
packet).
I observe similar garbled output when using wireshark on iwk0.
This leads me to believe that libpcap (afaik the common denominator between
tshark/wireshark and tcpdump) is not working correctly in this setup, whereas
snoop is. It looks like libpcap at least drops a few bytes of the mac address
and produces some more corrupted output further on.
At the moment I'm running the following:
$ uname -a
SunOS laptop 5.11 snv_131 i86pc i386 i86pc Solaris
with:
$ pkg list | egrep 'wireshark|tcpdump|pcap'
SUNWlibpcap 1.0.0-0.131 installed -----
SUNWtcpdump 4.0.0-0.131 installed -----
SUNWwireshark 1.2.5-0.131 installed -----
all from
$ pkg publisher
PUBLISHER TYPE STATUS URI
opensolaris.org (preferred) origin online http://pkg.opensolaris.org/dev/
Anyone else see this?
--
This message posted from opensolaris.org
_______________________________________________
networking-discuss mailing list
[email protected]
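An added sanity check (example code, not from the post or from libpcap/snoop) that parses snoop's hex-dump line and flags the symptoms visible in the tcpdump output above: an unknown ethertype, a source MAC with the group bit set (never valid for a unicast sender), and MACs that belong to neither expected host. The laptop/router assignment of the two MACs is inferred from the packet direction, and the IPv4 ethertype appended to the snoop bytes is constructed, since `-x0,12` stops before it.

```python
"""Sanity-check the Ethernet header a capture tool reports, to tell a
mis-framed capture (as in the tcpdump/tshark output above) from a good one."""
import re

# Ethertypes one expects on a plain home LAN; anything else is suspect.
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}
HEX_GROUP = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")


def parse_snoop_hex(dump):
    """Turn snoop -x lines ('0: 0023 69ae ... .#i...') into bytes.
    Reads the hex groups after the offset and stops at the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()[1:]  # drop the 'offset:' token
        for tok in tokens[:8]:     # snoop prints at most 8 groups per line
            if not HEX_GROUP.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def check_ethernet_header(frame, expected_macs=frozenset()):
    """Return a list of findings; an empty list means the header looks sane."""
    findings = []
    if len(frame) < 14:
        return ["frame shorter than a 14-byte Ethernet header"]
    dst, src = frame[0:6], frame[6:12]
    etype = int.from_bytes(frame[12:14], "big")
    if src[0] & 1:  # group/multicast bit is never set in a source address
        findings.append(f"source MAC {mac_str(src)} has the group bit set")
    if etype not in KNOWN_ETHERTYPES:
        findings.append(f"unknown ethertype 0x{etype:04x}")
    if expected_macs and not ({mac_str(dst), mac_str(src)} & set(expected_macs)):
        findings.append("neither MAC belongs to an expected host")
    return findings


# MACs from the snoop output in the post (laptop/router inferred from direction).
LAPTOP, ROUTER = "00:1d:e0:19:e9:25", "00:23:69:ae:0b:1a"

# Constructed: snoop's 12 header bytes plus an IPv4 ethertype (0x0800 added here).
SNOOP_FRAME = parse_snoop_hex("0: 0023 69ae 0b1a 001d e019 e925 .#i.......%") + b"\x08\x00"

# Constructed: the first tcpdump -s 16 frame above, in wire order
# (dst 08:41:..., src 69:ae:..., ethertype 0xe019, then the dumped e925).
TCPDUMP_FRAME = bytes.fromhex("084100000023" "69ae0b1c001d" "e019" "e925")

if __name__ == "__main__":
    for name, frame in (("snoop", SNOOP_FRAME), ("tcpdump", TCPDUMP_FRAME)):
        print(name, check_ethernet_header(frame, {LAPTOP, ROUTER}) or "looks sane")
```

Run against the snoop frame the check reports nothing; against the tcpdump frame it reports all three findings, which is the quickest way to confirm that the framing, not the packets, is wrong.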