Public bug reported:
The issue always occurs on our Ubuntu 16.04 LTS Server, with following
installed versions:
@client1:~$ uname -a
Linux client1 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019
x86_64 x86_64 x86_64 GNU/Linux
@client1:$ lsb_release -ci
Distributor ID: Ubuntu
Codename: xenial
@client1:$ cat /proc/version_signature
Ubuntu 4.4.0-146.172-generic 4.4.177
@client1:~$ tcpdump --version
tcpdump version 4.9.2
libpcap version 1.7.4
OpenSSL 1.0.2g 1 Mar 2016
Problem description:
The problem is that not all outbound packets (ARP requests) really sent
by the Ubuntu server into the line are captured by tcpdump. Four ARP
requests are sent by the Ubuntu server very quickly, in terms of
microseconds. Four ARP replies come back from the remote network
component, and these 4 replies are captured and seen in the tcpdump pcap
capture file (OK). However, 3 of 4 ARP requests sent from Ubuntu server
are not captured by tcpdump in the pcap file. It's a problem.
The problem is always reproducible: 4 ARP replies from the remote
network component (a router, non Ubuntu) on 4 ARP requests from our
Ubuntu server, but only one outbound ARP request of four sent ARP
requests can be seen in tcpdump trace, not other 3 ARP requests sent
from the eth2 interface by the Ubuntu server.
A tcpdump capture is done on the Ubuntu server as follows:
@client1:~$ sudo sudo /usr/sbin/tcpdump -s 1600 -i eth2 -w
/home/sectool/traces/run1.pcap -C 420
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 1600 bytes
^C413 packets captured
413 packets received by filter
0 packets dropped by kernel
137 packets dropped by interface
@client1:~$ sudo /usr/sbin/tcpdump -s 1600 -i eth2 -w
/home/sectool/traces/run2.pcap -C 420
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 1600 bytes
^C161 packets captured
162 packets received by filter
0 packets dropped by kernel
53 packets dropped by interface
We need an evidence in form of e.g. a tcpdump error message that the 3
of 4 outbound ARP requests from Ubuntu server, which are missing in
tcpdump pcap trace, were really sent into the line but simply could not
be captured on any reason by tcpdump.
** Affects: tcpdump (Ubuntu)
Importance: Undecided
Status: New
** Attachment added: "tcpdump pcap traces"
https://bugs.launchpad.net/bugs/1828392/+attachment/5262670/+files/09-May-2019_tcpdump-traces.zip
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1828392
Title:
Oubound packets sent into the line are not all captured by tcpdump
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tcpdump/+bug/1828392/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
