tcpdump issue notes
Issue 1: VLAN packets sent with scapy are not captured by a tcpdump filter
Sending the packet
sendp([Ether(src="11:22:33:44:55:00")/Dot1Q(vlan=1001)/IP()/UDP()/"Hello, VLAN!"], iface="ens9")
Capturing with the vlan filter does not work.
# tcpdump -i ens9 -nnvve -Q out vlan
Disabling tx-vlan-offload does not help either.
# ethtool -K ens9 txvlan off
With the filter ether proto 0x8100 instead, the packet is captured.
# tcpdump -i ens9 -nnvve -Q out ether proto 0x8100
tcpdump: listening on ens9, link-type EN10MB (Ethernet), capture size 262144 bytes
20:52:28.445275 11:22:33:44:55:00 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 58: vlan 1001, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 40)
    127.0.0.1.65535 > 127.0.0.1.65535: [udp sum ok] UDP, length 12
Issue 2: received VLAN packets are not captured by a tcpdump filter
The vlan filter captures the packet.
# tcpdump -i ens9 -nnvve -Q in vlan
tcpdump: listening on ens9, link-type EN10MB (Ethernet), capture size 262144 bytes
20:53:23.525317 11:22:33:44:55:00 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 1001, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 40)
    127.0.0.1.65535 > 127.0.0.1.65535: [udp sum ok] UDP, length 12
However, with the filter ether proto 0x8100, nothing is captured.
# tcpdump -i ens9 -nnvve -Q in ether proto 0x8100
With the filter ether proto 0x0800, on the other hand, the packet is captured.
# tcpdump -i ens9 -nnvve -Q in ether proto 0x0800
tcpdump: listening on ens9, link-type EN10MB (Ethernet), capture size 262144 bytes
21:02:31.332599 11:22:33:44:55:00 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 1001, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 40)
    127.0.0.1.65535 > 127.0.0.1.65535: [udp sum ok] UDP, length 12
This shows that in the inbound direction the Ethernet protocol field seen by the filter was set to 0x0800.
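A small model of what each filter would see, added here as an illustration and not taken from the original notes. It assumes that on receive the 802.1Q tag is removed from the frame data and carried as out-of-band metadata before the filter runs, and that the vlan test looks only at that metadata; both are assumptions of the model, not something these notes confirm, and the helper names and the IP payload bytes are constructed.

```python
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800

def build_tagged_frame(src, dst, vlan_id, payload):
    """Ethernet header with the 802.1Q tag inline, as the frame looks on the wire."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    tci = vlan_id & 0x0FFF  # priority 0, DEI 0
    return mac(dst) + mac(src) + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_IP) + payload

def strip_tag(frame):
    """Assumed rx behaviour: cut the 4-byte tag out of the frame data and
    return the VLAN ID separately as out-of-band metadata."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETH_P_8021Q:
        return frame, None
    return frame[:12] + frame[16:], tci & 0x0FFF

def ether_proto(frame, value):
    """'ether proto <value>' compares the 16-bit field at offset 12 of the frame data."""
    return struct.unpack("!H", frame[12:14])[0] == value

def vlan_meta(meta):
    """Simplified 'vlan' test (model assumption): true only if tag metadata exists."""
    return meta is not None

def evaluate(frame, meta):
    """Result of the three filters from the notes for one frame + metadata pair."""
    return {
        "0x8100": ether_proto(frame, ETH_P_8021Q),
        "vlan": vlan_meta(meta),
        "0x0800": ether_proto(frame, ETH_P_IP),
    }

# Constructed sample: same MACs and VLAN ID as the scapy call above,
# with a 40-byte placeholder standing in for the IP/UDP packet.
WIRE = build_tagged_frame("11:22:33:44:55:00", "ff:ff:ff:ff:ff:ff", 1001,
                          b"\x45" + b"\x00" * 39)
INLINE = evaluate(WIRE, None)           # tag still inside the frame data
STRIPPED = evaluate(*strip_tag(WIRE))   # tag moved to metadata

if __name__ == "__main__":
    print("tag inline  :", INLINE)
    print("tag stripped:", STRIPPED)
```
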
Summary
Direction / filter | ether proto 0x8100 | vlan | ether proto 0x0800 |
---|---|---|---|
tx | Y | N | N |
rx | N | Y | Y |
Still to be analyzed: why does this happen?