Russell L. Carter wrote:
> Ok, I need to do some experimenting here. I've broken out a long
> patch cable to bypass the switch

I would really be surprised if the switch has broken down. Not impossible of course. But what are the odds? I think it very unlikely. If I were to guess I would guess it more likely that packets are being routed to the wrong place. I think that is many times more likely.

> and am steeling myself for the tcpdump learning experience.

You will be surprised how easy it is! Just run it. Control-C out of it to stop it.

Wireshark is good for interpreting the contents of the packets. But if all you care about is reporting the presence of packets then I prefer the ease of tcpdump. But I am definitely a command line person. For me, firing off a command line, looking at the output, firing off another command line, is super easy. But people whose brain only works with the mouse hate the command line, in which case the graphical interface of wireshark is for them.

The biggest thing about tcpdump is that there will almost always be something on your net that is making noise. Sometimes lots of noise. It will cause the display to scroll very rapidly. This could be ARP requests (who has an address). This could be something streaming video or audio. This could be something doing a lot of DNS lookups. NTP queries. These all create noise. The most useful skill is to recognize what those noise sources are and ignore them, at least temporarily, so that you can focus on the task at hand.

There are two tactics.

1) Ignore specific noise sources until what is left is interesting.
2) Listen only to what is interesting.

The latter sounds good, but sometimes when you don't know what is happening the former is often needed. I usually start with #1 and reduce the noise so that I can discover unknown things happening. #2 is nice when looking specifically at http requests and nothing else, for example.
In the expression there are the same types of filters as there are IP packets. "not arp" removes the who-has-address ICMP traffic. "not host foo" ignores that address. "not port foo" ignores that port. If I have logged into the machine with ssh then port 22 ssh will be very active, showing me tcpdump of port 22 in a positive feedback situation. Ignoring all of those is useful.

  tcpdump -lni any not arp and not host example.com and not port domain

Very quickly you can reduce the noise of things you don't care about and the window will be mostly quiet. Then you can trigger the network events you care about and see anything interesting that is going by. Because sometimes these other unknown and unexpected packets can be very interesting and will find something completely unexpected as a problem.

But for dhcp I think you could jump quickly to just looking at only port bootps. Then you won't see anything else.

  tcpdump -lni any port bootps

I usually start with "-i any" because it listens everywhere. But if you are looking at which packet is happening on which interface then select one particular interface.

  tcpdump -lni eth1 port bootps

Aside: If you are looking at a routing problem then running two tcpdumps, one on each of the interfaces, can often show packets arriving but not departing in real time. Very useful to have multiple windows with multiple tcpdumps displaying when looking for routing problems.

> However, that's probably a big net plus because I discovered that
> the stock wireshark is hanging for me after a basic capture, even
> with all lookups turned off. grrr.

Hanging? What is it doing? A DNS lookup perhaps? Turn off lookups? Perhaps you could use tcpdump to debug wireshark? (chuckle) :-)

> Well I need to diversify my tools evidently, even simplify.

Wireshark is a very good tool. I am not discounting it. It is great for packet inspection. I just like the quicker-to-work-with tcpdump when I only care about detection of the presence of them. YMMV.
> Thanks Bob for the tips, the stuff below will keep me busy tomorrow
> morning. I'll report back what I find.

Good luck!

Bob
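As an added illustration that is not part of Bob's reply or of tcpdump itself, the two noise-reduction tactics above (subtract known noise with `not arp and not host ... and not port ...`, or listen only to `port bootps`) reproduced in Python over constructed `tcpdump -n` output lines. The packet lines, addresses and the tiny service-name table are all made up for the example; the filter grammar is a small subset of tcpdump's (`not`, `and`, `or`, `arp`, `host X`, `port X`) with the same precedence, so a reader can see which of the sample lines each expression would leave on screen.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Stand-in for /etc/services (constructed; only the names this example uses).
SERVICES = {"domain": 53, "bootps": 67, "bootpc": 68, "ssh": 22, "ntp": 123}

# Constructed lines in the shape tcpdump -n prints for a single interface
# (timestamp, then "ARP," or "IP src.port > dst.port: ...").
SAMPLE_LINES = [
    "12:00:01.000001 ARP, Request who-has 192.168.1.20 tell 192.168.1.1, length 28",
    "12:00:01.000500 IP 192.168.1.10.54321 > 192.168.1.1.53: 12345+ A? example.com. (29)",
    "12:00:01.001000 IP 192.168.1.1.53 > 192.168.1.10.54321: 12345 1/0/0 A 192.0.2.7 (45)",
    "12:00:01.002000 IP 192.168.1.10.22 > 192.168.1.50.41000: Flags [P.], seq 1:101, ack 1, win 512, length 100",
    "12:00:01.003000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300",
    "12:00:01.004000 IP 192.168.1.1.67 > 192.168.1.30.68: BOOTP/DHCP, Reply, length 300",
    "12:00:01.005000 IP 192.168.1.10.123 > 192.168.1.1.123: NTPv4, Client, length 48",
]


@dataclass
class Packet:
    proto: str               # "arp" or "ip"
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    line: str                # the original text line, for display


IP_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ")
ARP_RE = re.compile(r"^\S+ ARP, ")


def parse_line(line: str) -> Optional[Packet]:
    """Turn one tcpdump text line into a Packet; None for lines we don't model."""
    if ARP_RE.match(line):
        return Packet("arp", None, None, None, None, line)
    m = IP_RE.match(line)
    if m:
        return Packet("ip", m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), line)
    return None


def port_number(name: str) -> int:
    """Resolve a service name (like tcpdump does via /etc/services) or a number."""
    return SERVICES[name] if name in SERVICES else int(name)


def compile_filter(expression: str):
    """Compile a tcpdump-like expression into a predicate over Packet.

    Grammar (precedence high to low, as in BPF): not > and > or.
    Primitives: arp | host <addr> | port <name-or-number>
    """
    tokens = expression.split()
    pos = 0

    def primitive():
        nonlocal pos
        tok = tokens[pos]
        if tok == "arp":
            pos += 1
            return lambda p: p.proto == "arp"
        if tok == "host":
            addr = tokens[pos + 1]
            pos += 2
            return lambda p: p.proto == "ip" and addr in (p.src, p.dst)
        if tok == "port":
            n = port_number(tokens[pos + 1])
            pos += 2
            return lambda p: p.proto == "ip" and n in (p.sport, p.dport)
        raise ValueError(f"unsupported primitive: {tok}")

    def term():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            inner = term()
            return lambda p: not inner(p)
        return primitive()

    def conjunction():
        nonlocal pos
        terms = [term()]
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            terms.append(term())
        return lambda p: all(t(p) for t in terms)

    def disjunction():
        nonlocal pos
        alts = [conjunction()]
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            alts.append(conjunction())
        return lambda p: any(a(p) for a in alts)

    predicate = disjunction()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return predicate


def apply_filter(expression: str, lines: List[str]) -> List[str]:
    """Return only the lines tcpdump would have shown for this expression."""
    keep = compile_filter(expression)
    return [pkt.line for pkt in map(parse_line, lines) if pkt is not None and keep(pkt)]


if __name__ == "__main__":
    # Tactic 1: subtract the known noise (ARP, my own ssh session, DNS).
    # Tactic 2: listen only for DHCP server traffic.
    for expr in ("not arp and not host 192.168.1.50 and not port domain", "port bootps"):
        print(f"== {expr} ==")
        for shown in apply_filter(expr, SAMPLE_LINES):
            print(shown)
```

With the sample lines, the subtractive filter leaves the two DHCP lines and the NTP query, which is exactly the "window mostly quiet, now trigger the event" state Bob describes; `port bootps` leaves only the two DHCP lines. Real tcpdump evaluates the filter in the kernel with BPF rather than on text, and `-i any` output carries extra per-packet fields this parser does not model, but the logic of what each expression excludes or selects is the same.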