tcpdump on enc0


tcpdump on enc0

posting (Bugzilla)
Does tcpdump work on enc0?

-Stephen-


Re: tcpdump on enc0

Marcus Glocker
On Wed, Jul 05, 2006 at 11:10:43AM -0600, Stephen Bosch wrote:

> Does tcpdump work on enc0?
>
> -Stephen-

$ man enc

"The enc interface allows an administrator to see outgoing packets before
they have been processed by ipsec(4), or incoming packets after they have
been similarly processed, via tcpdump(8)."

--
Marcus Glocker, [hidden email], http://www.nazgul.ch -----------------


Re: tcpdump on enc0

Roy Morris-4
In reply to this post by posting (Bugzilla)
tcpdump -entttv -i enc0


Stephen Bosch wrote:
> Does tcpdump work on enc0?
>
> -Stephen-


Re: tcpdump on enc0

posting (Bugzilla)
In reply to this post by Marcus Glocker
Marcus Glocker wrote:

> On Wed, Jul 05, 2006 at 11:10:43AM -0600, Stephen Bosch wrote:
>
>> Does tcpdump work on enc0?
>>
>> -Stephen-
>
> $ man enc
>
> "The enc interface allows an administrator to see outgoing packets before
> they have been processed by ipsec(4), or incoming packets after they have
> been similarly processed, via tcpdump(8)."

I am not seeing any traffic on enc0 when using tcpdump, that is why I asked.

Thanks,

-Stephen-


Re: tcpdump on enc0

Hans-Joerg Hoexer
In reply to this post by posting (Bugzilla)
On Wed, Jul 05, 2006 at 11:10:43AM -0600, Stephen Bosch wrote:
> Does tcpdump work on enc0?
>
> -Stephen-
>
yes:

<hshoexer@yerbouti:1>$ sudo tcpdump -n -i enc0
Password:
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: listening on enc0, link-type ENC
19:32:49.036465 (authentic,confidential): SPI 0x7483bd72: 192.168.3.14.738 >
192.168.3.28.2049: xid 0x93071cba 112 getattr [|nfs]
19:32:49.037284 (authentic,confidential): SPI 0x97ed55a0: 192.168.3.28.2049 >
192.168.3.14.738: xid 0x93071cba reply ok 96 getattr DIR 40755 ids 0/0 sz 512
19:32:49.086492 (authentic,confidential): SPI 0x3beb96bd: 192.168.3.14.671 >
192.168.3.27.2049: xid 0x93071ecc 112 getattr [|nfs]
19:32:49.087405 (authentic,confidential): SPI 0x358880c8: 192.168.3.27.2049 >
192.168.3.14.671: xid 0x93071ecc reply ok 96 getattr DIR 40755 ids 0/0 sz 512
19:32:54.199148 (authentic,confidential): SPI 0x3beb96bd: 192.168.3.14.788 >
192.168.3.27.2049: xid 0x72000000 40 null
19:32:54.199847 (authentic,confidential): SPI 0x358880c8: 192.168.3.27.2049 >
192.168.3.14.788: xid 0x72000000 reply ok 24 null
^C
6 packets received by filter
0 packets dropped by kernel
<hshoexer@yerbouti:2>$


Re: tcpdump on enc0

Otto Moerbeek
In reply to this post by posting (Bugzilla)
On Wed, 5 Jul 2006, Stephen Bosch wrote:

> Does tcpdump work on enc0?

Are you really too lazy to read a manual page?

        -Otto


Re: tcpdump on enc0

posting (Bugzilla)
Otto Moerbeek wrote:
> On Wed, 5 Jul 2006, Stephen Bosch wrote:
>
>> Does tcpdump work on enc0?
>
> Are you really too lazy to read a manual page?

Please don't get me started. I have been working on this problem with
precious little assistance from folks like you for over a week now, and
I've read enough man pages to bind two volumes.

So the answer to your question, Otto, is "No."

-Stephen-


Re: tcpdump on enc0

posting (Bugzilla)
In reply to this post by Otto Moerbeek
Otto Moerbeek wrote:
> On Wed, 5 Jul 2006, Stephen Bosch wrote:
>
>> Does tcpdump work on enc0?
>
> Are you really too lazy to read a manual page?

And for the record -- since some people found that question beyond the
pale -- I have been tcpdumping enc0 all morning and I am seeing no
traffic, in spite of the fact that I have active SAs up and running.

And why?

Because the man page doesn't mention that tcpdump ignores the host
parameter when used with enc0 (this is something someone else was kind
enough to point out, proving that the question wasn't pointless).

So -- let's try this -- let's fix the man page, instead of being snarky
and blaming the person asking the question.

Thank you for your help.

-Stephen-


Re: tcpdump on enc0

fuzzyping
In reply to this post by posting (Bugzilla)
On Jul 5, 2006, at 1:31 PM, Stephen Bosch wrote:

> Marcus Glocker wrote:
>> On Wed, Jul 05, 2006 at 11:10:43AM -0600, Stephen Bosch wrote:
>>
>>> Does tcpdump work on enc0?
>>>
>>> -Stephen-
>>
>> $ man enc
>>
>> "The enc interface allows an administrator to see outgoing packets  
>> before
>> they have been processed by ipsec(4), or incoming packets after  
>> they have
>> been similarly processed, via tcpdump(8)."
>
> I am not seeing any traffic on enc0 when using tcpdump, that is why  
> I asked.

Don't use any tcpdump filters, they don't work with enc0.  A simple  
"tcpdump -ni enc0" should be sufficient to see any packets crossing  
your tunnel.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
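
Added example, not part of the original posts: when enc0 is captured without a filter expression, as suggested above, the host selection can be applied to the text output afterwards. The Python below parses lines in the format posted earlier in this thread (sample lines copied from that output, mail line-wrapping kept); all function names are hypothetical.

```python
import re

# Sample copied from the "tcpdump -n -i enc0" output posted in this thread,
# including the banner line and the mail-wrapped continuation lines.
SAMPLE = """\
tcpdump: listening on enc0, link-type ENC
19:32:49.036465 (authentic,confidential): SPI 0x7483bd72: 192.168.3.14.738 >
192.168.3.28.2049: xid 0x93071cba 112 getattr [|nfs]
19:32:49.037284 (authentic,confidential): SPI 0x97ed55a0: 192.168.3.28.2049 >
192.168.3.14.738: xid 0x93071cba reply ok 96 getattr DIR 40755 ids 0/0 sz 512
19:32:49.086492 (authentic,confidential): SPI 0x3beb96bd: 192.168.3.14.671 >
192.168.3.27.2049: xid 0x93071ecc 112 getattr [|nfs]
^C
"""

TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
RECORD = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \((?P<flags>[^)]*)\): "
    r"SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

def join_wrapped(text):
    """Start a record at each timestamp; glue wrapped tails onto it."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if TIMESTAMP.match(line):
            records.append(line)
        elif line and records and not RECORD.match(records[-1]):
            # Previous record is still incomplete, so this is its tail.
            records[-1] += " " + line
    return records

def parse(text):
    """Return one dict per packet line; banner and trailer lines are dropped."""
    packets = []
    for record in join_wrapped(text):
        match = RECORD.match(record)
        if not match:
            continue
        pkt = match.groupdict()
        pkt["flags"] = pkt["flags"].split(",")
        # With -n, IPv4 endpoints print as a.b.c.d.port
        pkt["src_host"], _, pkt["src_port"] = pkt["src"].rpartition(".")
        pkt["dst_host"], _, pkt["dst_port"] = pkt["dst"].rpartition(".")
        packets.append(pkt)
    return packets

def for_host(packets, host):
    """Post-capture stand-in for a 'host' filter: match inner src or dst."""
    return [p for p in packets if host in (p["src_host"], p["dst_host"])]
```

Grouping the parsed packets by the `spi` field instead of by host shows which SA each flow is actually using.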


Re: tcpdump on enc0

Otto Moerbeek
In reply to this post by posting (Bugzilla)
On Wed, 5 Jul 2006, Stephen Bosch wrote:

> Otto Moerbeek wrote:
> > On Wed, 5 Jul 2006, Stephen Bosch wrote:
> >
> >> Does tcpdump work on enc0?
> >
> > Are you really too lazy to read a manual page?
>
> And for the record -- since some people found that question beyond the
> pale -- I have been tcpdumping enc0 all morning and I am seeing no
> traffic, in spite of the fact that I have active SAs up and running.
>
> And why?
>
> Because the man page doesn't mention that tcpdump ignores the host
> parameter when used with enc0 (this is something someone else was kind
> enough to point out, proving that the question wasn't pointless).
>
> So -- let's try this -- let's fix the man page, instead of being snarky
> and blaming the person asking the question.
>
> Thank you for your help.

I think that is very clear, after all the src and dst addresses are
part of the ipsec encapsulated header, and not of a regular IP header.
The host specifier of tcpdump only applies to IP headers.

        -Otto


Re: tcpdump on enc0

Matthew R. Dempsky
In reply to this post by posting (Bugzilla)
On Wed, Jul 05, 2006 at 11:30:54AM -0600, Stephen Bosch wrote:
> I am not seeing any traffic on enc0 when using tcpdump, that is why I
> asked.

Are you sure IPsec is being used?  Can you see IPsec-processed traffic
on the physical interface?


Re: tcpdump on enc0

Paul de Weerd
In reply to this post by posting (Bugzilla)
On Wed, Jul 05, 2006 at 12:09:49PM -0600, Stephen Bosch wrote:
| Otto Moerbeek wrote:
| > On Wed, 5 Jul 2006, Stephen Bosch wrote:
| >
| >> Does tcpdump work on enc0?
| >
| > Are you really too lazy to read a manual page?
|
| And for the record -- since some people found that question beyond the
| pale -- I have been tcpdumping enc0 all morning and I am seeing no
| traffic, in spite of the fact that I have active SAs up and running.
|
| And why?
|
| Because the man page doesn't mention that tcpdump ignores the host
| parameter when used with enc0 (this is something someone else was kind
| enough to point out, proving that the question wasn't pointless).
|
| So -- let's try this -- let's fix the man page, instead of being snarky
| and blaming the person asking the question.

Let's try asking more informed questions then. You asked 'Does tcpdump
work on enc0?'. The answer to this question is literally in the
manpage. Had you given some context, you might have gotten more in
depth responses. Here's an example :

        Hey everybody,

        I see in the manpage for enc that tcpdump should
        work on these pseudo-devices. I'm trying right now
        with "tcpdump enc0 host 1.2.3.4" but I don't see any
        traffic. I do have active SAs up and running, so
        what is going on ? Of course I googled it, but I
        came up empty handed...

        Any response would be appreciated.

        Thanks,

        Stephen Bosch


Had you given all the info you're giving us now beforehand in your
single lined posting to this mailing list, I bet you would have gotten
more useful answers. The only one who seems snarky is you, IMO.

Cheers,

Paul 'WEiRD' de Weerd

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/



Re: tcpdump on enc0

Will H. Backman
In reply to this post by Otto Moerbeek
Otto Moerbeek wrote:

> On Wed, 5 Jul 2006, Stephen Bosch wrote:
>
>  
>> Otto Moerbeek wrote:
>>    
>>> On Wed, 5 Jul 2006, Stephen Bosch wrote:
>>>
>>>      
>>>> Does tcpdump work on enc0?
>>>>        
>>> Are you really too lazy to read a manual page?
>>>      
>> And for the record -- since some people found that question beyond the
>> pale -- I have been tcpdumping enc0 all morning and I am seeing no
>> traffic, in spite of the fact that I have active SAs up and running.
>>
>> And why?
>>
>> Because the man page doesn't mention that tcpdump ignores the host
>> parameter when used with enc0 (this is something someone else was kind
>> enough to point out, proving that the question wasn't pointless).
>>
>> So -- let's try this -- let's fix the man page, instead of being snarky
>> and blaming the person asking the question.
>>
>> Thank you for your help.
>>    
>
> I think that is very clear, after all the src and dst addresses are
> part of the ipsec encapsulated header, and not of a regular IP header.
> The host specifier of tcpdump only applies to IP headers.
>
> -Otto
>
>  
Perhaps the lesson learned is:  Include the command you are typing with
any help request.


Re: tcpdump on enc0

posting (Bugzilla)
In reply to this post by Matthew R. Dempsky
Matthew R. Dempsky wrote:
> On Wed, Jul 05, 2006 at 11:30:54AM -0600, Stephen Bosch wrote:
>> I am not seeing any traffic on enc0 when using tcpdump, that is why I
>> asked.
>
> Are you sure IPsec is being used?  Can you see IPsec-processed traffic
> on the physical interface?

Aye, I have other tunnels up that are working.

This is part of my effort to get this NAT through IPsec working. The
traffic is not going where I expect it to.

I'm looking for a place to listen that will give me some insight into
the problem.

Thanks,

-Stephen-


Re: tcpdump on enc0

Chris Kuethe
In reply to this post by posting (Bugzilla)
On 7/5/06, Stephen Bosch <[hidden email]> wrote:
> Does tcpdump work on enc0?

Did you ifconfig enc0 up?

--
GDB has a 'break' feature; why doesn't it have 'fix' too?