Trying to get tcpdump to work

Jeffrey Mogul mogul at wrl.dec.com
Thu May 9 09:08:16 AEST 1991 

In article <tih.673686101 at barsoom> tih at barsoom.nhh.no (Tom Ivar Helbekkmo) writes:
>I set up my packet filter to run in promiscuous mode here yesterday, on
>a 5000/200 with 4.1, and our whole VAXcluster (VMS) started crashing like
>nobody's business...  I've heard that promiscuous mode will break LAT if
>you've got LAT installed on the Ultrix host running it, which I haven't,
>but I'm wondering if it still may have been my experimenting that killed
>the VAXen.  We use LAT very extensively, in fact 3 out of every 4 packets
>on our ethernet are LAT packets.  Anybody know anything about it?

[In a separate message, Tom told me he had successfully run tcpdump
on his workstation.]

If the workstation where you ran tcpdump really and truly does not
have LAT installed (i.e., configured into its kernel), and if you
didn't run any applications that sent packets via the packet filter,
then I can't see any possible way for what you did to crash the VMS
machines.  Running the packet filter in promiscuous mode should not
cause any novel packets to be sent.

Perhaps your kernel does contain LAT support, and perhaps the use
of promiscuous mode is confusing the LAT code enough that it sends
weird packets that then confuse the VMS machines.  It has already
been made clear by several people on this newsgroup that Ultrix
4.1 has a problem when LAT and promiscuous mode are used together,
but if the VMS machines are also crashing, that is news to me.
(I believe that the Ultrix problem has been fixed in Ultrix 4.2).

Since several people have reported similar problems, I would appreciate
getting more precise details, describing the exact sequence of events.
For example, I don't believe that simply running "/etc/pfconfig +p -a"
can explain this, since all that this command does is to set a flag
that, later on, allows the interface to be put into promiscuous mode
by programs such as tcpdump.  On the other hand, if the crash occurs
while tcpdump is running, or right after you stop running tcpdump,
that would be helpful to know.

It would also be helpful if you would send me a copy of your Ultrix
configuration file (e.g., conf/{mips,vax}/CONFIGNAME), so I can see
whether LAT is really in your Ultrix kernel or not.  (And please provide
the usual information on Ultrix version number, processor type, etc.)

Please send this to "mogul at decwrl.dec.com", not to comp.unix.ultrix.  I can't
promise that I will be able to do anything, but I'll try.

Thanks
-Jeff

More information about the Comp.unix.ultrix mailing list