SUMMARY: Use of tcpdump (not showing telnet sessions)

From: George Gallen <ggallen_at_slackinc.com>
Date: Fri, 05 Jun 1998 09:50:59 -0400

The solution was to configure my card for promiscuous mode:
pfconfig +c +p tu0

RESPONSES:
You need to kick your card into promiscuous/copyall mode to
see everything:

pfstat tu0 (or ln0 or whatever) will show if it's in that
mode:

pfconfig +c +p tu0

will do the trick. You do need to be root to do this. You
may not want to leave your card that way (as anyone else who
logs on might (depending on permissions and such) be able to
snoop the network).

Hope this helps
S
-- 
-------------------------------------------------------------------------
Sean O'Connell                                  Email: sean_at_stat.Duke.EDU
Institute of Statistics and Decision Sciences   Phone: (919) 684-5419
Duke University                                 Fax:   (919) 684-8594
-------------------------------------------------------------------------
From arnaud valeix (arnaud.valeix_at_sncf.fr):
First, before using tcpdump, did you try to do this:
	pfconfig -a +promisc +copyall -b 255
	Anyway, try this.
-------------------------------------------------------------------------
And to anyone else who responds after this -- Thanx
ORIGINAL POST
We have been having some network clog ups. Initially I needed to
MAKEDEV pfilt in order for tcpdump to function (my kernel already
had support compiled into it for packetfilter).
When I run tcpdump by itself to display all network activity, I can
see my LAT connections from the terminal server to the alpha and
some misc router activity on another part of the network; however,
I have yet to see the telnet session traffic. Why wouldn't tcpdump
show those? I have read the man pages (many times), I have tried
different switches, I tried tcpdump ip to filter out the LATs, still
no luck.
I probably am not running it correctly. I can see the telnet connections
with netstat, but I want to see if there is some kind of denial of
service attack going on during the clog ups, so I figured tcpdump would
show what traffic is slowing it down.
If there was a short on the network, would that show up in any form
under tcpdump?
Are there any other programs (public domain or GNU) which would help
to determine the slowdowns?
The problem is that if the terminal servers can't talk to our alpha
server for over 1 second, LAT drops all the sessions (logging anyone on
the terminal server off from unix - not a good thing).
Could a denial of service clog up a network enough to knock out the
LAT connections? Apparently, if LAT can't contact its connection after
1 second it drops the connection, whereas telnet will wait much, much
longer.
Thanx
George Gallen
ggallen_at_slackinc.com
Received on Fri Jun 05 1998 - 15:53:07 NZST
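The responses above enable promiscuous/copyall mode on the packetfilter interface with pfconfig and warn against leaving the card that way, because anyone else with access to the packetfilter could then snoop the network. Here is an added example, not code from the thread or from any of its posters: a small POSIX shell wrapper that turns the mode on only for the duration of one tcpdump run and turns it off again on exit, including on Ctrl-C or a failed capture. It uses the pfconfig +c +p form from the thread and assumes the following, none of which the thread states: that pfconfig -c -p clears those two flags again, that the interface is tu0, and that the PFCONFIG and TCPDUMP variables may be pointed at other commands (used here so the wrapper can be exercised with stubs).

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps a tcpdump capture on the
# Digital UNIX packetfilter so the interface is only in promiscuous/copyall
# mode while the capture runs. Must be run as root, as the reply notes.
#
# Assumptions (not from the thread): pfconfig -c -p clears the flags that
# +c +p set; the interface is tu0; PFCONFIG/TCPDUMP may be overridden.
IFACE="${IFACE:-tu0}"
PFCONFIG="${PFCONFIG:-pfconfig}"
TCPDUMP="${TCPDUMP:-tcpdump}"

# Enable copyall (+c) and promiscuous (+p) mode on one interface, as in the thread.
pf_enable() {
    "$PFCONFIG" +c +p "$1"
}

# Turn the flags back off so other users with packetfilter access cannot keep
# snooping after the capture is over (assumed -c -p syntax).
pf_disable() {
    "$PFCONFIG" -c -p "$1"
}

# Run tcpdump on interface $1 with the remaining arguments as the capture
# expression. A subshell with an EXIT trap guarantees pf_disable runs whether
# tcpdump ends normally, fails, or is interrupted. Returns tcpdump's exit status.
capture_with_restore() {
    iface="$1"
    shift
    (
        trap 'pf_disable "$iface"' EXIT
        trap 'exit 130' INT TERM
        pf_enable "$iface"
        "$TCPDUMP" -i "$iface" "$@"
    )
}

# Usage: sh capture.sh --run [tcpdump expression...]
# e.g.   sh capture.sh --run ip   (the thread's "tcpdump ip" filter that leaves out LAT)
if [ "${1:-}" = "--run" ]; then
    shift
    capture_with_restore "$IFACE" "$@"
fi
```

The EXIT trap is set before pf_enable is called, so even a failure in pfconfig itself leaves the interface in a known state; the INT/TERM traps convert a signal into a normal exit so the EXIT trap still fires. Whether the flags really took effect can be checked with pfstat tu0, as the first reply suggests.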

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:37 NZDT