Re: [SLUG] hosts.allow vs. syslogd vs. router

From: Andrew M. Hoerter (amh@pobox.com)
Date: Wed Oct 08 2003 - 20:41:12 EDT


On Wednesday, Oct 8, 2003, at 19:46 US/Eastern, Eben King wrote:

> "tcpdump: listening on eth0"
>
> and then nothing, even when I restart the router. Does tcpdump work
> outside of tcpd, syslogd, and all other programs? I think so, but
> hey...

Yes, tcpdump operates at the link layer and bypasses everything else
(or it should anyway).

So, if you're seeing nothing, either the device isn't sending out any
syslog packets, or it's failing to ARP for the IP address of the syslog
server. If you run tcpdump again without the "port syslog" bit, you'll
see all traffic on that interface, including any possible ARP requests
that are failing.

I don't think that's your problem, but I mention it for the sake of
completeness.

The only other possibilities I can think of are packet filter settings
on the device preventing the syslog data from leaving, or if you have a
switched Ethernet, some kind of bizarre switch problem isolating the
syslog server from the device.

But if you can telnet/ping/etc. from one to the other, it's probably
just a problem with the device itself. (perhaps you already mentioned
whether that works, I don't recall)

> When I hit ^C, tcpdump prints
>
> <number> packets received by filter
>
> That's <number> on all ports, yes?

Actually, it depends on the platform running tcpdump. Sometimes it's
the total number of packets received by tcpdump on that interface,
sometimes it's only those packets that matched the filter expression.

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:55:38 EDT