Intel 10GB NIC tcpdump
-
Dear All,
Please let me know if it is possible to use tcpdump with Intel 10GB ethernet NICs under 2.4.4-RELEASE-p2 (amd64) as it used to be possible with 1GB cards.
I have one security sensitive VLAN with little traffic, where I would like to trace packets. For a long time, I used shellcmd
tcpdump -pni lagg0.7 -s40 -G3600 -z gzip -w /tcpdump/captureVlan7-%F--%H-%M-%S.pcap
Now, I have upgraded all LAN connections to 10GB Ethernet in two variants. Most servers are C3858. Their onboard NICs are:
"Ethernet Connection X553/X557-AT 10GBASE-T"
One remaining server is C2757 with an addon card:
"Ethernet Controller 10G X550T"
Since upgrading to 10GB, booting does not go beyond the shellcmd. The console does not end with the usual welcome greeting listing networks and options. It is rather stuck at:
tcpdump: listening on lagg0.7, link-type EN10MB (Ethernet), capture size 40 bytes
Without success, I did try all tuning and troubleshooting steps listed for ix cards under https://www.netgate.com/docs/pfsense/hardware/tuning-and-troubleshooting-network-cards.html?highlight=ixgbe
Regards,
Michael
-
There is no difference as far as I'm aware. I've run packet captures on 10G NICs hundreds of times.
You are starting a tcpdump from a shellcmd?
What command are you using exactly? Why are you doing that?
Does it continue to boot once the dump is complete?
Steve
-
Dear Steve,
The method is "shellcmd" from the shellcmd package. The command I used to use is:
tcpdump -pni lagg0.7 -s40 -G3600 -z gzip -w /tcpdump/captureVlan7-%F--%H-%M-%S.pcap
As far as I understand, the command runs indefinitely creating new files after 3600 seconds (option -G3600).
I am doing this because I suspect an increased risk of fetching a trojan in that subnet. For that case, I would like to retain the first bytes of packets.
Booting used to continue after kicking off the tcpdump process. Currently, the last entry on the command line is
tcpdump: listening on lagg0.7, link-type EN10MB (Ethernet), capture size 40 bytes
Further start actions are not executed, i.e., many services will not start automatically.
Regards,
Michael
-
Hmm, so the command remained the same? Just the interfaces in lagg0 that changed?
Steve