Intel 10GB NIC tcpdump



  • Dear All,

    Please let me know if it is possible to use tcpdump with Intel 10GB ethernet NICs under 2.4.4-RELEASE-p2 (amd64) as it used to be possible with 1GB cards.

    I have one security sensitive VLAN with little traffic, where I would like to trace packets. For a long time, I used shellcmd

    tcpdump -pni lagg0.7 -s40 -G3600 -z gzip -w /tcpdump/captureVlan7-%F--%H-%M-%S.pcap

    Now, I have upgraded all LAN connections to 10GB Ethernet in two variants. Most servers are C3858. Their onboard NICs are:

    "Ethernet Connection X553/X557-AT 10GBASE-T"

    One remaining server is C2757 with an addon card:

    "Ethernet Controller 10G X550T"

    Since upgrading to 10GB, booting does not go beyond the shellcmd. The console does not end with the usual welcome greeting listing networks and options. It is rather stuck at:

    tcpdump: listening on lagg0.7, link-type EN10MB (Ethernet), capture size 40 bytes

    Without success, I did try all tuning and troubleshooting steps listed for ix cards under https://www.netgate.com/docs/pfsense/hardware/tuning-and-troubleshooting-network-cards.html?highlight=ixgbe

    Regards,

    Michael


  • Netgate Administrator

    There is no difference as far as I'm aware. I've run packet captures on 10G NICs hundreds of times.

    You are starting a tcpdump from a shellcmd?

    What command are you using exactly? Why are you doing that?

    Does it continue to boot once the dump is complete?

    Steve



  • Dear Steve,

    The method is "shellcmd" from the shellcmd package. The command I used to use is:

    tcpdump -pni lagg0.7 -s40 -G3600 -z gzip -w /tcpdump/captureVlan7-%F--%H-%M-%S.pcap

    As far as I understand, the command runs indefinitely creating new files after 3600 seconds (option -G3600).

    I am doing this because I suspect an increased risk of fetching a trojan in that subnet. For that case, I would like to retain the first bytes of packets.

    Booting used to continue after kicking off the tcpdump process. Currently, the last entry on the command line is

    tcpdump: listening on lagg0.7, link-type EN10MB (Ethernet), capture size 40 bytes

    Further start actions are not executed, i.e., many services will not start automatically.

    Regards,

    Michael


  • Netgate Administrator

    Hmm, so the command remained the same? Just the interfaces in lagg0 that changed?

    Steve
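
Added example, not part of any post in this thread: a reader for the kind of 40-byte-snaplen capture the `-s40` option above produces, showing which header fields survive truncation. It assumes untagged Ethernet/IPv4 frames in a little-endian classic pcap file; the sample packet and its addresses are constructed.

```python
import socket
import struct

SNAPLEN = 40  # matches -s40 in the thread's tcpdump command

def build_sample_pcap():
    """Constructed sample: one 74-byte TCP SYN frame, stored truncated to SNAPLEN."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7"))
    # 20-byte TCP header plus 20 bytes of options (data offset = 10 words)
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1000, 0, 0xA0, 0x02,
                      65535, 0, 0) + bytes(20)
    frame = eth + ip + tcp
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, SNAPLEN, 1)
    rhdr = struct.pack("<IIII", 1700000000, 0, SNAPLEN, len(frame))
    return ghdr + rhdr + frame[:SNAPLEN]

def summarize(pcap):
    """Return one dict per record with the fields a truncated capture still holds."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    records, off = [], 24
    while off + 16 <= len(pcap):
        ts, _, caplen, wirelen = struct.unpack_from("<IIII", pcap, off)
        data = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        rec = {"ts": ts, "caplen": caplen, "wirelen": wirelen}
        if len(data) >= 34 and data[12:14] == b"\x08\x00":  # IPv4
            l4 = 14 + (data[14] & 0x0F) * 4                 # start of TCP/UDP
            rec["proto"] = data[23]
            rec["src"] = socket.inet_ntoa(data[26:30])
            rec["dst"] = socket.inet_ntoa(data[30:34])
            if rec["proto"] in (6, 17) and len(data) >= l4 + 4:
                rec["sport"], rec["dport"] = struct.unpack_from("!HH", data, l4)
            # TCP flags sit 13 bytes into the TCP header, past a 40-byte cut
            has_flags = rec["proto"] == 6 and len(data) > l4 + 13
            rec["tcp_flags"] = data[l4 + 13] if has_flags else None
        records.append(rec)
    return records

if __name__ == "__main__":
    for r in summarize(build_sample_pcap()):
        print(r)
```

With a 20-byte IP header, the capture keeps both endpoints and ports plus the original wire length, but not the TCP flags or any payload.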

