There is no end to learning, documenting as we go!—— Liu Li Kang Kang
Communication relies on packet inspection, and the prerequisite for packet inspection is the ability to capture useful packets.
tcpdump is a very useful command for packet capture on Linux, but I recently encountered a strange capture result. When using any to capture all interfaces, it shows IP Invalid:
If you use -w to save as a pcap file, it shows Bogus IPv4 version and other unreadable content in Wireshark, which seriously affects packet analysis.

After raising an issue in tcpdump, the developers quickly pointed out that this problem is caused by a version bug in libpcap.
The issue link is: https://github.com/the-tcpdump-group/tcpdump/issues/1092, where you can see a more detailed description of the libpcap bug.
So how do you circumvent this issue?
If you carefully inspect the logs of tcpdump capturing different interfaces, you’ll see a prompt for the link-type in use:
If it’s LINUX_SLL2, and the version of libpcap is lower than 1.10.2, the IP Invalid issue will likely occur (Bogus IPv4 version in Wireshark).
The solution is to use the -y parameter to specify LINUX_SLL as the data-link-type:
If you want to determine whether to change the data-link-type in a shell script, one way is to check the current version of libpcap. If it’s less than 1.10.2 and the interface is any, use LINUX_SLL; otherwise, use the default link-type. The rough implementation is as follows:
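One way to implement this check in POSIX sh, as an added example that is not the author's original script. The function names and the RUN_CAPTURE switch are hypothetical, and the 1.10.2 threshold is the one stated above:

```shell
#!/bin/sh
# Added example (not the original author's script): pick the tcpdump
# link-type from the libpcap version, following the rule stated above.
# Function names and RUN_CAPTURE are hypothetical.

FIXED_LIBPCAP="1.10.2"   # per the page: lower versions mis-handle LINUX_SLL2

# Read `tcpdump --version` text on stdin, print the libpcap version.
# Constructed sample line: "libpcap version 1.10.1 (with TPACKET_V3)"
parse_libpcap_version() {
    sed -n 's/^libpcap version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_lt A B: succeed when dotted version A is lower than B.
# Missing components count as 0, so an empty A is lower than anything.
version_lt() {
    a=$1; b=$2
    old_ifs=$IFS; IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    [ "$a1" -ne "$b1" ] && { [ "$a1" -lt "$b1" ]; return; }
    [ "$a2" -ne "$b2" ] && { [ "$a2" -lt "$b2" ]; return; }
    [ "$a3" -lt "$b3" ]
}

# Print extra tcpdump arguments for IFACE when libpcap VERSION is affected.
# An unparsable (empty) version falls back to LINUX_SLL on "any".
linktype_args() {
    iface=$1; ver=$2
    if [ "$iface" = "any" ] && version_lt "$ver" "$FIXED_LIBPCAP"; then
        printf '%s\n' "-y LINUX_SLL"
    fi
}

# Capture on IFACE; remaining arguments are passed to tcpdump unchanged.
run_capture() {
    iface=$1; shift
    ver=$(tcpdump --version 2>&1 | parse_libpcap_version)
    # Unquoted on purpose: "-y LINUX_SLL" must split into two arguments.
    tcpdump -i "$iface" $(linktype_args "$iface" "$ver") "$@"
}

# Example: RUN_CAPTURE=1 sh capture.sh any -c 10 -w out.pcap
if [ "${RUN_CAPTURE:-0}" = "1" ]; then
    run_capture "$@"
fi
```

The comparison is done component by component rather than as a string, so 1.9.x is correctly treated as older than 1.10.2.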
Another solution is to upgrade tcpdump, ensuring that the libpcap version is 1.10.2 or higher. This is a better option because when using the LINUX_SLL2 link-type, you can see specifically which interface a packet came in on and which it went out of.
Additionally, here are some tcpdump parameters that were useful for this case.
How to check the version of tcpdump? --version:
How to see the supported data-link-types for an interface? -L/--list-data-link-types parameter:
How to see the list of interfaces tcpdump can capture on? --list-interfaces/-D parameter:
That’s it!