TCPDump VLAN – Analyzing TCPDump Length with VLAN

tcpdumpvlan

I run ping:

ping -c 15 -s 120 -D 192.5.15.22

The same time I watch tcpdump:

tcpdump -n -e -vv -ttt -i iavf0 vlan
tcpdump: listening on iavf0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:00:00.000000 52:54:00:d6:e6:62 > 3a:db:46:ce:e8:b7, ethertype 802.1Q (0x8100), length 166: vlan 11, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 148, bad cksum 0 (->9d33)!)
192.5.15.22 > 192.5.15.23: ICMP echo request, id 26245, seq 0, length 128
00:00:00.000161 3a:db:46:ce:e8:b7 > 52:54:00:d6:e6:62, ethertype 802.1Q (0x8100), length 166: vlan 11, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 148)
192.5.15.23 > 192.5.15.22: ICMP echo reply, id 26245, seq 0, length 128
00:00:01.040554 52:54:00:d6:e6:62 > 3a:db:46:ce:e8:b7, ethertype 802.1Q (0x8100), length 166: vlan 11, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 148, bad cksum 0 (->9d33)!)

If I am correct I see 166 bytes lenghts (166-120=46 bytes) because Ethernet field (18 bytes) is not seen by User Space. It is cut-off by the Kernel Space, am I right?
I do not know why I see 148 bytes? 148-120=28 bytes, where is the rest up to 64 bytes?
What is the reason of bad checksum?

Best Answer

Sending an ICMP packet with a data payload of 120 bytes.
The ICMP (echo request) header is 8 bytes for a total ICMP size of 128 bytes.
The IPv4 header of the packet carrying this ICMP payload is 20 bytes (when not using any IP option) for a total IPv4 packet size of 148 bytes.
The Ethernet header with additional 802.1Q header of the frame carrying this IPv4 payload is 18 bytes (instead of 14 bytes for non VLAN-tagged frames), for a total size of 166 bytes. Those 18 bytes might be hidden from applications working at IP layer, but they aren't hidden from everything (eg: tcpdump did capture them), whatever possible special format they might be available as. (Note: in the previous Wikipedia link, the Preamble and CRC/FCS are usually not seen by the system but only by the NIC and not counted toward the usual frame length.)

Apparent bad checksum in output is because of hardware acceleration. Most NICs can do IPv4 checksum offload in hardware/firmware so the NIC's driver and/or the network stack know(s) there's no need to do any checksum and the IPv4 checksum field isn't computed (or recomputed when routing) by the OS. As tcpdump captures the emitted frame before it is actually processed by the NIC's hardware/firmware this IPv4 field has still an incorrect value yet to be computed on the fly by the NIC.

Related Solutions

Packet loss rate with iperf and tcpdump

I've experienced significant dataloss with iPerf in UDP mode as a result of the CPU not being able to keep up. For some reason, iPerf with UDP seems to be much more CPU intensive than iPerf with TCP. Do you experience the same loss percentages when you set iPerf to half the rate?

To answer your second question about how much packet loss is acceptable, it really depends on what application you are running, how much traffic you've got. Really, there shouldn't be any loss if you are under your bandwidth limit. For most things, I probably wouldn't complain too much about .25%, but that is still a lot of loss if you are running at really high rates.

[EDIT 1] Some other thoughts that I've had on the topic:

Try incrementing the rates of iPerf. If there is a systemic problem somewhere, it is likely that you'll experience the same percentage of loss no matter what the rate. If you are at the limits of your hardware, or your provider does some sort of RED, then there will likely be no loss up to a certain rate, and then incrementally worse loss the higher above that you go.
Do your tcpdump measurement of the iPerf session, just to verify that your tests are accurate.
Try iPerf with TCP. This won't report loss, but if you are getting loss then the connection won't be able to scale up very high. Since latency will also affect this, make sure to test to an endpoint with as little latency as possible.
Depending on what gear you have on the inside of your connection, make sure you are as close it it as possible. E.g. if you have multiple switches between your test system and the edge router, move to a directly connected switch.
If you have a managed switch, check the stats on it to make sure the loss isn't occurring there. I've encountered some cheaper switches that start dropping when you get close to 100Mbps of UDP traffic on them (mostly old and cheap unmanaged switches though).
Try simultaneous iPerfs from two different clients to two different hosts, so that you can be sure the limit isn't a result of CPU or a cheap local NIC card.

tcpdump – How to Capture ACK or SYN Packets

The pcap filter syntax used for tcpdump should work exactly the same way on wireshark capture filter.

With tcpdump I would use a filter like this.

tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"

Check out the tcpdump man page, and pay close attention to the tcpflags.

Be sure to also check out the sections in the Wireshark Wiki about capture and display filters. Unfortunately the two types of filters use a completely different syntax, and different names for the same thing.

If you wanted a display filter instead of capture filter you would probably need to build an expression combining tcp.flags.ack, and tcp.flags.syn. I am far more familiar with capture filters though, so you'll have to work that out on your own.

http://wiki.wireshark.org/DisplayFilters
- Display filter ref: http://www.wireshark.org/docs/dfref/
- TCP display ref: http://www.wireshark.org/docs/dfref/t/tcp.html
http://wiki.wireshark.org/CaptureFilters

Best Answer

Related Solutions

Packet loss rate with iperf and tcpdump

tcpdump – How to Capture ACK or SYN Packets

Related Topic