Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uwm.edu!linac!att!pacbell.com!decwrl!pa.dec.com!mogul From: mogul@wrl.dec.com (Jeffrey Mogul) Newsgroups: comp.unix.ultrix Subject: Re: Trying to get tcpdump to work Message-ID: <1991May8.230816.25416@pa.dec.com> Date: 8 May 91 23:08:16 GMT References: <1991May7.141459.11191@fcom.cc.utah.edu> Sender: news@pa.dec.com (News) Organization: DEC Western Research Lines: 46 In article tih@barsoom.nhh.no (Tom Ivar Helbekkmo) writes: >I set up my packet filter to run in promiscuous mode here yesterday, on >a 5000/200 with 4.1, and our whole VAXcluster (VMS) started crashing like >nobody's business... I've heard that promiscuous mode will break LAT if >you've got LAT installed on the Ultrix host running it, which I haven't, >but I'm wondering if it still may have been my experimenting that killed >the VAXen. We use LAT very extensively, in fact 3 out of every 4 packets >on our ethernet are LAT packets. Anybody know anything about it? [In a separate message, Tom told me he had successfully run tcpdump on his workstation.] If the workstation where you ran tcpdump really and truly does not have LAT installed (i.e., configured into its kernel), and if you didn't run any applications that sent packets via the packet filter, then I can't see any possible way for what you did to crash the VMS machines. Running the packet filter in promiscuous mode should not cause any novel packets to be sent. Perhaps your kernel does contain LAT support, and perhaps the use of promiscuous mode is confusing the LAT code enough that it sends weird packets that then confuse the VMS machines. It has already been made clear by several people on this newsgroup that Ultrix 4.1 has a problem when LAT and promiscuous mode are used together, but if the VMS machines are also crashing, that is news to me. (I believe that the Ultrix problem has been fixed in Ultrix 4.2). Since several people have reported similar problems, I would appreciate getting more precise details, describing the exact sequence of events. For example, I don't believe that simply running "/etc/pfconfig +p -a" can explain this, since all that this command does is to set a flag that, later on, allows the interface to be put into promiscuous mode by programs such as tcpdump. On the other hand, if the crash occurs while tcpdump is running, or right after you stop running tcpdump, that would be helpful to know. It would also be helpful if you would send me a copy of your Ultrix configuration file (e.g., conf/{mips,vax}/CONFIGNAME), so I can see whether LAT is really in your Ultrix kernel or not. (And please provide the usual information on Ultrix version number, processor type, etc.) Please send this to "mogul@decwrl.dec.com", not to comp.unix.ultrix. I can't promise that I will be able to do anything, but I'll try. Thanks -Jeff