Re: Mysteriously stops...

[Guy Harris <guy () alum mit edu>]

On Wed, Apr 14, 2004 at 04:56:49PM -0400, Norman Elton wrote:
> We've got a system running RedHat Enterprise WS 3.1, kernel 
> 2.4.21-9.0.1, running tcpdump 3.7.2 and libpcap 0.7.2. When I run a 
> tcpdump (tcpdump -i eth2 -nne), things run fine for about two minutes, 
> then the dump mysterious stops, as if I killed it using Control-C. It 
> reports the number of packets analyzed and drops, and returns me to the 
> command line.

So is that the tcpdump that comes with RH Enterprise WS 3.1, or is it
built from tcpdump.org's source?

> Needless to say, I didn't ask the dump to stop! This doesn't happen on 
> other boxes,

With the same version of tcpdump?

> but it does happen on other interfaces on the same server 
> running the Intel e100 driver. A card running e1000 doesn't seem to 
> have any problems.

On the same machine that's having problems with e100 interfaces?

> I'm at a loss for ideas. Is there a valid reason why a tcpdump would 
> stop without my telling it to do so?

None that I know of - 3.7.2 from tcpdump.org has a "-c" flag to tell it
to stop after a specified number of packets have been captured, and a
"-C" flag to tell it to stop before it'd have written out a specified
number of megabytes, and if it receives a SIGTERM, SIGINT, or SIGHUP,
it'll stop, but it shouldn't stop spontaneously.  You didn't mention a
"-c" or "-C" flag, and you presumably didn't ^C it or send it a signal
from the command line, so about the only way I could see this happening
would be if it were delivered one of those signals for some other
reason, e.g. the kernel deciding to send it that signal for some reason.

You didn't mention a "-w" flag - were you saving to a file in binary
form with "-w", or are you getting printed output?  If it's printed
output, is it going to a file, or just to the terminal?
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.