<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Can you try tcpdump? It seems able to show all packets.</p>
<p>Steve<br>
</p>
<br>
<div class="moz-cite-prefix">On 28/04/17 15:32, Andrew Furey wrote:<br>
</div>
<blockquote
cite="mid:CAMW7W7XZZWqU+b8uEpRXp9D4y12etq+mOq1fML4aUZHjS=M2MA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>Just a correlation - on my standard Wheezy homebrew
gateway with two nics, I don't see any PPPoE packets through
iftop on the raw interface either (iftop -i eth1, which ppp0
runs on top of). Ifconfig looks like this:<br>
<br>
eth1 Link encap:Ethernet HWaddr 74:da:38:9c:75:b1<br>
inet6 addr: fe80::76da:38ff:fe9c:75b1/64
Scope:Link<br>
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500
Metric:1<br>
RX packets:631715166 errors:0 dropped:1769
overruns:0 frame:0<br>
TX packets:554353641 errors:0 dropped:0 overruns:0
carrier:0<br>
collisions:0 txqueuelen:1000<br>
RX bytes:2854283371 (2.6 GiB) TX bytes:3337899266
(3.1 GiB)<br>
Interrupt:43 Base address:0x4000<br>
<br>
ppp0 Link encap:Point-to-Point Protocol<br>
inet addr:blah P-t-P:blah Mask:255.255.255.255<br>
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492
Metric:1<br>
RX packets:3162633 errors:0 dropped:0 overruns:0
frame:0<br>
TX packets:3398939 errors:0 dropped:0 overruns:0
carrier:0<br>
collisions:0 txqueuelen:3<br>
RX bytes:664127785 (633.3 MiB) TX bytes:600514443
(572.6 MiB)<br>
<br>
<br>
</div>
Maybe that's just how iftop works? I don't have the others
installed to test with.<br>
<br>
</div>
Andrew<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 28 April 2017 at 14:27, steve boak <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:sboak@westnet.com.au" target="_blank">sboak@westnet.com.au</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class=""> On
28/04/17 13:00, byron ester wrote:<br>
<blockquote type="cite">
<div dir="ltr">
<div>Are you running iftop in promiscuous mode (-p)?</div>
<div>Is it running as root?</div>
</div>
</blockquote>
<br>
<br>
</span> Thanks Byron, checked a few things...<br>
<br>
<b>sudo iftop -p -i br0</b> only displays occasional DHCP
packets,<br>
<br>
<b>sudo tcpdump -i br0</b> and <b>sudo tcpdump
--no-promiscuous-mode -i br0</b> both display all
packets including decoded PPPoE as mentioned earlier -
showing that the br0 interface being in promiscuous mode
already is working.<br>
<br>
I only really mentioned iftop as an example, although it
does illustrate the problem and is easily replicated.<br>
<br>
I am actually running ntopng as a service on a headless
machine, accessed on port 3000 (standard debian jessie apt
install). From what I can glean from various places,
ntopng (as a service) starts as root, attaches to the
interface in promiscuous mode, then drops privileges and
runs as 'nobody'. The actual running process is:<br>
<br>
nobody 13524 3.9 2.7 151588 26424 ? Ssl
13:32 1:08 /usr/sbin/ntopng --daemon --pid
/var/tmp/ntopng.pid -w 3000 -i br0<br>
<br>
I tried starting ntopng directly as root with <b>sudo
/usr/sbin/ntopng -w 3000 -i br0</b>. I get a few status
lines logged on the console, everything looks good,
including capture on br0.<br>
<br>
But still no PPPoE packets seen, just occasional DHCP
requests.<span class="HOEnZb"><font color="#888888"><br>
<br>
Steve</font></span>
<div>
<div class="h5"><br>
<br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 28, 2017 at
12:28 PM, steve boak <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:sboak@westnet.com.au"
target="_blank">sboak@westnet.com.au</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">Hi All<br>
<br>
I have an NBN satellite connection which is
still not yet up to the reliability I would
like, so I have been investigating methods of
monitoring the connection.<br>
<br>
I have a Raspberry Pi in bridge configuration
(extra USB ethernet adapter) in line between
the router and satellite modem. The router
establishes a PPPoE session with Westnet, so
most of the traffic I should see is
encapsulated in PPPoE packets.<br>
<br>
The Pi works well, I can monitor throughput
with interface stats and all passing traffic
is visible on the bridge port br0 when using
tcpdump - for example:<br>
<br>
11:21:56.072589 PPPoE [ses 0xe993] LCP,
Echo-Request (0x09), id 203, length 14<br>
11:21:56.073087 PPPoE [ses 0xe993] LCP,
Echo-Reply (0x0a), id 203, length 14<br>
<br>
However, when I use iftop, ntop, or the newer
ntopng I can only see regular IP packets and
PPPoE traffic seems to be ignored or hidden.<br>
<br>
br0 is in promiscuous mode, and all packets
are available because tcpdump can see them.<br>
<br>
pi@raspberrypi:~ $ ifconfig<br>
br0 Link encap:Ethernet HWaddr
70:11:24:8c:e7:9b<br>
inet addr:192.168.100.254
Bcast:192.168.100.255 Mask:255.255.255.0<br>
inet6 addr:
fe80::7211:24ff:fe8c:e79b/64 Scope:Link<br>
UP BROADCAST RUNNING PROMISC
MULTICAST MTU:1500 Metric:1<br>
RX packets:1315251 errors:0
dropped:44581 overruns:0 frame:0<br>
TX packets:966 errors:0 dropped:0
overruns:0 carrier:0<br>
collisions:0 txqueuelen:0<br>
RX bytes:1019322018 (972.1 MiB) TX
bytes:355421 (347.0 KiB)<br>
<br>
eth0 Link encap:Ethernet HWaddr
b8:27:eb:02:59:76<br>
UP BROADCAST RUNNING MULTICAST
MTU:1500 Metric:1<br>
RX packets:1115843 errors:0
dropped:0 overruns:0 frame:0<br>
TX packets:637565 errors:0 dropped:0
overruns:0 carrier:0<br>
collisions:0 txqueuelen:1000<br>
RX bytes:1137978736 (1.0 GiB) TX
bytes:207997192 (198.3 MiB)<br>
<br>
eth1 Link encap:Ethernet HWaddr
70:11:24:8c:e7:9b<br>
UP BROADCAST RUNNING MULTICAST
MTU:1500 Metric:1<br>
RX packets:636600 errors:0 dropped:0
overruns:0 frame:0<br>
TX packets:1116809 errors:0
dropped:0 overruns:0 carrier:0<br>
collisions:0 txqueuelen:1000<br>
RX bytes:193628821 (184.6 MiB) TX
bytes:1158423387 (1.0 GiB)<br>
<br>
Is there something I have missed? ntopng looks
like it should decode PPPoE packets, but all I
can see is a few DHCP requests on the
interface. The same with iftop.<br>
<br>
Thanks in advance for any ideas...<span
class="m_-6489853374452729166HOEnZb"><font
color="#888888"><br>
<br>
Steve<br>
<br>
-- <br>
Steve Boak, VK6HSB, 0411 255 789, P.O. Box
240, Nannup, WA 6275<br>
<br>
______________________________<wbr>_________________<br>
PLUG discussion list: <a
moz-do-not-send="true"
href="mailto:plug@plug.org.au"
target="_blank">plug@plug.org.au</a><br>
<a moz-do-not-send="true"
href="http://lists.plug.org.au/mailman/listinfo/plug"
rel="noreferrer" target="_blank">http://lists.plug.org.au/mailm<wbr>an/listinfo/plug</a><br>
Committee e-mail: <a
moz-do-not-send="true"
href="mailto:committee@plug.org.au"
target="_blank">committee@plug.org.au</a><br>
PLUG Membership: <a
moz-do-not-send="true"
href="http://www.plug.org.au/membership"
rel="noreferrer" target="_blank">http://www.plug.org.au/members<wbr>hip</a><br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<pre class="m_-6489853374452729166moz-signature" cols="72">--
Steve Boak, VK6HSB, 0411 255 789, P.O. Box 240, Nannup, WA 6275</pre>
</div></div></div>
</blockquote></div>
--
<div class="gmail_signature" data-smartmail="gmail_signature">Linux supports the notion of a command line or a shell for the same
reason that only children read books with only pictures in them.
Language, be it English or something else, is the only tool flexible
enough to accomplish a sufficiently broad range of tasks.
-- Bill Garrett</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Steve Boak, VK6HSB, 0411 255 789, P.O. Box 240, Nannup, WA 6275</pre></body></html>
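<p>Added example, not part of the thread: a small parser for the frames behind tcpdump lines such as <code>PPPoE [ses 0xe993] LCP, Echo-Request</code>, comparing a classifier that reads only the outer EtherType with one that also strips the PPPoE and PPP headers. The frames are constructed and the names <code>outer_only</code>, <code>decapsulate</code> and <code>pppoe_hdr</code> are hypothetical; EtherType 0x8864 and the PPP protocol numbers are the standard values, and nothing here is taken from iftop or ntopng.</p>

```python
import struct

ETH_IPV4 = 0x0800
ETH_PPPOE_SESSION = 0x8864  # PPPoE session stage (RFC 2516)
PPP_IPV4, PPP_LCP = 0x0021, 0xC021
LCP_CODES = {9: "Echo-Request", 10: "Echo-Reply"}

def ipv4_pair(packet):
    """Return 'IPv4 src -> dst' from the fixed 20-byte IPv4 header."""
    if len(packet[:20]) != 20:
        return "truncated IPv4 header"
    src, dst = (".".join(map(str, packet[i:i + 4])) for i in (12, 16))
    return "IPv4 %s -> %s" % (src, dst)

def outer_only(frame):
    """Classify on the outer EtherType alone; PPPoE payloads stay opaque."""
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype == ETH_IPV4:
        return ipv4_pair(frame[14:])
    return "non-IP, ethertype 0x%04x" % ethertype

def decapsulate(frame):
    """Peel Ethernet, the 6-byte PPPoE header and the PPP protocol field."""
    if int.from_bytes(frame[12:14], "big") != ETH_PPPOE_SESSION:
        return outer_only(frame)
    # A short header is zero-padded so it fails the version/type check below.
    ver_type, code, session, length = struct.unpack("!BBHH", frame[14:20].ljust(6, b"\0"))
    payload = frame[20:20 + length]  # length field excludes the header itself
    if (ver_type, code) != (0x11, 0) or len(payload) != length or length in (0, 1):
        return "malformed PPPoE session frame"
    proto = int.from_bytes(payload[:2], "big")
    tag = "PPPoE [ses 0x%04x] " % session
    if proto == PPP_IPV4:
        return tag + ipv4_pair(payload[2:])
    if proto == PPP_LCP and len(payload[2:4]) == 2:
        name = LCP_CODES.get(payload[2], "code %d" % payload[2])
        return tag + "LCP, %s, id %d" % (name, payload[3])
    return tag + "PPP protocol 0x%04x" % proto

# Constructed sample frames (not captured traffic); MACs and IPs are made up.
MACS = bytes.fromhex("020000000001020000000002")
IP_HDR = bytes.fromhex("450000140000400040060000") + bytes([192, 0, 2, 10, 198, 51, 100, 7])
LCP_ECHO = bytes([9, 203]) + struct.pack("!H", 12) + bytes(8)
pppoe_hdr = lambda n: struct.pack("!HBBHH", ETH_PPPOE_SESSION, 0x11, 0, 0xE993, n)
SAMPLES = [
    MACS + pppoe_hdr(14) + b"\xc0\x21" + LCP_ECHO,  # LCP echo in session 0xe993
    MACS + pppoe_hdr(22) + b"\x00\x21" + IP_HDR,    # IPv4 carried inside PPPoE
    MACS + struct.pack("!H", ETH_IPV4) + IP_HDR,    # plain IPv4 on Ethernet
]
for frame in SAMPLES:
    print("%-32s | %s" % (outer_only(frame), decapsulate(frame)))
```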