Has anyone had problems with using current Intel quad ethernet cards for packet capture? As a proof-of-concept test we bought an Intel PWLA8494GT and hooked it up to some Network Critical taps. There was a very strange issue with corruption of the captured packets. The *only* issue (but it's a big one) is that the source IP on some captured packets is munged. As far as I can tell that's the *only* issue with the packet captures - no other data is corrupted. Oh, and to rule out other issues: 1. Corruption seen both when using network taps and when using a port span/mirror (so it's not the taps). 2. Corruption *not* seen using the on-board broadcom nics of the test host (so it's not the box). So I'm pretty sure we narrowed it down to the card. We tried the card in an indentical host and saw the same problems. I thought it might be a driver issue - I tried both gentoo and FreeBSD (not sure how different the drivers are) just to see if it mattered at all and it didn't. Much googling didn't show this to be a known issue - just wondering if anyone else has seen it? Other recommendations welcome - the next step is, I suppose, a broadcom-based PCI-X card. (I've got some old pizza boxes I'm trying to repurpose as network probes.) Thanks, John -- John A. Kilpatrick john@hypergeek.net Email| http://www.hypergeek.net/ john-page@hypergeek.net Text pages| ICQ: 19147504 remember: no obstacles/only challenges
Hello John , On Sun, 15 Feb 2009, John A. Kilpatrick wrote:
Has anyone had problems with using current Intel quad ethernet cards for packet capture? As a proof-of-concept test we bought an Intel PWLA8494GT and hooked it up to some Network Critical taps. There was a very strange issue with corruption of the captured packets. The *only* issue (but it's a big one) is that the source IP on some captured packets is munged. As far as I can tell that's the *only* issue with the packet captures - no other data is corrupted.
Oh, and to rule out other issues:
1. Corruption seen both when using network taps and when using a port span/mirror (so it's not the taps). 2. Corruption *not* seen using the on-board broadcom nics of the test host (so it's not the box).
So I'm pretty sure we narrowed it down to the card. We tried the card in an indentical host and saw the same problems.
I thought it might be a driver issue - I tried both gentoo and FreeBSD (not sure how different the drivers are) just to see if it mattered at all and it didn't. Much googling didn't show this to be a known issue - just wondering if anyone else has seen it? Other recommendations welcome - the next step is, I suppose, a broadcom-based PCI-X card. (I've got some old pizza boxes I'm trying to repurpose as network probes.)
Thanks, John Does this device provide 4 unique mac-addresses ? Reason for the question is some old(I mean old) multiport cards presented a single mac-address because the were driven by a single 'Switch chip' . Just a thought . I've been looking a the Intel site gandering over the overview & have not seen anything to relieve my concern . But one Hopes they have learned not to create themselves such a problem .
Hth , JimL -- +------------------------------------------------------------------+ | James W. Laferriere | System Techniques | Give me VMS | | Network&System Engineer | 2133 McCullam Ave | Give me Linux | | babydr@baby-dragons.com | Fairbanks, AK. 99701 | only on AXP | +------------------------------------------------------------------+
Has anyone had problems with using current Intel quad ethernet cards for packet capture? As a proof-of-concept test we bought an Intel PWLA8494GT and hooked it up to some Network Critical taps. There was a very strange issue with corruption of the captured packets. The *only* issue (but it's a big one) is that the source IP on some captured packets is munged. As far as I can tell that's the *only* issue with the packet captures - no other data is corrupted.
Oh, and to rule out other issues:
1. Corruption seen both when using network taps and when using a port span/mirror (so it's not the taps). 2. Corruption *not* seen using the on-board broadcom nics of the test host (so it's not the box).
So I'm pretty sure we narrowed it down to the card. We tried the card in an indentical host and saw the same problems.
I thought it might be a driver issue - I tried both gentoo and FreeBSD (not sure how different the drivers are) just to see if it mattered at all and it didn't. Much googling didn't show this to be a known issue - just wondering if anyone else has seen it? Other recommendations welcome - the next step is, I suppose, a broadcom-based PCI-X card. (I've got some old pizza boxes I'm trying to repurpose as network probes.)
Thanks, John Does this device provide 4 unique mac-addresses ? Reason for
Yea cards are default for separate physicals MACs, since they are supported by individual net chips. The only time one would see a "logical" Mac, is when the ports are trunked, and this is driven by software. Jay Murphy IP Network Specialist NM Department of Health ITSD - IP Network Operations Santa Fe, New Mexico 87502 Bus. Ph.: 505.827.2851 "We move the information that moves your world." -----Original Message----- From: Mr. James W. Laferriere [mailto:babydr@baby-dragons.com] Sent: Monday, February 16, 2009 11:39 AM To: John A. Kilpatrick Cc: nanog@nanog.org Subject: Re: Capture problems with Intel quad cards? Hello John , On Sun, 15 Feb 2009, John A. Kilpatrick wrote: the question is some old(I mean old) multiport cards presented a single mac-address because the were driven by a single 'Switch chip' . Just a thought . I've been looking a the Intel site gandering over the overview & have not seen anything to relieve my concern . But one Hopes they have learned not to create themselves such a problem . Hth , JimL -- +------------------------------------------------------------------+ | James W. Laferriere | System Techniques | Give me VMS | | Network&System Engineer | 2133 McCullam Ave | Give me Linux | | babydr@baby-dragons.com | Fairbanks, AK. 99701 | only on AXP | +------------------------------------------------------------------+ ______________________________________________________________________ This inbound email has been scanned by the MessageLabs Email Security System. ______________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
Has anyone had problems with using current Intel quad ethernet cards for packet capture? As a proof-of-concept test we bought an Intel PWLA8494GT and hooked it up to some Network Critical taps. There was a very strange issue with corruption of the captured packets. The *only* issue (but it's a big one) is that the source IP on some captured packets is munged. As far as I can tell that's the *only* issue with the packet captures - no other data is corrupted.
Oh, and to rule out other issues:
1. Corruption seen both when using network taps and when using a port span/mirror (so it's not the taps). 2. Corruption *not* seen using the on-board broadcom nics of the test host (so it's not the box).
So I'm pretty sure we narrowed it down to the card. We tried the card in an indentical host and saw the same problems.
I thought it might be a driver issue - I tried both gentoo and FreeBSD (not sure how different the drivers are) just to see if it mattered at all and it didn't. Much googling didn't show this to be a known issue - just wondering if anyone else has seen it? Other recommendations welcome - the next step is, I suppose, a broadcom-based PCI-X card. (I've got some old pizza boxes I'm trying to repurpose as network probes.)
Thanks, John Does this device provide 4 unique mac-addresses ? Reason for
One more note.... it is a bridging chip, not switching, that is resident on the board that is the communicator to the other NIC chipsets. Jay Murphy IP Network Specialist NM Department of Health ITSD - IP Network Operations Santa Fe, New Mexico 87502 Bus. Ph.: 505.827.2851 "We move the information that moves your world." -----Original Message----- From: Mr. James W. Laferriere [mailto:babydr@baby-dragons.com] Sent: Monday, February 16, 2009 11:39 AM To: John A. Kilpatrick Cc: nanog@nanog.org Subject: Re: Capture problems with Intel quad cards? Hello John , On Sun, 15 Feb 2009, John A. Kilpatrick wrote: the question is some old(I mean old) multiport cards presented a single mac-address because the were driven by a single 'Switch chip' . Just a thought . I've been looking a the Intel site gandering over the overview & have not seen anything to relieve my concern . But one Hopes they have learned not to create themselves such a problem . Hth , JimL -- +------------------------------------------------------------------+ | James W. Laferriere | System Techniques | Give me VMS | | Network&System Engineer | 2133 McCullam Ave | Give me Linux | | babydr@baby-dragons.com | Fairbanks, AK. 99701 | only on AXP | +------------------------------------------------------------------+ ______________________________________________________________________ This inbound email has been scanned by the MessageLabs Email Security System. ______________________________________________________________________ Confidentiality Notice: This e-mail, including all attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited unless specifically provided under the New Mexico Inspection of Public Records Act. If you are not the intended recipient, please contact the sender and destroy all copies of this message. -- This email has been scanned by the Sybari - Antigen Email System.
On Mon, Feb 16, 2009 at 12:35 AM, John A. Kilpatrick <john@hypergeek.net> wrote:
Has anyone had problems with using current Intel quad ethernet cards for packet capture? As a proof-of-concept test we bought an Intel PWLA8494GT and hooked it up to some Network Critical taps. There was a very strange issue with corruption of the captured packets. The *only* issue (but it's a big one) is that the source IP on some captured packets is munged. As far as I can tell that's the *only* issue with the packet captures - no other data is corrupted.
Dumb question... It sounds like you've only used the card in packet capture mode (i.e. promiscuous mode). Have you tried testing the card just for normal host-to-host network flows? Maybe you have a bad card? If you still see problems on host-host flows, it's more likely to be a bad card rather then a bad driver. (Given that a driver that can't handle host-host flows is going to be obvious pretty quickly.) Good Luck, Bill Bogstad
Hello, On Sun, Feb 15, 2009 at 09:35:30PM -0800, John A. Kilpatrick wrote:
Has anyone had problems with using current Intel quad ethernet cards for packet capture? As a proof-of-concept test we bought an Intel PWLA8494GT and hooked it up to some Network Critical taps. There was a very strange issue with corruption of the captured packets. The *only* issue (but it's a big one) is that the source IP on some captured packets is munged. As far as I can tell that's the *only* issue with the packet captures - no other data is corrupted. ... So I'm pretty sure we narrowed it down to the card. We tried the card in an indentical host and saw the same problems.
About three years back we had an issue with a dual-port E1000 NIC in Intel 7230NH based 1U servers. Together with the knowledgeable folks at iXsystems we tracked that down to a PCI riser card issue. The 'default' riser was the standard PCB 1U with perpendicular female PCI connector. Using these we saw checksum mismatches on many packets using FreeBSD. After replacing this riser with another one that has a flat ribbon cable to draw more power from an adjacent PCI slot all works well. We did similar elimination troubleshooting: the board worked fine, the card worked fine, the card worked fine when sticking it into the slot while the case was open. Just when using the riser we had trouble. -andreas -- Andreas Ott K6OTT andreas@naund.org
participants (5)
-
Andreas Ott -
Bill Bogstad -
John A. Kilpatrick -
Mr. James W. Laferriere -
Murphy, Jay, DOH