tcpdump port xx bug ? - only happens on interface connected to pppoe
John-Mark Gurney
gurney_j at resnet.uoregon.edu
Tue Dec 14 11:28:13 PST 2004
Axel Gonzalez wrote this message on Tue, Dec 14, 2004 at 01:48 -0600:
> Ok, found the 'bug'.. maybe it helps someone ;)
>
> It only happens on the interface connected to DSL modem
>
> note the: > tcpdump: WARNING: rl0: no IPv4 address assigned
>
> when accessing the interface rl0 and specify a port, it can't capture packets,
> but it can capture packets with no problems on tun0 (tun0 is the interface
> that actually has the ip)
>
> still is weird how it can capture packages when no port is specified, but then
> maybe it's the way it's supposed to be :)
>
> On Tuesday 14 December 2004 00:08, Conrad J. Sabatier wrote:
> > On Mon, 13 Dec 2004 23:02:50 -0600, Axel Gonzalez <loox at e-shell.net> wrote:
> > > is anyone able to confirm or deny this (before a PR is filed)?
> > >
> > > # tcpdump port xx
> > >
> > > doesn't seem to work:
> > >
> > > su-2.05b# tcpdump port http
> > > tcpdump: WARNING: rl0: no IPv4 address assigned
> > > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > > listening on rl0, link-type EN10MB (Ethernet), capture size 68 bytes
> > > ^C
> > > 0 packets captured
> > > 503 packets received by filter
> > > 0 packets dropped by kernel
> > >
> > >
> > > if no port is specified, it works fine:
> > >
> > > su-2.05b# tcpdump | grep freeb
> > > tcpdump: WARNING: rl0: no IPv4 address assigned
> > > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > > listening on rl0, link-type EN10MB (Ethernet), capture size 68 bytes
> > > 22:57:30.768184 PPPoE [ses 0xc744] IP xxxx.prod-infinitum.com.mx.55842 > www.freebsd.org.http: S 564552288:564552288(0) win 65535 <mss 1440,nop,[| tcp]>
                      ^^^^^^^^^^^^^^^^^^^
> > > 22:57:30.843127 PPPoE [ses 0xc744] IP www.freebsd.org.http > xxx.prod-infinitum.com.mx.55842: S 3276387435:3276387435(0) ack 564552289 win 57344 <mss 1460,nop,[|tcp]>
                      ^^^^^^^^^^^^^^^^^^^

You'd need to ping the tcpdump developers about the exact meaning
of port... I believe the port command only looks at unencapsulated
frames, which is what is happening here...

The compiler is probably just checking for the rules when the tcp/udp
packet is unencapsulated, probably because it'd be very difficult to
auto handle packets inside encapsulation..

So, this is probably a design decision... :)

--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
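
The effect discussed in this thread, as an added example that is not part of the original messages and is not libpcap's code: a simplified model of a `port` test that only looks at IPv4 carried directly in Ethernet, next to one that first skips the PPPoE session and PPP headers. The function names, MAC placeholders and IP addresses are assumptions constructed for the example; the ports, sequence number and session id are the ones in the capture above.

```python
import struct

ETH_IPV4, ETH_PPPOE_SESSION, PPP_IPV4 = 0x0800, 0x8864, 0x0021
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def l4_ports(ip):
    """Return (sport, dport) of an IPv4 TCP/UDP packet, or None."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ip[9] not in (IPPROTO_TCP, IPPROTO_UDP) or frag_offset or len(ip) < ihl + 4:
        return None
    return struct.unpack("!HH", ip[ihl:ihl + 4])

def port_match_plain(frame, port):
    """Match only IPv4 carried directly in Ethernet (the behaviour the reply suggests)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return False
    ports = l4_ports(frame[14:])
    return ports is not None and port in ports

def port_match_pppoe(frame, port):
    """Skip the 6-byte PPPoE session header and 2-byte PPP protocol field first."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETH_PPPOE_SESSION:
        return False
    if struct.unpack("!H", frame[20:22])[0] != PPP_IPV4:
        return False
    ports = l4_ports(frame[22:])
    return ports is not None and port in ports

def build_frames(sport=55842, dport=80, session=0xC744):
    """Constructed sample: one TCP SYN, as plain Ethernet and as PPPoE session."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 564552288, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    macs = bytes(6) + bytes(6)  # placeholder MAC addresses
    plain = macs + struct.pack("!H", ETH_IPV4) + ip + tcp
    # PPPoE: ver/type 0x11, code 0x00 (session data), session id, payload length
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session, 2 + len(ip) + len(tcp))
    encap = macs + struct.pack("!H", ETH_PPPOE_SESSION) + pppoe + struct.pack("!H", PPP_IPV4) + ip + tcp
    return plain, encap

if __name__ == "__main__":
    plain, encap = build_frames()
    for name, frame in (("plain", plain), ("pppoe", encap)):
        print(name, port_match_plain(frame, 80), port_match_pppoe(frame, 80))
```

Current libpcap filter syntax has a `pppoes` keyword that shifts the decoding offsets for the rest of the expression in the same way, for example `tcpdump -i rl0 pppoes and port http`.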