bpf issues
Edward Dean
edwarddean3 at gmail.com
Mon Sep 14 18:06:22 UTC 2009
Good day,
I hope this is the appropriate list. I am having issues using BPFs to
filter out traffic captures. If I want to block a specific host by IP, the
traffic is still recorded. I tried tcpdump and get the same results.
Am I missing something?
Examples:
# tcpdump -nt -i igb2 -w tcpdump.pcap not host 10.100.66.31
# tcpdump -nt -r tcpdump.pcap | less
IP 10.100.66.31.13724 > 10.100.66.30.3090: . 42904:44352(1448) ack 1 win 64340 <nop,nop,timestamp 1324022 586994>
IP 10.100.66.31.13724 > 10.100.66.30.3090: . 44352:45800(1448) ack 1 win 64340 <nop,nop,timestamp 1324022 586994>
IP 10.100.66.30.3090 > 10.100.66.31.13724: . ack 5792 win 65535 <nop,nop,timestamp 587015 1324022>
IP 10.100.66.31.13724 > 10.100.66.30.3090: . 45800:47248(1448) ack 1 win 64340 <nop,nop,timestamp 1324022 586994>
It gets stranger: if I read the pcap file and filter for the host, it returns
blank:
# tcpdump -nt -r tcpdump.pcap host 10.100.66.31
reading from file tcpdump.pcap, link-type EN10MB (Ethernet)
#
I have tried several variations of syntax and had no luck. I also used
several tools (tcpdump, tshark, daemonlogger) and have had the same results,
so I suspect it may be libpcap related. The system is running FreeBSD 7.2
GENERIC amd64.
Any suggestions would be much appreciated.
Cheers!
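As an added check (example code written for this page, not from the thread, libpcap or tcpdump): a small Python script that reads the pcap bytes directly, counts frames involving a host, and reports how many of those are 802.1Q-tagged. A plain "host" filter on an Ethernet link expects the IPv4 header right after the type field, so tagged frames fail "host" and pass "not host", which matches the symptom above; whether that is the cause here is an assumption, and the sample frames are constructed, not captured.

```python
import struct

# Constructed sample frames for the thread's two hosts (not captured data);
# the second is 802.1Q-tagged, which pushes the IPv4 header 4 bytes further in.
def _ipv4(src, dst):
    # Minimal 20-byte IPv4 header, protocol 6 (TCP), checksum left zero.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

_MACS = bytes.fromhex("00112233445566778899aabb")  # destination MAC + source MAC
PLAIN_FRAME = _MACS + b"\x08\x00" + _ipv4("10.100.66.31", "10.100.66.30")
TAGGED_FRAME = _MACS + b"\x81\x00\x00\x64\x08\x00" + _ipv4("10.100.66.31", "10.100.66.30")

def build_pcap(frames):
    """Serialise frames as a little-endian pcap file, link-type 1 (EN10MB)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for f in frames:
        out.append(struct.pack("<IIII", 0, 0, len(f), len(f)) + f)
    return b"".join(out)

def iter_frames(pcap):
    """Yield each captured frame from pcap bytes, honouring the magic's byte order."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + caplen]
        off += caplen

def ipv4_addrs(frame):
    """Return (src, dst, tagged) for an IPv4 frame, stepping over VLAN tags; else None."""
    off, tagged = 12, False
    while frame[off:off + 2] in (b"\x81\x00", b"\x88\xa8"):
        off, tagged = off + 4, True
    if frame[off:off + 2] != b"\x08\x00":
        return None
    ip = frame[off + 2:]
    return ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), tagged

def audit_host(pcap, host):
    """Count frames involving host, and how many of those carry a VLAN tag (a plain
    'host' filter expects the IP header right after the Ethernet type field)."""
    seen = tagged = 0
    for frame in iter_frames(pcap):
        addrs = ipv4_addrs(frame)
        if addrs and host in addrs[:2]:
            seen += 1
            tagged += addrs[2]
    return seen, tagged
```

To use it on a real capture, pass the file's bytes to audit_host; a non-zero second count means some frames for that host sit behind a VLAN tag that the filter expression would need to account for.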