ngrep/ixgbe bpf bug

elof2 at sentor.se elof2 at sentor.se
Tue Dec 1 11:22:42 UTC 2015 

Yes, 100% of the traffic is vlan-tagged, but I get the same results with:

ngrep -d ix1 "q" vlan
   no matches

If I invert the test to show all packets that do not contain "foobar", it 
still matches 0 packets:

ngrep -d ix1 -v "foobar"
ix1: no IPv4 address assigned: Can't assign requested address
interface: ix1
don't match: foobar
^Cexit
263567 received, 0 dropped

So 263567 vlan-tagged packets are received, 0 dropped.
There are "q":s in there, and I promise that they don't all contain 
"foobar". :)


If I add -R, to not drop privileges, I get the same result.



'tcpdump -i ix1 -lnes0' show packets just as it should:
12:14:02.113842 28:c0:da:db:c7:40 > 00:e0:20:11:0a:95, ethertype 802.1Q 
(0x8100), length 139: vlan 123, p 0, ethertype IPv4, 10.123.123.123.993 > 
10.321.321.321.50904: Flags [P.], seq 2632602368:2632602437, ack 
2214392113, win 8316, options [nop,nop,TS val 3824950099 ecr 179534445], 
length 69
...and so on... Everything looks just as expected.


#ifconfig ix1
ix1: flags=488c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
         options=8403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
         ether 0c:c4:7a:58:e2:3d
         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
         media: Ethernet autoselect (10Gbase-T <full-duplex>)
         status: active



Could ngrep fail because of monitor mode?
#ifconfig ix1 -monitor
#ifconfig ix1
ix1: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=8403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
         ether 0c:c4:7a:58:e2:3d
         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
         media: Ethernet autoselect (10Gbase-T <full-duplex>)
         status: active
#ngrep -d ix1 -v "foobar"
ix1: no IPv4 address assigned: Can't assign requested address
interface: ix1
don't match: foobar
^Cexit
157082 received, 0 dropped

Nope, same-same. Zero BPF matches.
#netstat -B
   Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
12293    ix1 p--s---    157082         0         0     0     0 ngrep
                                               ^^^^^^

/Elof


On Tue, 1 Dec 2015, Alexander V. Chernikov wrote:

> Do you have vlans on top of ixgbe?
> And actually I wonder what does tcpdump show for the same expression.
> ( and tcpdump -i ixX -lnes0 might provide good traces on what is going on)
>
> 30.11.2015, 19:09, "elof2 at sentor.se" <elof2 at sentor.se>:
>> No one has a theory?
>>
>> /Elof
>>
>> On Thu, 5 Nov 2015, elof2 at sentor.se wrote:
>>
>>>  Hi all!
>>>
>>>  Why don't ngrep work on ix interfaces?
>>>
>>>  It shows nice values if I sniff on other interfaces, e.g. igb0 and
>>>  bridge0:
>>>
>>>  # ngrep -d igb0 "q" ip
>>>  I see some matching packets. Everything looks good.
>>>
>>>  # netstat -B
>>>   Pid Netif Flags Recv Drop Match Sblen Hblen Command
>>>  1800 igb0 p--s--- 135 0 129 380 0 ngrep
>>>  The BPF stats show Recv and Match values. Good.
>>>
>>>  # ngrep -d bridge0 "q" ip
>>>   I see some matching packets. Good.
>>>
>>>  # netstat -B
>>>   Pid Netif Flags Recv Drop Match Sblen Hblen Command
>>>  1901 bridge0 p--s--- 661897 0 659170 425606 0 ngrep
>>>  Again, the BPF stats show Recv and Match values. Good.
>>>
>>>  However, if I sniff on an ix interface:
>>>
>>>  # ngrep -d ix1 "q" ip
>>>  I get no matching packets!
>>>
>>>  # netstat -B
>>>   Pid Netif Flags Recv Drop Match Sblen Hblen Command
>>>  1816 ix1 p--s--- 45340 0 0 0 0 ngrep
>>>                                                 ^^^
>>>  ...and the BPF stats always show zero Matches.
>>>
>>>  Bug in the ixgbe driver or in ngrep?
>>>
>>>  /Elof
>>>
>>>  _______________________________________________
>>>  freebsd-net at freebsd.org mailing list
>>>  https://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>  To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"

More information about the freebsd-net mailing list