tcpdump filter not functioning correctly with igb on FreeBSD 11.1
Eugene Grosbein
eugen at grosbein.net
Tue Feb 6 20:56:14 UTC 2018
07.02.2018 0:29, David Athay wrote:
> I am running tcpdump -ni igb0 with a filter, and I see some weird results.
>
> If I use ‘not’ with host or port then it shows only those hosts or ports, and if I don’t use ‘not’, and just use ‘host’ or ‘port’, it filters them out as if I had used ‘not’.
>
> tcpdump -ni igb0 not port 22
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 17:18:08.863067 IP X.X.X.X.22 > Y.Y.Y.Y.50893: Flags [P.], seq 521876235:521876423, ack 2066644163, win 1026, options [nop,nop,TS val 554193435 ecr 716910521], length 188
> 17:18:08.864772 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 0, win 23656, options [nop,nop,TS val 716910525 ecr 554193434], length 0
> 17:18:08.866353 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 188, win 23651, options [nop,nop,TS val 716910526 ecr 554193435], length 0
>
> tcpdump -ni igb0 not host X.X.X.X
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 17:20:21.901147 IP X.X.X.X.22 > Y.Y.Y.Y.50893: Flags [P.], seq 521879011:521879199, ack 2066645503, win 1026, options [nop,nop,TS val 554326474 ecr 717043360], length 188
> 17:20:21.902970 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 0, win 23656, options [nop,nop,TS val 717043364 ecr 554326472], length 0
> 17:20:21.903364 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 188, win 23650, options [nop,nop,TS val 717043364 ecr 554326474], length 0
>
> tcpdump -ni igb0 host X.X.X.X
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
> ^C
> 0 packets captured
> 55 packets received by filter
> 0 packets dropped by kernel
>
> tcpdump -ni igb0 port 22
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
> ^C
> 0 packets captured
> 408 packets received by filter
> 0 packets dropped by kernel
>
> Seems to work fine on our FreeBSD 10.3 servers that use igb, and doesn’t happen on FreeBSD 11.1 servers that use bge.
>
> Can anyone explain what is happening?
Please show output of:
tcpdump --version
uname -aUK