tcpdump filter not functioning correctly with igb on FreeBSD 11.1

David Athay davida at truespeed.com
Tue Feb 6 22:26:08 UTC 2018


> On 6 Feb 2018, at 22:19, Eugene Grosbein <eugen at grosbein.net> wrote:
> 
> 07.02.2018 5:10, David Athay wrote:
> 
>> # /usr/local/sbin/tcpdump --version
>> tcpdump version 4.9.0
>> libpcap version 1.8.1
>> OpenSSL 1.0.2n-freebsd  7 Dec 2017
>> 
>> Still same weirdness.
>> 
>> # /usr/local/sbin/tcpdump -ni igb0 not port 22 | less
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 22:03:28.941870 IP X.X.X.X.22 > 77.100.156.Y.52743: Flags [P.], seq 417632730:417632918, ack 196056259, win 1026, options [nop,nop,TS val 602028380 ecr 730520401], length 188
>> 22:03:28.969328 IP 77.100.156.Y.52743 > X.X.X.X.22: Flags [.], ack 0, win 4093, options [nop,nop,TS val 730520446 ecr 602028380], length 0
>> 22:03:28.969342 IP 77.100.156.Y.52743 > X.X.X.X.22: Flags [.], ack 188, win 4090, options [nop,nop,TS val 730520447 ecr 602028380], length 0
>> 
>> # /usr/local/sbin/tcpdump -ni igb0 not host 77.100.156.Y | less
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 22:05:58.807570 IP X.X.X.X.22 > 77.100.156.Y.52743: Flags [P.], seq 418507510:418507698, ack 196060707, win 1026, options [nop,nop,TS val 602178246 ecr 730669128], length 188
>> 22:05:58.831887 IP 77.100.156.Y.52743 > X.X.X.X.22: Flags [.], ack 0, win 4093, options [nop,nop,TS val 730669159 ecr 602178246], length 0
>> 22:05:58.838645 IP 77.100.156.Y.52743 > X.X.X.X.22: Flags [.], ack 188, win 4090, options [nop,nop,TS val 730669159 ecr 602178246], length 0
>> 
>> # /usr/local/sbin/tcpdump -ni igb0 host 77.100.156.Y
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> ^C
>> 0 packets captured
>> 140 packets received by filter
>> 0 packets dropped by kernel
> 
> 802.1Q vlan header can be a reason for exactly such behaviour.
> Please add -e flag to tcpdump flags and post output again.
> 

# /usr/local/sbin/tcpdump -eni igb0 not port 22 |less
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:19:25.589577 ac:1f:6b:13:a2:nn > 10:cd:ae:de:e9:nn, ethertype 802.1Q (0x8100), length 258: vlan 10, p 0, ethertype IPv4, X.X.X.X.22 > 77.100.156.Y.52743: Flags [P.], seq 418521610:418521798, ack 196067467, win 1026, options [nop,nop,TS val 602985028 ecr 731470580], length 188
22:19:25.619924 10:cd:ae:de:e9:nn > ac:1f:6b:13:a2:nn, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 77.100.156.Y.52743 > X.X.X.X.22: Flags [.], ack 4294967252, win 4094, options [nop,nop,TS val 731470613 ecr 602985027], length 0
22:19:25.626834 10:cd:ae:de:e9:nn > ac:1f:6b:13:a2:nn, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 77.100.156.Y.52743 > X.X.X.X.22: Flags [.], ack 0, win 4093, options [nop,nop,TS val 731470613 ecr 602985028], length 0
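The -e output shows every frame on igb0 carries an 802.1Q tag (ethertype 0x8100, vlan 10), so a plain `host` or `port` filter, which expects the IPv4 header at byte 14, never sees the addresses. The following added example (not from the thread; it builds a constructed frame with placeholder MACs and RFC 5737 addresses) mimics how such a filter locates the IPv4 header, with and without skipping the VLAN tag:

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100

def build_frame(src_ip: str, dst_ip: str, vlan_id: Optional[int] = None) -> bytes:
    """Constructed sample: Ethernet header, optional 802.1Q tag, bare IPv4 header."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")  # placeholder MACs
    if vlan_id is not None:
        # TPID 0x8100, then TCI = PCP(3) | DEI(1) | VID(12); PCP 0 as in the capture
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip

def ipv4_offset(frame: bytes, handle_vlan: bool) -> Optional[int]:
    """Offset of the IPv4 header, or None if the frame is not recognised as IPv4.
    Without VLAN handling only bytes 12-13 are checked, as a plain 'host' filter does."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_IPV4:
        return 14
    if handle_vlan and ethertype == ETHERTYPE_8021Q:
        inner = struct.unpack_from("!H", frame, 16)[0]  # ethertype after the 4-byte tag
        return 18 if inner == ETHERTYPE_IPV4 else None
    return None

def vlan_id(frame: bytes) -> Optional[int]:
    """VID from the TCI if the frame is 802.1Q tagged, else None."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF

def matches_host(frame: bytes, host: str, handle_vlan: bool = False) -> bool:
    """Equivalent of 'host <addr>': true if src or dst IPv4 address matches."""
    off = ipv4_offset(frame, handle_vlan)
    if off is None:
        return False
    src = IPv4Address(frame[off + 12:off + 16])
    dst = IPv4Address(frame[off + 16:off + 20])
    return IPv4Address(host) in (src, dst)

if __name__ == "__main__":
    tagged = build_frame("192.0.2.10", "198.51.100.7", vlan_id=10)
    print(vlan_id(tagged), matches_host(tagged, "192.0.2.10"),
          matches_host(tagged, "192.0.2.10", handle_vlan=True))  # 10 False True
```

In pcap filter syntax the `vlan` keyword performs the same offset shift, so `vlan and host 77.100.156.Y` (or `vlan 10 and not port 22`) is the filter to use on this tagged interface.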