tcpdump filter not functioning correctly with igb on FreeBSD 11.1

Eugene Grosbein eugen at grosbein.net
Tue Feb 6 22:47:41 UTC 2018


07.02.2018 5:26, David Athay wrote:

>> 802.1Q vlan header can be a reason for exactly such behaviour.
>> Please add -e flag to tcpdump flags and post output again.
> 
> # /usr/local/sbin/tcpdump -eni igb0 not port 22 |less
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 22:19:25.589577 ac:1f:6b:13:a2:nn > 10:cd:ae:de:e9:nn, ethertype 802.1Q (0x8100), length 258: vlan 10, p 0, ethertype IPv4, X.X.X.X.22 > 77.100.156.Y.52743: Flags [P.], seq 418521610:418521798, ack 196067467, win 1026, options [nop,nop,TS val 602985028 ecr 731470580], length 188

Well, that explains everything. You should use "vlan and not port 22" and "vlan and host X.X.X.X"
(same without "not") when filtering vlan-tagged traffic as documented in the pcap-filter(7) manual page
or else you get wrong results. "Works as intended".

Deinstall extra tcpdump/libcap packages, if you do not need them.
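
Why the tagged SSH packet in the capture above gets past "not port 22", as an added example (not part of the original message and not libpcap's own code): a simplified Python model of the fixed-offset checks such a filter performs on an Ethernet frame, with and without the 4-byte shift that the "vlan" keyword applies. The function names, addresses and sample frames are constructed for illustration, and only IPv4 TCP/UDP is modelled.

```python
import struct

ETH_IPV4, ETH_8021Q = 0x0800, 0x8100

def build_frame(sport, dport, vlan_id=None):
    """Constructed sample frame: Ethernet [+ 802.1Q tag] + IPv4 + TCP headers."""
    macs = bytes(12)  # placeholder destination and source MAC addresses
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 1026, 0, 0)
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip + tcp

def match_port(frame, port, l2_shift=0):
    """Fixed-offset 'port N' test (IPv4 TCP/UDP only), as a compiled filter does it."""
    off = 12 + l2_shift                      # where the EtherType is expected
    if len(frame) < off + 22:
        return False
    if struct.unpack_from("!H", frame, off)[0] != ETH_IPV4:
        return False                         # a tagged frame has 0x8100 at offset 12
    ip = off + 2
    if frame[ip + 9] not in (6, 17):         # protocol must be TCP or UDP
        return False
    if struct.unpack_from("!H", frame, ip + 6)[0] & 0x1FFF:
        return False                         # later fragments carry no port fields
    l4 = ip + 4 * (frame[ip] & 0x0F)         # skip the IPv4 header (IHL words)
    if len(frame) < l4 + 4:
        return False
    return port in struct.unpack_from("!HH", frame, l4)

def not_port(frame, port):
    """Model of the filter 'not port N'."""
    return not match_port(frame, port)

def vlan_and_not_port(frame, port):
    """Model of 'vlan and not port N': 'vlan' moves later offsets by 4 bytes."""
    is_vlan = struct.unpack_from("!H", frame, 12)[0] == ETH_8021Q
    return is_vlan and not match_port(frame, port, l2_shift=4)

if __name__ == "__main__":
    tagged_ssh = build_frame(22, 52743, vlan_id=10)   # like the frame in the capture
    print("not port 22          ->", not_port(tagged_ssh, 22))
    print("vlan and not port 22 ->", vlan_and_not_port(tagged_ssh, 22))
```

The same offset mismatch makes a plain "host X.X.X.X" filter match nothing on tagged traffic, because the IPv4 test at offset 12 fails before any address is compared.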


