From: Michael Scheidell
Date: Tue, 21 Dec 2010 18:39:54 -0500
Subject: Re: packet capture and if_bridge ignore bpf rules
Message-ID: <4D113ACA.5050104@secnap.com>
In-Reply-To: <4D03A13F.7070204@secnap.com>
List-Id: freebsd-security@freebsd.org

On 12/11/10 11:05 AM, Michael Scheidell wrote:
> I am just not working on tracking this down, and sometimes like to use
> tcpdump/tshark to watch specific packets on a host to look for
> 'interesting' things.
> I think I have seen this since 6.x. I don't remember it on 5.x, but
> 5.x used 'bridge' and 6.x and 7.x are using if_bridge.
>
> System is 7.3, amd64. Tried this on 6.x amd64, and i386. Same results.
> Googled a lot and didn't see anything I could use.
>

I'm an idiot. It's VLAN trunked traffic, for tagged VLAN packets.

On the systems that don't look like they work:

    (tshark|tcpdump) -niem0 vlan and net 204.89.241.0/24

works just fine.

-- 
Michael Scheidell, CTO
SECNAP Network Security Corporation
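
Why the plain `net` filter sees nothing on the trunk, as an added example that is not part of the original message: a `net` test reads the EtherType at byte 12 and the IPv4 addresses at fixed offsets behind a 14-byte Ethernet header, and an 802.1Q tag moves all of that 4 bytes later, which the `vlan` keyword accounts for. The frames, MAC addresses, VLAN ID, host addresses and function names are constructed for illustration, and the matchers are a simplified model of the filter, not libpcap code.

```python
import ipaddress
import struct

ETH_P_IP = 0x0800      # EtherType for IPv4
ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q VLAN tag

def ipv4_header(src, dst):
    """Minimal 20-byte IPv4 header (checksum left at 0; not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ether_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed Ethernet frame, optionally carrying an 802.1Q tag."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    return macs + tag + struct.pack("!H", ETH_P_IP) + ipv4_header(src_ip, dst_ip)

def match_net(frame, cidr, shift=0):
    """Model of `net CIDR`: EtherType at 12+shift, IPv4 header at 14+shift."""
    net = ipaddress.ip_network(cidr)
    if len(frame) < 34 + shift:
        return False
    (ethertype,) = struct.unpack_from("!H", frame, 12 + shift)
    if ethertype != ETH_P_IP:
        return False  # on a tagged frame, offset 12 holds 0x8100, so this fails
    src = ipaddress.IPv4Address(frame[26 + shift:30 + shift])
    dst = ipaddress.IPv4Address(frame[30 + shift:34 + shift])
    return src in net or dst in net

def match_vlan_and_net(frame, cidr):
    """Model of `vlan and net CIDR`: require the 802.1Q TPID, then shift by 4."""
    if len(frame) < 14:
        return False
    (tpid,) = struct.unpack_from("!H", frame, 12)
    return tpid == ETH_P_8021Q and match_net(frame, cidr, shift=4)

NET = "204.89.241.0/24"  # network from the message
# Constructed sample frames: same addresses, one untagged, one on VLAN 100.
untagged = ether_frame("204.89.241.10", "192.0.2.7")
tagged = ether_frame("204.89.241.10", "192.0.2.7", vlan_id=100)

if __name__ == "__main__":
    for name, frame in (("untagged", untagged), ("tagged", tagged)):
        print(name, "net:", match_net(frame, NET),
              "vlan and net:", match_vlan_and_net(frame, NET))
```

Because `vlan` shifts the decoding offsets for the rest of the expression, a filter meant to catch both tagged and untagged traffic has to put the untagged test first: `net 204.89.241.0/24 or (vlan and net 204.89.241.0/24)`.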