Date: Wed, 7 Feb 2018 05:47:21 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: David Athay <davida@truespeed.com>
Cc: freebsd-net@freebsd.org
Subject: Re: tcpdump filter not functioning correctly with igb on FreeBSD 11.1
Message-ID: <5A7A3079.4080404@grosbein.net>
In-Reply-To: <DBA7BD66-CDB7-4FF2-88E4-EBC2B71E1F3E@truespeed.com>
References: <95AA0EAB-B3D6-4E68-83B2-914894D6FB90@truespeed.com>
 <5A7A1657.4050706@grosbein.net>
 <E149211C-9207-4162-950D-1BA788AA3A5F@truespeed.com>
 <5A7A19DD.6050400@grosbein.net>
 <64C4AA32-5A49-4D6F-B7A7-93CDB0E59F09@truespeed.com>
 <5A7A24DC.0@grosbein.net>
 <293C7809-A1AE-4040-8963-F9A6802CB898@truespeed.com>
 <5A7A29D6.3050307@grosbein.net>
 <DBA7BD66-CDB7-4FF2-88E4-EBC2B71E1F3E@truespeed.com>

07.02.2018 5:26, David Athay wrote:

>> 802.1Q vlan header can be a reason for exactly such behaviour.
>> Please add -e flag to tcpdump flags and post output again.
>
> # /usr/local/sbin/tcpdump -eni igb0 not port 22 |less
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 22:19:25.589577 ac:1f:6b:13:a2:nn > 10:cd:ae:de:e9:nn, ethertype 802.1Q (0x8100), length 258: vlan 10, p 0, ethertype IPv4, X.X.X.X.22 > 77.100.156.Y.52743: Flags [P.], seq 418521610:418521798, ack 196067467, win 1026, options [nop,nop,TS val 602985028 ecr 731470580], length 188

Well, that explains everything. You should use "vlan and not port 22"
and "vlan and host X.X.X.X" (same without "not") when filtering vlan-tagged traffic
as documented in the pcap-filter(7) manual page or else you get wrong results.

"Works as intended". Deinstall extra tcpdump/libcap packages, if you do not need them.
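
Why the plain filter gives wrong results on tagged frames, as an added example that is not part of the original message: a simplified Python model (IPv4 only, not libpcap's actual code) of where the filter reads the EtherType and ports, with and without the `vlan` keyword. The frames, addresses and function names are constructed for illustration.

```python
import struct

ETH_IPV4, ETH_VLAN, TCP, UDP = 0x0800, 0x8100, 6, 17

def build_frame(sport, dport, vlan_id=None):
    """Constructed sample: Ethernet [+ 802.1Q tag] + IPv4 + TCP header."""
    eth = bytes(12)  # placeholder destination and source MACs
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 1026, 0, 0)
    return eth + ip + tcp

def port_match(frame, port, l2_len=14):
    """Model of 'port N': the EtherType is read at l2_len - 2."""
    (ethertype,) = struct.unpack_from("!H", frame, l2_len - 2)
    if ethertype != ETH_IPV4:
        return False  # no IPv4 seen at this offset, so 'port' cannot match
    (frag,) = struct.unpack_from("!H", frame, l2_len + 6)
    if frame[l2_len + 9] not in (TCP, UDP) or frag & 0x1FFF:
        return False  # not TCP/UDP, or a non-first fragment
    ihl = (frame[l2_len] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", frame, l2_len + ihl)
    return port in (sport, dport)

def vlan_match(frame):
    """Model of 'vlan': the outer EtherType must be 802.1Q (0x8100)."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return ethertype == ETH_VLAN

def not_port(frame, port):
    """'not port N': decoded with untagged offsets only."""
    return not port_match(frame, port)

def vlan_and_not_port(frame, port):
    """'vlan and not port N': after 'vlan', decoding offsets shift by 4."""
    return vlan_match(frame) and not port_match(frame, port, l2_len=18)
```

On a tagged frame the untagged decode sees EtherType 0x8100 instead of IPv4, so "port 22" is always false and "not port 22" passes everything, including the SSH packet in the capture above.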