Date: Tue, 6 Feb 2018 17:29:23 +0000
From: David Athay <davida@truespeed.com>
To: freebsd-net@freebsd.org
Subject: tcpdump filter not functioning correctly with igb on FreeBSD 11.1
Message-ID: <95AA0EAB-B3D6-4E68-83B2-914894D6FB90@truespeed.com>

I am running tcpdump -ni igb0 with a filter, and I see some weird results. If I use ‘not’ with host or port then it shows only those hosts or ports, and if I don’t use not, and just use ‘host’ or ‘port’ it filters them out as if I had used ‘not’.

tcpdump -ni igb0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:18:08.863067 IP X.X.X.X.22 > Y.Y.Y.Y.50893: Flags [P.], seq 521876235:521876423, ack 2066644163, win 1026, options [nop,nop,TS val 554193435 ecr 716910521], length 188
17:18:08.864772 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 0, win 23656, options [nop,nop,TS val 716910525 ecr 554193434], length 0
17:18:08.866353 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 188, win 23651, options [nop,nop,TS val 716910526 ecr 554193435], length 0

tcpdump -ni igb0 not host X.X.X.X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:20:21.901147 IP X.X.X.X.22 > Y.Y.Y.Y.50893: Flags [P.], seq 521879011:521879199, ack 2066645503, win 1026, options [nop,nop,TS val 554326474 ecr 717043360], length 188
17:20:21.902970 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 0, win 23656, options [nop,nop,TS val 717043364 ecr 554326472], length 0
17:20:21.903364 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 188, win 23650, options [nop,nop,TS val 717043364 ecr 554326474], length 0

tcpdump -ni igb0 host X.X.X.X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
55 packets received by filter
0 packets dropped by kernel

tcpdump -ni igb0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
408 packets received by filter
0 packets dropped by kernel

Seems to work fine on our FreeBSD 10.3 servers that use igb, and doesn’t happen on FreeBSD 11.1 servers that use bge.

Can anyone explain what is happening?

--
David Athay
Senior DevOps Engineer
TrueSpeed Communications Ltd.
