Date: Mon, 14 Sep 2009 13:40:45 -0400
From: Edward Dean <edwarddean3@gmail.com>
To: freebsd-net@freebsd.org
Subject: bpf issues
Message-ID: <d8a11c3b0909141040o5a3d7f81t79525485bfe8a9ad@mail.gmail.com>
Good day,

I hope this is the appropriate list. I am having issues using BPFs to filter out traffic captures. If I want to block a specific host by IP, the traffic is still recorded. I tried tcpdump and get the same results. Am I missing something?

Examples:

# tcpdump -nt -i igb2 -w tcpdump.pcap not host 10.100.66.31
# tcpdump -nt -r tcpdump.pcap | less
IP 10.100.66.31.13724 > 10.100.66.30.3090: . 42904:44352(1448) ack 1 win 64340 <nop,nop,timestamp 1324022 586994>
IP 10.100.66.31.13724 > 10.100.66.30.3090: . 44352:45800(1448) ack 1 win 64340 <nop,nop,timestamp 1324022 586994>
IP 10.100.66.30.3090 > 10.100.66.31.13724: . ack 5792 win 65535 <nop,nop,timestamp 587015 1324022>
IP 10.100.66.31.13724 > 10.100.66.30.3090: . 45800:47248(1448) ack 1 win 64340 <nop,nop,timestamp 1324022 586994>

It gets stranger: if I read the pcap file and filter for the host, it returns blank:

# tcpdump -nt -r tcpdump.pcap host 10.100.66.31
reading from file tcpdump.pcap, link-type EN10MB (Ethernet)
#

I have tried several variations of syntax and had no luck. I also used several tools (tcpdump, tshark, daemonlogger) and have had the same results, so I suspect it may be libpcap related.

The system is running FreeBSD 7.2 GENERIC amd64.

Any suggestions would be much appreciated.

Cheers!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d8a11c3b0909141040o5a3d7f81t79525485bfe8a9ad>
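The message above reports two symptoms that are consistent with each other: `not host 10.100.66.31` lets that host's traffic through, and `host 10.100.66.31` on the same file matches nothing. Both mean the BPF program does not recognise those frames as IPv4 traffic involving that address. One known way to get exactly that pair (an assumption added here, not a diagnosis the thread reaches) is 802.1Q-tagged frames: libpcap's plain `host` primitive only inspects untagged IPv4/ARP/RARP frames unless the expression also contains `vlan`, while `tcpdump -r` still decodes and prints the inner IP packet, so the output looks like ordinary IP traffic. The script below is an added example, not code from the original poster or from FreeBSD/libpcap: it parses a classic pcap file without libpcap and counts, for a given address, how many frames are untagged (what a plain `host` filter can see), how many carry a VLAN tag (what it cannot), and how many are unrelated. The pcap bytes are constructed inline with the addresses from the message; the helper names (`build_pcap`, `check_capture`, etc.) are this example's own.

```python
"""Independent check of a pcap capture against a 'host' filter.

Added example, not from the original message: parse a pcap file without
libpcap and count frames that involve a given IPv4 address, reporting
802.1Q-tagged frames separately, because libpcap's plain 'host X' filter
does not look inside a VLAN tag unless 'vlan' is part of the expression.
The pcap bytes built below are constructed test data, not a real capture.
"""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, written here little-endian
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100


def ipv4_frame(src, dst, vlan=None, payload=b""):
    """Build a minimal Ethernet/IPv4 frame (constructed test data)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    total_len = 20 + len(payload)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto (TCP),
    # checksum (left zero), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     src_b, dst_b) + payload
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vlan is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip
    # 802.1Q: TPID, TCI (VLAN id in the low 12 bits), then the real ethertype
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, vlan & 0x0FFF,
                             ETHERTYPE_IPV4) + ip


def build_pcap(frames, linktype=1):
    """Serialise frames into a classic pcap file (link-type 1 = EN10MB)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(data):
    """Yield raw frames from pcap bytes, honouring the magic's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only EN10MB (Ethernet) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def parse_frame(frame):
    """Return (vlan_id_or_None, src, dst) for IPv4 frames, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    src = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst = ".".join(str(b) for b in frame[off + 16:off + 20])
    return vlan, src, dst


def check_capture(data, host):
    """Count frames to/from host: 'untagged' is what a plain 'host' filter
    sees, 'vlan_tagged' is what it misses without a 'vlan' qualifier."""
    counts = Counter(untagged=0, vlan_tagged=0, other=0)
    for frame in iter_frames(data):
        parsed = parse_frame(frame)
        if parsed is None or host not in parsed[1:]:
            counts["other"] += 1
        elif parsed[0] is None:
            counts["untagged"] += 1
        else:
            counts["vlan_tagged"] += 1
    return dict(counts)


# Constructed sample: two untagged frames involving 10.100.66.31, one
# VLAN-tagged frame from it, and one frame between unrelated hosts.
SAMPLE_PCAP = build_pcap([
    ipv4_frame("10.100.66.31", "10.100.66.30"),
    ipv4_frame("10.100.66.30", "10.100.66.31"),
    ipv4_frame("10.100.66.31", "10.100.66.30", vlan=66),
    ipv4_frame("10.100.66.40", "10.100.66.41"),
])

if __name__ == "__main__":
    print(check_capture(SAMPLE_PCAP, "10.100.66.31"))
```

To apply this to a real file, replace `SAMPLE_PCAP` with the bytes of `tcpdump.pcap`. A non-zero `vlan_tagged` count for the host you tried to exclude is the signal to re-run the capture with `tcpdump -e` (which prints the 802.1Q tag) and, if tags are present, to filter with `not (host 10.100.66.31 or (vlan and host 10.100.66.31))`; a zero count means the tag explanation does not apply and the filter is failing for some other reason.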