From owner-freebsd-net@FreeBSD.ORG Mon Sep 14 18:06:22 2009
From: Edward Dean
To: freebsd-net@freebsd.org
Date: Mon, 14 Sep 2009 13:40:45 -0400
Subject: bpf issues
List-Id: Networking and TCP/IP with FreeBSD

Good day, I hope this is the appropriate list. I am having issues using BPFs to filter out traffic captures.
If I want to block a specific host by IP, the traffic is still recorded. I tried tcpdump and get the same results. Am I missing something?

Examples:

# tcpdump -nt -i igb2 -w tcpdump.pcap not host 10.100.66.31
# tcpdump -nt -r tcpdump.pcap | less
IP 10.100.66.31.13724 > 10.100.66.30.3090: . 42904:44352(1448) ack 1 win 64340
IP 10.100.66.31.13724 > 10.100.66.30.3090: . 44352:45800(1448) ack 1 win 64340
IP 10.100.66.30.3090 > 10.100.66.31.13724: . ack 5792 win 65535
IP 10.100.66.31.13724 > 10.100.66.30.3090: . 45800:47248(1448) ack 1 win 64340

It gets stranger: if I read the pcap file and filter for the host, it returns blank:

# tcpdump -nt -r tcpdump.pcap host 10.100.66.31
reading from file tcpdump.pcap, link-type EN10MB (Ethernet)
#

I have tried several variations of syntax and had no luck. I also used several tools (tcpdump, tshark, daemonlogger) and have had the same results, so I suspect it may be libpcap related. The system is running FreeBSD 7.2 GENERIC amd64.

Any suggestions would be much appreciated.

Cheers!
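The post does not say what the cause turned out to be; as an added illustration (not code from the post or from libpcap), the Python below mimics the fixed-offset program libpcap generates for "host 10.100.66.31" on an EN10MB link and runs it over constructed frames, showing how extra encapsulation in front of the IP header (an 802.1Q tag here) makes "host" match nothing and "not host" match everything, exactly the symptom reported above. It assumes plain Ethernet II frames carrying a minimal IPv4 header; the MAC addresses and VLAN ID are made up, and the "vlan and host" variant is the filter form that accounts for the tag.

```python
import struct
from ipaddress import IPv4Address

def run_bpf(prog, pkt):
    """Tiny interpreter for the classic BPF subset that "host A.B.C.D" compiles
    to on Ethernet. Jump targets are absolute instruction indexes, as "tcpdump -d"
    prints them: ("ldh", off) ("ld", off) ("jeq", k, jt, jf) ("ret", k).
    Returns True when the program accepts pkt (non-zero return value); a load
    past the end of the packet rejects it, as the kernel's BPF machine does."""
    pc, acc = 0, 0
    while True:
        ins = prog[pc]
        if ins[0] in ("ldh", "ld"):                    # 16- or 32-bit big-endian load
            fmt, size = ("!H", 2) if ins[0] == "ldh" else ("!I", 4)
            if ins[1] + size > len(pkt):
                return False
            acc, pc = struct.unpack_from(fmt, pkt, ins[1])[0], pc + 1
        elif ins[0] == "jeq":
            pc = ins[2] if acc == ins[1] else ins[3]
        else:                                          # "ret"
            return ins[1] != 0

def host_filter(addr, negate=False, vlan=False):
    """IPv4 branch of libpcap's "host addr" program (the real one adds ARP/RARP
    branches). negate=True is "not host addr"; vlan=True is "vlan and host addr"."""
    a = int(IPv4Address(addr))
    hit, miss = (0, 0xFFFF) if negate else (0xFFFF, 0)  # 0 = drop, else snaplen
    if not vlan:
        return [("ldh", 12), ("jeq", 0x0800, 2, 7),   # EtherType at byte 12
                ("ld", 26), ("jeq", a, 6, 4),         # IPv4 source (14 + 12)
                ("ld", 30), ("jeq", a, 6, 7),         # IPv4 destination (14 + 16)
                ("ret", hit), ("ret", miss)]
    return [("ldh", 12), ("jeq", 0x8100, 2, 9),       # 802.1Q TPID at byte 12
            ("ldh", 16), ("jeq", 0x0800, 4, 9),       # real EtherType now at byte 16
            ("ld", 30), ("jeq", a, 8, 6),             # source, 4 bytes further in
            ("ld", 34), ("jeq", a, 8, 9),             # destination, likewise
            ("ret", hit), ("ret", miss)]

def ipv4_frame(src, dst, vlan_id=None):
    """Constructed sample frame: Ethernet II header, optional 802.1Q tag, minimal
    IPv4 header with no payload (hypothetical MACs, checksum left zero)."""
    eth = bytes.fromhex("001122334455" "66778899aabb")
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id)     # TPID + TCI (priority 0, VID)
    eth += struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip

def filter_results(addr, frame):
    """Verdicts of "host", "not host" and "vlan and host" for one frame."""
    return tuple(run_bpf(host_filter(addr, negate=n, vlan=v), frame)
                 for n, v in ((False, False), (True, False), (False, True)))
```

"tcpdump -d 'host 10.100.66.31'" prints the real compiled program, which the hand-written instruction lists above follow for the IPv4 case.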