From: sthaug@nethelp.no
To: edwarddean3@gmail.com
Cc: freebsd-net@freebsd.org
Date: Mon, 14 Sep 2009 21:23:30 +0200 (CEST)
Message-Id: <20090914.212330.74729619.sthaug@nethelp.no>
Subject: Re: bpf issues

> I hope this is the appropriate list. I am having issues using BPFs to
> filter out traffic captures. If I want to block a specific host by IP, the
> traffic is still recorded. I tried tcpdump and get the same results.
>
> Am I missing something?

Does your igb2 interface use VLAN encapsulation? If it does, you won't
see it in the tcpdump output unless you use -e, but you still need to
specify it together with your IP based filters - or tcpdump will apply
the wrong (off by 4 bytes) offset. E.g.

"tcpdump -nt -r tcpdump.pcap vlan and host 10.100.66.31"

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
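
The 4-byte shift described in the reply above, as an added example that is not part of the original message: a simplified Python model of the fixed offsets an IPv4 host filter reads, run over constructed frames with and without an 802.1Q tag. The function names, VLAN ID 100 and every address other than 10.100.66.31 are assumptions made for the illustration.

```python
import socket
import struct

ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100  # 802.1Q tag protocol identifier

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed sample: Ethernet header + bare 20-byte IPv4 header (checksum 0)."""
    macs = bytes(12)  # zeroed destination and source MAC
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    if vlan_id is None:
        return macs + struct.pack("!H", ETH_IPV4) + ip
    # The tag inserts 4 bytes (TPID + TCI) ahead of the real ethertype.
    return macs + struct.pack("!HHH", ETH_VLAN, vlan_id, ETH_IPV4) + ip

def naive_host_match(frame, host):
    """Model of plain 'host X' (IPv4 part): ethertype at 12, addresses at 26 and 30."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return False  # a tagged frame carries 0x8100 here, so it never matches
    target = socket.inet_aton(host)
    return frame[26:30] == target or frame[30:34] == target

def vlan_aware_host_match(frame, host):
    """Model of 'vlan and host X': require the tag, then read everything 4 bytes later."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_VLAN:
        return False
    if struct.unpack_from("!H", frame, 16)[0] != ETH_IPV4:
        return False
    target = socket.inet_aton(host)
    return frame[30:34] == target or frame[34:38] == target

def kept_by_exclusion(frames, host, match):
    """Frames that survive an exclusion filter built on the given matcher."""
    return [f for f in frames if not match(f, host)]

if __name__ == "__main__":
    tagged = [build_frame("10.100.66.31", "192.0.2.10", vlan_id=100),
              build_frame("192.0.2.20", "192.0.2.10", vlan_id=100)]
    for name, m in (("naive", naive_host_match), ("vlan-aware", vlan_aware_host_match)):
        kept = kept_by_exclusion(tagged, "10.100.66.31", m)
        print(f"{name}: {len(kept)} of {len(tagged)} frames still recorded")
```

On a tagged capture the naive exclusion keeps both frames, which is the symptom in the quoted question; the VLAN-aware one drops the frame from 10.100.66.31.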