From: David Athay
To: Eugene Grosbein
Cc: freebsd-net@freebsd.org
Subject: Re: tcpdump filter not functioning correctly with igb on FreeBSD 11.1
Date: Tue, 6 Feb 2018 22:26:05 +0000

> On 6 Feb 2018, at 22:19, Eugene Grosbein wrote:
>
> 07.02.2018 5:10, David Athay wrote:
>
>> # /usr/local/sbin/tcpdump --version
>> tcpdump version 4.9.0
>> libpcap version 1.8.1
>> OpenSSL 1.0.2n-freebsd 7 Dec 2017
>>
>> Still same weirdness.
>>
>> # /usr/local/sbin/tcpdump -ni igb0 not port 22 | less
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 22:03:28.941870 IP X.X.X.X.22 > 77.100.156.Y.52743: Flags [P.], seq 417632730:417632918, ack 196056259, win 1026, options [nop,nop,TS val 602028380 ecr 730520401], length 188
>> 22:03:28.969328 IP 77.100.156.Y.52743 > X.X.X.X.22: Flags [.], ack 0, win 4093, options [nop,nop,TS val 730520446 ecr 602028380], length 0
>> 22:03:28.969342 IP 77.100.156.Y.52743 > X.X.X.X.22: Flags [.], ack 188, win 4090, options [nop,nop,TS val 730520447 ecr 602028380], length 0
>>
>> # /usr/local/sbin/tcpdump -ni igb0 not host 77.100.156.Y | less
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 22:05:58.807570 IP X.X.X.X.22 > 77.100.156.Y.52743: Flags [P.], seq 418507510:418507698, ack 196060707, win 1026, options [nop,nop,TS val 602178246 ecr 730669128], length 188
>> 22:05:58.831887 IP 77.100.156.Y.52743 > X.X.X.X.22: Flags [.], ack 0, win 4093, options [nop,nop,TS val 730669159 ecr 602178246], length 0
>> 22:05:58.838645 IP 77.100.156.Y.52743 > X.X.X.X.22: Flags [.], ack 188, win 4090, options [nop,nop,TS val 730669159 ecr 602178246], length 0
>>
>> # /usr/local/sbin/tcpdump -ni igb0 host 77.100.156.Y
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> ^C
>> 0 packets captured
>> 140 packets received by filter
>> 0 packets dropped by kernel
>
> 802.1Q vlan header can be a reason for exactly such behaviour.
> Please add -e flag to tcpdump flags and post output again.
>

# /usr/local/sbin/tcpdump -eni igb0 not port 22 |less
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:19:25.589577 ac:1f:6b:13:a2:nn > 10:cd:ae:de:e9:nn, ethertype 802.1Q (0x8100), length 258: vlan 10, p 0, ethertype IPv4, X.X.X.X.22 > 77.100.156.Y.52743: Flags [P.], seq 418521610:418521798, ack 196067467, win 1026, options [nop,nop,TS val 602985028 ecr 731470580], length 188
22:19:25.619924 10:cd:ae:de:e9:nn > ac:1f:6b:13:a2:nn, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 77.100.156.Y.52743 > X.X.X.X.22: Flags [.], ack 4294967252, win 4094, options [nop,nop,TS val 731470613 ecr 602985027], length 0
22:19:25.626834 10:cd:ae:de:e9:nn > ac:1f:6b:13:a2:nn, ethertype 802.1Q (0x8100), length 70: vlan 10, p 0, ethertype IPv4, 77.100.156.Y.52743 > X.X.X.X.22: Flags [.], ack 0, win 4093, options [nop,nop,TS val 731470613 ecr 602985028], length 0
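
Added example, not part of the original message and not tcpdump or libpcap code: a simplified Python model of why the 802.1Q tag seen in the -e output (ethertype 0x8100, vlan 10) makes "port 22" fail to match, so that "not port 22" shows the SSH packets and a positive filter captures nothing. The function names and the IP addresses in the constructed frames are hypothetical; only IPv4/TCP is modelled.

```python
import struct

ETH_IPV4, ETH_8021Q, PROTO_TCP = 0x0800, 0x8100, 6

def build_frame(src_port, dst_port, vlan_id=None):
    """Constructed sample: Ethernet + optional 802.1Q tag + IPv4 + TCP headers."""
    macs = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x10, 1024, 0, 0)
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip + tcp

def port_match(frame, port, l3_offset=14):
    """Simplified `port N`: fixed offsets that assume an untagged frame."""
    (ethertype,) = struct.unpack_from("!H", frame, l3_offset - 2)
    if ethertype != ETH_IPV4:            # a tagged frame has 0x8100 at offset 12
        return False
    if frame[l3_offset + 9] != PROTO_TCP:
        return False
    ihl = (frame[l3_offset] & 0x0F) * 4  # IPv4 header length in bytes
    sport, dport = struct.unpack_from("!HH", frame, l3_offset + ihl)
    return port in (sport, dport)

def vlan_port_match(frame, port):
    """Simplified `vlan and port N`: require the TPID, then shift offsets by 4."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    return tpid == ETH_8021Q and port_match(frame, port, l3_offset=18)

def demo():
    plain = build_frame(22, 52743)               # untagged SSH segment
    tagged = build_frame(22, 52743, vlan_id=10)  # same segment inside VLAN 10
    return {
        "plain: port 22": port_match(plain, 22),
        "tagged: port 22": port_match(tagged, 22),
        "tagged: not port 22": not port_match(tagged, 22),
        "tagged: vlan and port 22": vlan_port_match(tagged, 22),
    }

if __name__ == "__main__":
    for expr, matched in demo().items():
        print(f"{expr:26} -> {matched}")
```

In pcap filter syntax the `vlan` primitive performs the same offset shift for the rest of the expression, for example `vlan and not port 22`.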