Date: Tue, 6 Feb 2018 17:29:23 +0000
From: David Athay <davida@truespeed.com>
To: freebsd-net@freebsd.org
Subject: tcpdump filter not functioning correctly with igb on FreeBSD 11.1
Message-ID: <95AA0EAB-B3D6-4E68-83B2-914894D6FB90@truespeed.com>

I am running tcpdump -ni igb0 with a filter, and I see some weird results.

If I use ‘not’ with host or port then it shows only those hosts or ports, and if I don’t use not, and just use ‘host’ or ‘port’ it filters them out as if I had used ‘not’.

tcpdump -ni igb0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:18:08.863067 IP X.X.X.X.22 > Y.Y.Y.Y.50893: Flags [P.], seq 521876235:521876423, ack 2066644163, win 1026, options [nop,nop,TS val 554193435 ecr 716910521], length 188
17:18:08.864772 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 0, win 23656, options [nop,nop,TS val 716910525 ecr 554193434], length 0
17:18:08.866353 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 188, win 23651, options [nop,nop,TS val 716910526 ecr 554193435], length 0

tcpdump -ni igb0 not host X.X.X.X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:20:21.901147 IP X.X.X.X.22 > Y.Y.Y.Y.50893: Flags [P.], seq 521879011:521879199, ack 2066645503, win 1026, options [nop,nop,TS val 554326474 ecr 717043360], length 188
17:20:21.902970 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 0, win 23656, options [nop,nop,TS val 717043364 ecr 554326472], length 0
17:20:21.903364 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 188, win 23650, options [nop,nop,TS val 717043364 ecr 554326474], length 0

tcpdump -ni igb0 host X.X.X.X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
55 packets received by filter
0 packets dropped by kernel

tcpdump -ni igb0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
408 packets received by filter
0 packets dropped by kernel

Seems to work fine on our FreeBSD 10.3 servers that use igb, and doesn’t happen on FreeBSD 11.1 servers that use bge.

Can anyone explain what is happening?

—
David Athay
Senior DevOps Engineer
TrueSpeed Communications Ltd.