Date:      Tue, 6 Feb 2018 21:03:12 +0000
From:      David Athay <davida@truespeed.com>
To:        Eugene Grosbein <eugen@grosbein.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: tcpdump filter not functioning correctly with igb on FreeBSD 11.1
Message-ID:  <E149211C-9207-4162-950D-1BA788AA3A5F@truespeed.com>
In-Reply-To: <5A7A1657.4050706@grosbein.net>
References:  <95AA0EAB-B3D6-4E68-83B2-914894D6FB90@truespeed.com> <5A7A1657.4050706@grosbein.net>

I was originally using 11.1-RELEASE but I have since updated to 11-STABLE. Weirdness still persists.

$ tcpdump --version
tcpdump version 4.9.2
libpcap version 1.8.1
OpenSSL 1.0.2n-freebsd  7 Dec 2017

$ uname -aUK
FreeBSD s5.pkfm.banes 11.1-STABLE FreeBSD 11.1-STABLE #2 r328930: Tue Feb  6 16:05:59 GMT 2018     root@s5.pkfm.banes:/usr/obj/usr/src/sys/TRUESPEED  amd64 1101509 1101509


—
David Athay
Senior DevOps Engineer
TrueSpeed Communications Ltd.

> On 6 Feb 2018, at 20:55, Eugene Grosbein <eugen@grosbein.net> wrote:
>
> 07.02.2018 0:29, David Athay wrote:
>
>> I am running tcpdump -ni igb0 with a filter, and I see some weird results.
>>
>> If I use ‘not’ with host or port then it shows only those hosts or ports, and if I don’t use not, and just use ‘host’ or ‘port’ it filters them out as if I had used ‘not’.
>>
>> tcpdump -ni igb0 not port 22
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 17:18:08.863067 IP X.X.X.X.22 > Y.Y.Y.Y.50893: Flags [P.], seq 521876235:521876423, ack 2066644163, win 1026, options [nop,nop,TS val 554193435 ecr 716910521], length 188
>> 17:18:08.864772 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 0, win 23656, options [nop,nop,TS val 716910525 ecr 554193434], length 0
>> 17:18:08.866353 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 188, win 23651, options [nop,nop,TS val 716910526 ecr 554193435], length 0
>>
>> tcpdump -ni igb0 not host X.X.X.X
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 17:20:21.901147 IP X.X.X.X.22 > Y.Y.Y.Y.50893: Flags [P.], seq 521879011:521879199, ack 2066645503, win 1026, options [nop,nop,TS val 554326474 ecr 717043360], length 188
>> 17:20:21.902970 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 0, win 23656, options [nop,nop,TS val 717043364 ecr 554326472], length 0
>> 17:20:21.903364 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 188, win 23650, options [nop,nop,TS val 717043364 ecr 554326474], length 0
>>
>> tcpdump -ni igb0 host X.X.X.X
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> ^C
>> 0 packets captured
>> 55 packets received by filter
>> 0 packets dropped by kernel
>>
>> tcpdump -ni igb0 port 22
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> ^C
>> 0 packets captured
>> 408 packets received by filter
>> 0 packets dropped by kernel
>>
>> Seems to work fine on our FreeBSD 10.3 servers that use igb, and doesn’t happen on FreeBSD 11.1 servers that use bge.
>>
>> Can anyone explain what is happening?
>
> Please show output of:
>
> tcpdump --version
> uname -aUK
>
>