From: David Athay <davida@truespeed.com>
Subject: Re: tcpdump filter not functioning correctly with igb on FreeBSD 11.1
Date: Tue, 6 Feb 2018 21:03:12 +0000
To: Eugene Grosbein
Cc: freebsd-net@freebsd.org
In-Reply-To: <5A7A1657.4050706@grosbein.net>
References: <95AA0EAB-B3D6-4E68-83B2-914894D6FB90@truespeed.com> <5A7A1657.4050706@grosbein.net>
List-Id: Networking and TCP/IP with FreeBSD

I was originally using 11.1-RELEASE but I have since updated to 11-STABLE.

Weirdness still persists

$ tcpdump --version
tcpdump version 4.9.2
libpcap version 1.8.1
OpenSSL 1.0.2n-freebsd  7 Dec 2017

$ uname -aUK
FreeBSD s5.pkfm.banes 11.1-STABLE FreeBSD 11.1-STABLE #2 r328930: Tue Feb 6 16:05:59 GMT 2018     root@s5.pkfm.banes:/usr/obj/usr/src/sys/TRUESPEED  amd64 1101509 1101509

—
David Athay
Senior DevOps Engineer
TrueSpeed Communications Ltd.

> On 6 Feb 2018, at 20:55, Eugene Grosbein wrote:
>
> 07.02.2018 0:29, David Athay wrote:
>
>> I am running tcpdump -ni igb0 with a filter, and I see some weird results.
>>
>> If I use ‘not’ with host or port then it shows only those hosts or ports, and if I don’t use not, and just use ‘host’ or ‘port’ it filters them out as if I had used ‘not’.
>>
>> tcpdump -ni igb0 not port 22
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 17:18:08.863067 IP X.X.X.X.22 > Y.Y.Y.Y.50893: Flags [P.], seq 521876235:521876423, ack 2066644163, win 1026, options [nop,nop,TS val 554193435 ecr 716910521], length 188
>> 17:18:08.864772 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 0, win 23656, options [nop,nop,TS val 716910525 ecr 554193434], length 0
>> 17:18:08.866353 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 188, win 23651, options [nop,nop,TS val 716910526 ecr 554193435], length 0
>>
>> tcpdump -ni igb0 not host X.X.X.X
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 17:20:21.901147 IP X.X.X.X.22 > Y.Y.Y.Y.50893: Flags [P.], seq 521879011:521879199, ack 2066645503, win 1026, options [nop,nop,TS val 554326474 ecr 717043360], length 188
>> 17:20:21.902970 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 0, win 23656, options [nop,nop,TS val 717043364 ecr 554326472], length 0
>> 17:20:21.903364 IP Y.Y.Y.Y.50893 > X.X.X.X.22: Flags [.], ack 188, win 23650, options [nop,nop,TS val 717043364 ecr 554326474], length 0
>>
>> tcpdump -ni igb0 host X.X.X.X
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> ^C
>> 0 packets captured
>> 55 packets received by filter
>> 0 packets dropped by kernel
>>
>> tcpdump -ni igb0 port 22
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> ^C
>> 0 packets captured
>> 408 packets received by filter
>> 0 packets dropped by kernel
>>
>> Seems to work fine on our FreeBSD 10.3 servers that use igb, and doesn’t happen on FreeBSD 11.1 servers that use bge.
>>
>> Can anyone explain what is happening?
>
> Please show output of:
>
> tcpdump --version
> uname -aUK
>
>
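The behaviour reported above (`port 22` acting like `not port 22`, and vice versa) is the reverse of what the compiled filter should do, so it is worth being able to check the filter program on its own, away from the driver and kernel. The following is an added example, not code from the thread or from tcpdump/libpcap: a small user-space interpreter for the classic-BPF listing that `tcpdump -d` prints, run over constructed Ethernet/IPv4/TCP frames. The `PORT_22` listing is transcribed from memory in the shape libpcap emits for `port 22` on an Ethernet link (not taken from the poster's host), the frames are constructed sample input, and `negate()` models the `not` operator by swapping the two `ret` values; all of these are assumptions.

```python
"""Evaluate a classic-BPF listing (the form `tcpdump -d` prints) in user space.
Added example: listing transcribed from memory, frames constructed; not data from the poster's host."""
import re
import struct

# Assumed shape of `tcpdump -d port 22` on an Ethernet link; paste your own listing here to check it.
PORT_22 = """
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 10
(002) ldb      [20]
(003) jeq      #0x84            jt 6    jf 4
(004) jeq      #0x6             jt 6    jf 5
(005) jeq      #0x11            jt 6    jf 23
(006) ldh      [54]
(007) jeq      #0x16            jt 22   jf 8
(008) ldh      [56]
(009) jeq      #0x16            jt 22   jf 23
(010) jeq      #0x800           jt 11   jf 23
(011) ldb      [23]
(012) jeq      #0x84            jt 15   jf 13
(013) jeq      #0x6             jt 15   jf 14
(014) jeq      #0x11            jt 15   jf 23
(015) ldh      [20]
(016) jset     #0x1fff          jt 23   jf 17
(017) ldxb     4*([14]&0xf)
(018) ldh      [x + 14]
(019) jeq      #0x16            jt 22   jf 20
(020) ldh      [x + 16]
(021) jeq      #0x16            jt 22   jf 23
(022) ret      #262144
(023) ret      #0
"""


def parse(listing):
    """Turn a `tcpdump -d` listing into (op, k, jt, jf) tuples; jump targets are absolute."""
    prog = []
    for line in listing.strip().splitlines():
        num, op, arg = re.match(r"\((\d+)\)\s+(\w+)\s*(.*)", line.strip()).groups()
        if int(num) != len(prog):
            raise ValueError("instructions must be numbered 000, 001, ...")
        if op in ("jeq", "jset"):
            imm, jt, jf = re.fullmatch(r"#(\S+)\s+jt\s+(\d+)\s+jf\s+(\d+)", arg).groups()
            prog.append((op, int(imm, 0), int(jt), int(jf)))
        elif op == "ret":
            prog.append((op, int(arg[1:], 0), 0, 0))
        elif op == "ldxb":  # only the 4*([k]&0xf) form (IPv4 header length) is needed here
            prog.append((op, int(re.fullmatch(r"4\*\(\[(\d+)\]&0xf\)", arg).group(1)), 0, 0))
        elif op in ("ldh", "ldb"):
            xreg, k = re.fullmatch(r"\[(x \+ )?(\d+)\]", arg).groups()
            prog.append((op + ("x" if xreg else ""), int(k), 0, 0))
        else:
            raise ValueError(f"opcode {op!r} not supported by this toy interpreter")
    return prog


def run(prog, pkt):
    """Execute the program on one frame; a non-zero return value means 'accept'."""
    a = x = pc = 0
    while True:
        op, k, jt, jf = prog[pc]
        pc += 1
        try:
            if op in ("ldh", "ldhx"):
                a = struct.unpack_from("!H", pkt, k + (x if op == "ldhx" else 0))[0]
            elif op in ("ldb", "ldbx"):
                a = pkt[k + (x if op == "ldbx" else 0)]
            elif op == "ldxb":
                x = 4 * (pkt[k] & 0xF)
            elif op == "jeq":
                pc = jt if a == k else jf
            elif op == "jset":
                pc = jt if a & k else jf
            elif op == "ret":
                return k
        except (struct.error, IndexError):
            return 0  # a load past the end of the frame rejects it, as the kernel does


def negate(prog):
    """Model the `not` operator: swap the accept and reject return values."""
    rets = [i for i, ins in enumerate(prog) if ins[0] == "ret"]
    if len(rets) != 2:
        raise ValueError("expected exactly one accept and one reject ret")
    i, j = rets
    out = list(prog)
    out[i], out[j] = ("ret", prog[j][1], 0, 0), ("ret", prog[i][1], 0, 0)
    return out


def tcp_frame(sport, dport, frag_offset=0):
    """Constructed Ethernet/IPv4/TCP frame without payload (sample input, not a capture)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, frag_offset & 0x1FFF, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 1026, 0, 0)
    return eth + ip + tcp


FRAMES = {  # constructed sample frames
    "ssh_reply": tcp_frame(22, 50893),
    "ssh_ack": tcp_frame(50893, 22),
    "https": tcp_frame(443, 50893),
    "ssh_fragment": tcp_frame(22, 50893, frag_offset=185),  # non-first fragment: no ports to read
    "arp": b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0806) + bytes(28),
}


def classify(prog, frames=FRAMES):
    """Map frame name -> True when the program accepts that frame."""
    return {name: run(prog, f) != 0 for name, f in frames.items()}


if __name__ == "__main__":
    keep, drop = classify(parse(PORT_22)), classify(negate(parse(PORT_22)))
    print(f"{'frame':14} {'port 22':>8} {'not port 22':>12}")
    for name in FRAMES:
        print(f"{name:14} {str(keep[name]):>8} {str(drop[name]):>12}")
```

To compare against a real host, paste the output of `tcpdump -d port 22` into `PORT_22` and, in place of `negate()`, the output of `tcpdump -d not port 22`; if both listings accept and reject the constructed frames as expected, the filter program itself is sound and the inversion seen in a live capture lies in what the kernel is handing the filter rather than in how the expression was compiled. The fragment and ARP frames are included because `not port 22` legitimately matches both, which is easy to forget when reading counts.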