Good day all,

Yesterday I discovered a problem on Ubuntu 16.04.1 (kernel 4.4.0-59) and I'm hoping someone can help make sense of it. Both 6.4.1 and 6.5.0 (vanilla) do not seem to be honoring BPF filters. In the example below, you can see I'm filtering for only port 22 packets and piping that into a second capture filtering for anything not port 22. This should not produce results. It only seems to happen at the beginning of a capture process; in testing, within a few seconds the filters seem to begin working correctly. In 6.0.2 on Ubuntu 12.04 I don't see this problem.
admin@ubuntu:~$ sudo tcpdump -nn -i eth0 -w - port 22 | tcpdump -ttttt -nn -r - not port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
reading from file -, link-type EN10MB (Ethernet)
00:00:00.000000 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 2650108171:2650109619, ack 73754825, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
00:00:00.000013 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 1448:2896, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
00:00:00.000020 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 2896, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
00:00:00.000032 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [P.], seq 2896:4096, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1200: HTTP
00:00:00.000035 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 4096:5544, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
00:00:00.000039 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 5544, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
00:00:00.000046 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 5544:6992, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
00:00:00.000047 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [P.], seq 6992:8192, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1200: HTTP
00:00:00.000049 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 8192, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
00:00:00.000173 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [P.], seq 8192:9520, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1328: HTTP
00:00:00.000230 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 9520, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0

Let me know if there's any additional debugging information I can provide that would assist.

Thanks!
Jason
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
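The pipeline in the post (a filtered `tcpdump -w -` fed into a second `tcpdump -r - not port 22`) shows the leak but throws the evidence away. The script below is an added example, not code from the thread or from the ntop or tcpdump projects: it reads a file written by `tcpdump -w`, re-checks every record against the tcpdump primitive `port N` it was supposedly captured with, and reports each offending record with its offset from the first record, so you can see whether the leaked packets are confined to the first moments of the capture as described. It parses classic pcap with the Ethernet link type and understands untagged IPv4 TCP/UDP only; anything else (ARP, IPv6, VLAN-tagged, ICMP, non-first fragments) is treated as "no port to match", which is correct for `port 22` on ARP or ICMP but will report IPv6 or SCTP SSH traffic as a false positive. The packet data, addresses and timestamps in `SAMPLE_PCAP` are constructed to mirror the post; checksums are left zero because the checker never reads them.

```python
import struct
import sys

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def parse_pcap(data):
    """Yield (timestamp_in_microseconds, frame_bytes) per record of a classic pcap file."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # byte order the writer used
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet (EN10MB) link type is handled")
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % offset)
        offset += 16 + incl_len
        yield sec * 1_000_000 + usec, frame


def l4_ports(frame):
    """(proto, src, sport, dst, dport) for an untagged IPv4 TCP/UDP frame, else None.
    None is exactly the case in which tcpdump's `port N` cannot match (ARP, IPv6, VLAN
    tags, ICMP, non-first fragments, frames snapped before the port fields)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    frag_offset = struct.unpack_from("!H", ip, 6)[0] & 0x1FFF
    if ip[0] >> 4 != 4 or proto not in (IPPROTO_TCP, IPPROTO_UDP) or frag_offset or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    dotted = lambda b: ".".join(str(x) for x in b)
    return ("TCP" if proto == IPPROTO_TCP else "UDP", dotted(ip[12:16]), sport, dotted(ip[16:20]), dport)


def find_leaks(pcap_bytes, port):
    """Records the capture filter `port <port>` should have rejected, as
    (record_index, seconds_after_first_record, description)."""
    leaks, first_us = [], None
    for index, (ts_us, frame) in enumerate(parse_pcap(pcap_bytes)):
        first_us = ts_us if first_us is None else first_us
        parsed = l4_ports(frame)
        if parsed and port in (parsed[2], parsed[4]):
            continue                                   # the filter would have accepted it
        text = ("%s %s:%d > %s:%d" % parsed if parsed else
                "no TCP/UDP ports (ethertype 0x%04x)" % struct.unpack_from("!H", frame, 12)[0]
                if len(frame) >= 14 else "runt frame")
        leaks.append((index, (ts_us - first_us) / 1e6, text))
    return leaks


def _frame(src, sport, dst, dport, payload_len=0):
    """Constructed Ethernet/IPv4/TCP frame (ACK flag, zero checksums, zero MACs)."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 520, 0, 0) + bytes(payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0, ip4(src), ip4(dst))
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def _pcap(records):
    """Classic little-endian pcap built from (sec, usec, frame) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


# Constructed sample modelled on the post: three HTTP records and an ARP frame within the
# first 50 us of a `port 22` capture, then genuine SSH traffic two seconds later.
T0 = 1484700000
SAMPLE_PCAP = _pcap([
    (T0, 0,       _frame("80.249.106.10", 80, "192.168.55.30", 37680, 1448)),
    (T0, 13,      _frame("80.249.106.10", 80, "192.168.55.30", 37680, 1448)),
    (T0, 20,      _frame("192.168.55.30", 37680, "80.249.106.10", 80)),
    (T0, 50,      bytes(12) + struct.pack("!H", 0x0806) + bytes(28)),     # ARP-shaped frame
    (T0 + 2, 0,   _frame("192.168.55.30", 51234, "192.168.55.1", 22, 64)),
    (T0 + 2, 300, _frame("192.168.55.1", 22, "192.168.55.30", 51234, 80)),
])


def main(argv):
    """Usage: bpf_leak_check.py [capture.pcap [port]]; with no file, runs over the sample."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_PCAP
    port = int(argv[2]) if len(argv) > 2 else 22
    leaks = find_leaks(data, port)
    for index, delta, text in leaks:
        print("record %-5d +%.6fs  %s" % (index, delta, text))
    print("%d record(s) should have been dropped by `port %d`" % (len(leaks), port))
    return 1 if leaks else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To reproduce the post's check against a real capture, write the filtered capture to a file first (`sudo tcpdump -nn -i eth0 -w /tmp/port22.pcap port 22`) and then run `python3 bpf_leak_check.py /tmp/port22.pcap 22`; a non-zero exit status means at least one record violated the filter, and the `+seconds` column tells you whether the violations stop after the first moments of the capture.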
