Hi Jason

I think this is due to libpcap which is activating the socket before setting the BPF filter, thus you receive packets in that window. I am trying to avoid this somehow.

Jason

> On 19 Jan 2017, at 17:58, Jason <[email protected]> wrote:
>
> Good day all,
>
> Yesterday I discovered a problem on Ubuntu 16.04.1 (kernel 4.4.0-59) and I'm hoping someone can help make sense of it. Both 6.4.1 and 6.5.0 (vanilla) do not seem to be honoring BPF filters. In the below example, you can see I'm filtering for only port 22 packets and piping that into a second capture filtering for anything not port 22. This should not produce results. It only seems to happen at the beginning of a capture process. In testing within a few seconds the filters seem to begin working correctly. In 6.0.2 on Ubuntu 12.04 I don't see this problem.
>
> admin@ubuntu:~$ sudo tcpdump -nn -i eth0 -w - port 22 | tcpdump -ttttt -nn -r - not port 22
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> reading from file -, link-type EN10MB (Ethernet)
> 00:00:00.000000 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 2650108171:2650109619, ack 73754825, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
> 00:00:00.000013 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 1448:2896, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
> 00:00:00.000020 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 2896, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
> 00:00:00.000032 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [P.], seq 2896:4096, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1200: HTTP
> 00:00:00.000035 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 4096:5544, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
> 00:00:00.000039 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 5544, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
> 00:00:00.000046 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 5544:6992, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
> 00:00:00.000047 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [P.], seq 6992:8192, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1200: HTTP
> 00:00:00.000049 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 8192, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
> 00:00:00.000173 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [P.], seq 8192:9520, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1328: HTTP
> 00:00:00.000230 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 9520, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
>
> Let me know if there's any additional debugging information I can provide that would assist.
>
> Thanks!
> Jason
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
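The pipeline in Jason's report (write a `port 22` capture, re-read it with `not port 22`) is a useful post-capture check that a saved capture actually honours its filter, which matters whenever a filter is relied on to keep unrelated traffic out of evidence or out of a sensor. The script below is an added example, not code from this thread, from ntop or from libpcap: it parses a classic pcap file with only the Python standard library, decodes IPv4 TCP/UDP ports, and lists every packet that fails `port N`, so leakage from the activate-before-filter window shows up as numbered violations. The capture it checks is constructed in memory; the function names (`check_port_filter`, `check_file`, `ports_of`) are mine, and the port matching is an approximation of BPF's `port N` restricted to IPv4 TCP/UDP (real BPF also matches SCTP and IPv6, which this code reports as "undecoded" rather than silently passing).

```python
"""Post-capture check that a pcap honours a BPF-style 'port N' filter.

Added example, not code from the thread or from ntop/libpcap. It reads a
classic pcap file (Ethernet link type) with only the standard library,
decodes IPv4 TCP/UDP ports, and lists every packet that does not match
'port N': the same test as 'tcpdump -w - port 22 | tcpdump -r - not port 22'.
The capture used below is constructed here, not real traffic.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_frame(sport, dport, proto=IPPROTO_TCP, payload=b""):
    """Construct a minimal Ethernet/IPv4/{TCP,UDP} frame (constructed sample data)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_TCP:   # sport, dport, seq, ack, data offset 5, flags ACK, win, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 520, 0, 0)
    else:                      # sport, dport, length, csum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    # ver/ihl, tos, total len, id, flags+frag, ttl, proto, csum (left 0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 168, 55, 30]), bytes([80, 249, 106, 10]))
    return eth + ip + l4


def build_pcap(frames, snaplen=262144):
    """Serialise frames as a big-endian classic pcap (24-byte global, 16-byte record headers)."""
    out = struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):   # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("!IIII", 1484841480, i, len(f), len(f)) + f
    return out


def iter_pcap(data):
    """Yield (index, frame) from a classic pcap written in either byte order."""
    if data[:4] == b"\xa1\xb2\xc3\xd4":
        end = "!"
    elif data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (EN10MB) captures are decoded")
    off, idx = 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield idx, data[off:off + incl_len]
        off, idx = off + incl_len, idx + 1


def ports_of(frame):
    """Return (proto, sport, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:   # non-first fragment: no L4 header
        return None
    ihl = (ip[0] & 0x0F) * 4
    l4 = ip[ihl:ihl + 4]
    if len(l4) < 4:
        return None
    return (ip[9],) + struct.unpack("!HH", l4)


def check_port_filter(data, port):
    """Return [(index, description)] for every packet that does not satisfy 'port <port>'.

    IPv6, non-IP and fragment-only packets cannot be matched to a port here
    and are reported as 'undecoded' so a reviewer can inspect them by hand.
    """
    bad = []
    for idx, frame in iter_pcap(data):
        p = ports_of(frame)
        if p is None:
            bad.append((idx, "undecoded frame"))
        elif port not in p[1:]:
            name = "TCP" if p[0] == IPPROTO_TCP else "UDP"
            bad.append((idx, f"{name} {p[1]} -> {p[2]}"))
    return bad


def check_file(path, port):
    """Convenience wrapper for a capture on disk, e.g. one written with tcpdump -w."""
    with open(path, "rb") as fh:
        return check_port_filter(fh.read(), port)


# Constructed capture: two HTTP packets that slipped through before the filter
# took effect, two SSH packets that match, and one DNS packet that does not.
SAMPLE_PCAP = build_pcap([
    build_frame(80, 37680, payload=b"HTTP/1.1 200 OK"),
    build_frame(37680, 80),
    build_frame(51234, 22),
    build_frame(22, 51234),
    build_frame(53, 40000, proto=IPPROTO_UDP),
])

if __name__ == "__main__":
    for idx, why in check_port_filter(SAMPLE_PCAP, 22):
        print(f"packet {idx} violates 'port 22': {why}")
```

Run against a real file with `check_file("capture.pcap", 22)`; an empty list means every decoded packet matched, while violations clustered at the lowest indices are the signature of the startup window described in the reply, as opposed to a filter that is wrong throughout.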
