Hi Jason
there is a workaround for this, please check latest dev packages and let me know.

Thank you
Alfredo

> On 19 Jan 2017, at 18:45, Alfredo Cardigliano <[email protected]> wrote:
>
> Hi Jason
> I think this is due to libpcap which is activating the socket before
> setting the bpf filter,
> thus you receive packets in that window. I am trying to avoid this somehow.
>
> Jason
>
>> On 19 Jan 2017, at 17:58, Jason <[email protected]> wrote:
>>
>> Good day all,
>>
>> Yesterday I discovered a problem on Ubuntu 16.04.1 (kernel 4.4.0-59) and I'm
>> hoping someone can help make sense of it. Both 6.4.1 and 6.5.0 (vanilla) do
>> not seem to be honoring BPF filters. In the below example, you can see I'm
>> filtering for only port 22 packets and piping that into a second capture
>> filtering for anything not port 22. This should not produce results. It
>> only seems to happen at the beginning of a capture process. In testing
>> within a few seconds the filters seem to begin working correctly. In 6.0.2
>> on Ubuntu 12.04 I don't see this problem.
>>
>> admin@ubuntu:~$ sudo tcpdump -nn -i eth0 -w - port 22 | tcpdump -ttttt -nn -r - not port 22
>> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> reading from file -, link-type EN10MB (Ethernet)
>> 00:00:00.000000 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 2650108171:2650109619, ack 73754825, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
>> 00:00:00.000013 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 1448:2896, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
>> 00:00:00.000020 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 2896, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
>> 00:00:00.000032 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [P.], seq 2896:4096, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1200: HTTP
>> 00:00:00.000035 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 4096:5544, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
>> 00:00:00.000039 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 5544, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
>> 00:00:00.000046 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [.], seq 5544:6992, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1448: HTTP
>> 00:00:00.000047 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [P.], seq 6992:8192, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1200: HTTP
>> 00:00:00.000049 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 8192, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
>> 00:00:00.000173 IP 80.249.106.10.80 > 192.168.55.30.37680: Flags [P.], seq 8192:9520, ack 1, win 520, options [nop,nop,TS val 358340136 ecr 93575], length 1328: HTTP
>> 00:00:00.000230 IP 192.168.55.30.37680 > 80.249.106.10.80: Flags [.], ack 9520, win 6327, options [nop,nop,TS val 93575 ecr 358340136], length 0
>>
>> Let me know if there's any additional debugging information I can provide
>> that would assist.
>>
>> Thanks!
>> Jason
>> _______________________________________________
>> Ntop-misc mailing list
>> [email protected]
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
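
The two-stage tcpdump check from the thread, as an added example that is not part of the original messages: this Python sketch reads a classic pcap written with a port filter and reports how many packets fall outside the filter and how long after the first packet the last of them arrived. It assumes untagged Ethernet/IPv4 carrying TCP or UDP; the function names and the sample capture are constructed for illustration.

```python
import struct

def ports_of(frame):
    """(sport, dport) of an untagged Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    frag_off = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if frame[23] not in (6, 17) or frag_off or len(frame) < 14 + ihl + 4:
        return None
    return struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])

def leak_window(pcap, port):
    """Return (leaked_packets, microseconds from first packet to last leaked one)."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic microsecond pcap with link-type EN10MB")
    off, first, last_leak, leaked = 24, None, None, 0
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack(order + "IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        ts = sec * 1_000_000 + usec
        first = ts if first is None else first
        ports = ports_of(frame)
        # Assumption: anything that is not IPv4 TCP/UDP on `port` counts as a leak.
        if ports is None or port not in ports:
            leaked, last_leak = leaked + 1, ts
    return leaked, 0 if last_leak is None else last_leak - first

def make_frame(sport, dport):
    """Constructed test frame: Ethernet + 20-byte IPv4 header + TCP ports only."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)

def sample_capture():
    """Constructed capture: two port-80 packets slip in before the filter applies."""
    pkts = [(0, 80, 37680), (13, 37680, 80), (900, 22, 50000), (2500, 50000, 22)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    for usec, sport, dport in pkts:
        f = make_frame(sport, dport)
        out += struct.pack("<IIII", 1484848000, usec, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(leak_window(sample_capture(), 22))
```

A non-zero count confined to the first moments of a capture matches the startup window described in the thread; leaks spread through the whole file point to a filter that is not being applied at all.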
