tcpdump mailing list archives

Re: odd issue with Linux VLAN interface


From: Guy Harris <guy () alum mit edu>
Date: Tue, 27 Jan 2015 16:42:39 -0800


On Jan 27, 2015, at 4:28 PM, Denis Ovsienko <denis () ovsienko info> wrote:


I.e., "tcpdump -i eth0 not tcp" prints *only* TCP packets? 

Yes, exactly. Just checked once again.

Just out of curiosity, what does "tcpdump -i eth0 -d not tcp" print?

root@homepc:~# tcpdump -pni eth0 -d not tcp
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2  jf 7

If ethertype == IPv6, go to 2, else go to 7

(002) ldb      [20]
(003) jeq      #0x6             jt 10 jf 4

If IPv6 Next Header is TCP, go to 10, else go to 4

(004) jeq      #0x2c            jt 5  jf 11

If IPv6 Next Header is Fragment Header, go to 5, else go to 11

(005) ldb      [54]
(006) jeq      #0x6             jt 10 jf 11

If header after that is TCP, go to 10, else go to 11

(007) jeq      #0x800           jt 8  jf 11

If ethertype == IPv4, go to 8, else go to 11

(008) ldb      [23]
(009) jeq      #0x6             jt 10 jf 11

If IPv4 Protocol is TCP, go to 10, else go to 11

(010) ret      #0

Reject packet

(011) ret      #262144

Accept packet

So that *looks* OK.

Could you run "tcpdump -i eth0 -xx not tcp" and see what the contents of the TCP packets being accepted are?

And what does "tcpdump -v" print? Was it built with the latest libpcap? This might be an issue with the kernel and libpcap not properly working together to deal with VLAN tags - this commit:

        commit 04660eb1e56102e2369473cae2538e4d3d263607
        Author: Michal Sekletar <msekleta () redhat com>
        Date:   Fri Oct 31 15:19:54 2014 +0100

            Use BPF extensions in compiled filters
    
            libpcap will generate BPF filter code which uses BPF extensions if target
            platform supports them. Currently supported BPF extensions are vlan_tci and
            vlan_pr.
    
            Also to properly handle such filters when filtering in userspace libpcap now
            employs bpf_filter1.

fixed some issues there.


_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
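
Added illustration, not code from the thread or from libpcap: a minimal interpreter for the 12-instruction filter program quoted in the message, run over two constructed frames. It shows that the same TCP segment is rejected when untagged but accepted by "not tcp" when an 802.1Q tag sits in-band at offset 12, which is one way a VLAN tag can defeat offset-based filter code; the thread does not establish that this is what happened here. The names `run_filter` and `verdict` are invented for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classic-BPF subset: only the four opcodes that appear in the dump. */
enum op { LDH, LDB, JEQ, RET };
struct insn { enum op op; uint32_t k; uint8_t jt, jf; };

/* "tcpdump -d not tcp" as posted; jt/jf are absolute indices, as -d prints them. */
static const struct insn not_tcp[] = {
    {LDH, 12, 0, 0},    {JEQ, 0x86dd, 2, 7},  {LDB, 20, 0, 0},
    {JEQ, 0x6, 10, 4},  {JEQ, 0x2c, 5, 11},   {LDB, 54, 0, 0},
    {JEQ, 0x6, 10, 11}, {JEQ, 0x800, 8, 11},  {LDB, 23, 0, 0},
    {JEQ, 0x6, 10, 11}, {RET, 0, 0, 0},       {RET, 262144, 0, 0},
};

/* Returns the snapshot length to accept, or 0 to reject the packet. */
uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; ) {
        const struct insn *i = &p[pc];
        switch (i->op) {
        case LDH: if ((size_t)i->k + 2 > len) return 0;  /* short packet: reject */
                  a = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1]; pc++; break;
        case LDB: if (i->k >= len) return 0;
                  a = pkt[i->k]; pc++; break;
        case JEQ: pc = (a == i->k) ? i->jt : i->jf; break;
        case RET: return i->k;
        }
    }
    return 0;
}

/* Constructed sample: TCP-over-IPv4 frame with only the filtered fields set. */
uint32_t verdict(int vlan_tagged)
{
    uint8_t f[64] = {0};
    size_t off = 12;
    if (vlan_tagged) { f[off] = 0x81; f[off + 1] = 0x00; f[off + 3] = 100; off += 4; }
    f[off] = 0x08; f[off + 1] = 0x00;   /* ethertype IPv4 */
    f[off + 2] = 0x45;                  /* version 4, IHL 5 */
    f[off + 11] = 6;                    /* IPv4 Protocol = TCP */
    return run_filter(not_tcp, sizeof not_tcp / sizeof not_tcp[0], f, off + 42);
}

int main(void)
{
    printf("untagged TCP: %u\n", (unsigned)verdict(0));  /* 0: rejected, as intended */
    printf("tagged TCP:   %u\n", (unsigned)verdict(1));  /* 262144: accepted */
    return 0;
}
```

With the tag in-band, the halfword at offset 12 is 0x8100, so neither ethertype comparison matches and the program falls through to the accept instruction at (011).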

