tcpdump mailing list archives
Re: When will a packet filter be ignored/unused?
From: Darren Reed <Darren.Reed () Sun COM>
Date: Tue, 16 Mar 2010 21:41:37 -0700
On 16/03/10 04:40 PM, Jim Lloyd wrote:
I have a working application using libpcap that doesn't always filter as I expect. The application is designed to sniff http traffic, so the filter can be as simple as "tcp port 80". However, we allow sniffing multiple http servers running on different ports, so it is common to use a filter like "tcp and (port 80 or port 8080)". Because of this, when sniffing a single port, the filter we use will look like "tcp and (port 80)".

This filter seems to work correctly "most" of the time, but in varying situations we start to see packets where neither the source port nor the destination port matches the specified port. Until today, I only noticed this for relatively high volume packet sniffing (say 250mbps). But now I am seeing it on one of our machines with a relatively modest volume of traffic (about 18mbps).

I imagine it might be driver specific, and now I see that the ethernet interfaces on the servers I have available for testing have a more diverse set of drivers than I was aware of. Using ethtool and checking a few different interfaces, I see drivers bnx2, tg3, and forcedeth. I seem to be having problems with bnx2. Is this a known issue? No error code is returned when we compile and install the filter. Is there any way to determine if a filter is being ignored?
You might want to verify that libpcap is generating the correct byte codes with tcpdump with something like this:
tcpdump -d 'tcp and (port 80)'
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 8        # ipv6?
(002) ldb      [20]                                 # yes...
(003) jeq      #0x6             jt 4    jf 19       # tcp?
(004) ldh      [54]                                 # yes...
(005) jeq      #0x50            jt 18   jf 6        # port 80?
(006) ldh      [56]                                 # no...
(007) jeq      #0x50            jt 18   jf 19       # port 80?
(008) jeq      #0x800           jt 9    jf 19       # ipv4?
(009) ldb      [23]                                 # yes...
(010) jeq      #0x6             jt 11   jf 19       # tcp?
(011) ldh      [20]                                 # yes...
(012) jset     #0x1fff          jt 19   jf 13       # compute start of tcp
(013) ldxb     4*([14]&0xf)
(014) ldh      [x + 14]
(015) jeq      #0x50            jt 18   jf 16       # port 80?
(016) ldh      [x + 16]                             # no...
(017) jeq      #0x50            jt 18   jf 19       # port 80?
(018) ret      #96                                  # yes..
(019) ret      #0

If the byte code verifies correctly then you might want to do a full packet header dump of those that get to you and aren't meant to - maybe there is something different about them...
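The program printed above can also be run in user space, which gives a direct answer to the question of whether the kernel is honouring the filter: re-apply the same BPF program to every packet the capture actually delivered, and anything it rejects should never have arrived. The following is an added example, not code from this thread or from libpcap; the interpreter, the `eth_ipv4_tcp` frame builder and `leaked_packets` are hypothetical helpers, and the frames are constructed (zeroed addresses and checksums).

```python
import struct

# Classic-BPF program exactly as tcpdump -d printed it above for
# 'tcp and (port 80)': (opcode, k, jt, jf); jump targets are absolute pcs.
PROGRAM = [
    ("ldh", 12, 0, 0), ("jeq", 0x86dd, 2, 8), ("ldb", 20, 0, 0),
    ("jeq", 0x6, 4, 19), ("ldh", 54, 0, 0), ("jeq", 0x50, 18, 6),
    ("ldh", 56, 0, 0), ("jeq", 0x50, 18, 19), ("jeq", 0x800, 9, 19),
    ("ldb", 23, 0, 0), ("jeq", 0x6, 11, 19), ("ldh", 20, 0, 0),
    ("jset", 0x1fff, 19, 13), ("ldxb", 14, 0, 0),  # x = 4*(pkt[14]&0xf)
    ("ldhx", 14, 0, 0), ("jeq", 0x50, 18, 16), ("ldhx", 16, 0, 0),
    ("jeq", 0x50, 18, 19), ("ret", 96, 0, 0), ("ret", 0, 0, 0),
]

def run_bpf(program, pkt):
    """Interpret a classic-BPF program; returns the accept length (0 = drop).
    An out-of-range load aborts the program and drops the packet, as in BPF."""
    a = x = pc = 0
    while True:
        op, k, jt, jf = program[pc]
        if op in ("ldh", "ldb", "ldhx", "ldxb"):
            off = k + (x if op == "ldhx" else 0)
            size = 1 if op in ("ldb", "ldxb") else 2
            if off + size > len(pkt):
                return 0
            val = struct.unpack_from("!H" if size == 2 else "!B", pkt, off)[0]
            if op == "ldxb":
                x = 4 * (val & 0xF)   # IPv4 header length in bytes
            else:
                a = val
            pc += 1
        elif op == "jeq":
            pc = jt if a == k else jf
        elif op == "jset":
            pc = jt if a & k else jf
        elif op == "ret":
            return k

def eth_ipv4_tcp(sport, dport, proto=6, frag=0, ihl=5):
    """Constructed Ethernet/IPv4/TCP frame (hypothetical test input)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 4 * ihl + 20, 0, frag, 64,
                     proto, 0, bytes(4), bytes(4)) + bytes(4 * (ihl - 5))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp

def leaked_packets(captured):
    """Indices of delivered packets the filter rejects. Empty if the kernel
    honoured the filter; non-empty means packets bypassed it."""
    return [i for i, p in enumerate(captured) if run_bpf(PROGRAM, p) == 0]
```

In a real capture loop you would feed each packet from the pcap callback through `run_bpf` and log the ones `leaked_packets` would flag, together with their full headers, which is the dump suggested above.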