tcpdump mailing list archives

Losing half the conversation when any BPF is used


From: "Bill Richardson" <wrichardson () llbean com>
Date: Wed, 19 Dec 2007 11:07:12 -0500

This may not be the right list to ask but thought I would give this a
try. I have looked and looked and have not seen anyone with this
problem. 
 
In the past I have been able to take large inclusive tcpdump files and
read them back in with the -r option using tcpdump and BPF them to a
host or port and save to a smaller, more usable file that I would view
with wireshark.
For example:
tcpdump -r large.pcap host 192.168.0.1 -w small.pcap
 
This worked in the past, but I noticed about 2 months ago that it stopped
working: I'm only seeing half the conversation when I apply any BPFs.
 
Here is an example of the problem looking at the last 4 packets in a
capture. The first example uses no BPF and I see both sides of the
conversation. The last 3 examples use a BPF and I only see one side of
the conversation.
 
tcpdump -r test.pcap -nn |grep 172.21.89.75
08:05:28.729250 IP 172.21.89.75.4000 > 172.21.89.70.45647: .
1555:1569(14) ack 3496 win 202
08:05:28.729258 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1569
win 5840
08:05:28.739994 IP 172.21.89.75.4000 > 172.21.89.70.45647: .
1569:1583(14) ack 3496 win 202
08:05:28.740003 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1583
win 5840
 
tcpdump -r test.pcap -nn host 172.21.89.75
08:05:28.713883 IP 172.21.89.70.45647 > 172.21.89.75.4000: P
3456:3476(20) ack 1555 win 5840
08:05:28.718513 IP 172.21.89.70.45647 > 172.21.89.75.4000: P
3476:3496(20) ack 1555 win 5840
08:05:28.729258 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1569
win 5840
08:05:28.740003 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1583
win 5840
 

tcpdump -r test.pcap -nn src host 172.21.89.75
 
nothing shows at all ?????????????
 
tcpdump -r test.pcap -nn dst host 172.21.89.75
08:05:28.713883 IP 172.21.89.70.45647 > 172.21.89.75.4000: P
3456:3476(20) ack 1555 win 5840
08:05:28.718513 IP 172.21.89.70.45647 > 172.21.89.75.4000: P
3476:3496(20) ack 1555 win 5840
08:05:28.729258 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1569
win 5840
08:05:28.740003 IP 172.21.89.70.45647 > 172.21.89.75.4000: . ack 1583
win 5840
 
I am seeing the same results from the following systems:
 
Centos 4.5 with tcpdump-3.8.2-10.RHEL4 Kernel=2.6.9-55.0.12.ELsmp
Redhat 5 with tcpdump-3.9.4-11.el5 Kernel=2.6.18-53.1.4.el5
WinXP with winpcap4.0.2 and windump 3.9.5
 
I have one system on which the BPFs work. It's an F5 BigIP running Redhat?
"uname -a" gives the following:
Kernel= 2.4.21-9.1.2.37.0smp 
It's running tcpdump-3.7.2-9.1.2.39.0
 
At first I thought it was a kernel problem between 2.4 and 2.6 but then
Windump didn't work either???? Is this a Libpcap problem? Anyone else
seeing this problem?
 
 
Thanks for your help
Bill 
 
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
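One thing worth checking before blaming the kernel or libpcap is whether the direction that `src host 172.21.89.75` fails to match was captured with an 802.1Q VLAN tag: a plain `host` filter does not look past the tag, so such frames only match a filter written as `vlan and host 172.21.89.75`, while `-nn` output without `-e` gives no hint that the tag is there. The script below is an added example, not code from the original post or from the tcpdump project; it assumes an Ethernet (linktype 1) pcap and builds a constructed two-packet capture in memory (one untagged frame from .70 and one tagged frame from .75, with made-up MAC addresses and VLAN id 100) so it runs offline, then reports which VLAN ids each direction of the conversation was seen on.

```python
import struct

def _ipv4(src, dst):
    # Minimal 20-byte IPv4 header, no options; checksum left zero (constructed sample).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

# Constructed frames: made-up MACs, the IP addresses from the post.
ETH_DST, ETH_SRC = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"
UNTAGGED = ETH_DST + ETH_SRC + b"\x08\x00" + _ipv4("172.21.89.70", "172.21.89.75")
TAGGED = (ETH_DST + ETH_SRC + b"\x81\x00" + struct.pack("!H", 100)  # 802.1Q, VLAN 100
          + b"\x08\x00" + _ipv4("172.21.89.75", "172.21.89.70"))

def build_pcap(frames):
    """Serialise frames as a classic little-endian pcap with linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def iter_packets(pcap):
    """Yield each packet's captured bytes from a classic pcap file image."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xa1b2c3d4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + caplen]
        off += caplen

def describe(frame):
    """Return (vlan_id_or_None, src_ip, dst_ip) for an Ethernet/IPv4 frame, else None."""
    etype, = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if etype == 0x8100:  # 802.1Q tag: a plain 'host' BPF filter does not look past it
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        etype, = struct.unpack("!H", frame[16:18])
        off = 18
    if etype != 0x0800:
        return None
    src = ".".join(map(str, frame[off + 12:off + 16]))
    dst = ".".join(map(str, frame[off + 16:off + 20]))
    return vlan, src, dst

def vlan_report(pcap):
    """Map each (src, dst) direction to the set of VLAN ids it was seen on (None = untagged)."""
    report = {}
    for frame in iter_packets(pcap):
        d = describe(frame)
        if d:
            report.setdefault((d[1], d[2]), set()).add(d[0])
    return report
```

If one direction shows up only with a VLAN id while the other is untagged, that explains the asymmetric filter results, and the capture side (trunk port, mirror session) is where to look rather than tcpdump itself.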
